The script creates an LDAP filter that allows finding all objects managed by all secretaries of the user on which the script is executed. The filter is saved to a certain attribute of the user account.
Note: Secretaries are specified in the Secretary property of a user and assigned to manage an AD object via the Managed By property of the corresponding object.
Parameter:
-
$propertyForFilter - Specifies the LDAP display name of the property that will be used to store the LDAP filter.
- $dNsAttribute - Specifies the LDAP display name of the property to get a list of secretaries from. Besides the secretary attribute, you can also use such attributes as assistant, directReports or See Also, for example.
To create the LDAP filter for any user on demand, create a custom command that can be executed on User objects and execute it on the users you need. To keep up with changes in your Active Directory, create a scheduled task to update the filters of users on a regular basis.
$propertyForLDAPFilter = "adm-CustomAttributeText1" # TODO: modify me
$dNsAttribute = "secretary" # TODO: modify me
function SearchObjects($filter, $properties)
{
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad($properties)
$searcher.VirtualRoot = $True
try
{
$searchResultIterator = $searcher.ExecuteSearch()
$searchResults = $searchResultIterator.FetchAll()
return ,$searchResults
}
finally
{
# Release resources
if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
}
function UpdateAttribute ($propertyName, $value)
{
$Context.TargetObject.Put($propertyName, $value)
$Context.TargetObject.SetInfo()
}
try
{
# Get DNs of related users / groups
$relatedDNs = $Context.TargetObject.GetEx($dNsAttribute)
}
catch
{
# Set an empty GUID as the filter so no objects are returned
UpdateAttribute $propertyForLDAPFilter "(objectGuid=\00)"
return
}
# Find objects managed by users/groups in $relatedDNs
# Build filter
$managedObjectsFilter = New-Object "System.Text.StringBuilder"
[Void]$managedObjectsFilter.Append("(|")
foreach ($dn in $relatedDNs)
{
$filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("managedBy", $dn)
[Void]$managedObjectsFilter.Append($filterPart)
}
[Void]$managedObjectsFilter.Append(")")
# Perform the search
$searchResults = SearchObjects $managedObjectsFilter.ToString() @("objectGUID")
if ($searchResults.Length -eq 0)
{
# Set an empty GUID as the filter so no objects are returned
UpdateAttribute $propertyForLDAPFilter "(objectGuid=\00)"
return
}
# Build filter containing GUIDs of the objects found
$ldapFilter = New-Object "System.Text.StringBuilder"
[Void]$ldapFilter.Append("(|")
foreach ($searchResult in $searchResults)
{
$guid = [Guid]$searchResult.Properties["objectGUID"].Value
$filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGUID", $guid)
[Void]$ldapFilter.Append($filterPart)
}
[Void]$ldapFilter.Append(")")
# Save filter to the property specified
UpdateAttribute $propertyForLDAPFilter $ldapFilter.ToString()The script can be used to build a business unit that will present each user with a list of all objects managed by their secretaries. For information on how to create such a business unit, see Example 3 under Query Results in Group AD Objects Based on Logged In User.
For the LDAP filter, specify a value reference for the property that you used in $propertyForFilter. For example, if you specified adm-CustomAttributeText1, use the following value reference: %adm-CustomAttributeText1%.
