Script Repository


Check whether the target object is a member of multiple groups

February 12, 2016

The scripts can be used in Business Rules, Custom Commands and Scheduled Tasks to check group memberships of an AD object on which the script is executed.

  • The 1st script returns True if the object is a member of all the specified groups
  • The 2nd script returns True if the object is a member of any of the specified groups

To use them in your rule, command or task, add the If PowerShell script returns true condition that runs one of the scripts.

Return true if the target object is a member of all the groups

Parameter:

  • $groupDNs - specifies a list of Distinguished Names (DNs) of the groups to check.
PowerShell
$groupDNs = @(
    "CN=Sales Agents,CN=Users,DC=domain,DC=com",
    "CN=New York Employees,CN=Users,DC=domain,DC=com"
) # TODO: modify me

$Context.ConditionIsMet = $False

# Get the group GUIDs
# Build search filter to find the specified groups
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectCategory=group)(|")

foreach ($dn in $groupDNs)
{
    [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
}
[void]$filter.Append("))")

# Find the groups and fetch group GUIDs
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter.ToString()
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectGuid"))
$searcher.VirtualRoot = $True

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    # Build a set of the GUIDs of the groups that were found
    $groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"

    foreach ($searchResult in $searchResults)
    {
        [void]$groupGuidsToCheck.Add([Guid]$searchResult.Properties["objectGuid"].Value)
    }

    # Fail closed: if some of the specified groups could not be found
    # (e.g. a misspelled or outdated DN), an "all groups" check must not
    # pass just because fewer groups were compared. Return False.
    if ($groupGuidsToCheck.Count -ne $groupDNs.Count)
    {
        return
    }
}
finally
{
    # Release resources (the iterator is $null if ExecuteSearch failed)
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}

# Get GUIDs of the groups the user is a member of
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    $Context.TargetObject.GetEx("adm-MemberOfGuid") | ForEach-Object { [void]$targetGroupGuids.Add([Guid]$_) }
}
catch
{
    return # The user is not a member of any groups. Return False
}

foreach ($guid in $groupGuidsToCheck)
{
    # Check whether the target object is a member of the groups in list
    if ($targetGroupGuids.Contains($guid))
    {
        continue
    }
    
    return # The user is not a member of all the groups that are in the list. Return False
}

# User is a member of all the groups that are in the list. Return True
$Context.ConditionIsMet = $True

Return true if the target object is a member of any of the groups

Parameter:

  • $groupDNs - specifies a list of Distinguished Names (DNs) of the groups to check.
PowerShell
$groupDNs = @(
    "CN=Sales Agents,CN=Users,DC=domain,DC=com",
    "CN=New York Employees,CN=Users,DC=domain,DC=com"
) # TODO: modify me

$Context.ConditionIsMet = $False

# Get the group GUIDs
# Build search filter to find the specified groups
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectCategory=group)(|")

foreach ($dn in $groupDNs)
{
    [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
}
[void]$filter.Append("))")

# Find the groups and fetch group GUIDs
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter.ToString()
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectGuid"))
$searcher.VirtualRoot = $True

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    # Build a set of the GUIDs of the groups that were found
    $groupGuidsToCheck = New-Object "System.Collections.Generic.HashSet[Guid]"

    foreach ($searchResult in $searchResults)
    {
        [void]$groupGuidsToCheck.Add([Guid]$searchResult.Properties["objectGuid"].Value)
    }

    # Fail closed: if some of the specified groups could not be found
    # (e.g. a misspelled or outdated DN), treat the rule as misconfigured
    # rather than silently checking against fewer groups. Return False.
    if ($groupGuidsToCheck.Count -ne $groupDNs.Count)
    {
        return
    }
}
finally
{
    # Release resources (the iterator is $null if ExecuteSearch failed)
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}

# Get GUIDs of the groups the user is a member of
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    $Context.TargetObject.GetEx("adm-MemberOfGuid") | ForEach-Object { [void]$targetGroupGuids.Add([Guid]$_) }
}
catch
{
    return # The user is not a member of any groups. Return False
}

foreach ($guid in $groupGuidsToCheck)
{
    # Check whether the target object is a member of the groups in list
    if ($targetGroupGuids.Contains($guid))
    {
        # User is a member of at least one of the groups. Return True
        $Context.ConditionIsMet = $True
        return
    }
}
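The two scripts above differ only in the final loop, and neither tells you which of the listed groups the object is missing or which DN failed to resolve when a rule misbehaves. The following script is an added example, not part of the original repository entry: a single condition script that covers both the "all groups" and "any group" cases through a `$requireAll` switch, resolves each group by binding to its DN directly instead of building an LDAP filter, fails closed when a DN cannot be bound, and writes the missing groups to the operation log. It assumes the same Adaxes script context used above (`$Context.TargetObject`, `$Context.ConditionIsMet`, `$Context.BindToObject`), that `$Context.BindToObject` accepts an `Adaxes://<DN>` path, and that `$Context.LogMessage(text, type)` is available for logging; the group DNs are placeholders.

```powershell
# Added example (not from the original page). One script for both cases:
#   $requireAll = $True  -> True only if the object is a member of ALL listed groups
#   $requireAll = $False -> True if the object is a member of ANY listed group
# Fails closed: an unresolvable group DN makes the condition False and is logged.
$groupDNs = @(
    "CN=Sales Agents,CN=Users,DC=domain,DC=com",
    "CN=New York Employees,CN=Users,DC=domain,DC=com"
) # TODO: modify me
$requireAll = $True # TODO: modify me

$Context.ConditionIsMet = $False

# Resolve every DN to the group's objectGUID by binding to the group directly.
# Assumption: $Context.BindToObject accepts "Adaxes://" + DN paths.
$groupGuidsToCheck = New-Object "System.Collections.Generic.Dictionary[Guid,String]"
foreach ($dn in $groupDNs)
{
    try
    {
        $group = $Context.BindToObject("Adaxes://" + $dn)
        $guid = [Guid]$group.Get("objectGUID")
        $groupGuidsToCheck[$guid] = $dn
    }
    catch
    {
        # A typo, renamed or deleted group must not make the rule pass by accident.
        # Assumption: $Context.LogMessage(message, "Information"|"Warning"|"Error").
        $Context.LogMessage("Group could not be found: $dn", "Error")
        return
    }
}

# GUIDs of the groups the target object is a member of
$targetGroupGuids = New-Object "System.Collections.Generic.HashSet[Guid]"
try
{
    $Context.TargetObject.GetEx("adm-MemberOfGuid") | ForEach-Object { [void]$targetGroupGuids.Add([Guid]$_) }
}
catch
{
    # adm-MemberOfGuid is not set: the object is not a member of any group
    $Context.LogMessage("Target object is not a member of any group", "Information")
    return
}

# Collect the DNs of listed groups the object is NOT a member of
$missing = @()
foreach ($entry in $groupGuidsToCheck.GetEnumerator())
{
    if (-not $targetGroupGuids.Contains($entry.Key))
    {
        $missing += $entry.Value
    }
}

if ($requireAll)
{
    if ($missing.Count -eq 0)
    {
        $Context.ConditionIsMet = $True
    }
    else
    {
        $Context.LogMessage("Missing required groups: " + ($missing -join "; "), "Information")
    }
}
else
{
    # Member of at least one listed group if not every listed group is missing
    if ($missing.Count -lt $groupGuidsToCheck.Count)
    {
        $Context.ConditionIsMet = $True
    }
    else
    {
        $Context.LogMessage("Not a member of any of the specified groups", "Information")
    }
}
```

Binding to each DN instead of searching with an `(|(distinguishedName=...)...)` filter makes the missing-group case explicit: the bind throws, the DN is logged, and the condition stays False. Keep `$groupDNs` free of duplicates, since the dictionary is keyed by GUID and a repeated DN would be counted once.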
