Script Repository


Check whether user performing an operation manages the OU where target object is located

January 15, 2016

The script checks whether an operation is being performed by a user who manages the OU in which the target object is located (the OU's managedBy attribute, which may point to a user or to a group). It is intended for the If PowerShell returns true condition. The condition is met when the user does not manage the OU.

PowerShell
# Bind to the OU where the target object is located
$parent = $Context.BindToObject($Context.TargetObject.Parent)

# Get parent OU owner
$Context.ConditionIsMet = $True
try
{
    $ownerDN = $parent.Get("managedBy")
}
catch
{
    return
}

# Check whether initiator is the owner
if ($ownerDN -eq "%adm-InitiatorDN%")
{
    $Context.ConditionIsMet = $False
    return
}

# Check whether owner is a group
$owner = $Context.BindToObjectByDN($ownerDN)

if ($owner.Class -ne "Group")
{
    return
}

# Get group members
try
{
    $memberGuidsBytes = $owner.GetEx("adm-MembersGuid")
}
catch
{
    return # The group has no members
}

# Check whether initiator is a direct member of the group (nested group membership is not resolved)
$initiatorGuid = [Guid]"%adm-InitiatorGuid%"
foreach ($guidBytes in $memberGuidsBytes)
{
    $guid = [Guid]$guidBytes
    if ($guid -ne $initiatorGuid)
    {
        continue
    }
    
    # Initiator is a member of the group that owns the OU
    $Context.ConditionIsMet = $False
    return
}
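The script above only honours direct membership of the managing group. As an added example (not part of the original script), the variant below resolves nested groups as well, using only the same Adaxes $Context members and value references the script already relies on; the helper name Test-InitiatorInGroup is hypothetical.

```powershell
# Added example: recursive membership check with cycle protection
function Test-InitiatorInGroup
{
    param (
        [string]$GroupDN,
        [string]$InitiatorDN,
        [System.Collections.Generic.HashSet[string]]$Visited
    )

    # Stop on circular nesting (A is a member of B, B is a member of A)
    if (-not $Visited.Add($GroupDN)) { return $False }

    $group = $Context.BindToObjectByDN($GroupDN)
    try
    {
        $memberDNs = $group.GetEx("member")
    }
    catch
    {
        return $False # The group has no members
    }

    foreach ($memberDN in $memberDNs)
    {
        if ($memberDN -eq $InitiatorDN) { return $True }

        $member = $Context.BindToObjectByDN($memberDN)
        if ($member.Class -eq "group")
        {
            if (Test-InitiatorInGroup $memberDN $InitiatorDN $Visited) { return $True }
        }
    }
    return $False
}

# Same flow as the original script, with nested groups resolved
$Context.ConditionIsMet = $True
$parent = $Context.BindToObject($Context.TargetObject.Parent)
try { $ownerDN = $parent.Get("managedBy") } catch { return } # OU has no manager

if ($ownerDN -eq "%adm-InitiatorDN%")
{
    $Context.ConditionIsMet = $False
    return
}

$owner = $Context.BindToObjectByDN($ownerDN)
if ($owner.Class -eq "group")
{
    $visited = New-Object "System.Collections.Generic.HashSet[string]"
    if (Test-InitiatorInGroup $ownerDN "%adm-InitiatorDN%" $visited) { $Context.ConditionIsMet = $False }
}
```

Each nested group costs an extra bind, so on large, deeply nested groups expect the condition to take noticeably longer than the direct-membership version.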

