

Maintain distribution lists based on employee types

February 12, 2016

The script creates distribution lists for each employee type specified for users in Active Directory, and also updates user membership in the groups based on employee types of users.

To use the script, create a Scheduled Task configured for the Domain-DNS object type that runs the script and assign it over any of your AD domains. Such a task will update the groups for employee types on a periodical basis.

Parameters:

  • $groupOUDN - specifies the Distinguished Name (DN) of the Organizational Unit where the distribution lists are located;
  • $employeeTypeAttribute - specifies the LDAP display name of the attribute that is used to store the employee type of a user.
PowerShell
$groupOUDN = "OU=Groups,DC=domain,DC=com" # TODO: modify me
$employeeTypeAttribute = "employeeType" # TODO: modify me

# Prepare a domain-wide search for enabled user accounts that have an employee type.
# sAMAccountType=805306368 selects normal user accounts; the UserAccountControl clause
# (bitwise-AND matching rule 1.2.840.113556.1.4.803, bit 2) excludes disabled accounts.
# Only the employee type and the object GUID are loaded; nothing else is needed later.
$domain = $Context.GetObjectDomain($groupOUDN)
$searcher = $Context.BindToObject("Adaxes://$domain/rootDSE")
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.PageSize = 500
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))({0}=*))" -f $employeeTypeAttribute
$propertiesToLoad = @($employeeTypeAttribute, "ObjectGuid")
$searcher.SetPropertiesToLoad($propertiesToLoad)

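# Run the user search and group the matching users by employee type.
# Result: $employeeTypeInfos maps employee type -> array of user GUIDs. A PowerShell
# hash table compares keys case-insensitively, which matches how AD compares
# sAMAccountName values when the groups are looked up later.
$employeeTypeInfos = @{}
$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    foreach ($searchResult in $searchResults)
    {
        $guid = [Guid]$searchResult.Properties["ObjectGuid"].Value
        $employeeType = $searchResult.Properties[$employeeTypeAttribute].Value
        
        if ($employeeTypeInfos.ContainsKey($employeeType))
        {
            $employeeTypeInfos[$employeeType] += $guid
        }
        else
        {
            [void]$employeeTypeInfos.Add($employeeType, @($guid))
        }
    }
}
finally
{
    # ExecuteSearch() can throw before the iterator is assigned; calling Dispose()
    # on $null would replace the real error with a "null-valued expression" error.
    if ($searchResultIterator)
    {
        $searchResultIterator.Dispose()
    }
}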

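# Search groups that represent employee types and reconcile their membership.
# The employee type is a value read from a user attribute, so it is treated as
# untrusted input: it is validated against the characters that are not allowed in
# a group sAMAccountName and escaped (RFC 4515) before it is placed in an LDAP
# filter. Only a group that lives under $groupOUDN and is not security-enabled is
# managed; a same-named group elsewhere (for example an existing security group)
# would otherwise have its membership rewritten by this script.
foreach ($employeeType in $employeeTypeInfos.Keys)
{
    # Values that cannot be a sAMAccountName/CN are skipped instead of letting
    # SetInfo() fail and abort the whole run.
    if ($employeeType -match '["/\\\[\]:;|=,+*?<>]')
    {
        $Context.LogMessage("Employee type '$employeeType' contains characters that are not allowed in a group name. Skipped.", "Warning")
        continue
    }
    
    # Escape the value for the LDAP filter; the backslash must be replaced first.
    $filterValue = $employeeType -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
    
    # Check whether the group for this employee type exists
    $searcher = $Context.BindToObject("Adaxes://$domain/rootDSE")
    $searcher.SearchFilter = "(&(objectCategory=group)(sAMAccountName=$filterValue))"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad(@("distinguishedName", "groupType"))
    
    $searchResultIterator = $null
    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        if ($searchResults.Length -eq 0)
        {
            # Create a universal distribution group (no security-enabled bit)
            $container = $Context.BindToObjectByDN($groupOUDN)
            $group = $container.Create("group","CN=$employeeType")
            [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType = "ADS_GROUP_TYPE_UNIVERSAL_GROUP"
            $group.Put("groupType", [Int32]$groupType)
            $group.Put("sAMAccountName", $employeeType)
            $group.SetInfo()
            
            # Mail-enable the group
            $alias = $employeeType.Replace(" ", "")
            $group.MailEnable($alias, $NULL, $NULL, $NULL)
        }
        elseif ($searchResults.Length -gt 1)
        {
            $Context.LogMessage("Found more than one Group with name '$employeeType'", "Warning")
            continue
        }
        else
        {
            $groupDN = [string]$searchResults[0].Properties["distinguishedName"].Value
            $groupTypeValue = [Int64]$searchResults[0].Properties["groupType"].Value
            
            # 0x80000000 is the security-enabled flag of groupType; this script only
            # manages distribution lists, so never touch a security group.
            if (($groupTypeValue -band 0x80000000) -ne 0)
            {
                $Context.LogMessage("Group '$groupDN' is a security group, not a distribution list. Skipped.", "Warning")
                continue
            }
            
            # Manage the group only if it is located under the configured OU.
            # NOTE: this is a textual suffix check, so $groupOUDN must be written in
            # the same form AD returns (no spaces after the commas).
            if (-not $groupDN.EndsWith(",$groupOUDN", [StringComparison]::OrdinalIgnoreCase))
            {
                $Context.LogMessage("Group '$groupDN' is located outside '$groupOUDN'. Skipped.", "Warning")
                continue
            }
            
            $group = $Context.BindToObject($searchResults[0].AdsPath)
        }
    }
    finally
    {
        # ExecuteSearch() can throw before the iterator is assigned
        if ($searchResultIterator)
        {
            $searchResultIterator.Dispose()
        }
    }
    
    # Get current direct members (GUIDs); a group with no members has no value
    # for this attribute, so that case is treated as an empty member list.
    try
    {
        $memberGuidsBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        $memberGuidsBytes = @()
    }
    
    # Update group membership: after the loop below $membersToAdd holds only the
    # users that are not yet members; current members without the employee type
    # are removed.
    $membersToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
    $employeeTypeInfos[$employeeType] | ForEach-Object { [void]$membersToAdd.Add($_) }
    
    foreach ($guidBytes in $memberGuidsBytes)
    {
        $guid = [Guid]$guidBytes
        if ($membersToAdd.Remove($guid))
        {
            continue # Already a member of the group
        }
        
        $group.Remove("Adaxes://<GUID=$guid>") # Remove from the group
    }
    
    foreach ($guid in $membersToAdd)
    {
        $group.Add("Adaxes://<GUID=$guid>") # Add to the group
    }
}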
