
Create LDAP filter to find groups where user is assistant or secretary

September 14, 2017

The script creates an LDAP filter that finds all AD groups where a user is an assistant or secretary, and saves the filter to a specified attribute of the user account. The filter includes both the groups where the user is directly assigned as assistant or secretary and the groups where they are assigned via membership in other AD groups.

Note: Users are assigned as assistants and secretaries of AD groups via the Assistant and Secretary properties of a group object.


Parameter:

  • $propertyForLDAPFilter - specifies the LDAP display name of the property that will be used to store the LDAP filter.

To create the LDAP filter for any user on demand, create a Custom Command that can be executed on User objects and execute it on the users you need. To keep up with changes in your Active Directory, create a Scheduled Task to update the filters of users on a regular basis.

$propertyForLDAPFilter = "adm-CustomAttributeText1" # TODO: modify me

# Build filter: open an OR group so that a match on any clause is enough
$ldapFilter = New-Object "System.Text.StringBuilder"
[Void]$ldapFilter.Append("(|")
[Void]$ldapFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("assistant", "%distinguishedName%"))
[Void]$ldapFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("secretary", "%distinguishedName%"))

# Add all groups where user is a member to the filter
try
{
    $groupGuidsBytes = $Context.TargetObject.GetEx("adm-MemberOfGuid")
}
catch
{
    # GetEx throws when the property has no value
    $groupGuidsBytes = $NULL
}

if ($NULL -ne $groupGuidsBytes)
{
    # Match any of the groups by GUID
    $groupFilter = New-Object "System.Text.StringBuilder"
    [Void]$groupFilter.Append("(|")
    foreach ($guidBytes in $groupGuidsBytes)
    {
        [Void]$groupFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("ObjectGuid", $guidBytes))
    }
    [Void]$groupFilter.Append(")")

    # Find all the groups
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $groupFilter.ToString()
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        foreach ($searchResult in $searchResults)
        {
            # Add group DN to the filter
            $dn = $searchResult.Properties["distinguishedName"].Value
            [Void]$ldapFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("assistant", $dn))
            [Void]$ldapFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("secretary", $dn))
        }
    }
    finally
    {
        # Release the search result resources
        if ($searchResultIterator) { $searchResultIterator.Dispose() }
    }
}

# Close the OR group
[Void]$ldapFilter.Append(")")

# Save filter to the property specified
$Context.TargetObject.Put($propertyForLDAPFilter, $ldapFilter.ToString())
$Context.TargetObject.SetInfo() # commit the change to the directory

The script can be used to build a Business Unit that presents each user with a list of all groups where they are either a secretary or an assistant. For information on how to create such a Business Unit, see Example 3 under Query Results in Group AD Objects Based on Logged In User.

For the LDAP filter, specify a value reference for the property that you set in $propertyForLDAPFilter. For example, if you specified adm-CustomAttributeText1, use the following value reference: %adm-CustomAttributeText1%.
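
The stored filter is assembled from distinguished names and GUIDs, and DNs can contain characters that are special in LDAP filter syntax. The following is an added example, not Adaxes code and not part of the original script: standalone PowerShell that builds filters of the same shape by hand with RFC 4515 escaping. The function names and the sample DNs and GUID are constructed for illustration, and how FilterBuilder handles values internally is not shown on this page.

```powershell
# Added example: plain PowerShell, no Adaxes types. Function names are hypothetical.

function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515 escaping. The backslash is replaced first so that the
    # escapes added afterwards are not escaped a second time.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $v.Replace([string][char]0, '\00')
}

function ConvertTo-LdapFilterGuid([guid]$Guid)
{
    # A binary value such as objectGUID is written as \XX for every byte,
    # in the byte order returned by ToByteArray().
    return -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
}

function New-AssistantSecretaryFilter([string]$UserDN, [string[]]$GroupDNs)
{
    # One OR group: the user's own DN plus the DN of every group the user is in.
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(|')
    foreach ($dn in (@($UserDN) + @($GroupDNs) | Where-Object { $_ }))
    {
        $v = ConvertTo-LdapFilterValue $dn
        [void]$sb.Append("(assistant=$v)(secretary=$v)")
    }
    [void]$sb.Append(')')
    return $sb.ToString()
}

function New-GroupGuidFilter([guid[]]$Guids)
{
    # Lookup filter for the member groups, matched by GUID.
    $clauses = $Guids | ForEach-Object { "(objectGUID=$(ConvertTo-LdapFilterGuid $_))" }
    return '(|' + (-join $clauses) + ')'
}

# Constructed sample data: a user DN with an escaped comma, a group DN with parentheses.
$userDN    = 'CN=Smith\, John,OU=Staff,DC=example,DC=com'
$groupDNs  = @('CN=Ops (EMEA),OU=Groups,DC=example,DC=com')
$groupGuid = [guid]'11223344-5566-7788-99aa-bbccddeeff00'

New-GroupGuidFilter -Guids @($groupGuid)
New-AssistantSecretaryFilter -UserDN $userDN -GroupDNs $groupDNs
```

With the sample data, the backslash in the user DN becomes \5c and the parentheses in the group name become \28 and \29, so a group name cannot open or close a clause in the stored filter.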
