The scripts below can be used in business rules, custom commands and scheduled tasks to check the group memberships of the AD object they are executed on. Each script must be executed in the If PowerShell script returns true condition.
- The 1st script returns True if the object is a member of all the specified groups
- The 2nd script returns True if the object is a member of any of the specified groups
To use them in your rule, command or task, add the If PowerShell script returns true condition that runs one of the scripts.
Return true if the target object is a member of all the groups
Parameter:
- $groupDNs - Specifies a list of distinguished names (DNs) of the groups to check.
PowerShell
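$groupDNs = @(
"CN=Sales Agents,CN=Users,DC=domain,DC=com",
"CN=New York Employees,CN=Users,DC=domain,DC=com"
) # TODO: modify me

# Start from "not met" and only flip to $True once every check below has
# passed, so any unexpected path (error, unresolved group) leaves the
# condition False.
$Context.ConditionIsMet = $False

# An empty list would make "member of all groups" vacuously true; treat it
# as a misconfiguration instead.
if ($groupDNs.Count -eq 0)
{
    return
}

# Number of distinct DNs we expect the search to resolve. DNs are compared
# case-insensitively, as AD does.
$distinctDNs = New-Object -TypeName "System.Collections.Generic.HashSet[String]" -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $groupDNs)
{
    [void]$distinctDNs.Add($dn)
}

# Build the search filter that matches the specified groups by DN.
# FilterBuilder escapes the DN, so a DN containing filter metacharacters
# cannot change the meaning of the filter.
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectCategory=group)(|")
foreach ($dn in $groupDNs)
{
    [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
}
[void]$filter.Append("))")

# Find the groups and collect their GUIDs.
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter.ToString()
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectGuid"))
$searcher.VirtualRoot = $True

$groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"
$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    foreach ($searchResult in $searchResultIterator.FetchAll())
    {
        [void]$groupGuidsToCheck.Add([Guid]$searchResult.Properties["objectGuid"].Value)
    }
}
finally
{
    # ExecuteSearch may have thrown before an iterator existed; disposing
    # $null would raise a second error that hides the original one.
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}

# Every configured DN must have resolved to a group. Otherwise a misspelled
# DN or a deleted group would shrink the set of groups to check and the
# condition could pass for an object that is not in all intended groups.
# (The same group listed under two DN spellings also fails here; fail-closed.)
if ($groupGuidsToCheck.Count -ne $distinctDNs.Count)
{
    return
}

# GUIDs of the groups the target object is a member of.
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    foreach ($memberOfGuid in $Context.TargetObject.GetEx("adm-MemberOfGuid"))
    {
        [void]$targetGroupGuids.Add([Guid]$memberOfGuid)
    }
}
catch
{
    # The target object is not a member of any groups. Return False.
    return
}

# True only if every requested group GUID is among the target's memberships.
$Context.ConditionIsMet = $targetGroupGuids.IsSupersetOf($groupGuidsToCheck)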
Return true if the target object is a member of any of the groups
Parameter:
- $groupDNs - Specifies a list of distinguished names (DNs) of the groups to check.
PowerShell
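$groupDNs = @(
"CN=Sales Agents,CN=Users,DC=domain,DC=com",
"CN=New York Employees,CN=Users,DC=domain,DC=com"
) # TODO: modify me

# Start from "not met"; any error or unresolved group leaves the condition
# False.
$Context.ConditionIsMet = $False

# Build the search filter that matches the specified groups by DN.
# FilterBuilder escapes the DN, so a DN containing filter metacharacters
# cannot change the meaning of the filter.
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectCategory=group)(|")
foreach ($dn in $groupDNs)
{
    [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
}
[void]$filter.Append("))")

# Find the groups and collect their GUIDs. A DN that does not resolve
# simply cannot match, so a typo here makes the condition False, never True.
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter.ToString()
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectGuid"))
$searcher.VirtualRoot = $True

$groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"
$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    foreach ($searchResult in $searchResultIterator.FetchAll())
    {
        [void]$groupGuidsToCheck.Add([Guid]$searchResult.Properties["objectGuid"].Value)
    }
}
finally
{
    # ExecuteSearch may have thrown before an iterator existed; disposing
    # $null would raise a second error that hides the original one.
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}

# Nothing to check against (no DN resolved): return False.
if ($groupGuidsToCheck.Count -eq 0)
{
    return
}

# GUIDs of the groups the target object is a member of.
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    foreach ($memberOfGuid in $Context.TargetObject.GetEx("adm-MemberOfGuid"))
    {
        [void]$targetGroupGuids.Add([Guid]$memberOfGuid)
    }
}
catch
{
    # The target object is not a member of any groups. Return False.
    return
}

# True if at least one requested group GUID is among the target's memberships.
$Context.ConditionIsMet = $targetGroupGuids.Overlaps($groupGuidsToCheck)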