We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Create groups based on departments of users

March 17, 2021 Views: 2764

The script adds a user to a group with the same name as the user's department. If a group with the necessary name does not exist it will be created.

To use the script, you need to create a business rule triggered automatically once a user is created or updated. For more information on how to automatically run a script once a new user is created, see Run PowerShell Script after Creating a User. Alternatively, you can schedule adding users to groups.

Parameters:

  • $groupOuDn - Specifies the distinguished name (DN) of the Organizational Unit where to search for groups matching departments.
  • $groupType - Specifies what types of groups to create if there isn't a group for a user's department. For a complete list of possible values, see ADS_GROUP_TYPE_ENUM.
Edit Remove
PowerShell
$groupName = "Group-%department%" # TODO: modify me
$groupOuDn = "OU=Departments,DC=example,DC=com" # TODO: modify me
[Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
 "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED" # TODO: modify me

if ([System.String]::IsNullOrEmpty("%department%"))
{
    return # Department not specified
}

# Get GUIDs of groups user is a direct member of
try
{
    $groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $groupGuidsBytes = @()
}

$groupGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$groupGuidsBytes | %%{[void]$groupGuids.Add([Guid]$_)}

# Search group for department
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$searcher = $Context.BindToObject("Adaxes://$domainName/RootDSE")
$searcher.SearchFilter = "(&(objectClass=group)(name=$groupName))"
$searcher.SetPropertiesToLoad(@("ObjectGuid"))

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    if ($searchResults.Length -ge 1)
    {
        foreach ($searchResult in $searchResults)
        {
            $guid = [Guid]$searchResult.Properties["ObjectGuid"].Value
            if ($groupGuids.Contains($guid))
            {
                continue # The user is already a member of an appropriate group
            }
            
            # Group found, add user
            $departmentGroup = $Context.BindToObject($searchResult.AdsPath)
            $departmentGroup.Add($Context.TargetObject.AdsPath)
        }
    }
    else
    {
        # Group not found, create one
        $targetContainer = $Context.BindToObjectByDN($groupOuDn)
        $departmentGroup = $targetContainer.Create("group","CN=$groupName")
        $departmentGroup.Put("groupType", [Int32]$groupType)
        $departmentGroup.Put("sAMAccountName", $groupName)
        $departmentGroup.SetInfo()
        
        # Add user
        $departmentGroup.Add($Context.TargetObject.AdsPath)
    }
}
catch
{
    $Context.LogMessage("An error occurred when adding the user to group '$groupName'. Error: " + $_.Exception.Message, "Warning")
}
finally
{
    $searchResultIterator.Dispose()
}
Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers