Script repository

Check whether the target object is a member of multiple groups

March 01, 2024 Views: 5459
Group Membership

The scripts can be used in business rules, custom commands and scheduled tasks to check group memberships of an AD object the script is executed on. The script must be executed in the If PowerShell script returns true condition.

  • The 1st script returns True if the object is a member of all the specified groups
  • The 2nd script returns True if the object is a member of any of the specified groups

To use them in your rule, command or task, add the If PowerShell script returns true condition that runs one of the scripts.

Return true if the target object is a member of all the groups

Parameter:

  • $groupDNs - Specifies a list of distinguished names (DNs) of the groups to check.
Edit Remove
PowerShell
$groupDNs = @(
    "CN=Group 1,OU=Groups,DC=company,DC=com",
    "CN=Group 2,OU=Groups,DC=company,DC=com",
    "CN=Group 3,OU=Groups,DC=company,DC=com",
    "CN=Group 4,OU=Groups,DC=subdomain,DC=company,DC=com")

$Context.ConditionIsMet = $False

# Get the group GUIDs

# Build a hash table with group GUIDs
$groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"

foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    $groupGuid = $group.Get("objectGuid")
    [void]$groupGuidsToCheck.Add($groupGuid)
}

# Get GUIDs of the groups the user is a member of
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    $Context.TargetObject.GetEx("adm-MemberOfGuid") | %%{[void]$targetGroupGuids.Add([Guid]$_)}
}
catch
{
    return # The user is not a member of any groups.
}

foreach ($guid in $groupGuidsToCheck)
{
    # Check whether the target object is a member of the groups in list
    if ($targetGroupGuids.Contains($guid))
    {
        continue
    }
    
    return # The user is not a member of all the groups that are in the list.
}

# User is a member of all the groups that are in the list.
$Context.ConditionIsMet = $True

Return true if the target object is a member of any of the groups

Parameter:

  • $groupDNs - Specifies a list of distinguished names (DNs) of the groups to check.
Edit Remove
PowerShell
$groupDNs = @(
    "CN=Group 1,OU=Groups,DC=company,DC=com",
    "CN=Group 2,OU=Groups,DC=company,DC=com",
    "CN=Group 3,OU=Groups,DC=company,DC=com",
    "CN=Group 4,OU=Groups,DC=subdomain,DC=company,DC=com")

$Context.ConditionIsMet = $False

# Get the group GUIDs

# Build a hash table with group GUIDs
$groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"

foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    $groupGuid = $group.Get("objectGuid")
    [void]$groupGuidsToCheck.Add($groupGuid)
}

# Get GUIDs of the groups the user is a member of
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    $Context.TargetObject.GetEx("adm-MemberOfGuid") | %%{[void]$targetGroupGuids.Add([Guid]$_)}
}
catch
{
    return # The user is not a member of any groups.
}

foreach ($guid in $groupGuidsToCheck)
{
    # Check whether the target object is a member of the groups in list
    if ($targetGroupGuids.Contains($guid))
    {
        # User is a member of at least  one of the groups.
        $Context.ConditionIsMet = $True
        return
    }
}
Comments 0
Leave a comment
Related Scripts

Got questions?

Support Questions & Answers