

Copy group memberships from template based on property values

October 12, 2020

The script copies group memberships from a template user to the current user. The template user is selected based on the value of the specified property. The direct group memberships the user had before copying are removed; the user's primary group is never touched.

Script 1: Template is determined based on a single property value

Parameters:

  • $propertyName - Specifies the LDAP name of the property whose value will be used to determine the template user to copy group membership from. You can specify a multi-valued property (e.g. CustomAttributeTextMultiValue1). In this case, group membership will be copied from the template user that corresponds to each of the property values.
  • $propertyToTemplateMap - Maps property values to the distinguished names (DNs) of the corresponding template users.
PowerShell
$propertyName = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$propertyToTemplateMap = @{
    "Administration" = "CN=_Administration_Department_Template,CN=Users,DC=example,DC=com"
    "IT" = "CN=_IT_Department_Template,CN=Users,DC=example,DC=com"
    "Sales" = "CN=_Sales_Department_Template,CN=Users,DC=example,DC=com"
} # TODO: modify me.
# E.g. if Property value is 'Administration', copy group memberships from user '_Administration_Department_Template'.

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)
   
    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Get property value
try
{
    $values = $Context.TargetObject.GetEx($propertyName)
}
catch
{
    $Context.LogMessage("Could not add the user to any groups, because the '$propertyName' property is empty", "Warning")
    return
}

$groupsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($value in $values)
{
    # Skip values that have no template user mapped to them
    $templateDN = $propertyToTemplateMap[$value]
    if ([System.String]::IsNullOrEmpty($templateDN))
    {
        $Context.LogMessage("No template user is mapped to value '$value' of property '$propertyName'", "Warning")
        continue
    }

    # Bind to the template user
    $templateUser = $Context.BindToObjectByDn($templateDN)

    # Get all groups the template user is a direct member of
    $templateUser.GetEx("adm-DirectMemberOfGuid") | %{ [void]$groupsToAdd.Add([Guid]$_) }
}

foreach ($guid in $groupsToAdd)
{
    # Bind to the group
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
    
    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
   
    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}

Script 2: Template is determined based on two property values

Parameters:

  • $firstPropertyName - Specifies the LDAP name of the first property whose value will be used to determine the template user to copy group membership from.
  • $secondPropertyName - Specifies the LDAP name of the second property whose value will be used to determine the template user to copy group membership from.
  • $templateUsersInfo - Maps property values to the distinguished names (DNs) of the corresponding template users. Each key is the first and second property values joined with a semicolon, e.g. "New York;Sales".
  • $groupDNsToKept - Specifies distinguished names (DNs) of groups the target user will not be removed from even if the template user is not a member of them. Set the variable to an empty array to update the entire group membership.
PowerShell
$firstPropertyName = "l" # TODO: modify me
$secondPropertyName = "employeeType" # TODO: modify me
$templateUsersInfo = @{
    "New York;Sales" = "CN=TemplateUser1,CN=Users,DC=example,DC=com"
    "Washington;IT" = "CN=TemplateUser2,CN=Users,DC=example,DC=com"
} # TODO: modify me
$groupDNsToKept = @("CN=MyGroup1,OU=Groups,DC=example,DC=com", "CN=MyGroup2,OU=Groups,DC=example,DC=com") # TODO: modify me

# Get the first property value of the user
try
{
    $firstValue = $Context.TargetObject.Get($firstPropertyName)
}
catch
{
    $Context.LogMessage("Property $firstPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Get the second property value of the user
try
{
    $secondValue = $Context.TargetObject.Get($secondPropertyName)
}
catch
{
    $Context.LogMessage("Property $secondPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Get template user DN
$templateUserDN = $templateUsersInfo["$firstValue;$secondValue"]
if ([System.String]::IsNullOrEmpty($templateUserDN))
{
    $Context.LogMessage("No source user is specified for combination property $firstPropertyName equals $firstValue and property $secondPropertyName equals $secondValue. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Collect the GUIDs of the groups the user must stay a member of
$groupGuidsToKept = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($dn in $groupDNsToKept)
{
    $group = $Context.BindToObjectByDn($dn)
    [void]$groupGuidsToKept.Add([Guid]$group.Get("objectGUID"))
}

# Get all groups user is a direct member of
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($guidBytes in $groupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes
    if ($groupGuidsToKept.Contains($groupGuid))
    {
        continue
    }
    
    # Bind to the group
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)
   
    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Bind to the template user
$templateUser = $Context.BindToObjectByDn($templateUserDN)

# Get all groups the template user is a direct member of
$groupGuidsBytes = $templateUser.GetEx("adm-DirectMemberOfGuid")

foreach ($guidBytes in $groupGuidsBytes)
{
    # Bind to the group
    $groupGuid = [Guid]$guidBytes
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)
    
    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
   
    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}
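Both scripts above remove every direct membership and then re-add the template's groups, so a user briefly loses access to groups they end up in anyway, and every run produces a full set of removal and addition events in the audit trail. The following variant, added here as an example and not part of the repository scripts, applies only the delta: it removes groups the template lacks (unless they are in the kept list) and adds groups the user is not in yet. It assumes the same Adaxes $Context API used above and that $templateUserDN, $groupDNsToKept and $primaryGroupId have already been resolved as in Script 2.

```powershell
# Added example: membership update by delta (assumes $Context, $templateUserDN,
# $groupDNsToKept and $primaryGroupId are set as in Script 2 above).

function Get-DirectGroupGuids($object)
{
    # adm-DirectMemberOfGuid yields one byte[] per group; normalize to [Guid]
    $set = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    try { $object.GetEx("adm-DirectMemberOfGuid") | %{ [void]$set.Add([Guid]$_) } }
    catch { } # the property is empty when the object has no direct memberships
    return $set
}

function Update-Membership($guids, $action)
{
    # $action is "Add" or "Remove", the ADSI group method to call
    foreach ($guid in $guids)
    {
        $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
        # The primary group is not managed through the member attribute; never touch it
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId) { continue }
        $group.$action($Context.TargetObject.AdsPath)
        $Context.LogMessage("$action`: group '$($group.Get("cn"))'", "Information")
    }
}

$current = Get-DirectGroupGuids $Context.TargetObject
$desired = Get-DirectGroupGuids ($Context.BindToObjectByDn($templateUserDN))

# Groups explicitly protected from removal
$kept = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($dn in $groupDNsToKept)
{
    [void]$kept.Add([Guid]$Context.BindToObjectByDn($dn).Get("objectGUID"))
}

# Remove only groups the template lacks and the kept list does not protect
$toRemove = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$toRemove.UnionWith($current)
$toRemove.ExceptWith($desired)
$toRemove.ExceptWith($kept)

# Add only groups the user is not already a direct member of
$toAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$toAdd.UnionWith($desired)
$toAdd.ExceptWith($current)

Update-Membership $toRemove "Remove"
Update-Membership $toAdd "Add"
```

Groups present in both the user's and the template's membership are left alone, so a repeated run on an already-correct user changes nothing and logs nothing.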
