The script creates an LDAP filter that finds all the groups in which the user's subordinates are members, and saves the filter to an attribute of the user account. To run the script, create a business rule, custom command or scheduled task configured for the User object type.
An object is a subordinate of a user when that user is specified in the Manager property of the object.
Parameter:
- $propertyForLDAPFilter - Specifies the LDAP name of the property that will be used to store the LDAP filter.
PowerShell
$propertyForLDAPFilter = "adm-CustomAttributeText1" # TODO: modify me

try
{
    # Get the distinguished names (DNs) of the user's subordinates
    $directReportDNs = $Context.TargetObject.GetEx("directReports")
}
catch
{
    # The user has no subordinates: store a filter on an empty GUID
    $Context.TargetObject.Put($propertyForLDAPFilter, "(objectGuid=\00)")
    $Context.TargetObject.SetInfo()
    return
}

# Build filter: groups that have at least one of the subordinates as a member
$ldapFilter = New-Object "System.Text.StringBuilder"
[Void]$ldapFilter.Append("(&(objectCategory=group)")
[Void]$ldapFilter.Append("(|")
foreach ($dn in $directReportDNs)
{
    # One filter clause per subordinate DN
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("member", $dn)
    [Void]$ldapFilter.Append($filterPart)
}
[Void]$ldapFilter.Append("))")

# Save the filter
$Context.TargetObject.Put($propertyForLDAPFilter, $ldapFilter.ToString())
$Context.TargetObject.SetInfo()
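
The script above hands each DN to FilterBuilder to produce a filter clause. As an added example (not part of the original script and not Adaxes code), here is the same filter built by hand with RFC 4515 escaping, so that a DN containing `(`, `)`, `*` or `\` cannot change the structure of the stored filter. The function names and sample DNs are assumptions constructed for illustration.

```powershell
# Added example: stand-alone sketch, runs without Adaxes.
# ConvertTo-LdapFilterValue and New-SubordinateGroupFilter are hypothetical names.

function ConvertTo-LdapFilterValue
{
    param([string]$Value)

    # RFC 4515: NUL, '(', ')', '*' and '\' must be written as \XX (hex) inside a filter value
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray())
    {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0)
        {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        }
        else
        {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString()
}

function New-SubordinateGroupFilter
{
    param([string[]]$MemberDNs)

    # No subordinates: same empty-GUID filter the script stores in its catch block
    if ($null -eq $MemberDNs -or $MemberDNs.Count -eq 0)
    {
        return '(objectGuid=\00)'
    }

    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(&(objectCategory=group)(|')
    foreach ($dn in $MemberDNs)
    {
        [void]$sb.Append('(member=' + (ConvertTo-LdapFilterValue $dn) + ')')
    }
    [void]$sb.Append('))')
    return $sb.ToString()
}

# Constructed sample DNs; the second one contains '\', '(' and ')'
$sampleDNs = @(
    'CN=Jane Doe,OU=Staff,DC=example,DC=com',
    'CN=Smith\, John (Contractor),OU=Staff,DC=example,DC=com'
)
New-SubordinateGroupFilter -MemberDNs $sampleDNs
New-SubordinateGroupFilter -MemberDNs @()
```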