Assign Password Self-Service Policy based on attribute

March 09, 2016

The script assigns a certain Password Self-Service Policy to a user if a certain attribute of the user account is empty, and another policy if it is not.

To use the script with Adaxes, create a Scheduled Task for the User object type that runs the script.

Parameters:

  • $policyPropertyNotEmpty - specifies the exact name of the Password Self-Service Policy to assign if the attribute is not empty (a name that matches no policy or more than one policy is rejected and logged);
  • $policyPropertyEmpty - specifies the exact name of the Password Self-Service Policy to assign if the attribute is empty (same rule);
  • $propertyValue - specifies a value reference for the attribute to check.
# Exact name of the policy assigned when the checked attribute holds a value.
[string]$policyPropertyNotEmpty = "Password Self-Service Policy 1" # TODO: modify me
# Exact name of the policy assigned when the checked attribute is empty.
[string]$policyPropertyEmpty = "Password Self-Service Policy 2" # TODO: modify me
# Value reference of the attribute to test; presumably resolved by Adaxes before the script runs.
[string]$propertyValue = "%adm-CustomAttributeText1%" # TODO: modify me

function UpdateActivityScope ()
{
    # Adds (or flips) one Activity Scope item of an Adaxes configuration object
    # so that the object identified by $baseObjectDN is included in, or excluded
    # from, the scope. Does nothing when $configurationObjectPath is $NULL.
    #   $configurationObjectPath - ADS path of the policy whose scope is edited
    #   $baseObjectDN            - DN of the scope base; empty means "all objects"
    #   $scopeItemType           - scope item type constant
    #   $inheritance             - scope inheritance constant
    #   $exclude                 - $True to exclude the base object, $False to include it
    Param(
        $configurationObjectPath,
        $baseObjectDN,
        $scopeItemType,
        $inheritance,
        $exclude
    )

    # The caller resolves the policy; a missing policy means nothing to edit.
    if ($configurationObjectPath -eq $NULL)
    {
        return
    }

    $policy = $Context.BindToObject($configurationObjectPath)

    # Resolve the scope base: an empty DN maps to a null base object and the empty GUID.
    $baseObject = $NULL
    $targetGuid = [Guid]::Empty
    if (-not [System.String]::IsNullOrEmpty($baseObjectDN))
    {
        $baseObject = $Context.BindToObjectByDN($baseObjectDN)
        $targetGuid = [Guid]$baseObject.Get("objectGuid")
    }

    # Look for an item that already targets the same base with the same inheritance and type.
    $scopeItems = $policy.ActivityScopeItems
    $staleItem = $NULL
    foreach ($existing in $scopeItems)
    {
        $existingGuid = [Guid]$existing.Get("adm-ScopeBaseObjectGuid")
        $sameTarget = (($existingGuid -eq $targetGuid) -and
                       ($existing.Inheritance -eq $inheritance) -and
                       ($existing.Type -eq $scopeItemType))
        if (-not $sameTarget)
        {
            continue
        }

        # Identical item (same include/exclude flag) is already present: nothing to change.
        if ($existing.Exclude -eq $exclude)
        {
            return
        }

        # Same target with the opposite flag: replace it below.
        $staleItem = $existing
        break
    }

    if ($NULL -ne $staleItem)
    {
        $scopeItems.Remove($staleItem)
    }

    # Create the replacement item and attach it to the scope.
    $newItem = $scopeItems.Create()
    $newItem.BaseObject = $baseObject
    $newItem.Type = $scopeItemType
    $newItem.Inheritance = $inheritance
    $newItem.Exclude = $exclude
    $newItem.SetInfo()

    $scopeItems.Add($newItem)
}

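function GetConfigurationObjectPath ($objectName, $objectType, $configurationContainer)
{
    # Resolves the ADS path of a single Adaxes configuration object found by
    # exact name below a well-known configuration container.
    #   $objectName             - name of the object (matched literally)
    #   $objectType             - objectCategory of the object
    #   $configurationContainer - well-known container name passed to GetWellKnownContainerPath
    # Returns the AdsPath of the unique match, or $NULL (after logging) when
    # no object or more than one object has that name.

    # Escape LDAP filter metacharacters (RFC 4515) so a policy name such as
    # "Policy (HR)" or "Policy*" is matched literally instead of corrupting
    # the filter or turning into a wildcard. Backslash must be escaped first.
    $escapedName = $objectName -replace '\\', '\5c' `
                               -replace '\*', '\2a' `
                               -replace '\(', '\28' `
                               -replace '\)', '\29' `
                               -replace "`0", '\00'

    $configurationContainerPath = $Context.GetWellKnownContainerPath($configurationContainer)
    $searcher = $Context.BindToObject($configurationContainerPath)
    $searcher.SearchFilter = "(&(objectCategory=$objectType)(name=$escapedName))"
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500

    $searchResultIterator = $NULL
    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        # Force an array so a single result still has a Count.
        $searchResults = @($searchResultIterator.FetchAll())

        if ($searchResults.Count -gt 1)
        {
            $Context.LogMessage("Found more than one configuration object with name '$objectName'.", "Warning")
            return $NULL
        }
        if ($searchResults.Count -eq 0)
        {
            $Context.LogMessage("Configuration object '$objectName' does not exist.", "Error")
            return $NULL
        }

        return $searchResults[0].AdsPath
    }
    finally
    {
        # ExecuteSearch() can fail before the iterator exists; calling Dispose()
        # on $NULL here would raise a second error that masks the original one.
        if ($NULL -ne $searchResultIterator)
        {
            $searchResultIterator.Dispose()
        }
    }
}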

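# Resolve the ADS paths of both policies before changing anything.
$policyPropertyNotEmptyPath = GetConfigurationObjectPath $policyPropertyNotEmpty "adm-PasswordSelfServicePolicy" "PasswordSelfServicePolicies"
$policyPropertyEmptyPath = GetConfigurationObjectPath $policyPropertyEmpty "adm-PasswordSelfServicePolicy" "PasswordSelfServicePolicies"

# Abort before touching any Activity Scope when either policy could not be
# resolved (the lookup already logged why). Updating only one policy would
# leave the user included in one scope without the matching exclusion in the
# other, i.e. a half-applied password self-service assignment.
if (($policyPropertyNotEmptyPath -eq $NULL) -or ($policyPropertyEmptyPath -eq $NULL))
{
    $Context.LogMessage("Policy assignment skipped: one of the configured Password Self-Service Policies could not be resolved.", "Warning")
    return
}

# Decide which policy applies. Only a missing/empty value counts as empty;
# a whitespace-only value is treated as "not empty" (unchanged behavior).
$propertyIsEmpty = [System.String]::IsNullOrEmpty($propertyValue)

# Include the user in one policy and exclude them from the other, so that the
# two scopes stay mutually exclusive for this user.
UpdateActivityScope -ConfigurationObjectPath $policyPropertyNotEmptyPath `
                    -BaseObjectDN "%distinguishedName%" `
                    -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
                    -Inheritance "ADS_SCOPE_BASE" `
                    -Exclude $propertyIsEmpty

UpdateActivityScope -ConfigurationObjectPath $policyPropertyEmptyPath `
                    -BaseObjectDN "%distinguishedName%" `
                    -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
                    -Inheritance "ADS_SCOPE_BASE" `
                    -Exclude (!$propertyIsEmpty)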
