Script Repository


Copy user memberships in a certain group to a similar group in another domain

February 24, 2021

The script copies the user memberships of a certain group to a similar group located in another domain. It does so by getting the usernames (sAMAccountName attribute) of all users who are members of the source group and then adding the users from the other domain who have identical usernames to the target group. Thus, for the script to work correctly, users in both domains must have identical usernames. The matching group is likewise identified by its Group name (pre-Windows 2000) attribute (LDAP name: sAMAccountName).

To use the script in Adaxes, add it to your business rule, custom command or scheduled task with the help of the Run a program or PowerShell script action.

Parameter:

  • $targetDomain - Specifies the DNS name of the domain of the target group.
PowerShell
$targetDomain = "domain.com" # TODO: modify me

function SearchObjects ($filter, $property, $domain, $list)
{
    try
    {
        $searcher = $Context.BindToObject("Adaxes://$domain/RootDSE")
        $searcher.SearchFilter = $filter
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.SetPropertiesToLoad(@($property))
        
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        if ($list -eq $NULL)
        {
            if ($searchResults.Length -eq 0)
            {
                return $NULL
            }
            else
            {
                return $searchResults[0].AdsPath
            }
        }
        
        foreach ($searchResult in $searchResults)
        {
            [void]$list.Add($searchResult.Properties[$property].Value)
        }
    }
    finally
    {
        # The iterator is unassigned if BindToObject or ExecuteSearch threw; disposing $NULL would mask that error
        if ($searchResultIterator -ne $NULL)
        {
            $searchResultIterator.Dispose()
        }
    }
}

# Search the group in the target domain
$targetGroupPath = SearchObjects "(&(objectCategory=group)(sAMAccountName=%sAMAccountName%))" "" $targetDomain $NULL
if ($targetGroupPath -eq $NULL)
{
    $Context.LogMessage("Group '%sAMAccountName%' does not exist in the target domain", "Warning")
    return
}

# Get members of the source group
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMembersGuid")
}
catch
{
    $Context.LogMessage("The group doesn't have any members.", "Warning")
    return
}

# Build filter
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(sAMAccountType=805306368)(|")
foreach ($guidBytes in $memberGuidsBytes)
{
    [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guidBytes))
}
[void]$filter.Append("))")

# Get usernames
$usernames = New-Object "System.Collections.Generic.HashSet[System.String]"
$domain = $Context.GetObjectDomain("%distinguishedName%")
SearchObjects $filter.ToString() "sAMAccountName" $domain $usernames

# Build filter to search users in the target domain
# ('%%' is how a literal '%' is written in Adaxes scripts, because '%...%' denotes a value reference;
#  here it is the ForEach-Object alias)
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(sAMAccountType=805306368)(|")
$usernames | %%{[void]$filter.Append("(sAMAccountName=$_)")}
[void]$filter.Append("))")

# Get user DNs
$userDNs = New-Object "System.Collections.Generic.HashSet[System.String]"
SearchObjects $filter.ToString() "distinguishedName" $targetDomain $userDNs

# Add users to the target group
$targetGroup = $Context.BindToObjectEx($targetGroupPath, $True)
foreach ($dn in $userDNs)
{
    try
    {
        $targetGroup.Add("Adaxes://$dn")
    }
    catch
    {
        $Context.LogMessage("Cannot add user '$dn' to group in domain '$targetDomain'", "Warning")
    }
}
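The GUID filter above is built with FilterBuilder, but the username filter in the "Build filter to search users in the target domain" step embeds each sAMAccountName verbatim; a legal name containing parentheses, or a value containing `*` or `\`, yields a malformed filter or one that matches more than intended. The following is an added example, not code from the Adaxes script repository, of an RFC 4515 escaping helper and a hardened version of that step; the function names and the sample names are assumptions, and `$usernames` stands for the same HashSet the script fills.

```powershell
# Added example, not part of the Adaxes script above.
# Escape a single value for use inside an LDAP search filter (RFC 4515, section 3):
# the characters \ * ( ) and NUL are replaced with a backslash and two hex digits.
function ConvertTo-LdapFilterValue ([string]$value)
{
    $sb = New-Object "System.Text.StringBuilder"
    foreach ($ch in $value.ToCharArray())
    {
        switch ([string]$ch)
        {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Hardened form of the script's "Build filter to search users in the target domain" step:
# every sAMAccountName is escaped before it is embedded, so a name containing
# parentheses (which sAMAccountName permits) can no longer unbalance the filter or be
# read as filter syntax. $usernames is the HashSet of source-group usernames.
function New-TargetUserFilter ($usernames)
{
    $filter = New-Object "System.Text.StringBuilder"
    [void]$filter.Append("(&(sAMAccountType=805306368)(|")
    foreach ($name in $usernames)
    {
        $escaped = ConvertTo-LdapFilterValue $name
        [void]$filter.Append("(sAMAccountName=$escaped)")
    }
    [void]$filter.Append("))")
    return $filter.ToString()
}

# Constructed sample input: two ordinary names and one legal name with parentheses.
# With plain concatenation the third entry would produce a malformed filter.
$sample = New-Object "System.Collections.Generic.HashSet[System.String]"
[void]$sample.Add("jdoe")
[void]$sample.Add("asmith")
[void]$sample.Add("svc(legacy)")
New-TargetUserFilter $sample
```

The escaped filter is standard LDAP syntax, so it can be passed to ExecuteSearch exactly as the script passes `$filter.ToString()` today.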
