Script Repository

Update AD group membership of a user based on business unit membership

February 25, 2021

The script adds users to, and removes them from, Active Directory groups based on the business units they are members of. To run the script, create a scheduled task configured for the Domain-DNS object type and add a managed domain to the Activity Scope of the task.


  • $unitDNsToGroupDNs - Maps the distinguished names (DNs) of the business units whose members should be added to Active Directory groups to the DNs of the groups that correspond to each business unit. A business unit can have one or more associated groups. For information on how to get the DN of a directory object, see Get the DN of a directory object.
$unitDNsToGroupDNs = @{
    "CN=My Unit1,CN=Business Units,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" = @(
        "<DN of group 1 for My Unit1>",   # placeholders: replace with the DNs of the groups
        "<DN of group 2 for My Unit1>");
    "CN=My Unit2,CN=Business Units,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" = @(
        "<DN of group for My Unit2>");
} # TODO: modify me

foreach ($unitDN in $unitDNsToGroupDNs.Keys)
{
    # Get the GUIDs of the unit's members from its membership rules
    $unit = $Context.BindToObjectByDN($unitDN)
    $membershipRules = $unit.GetMembershipRules()
    $memberGuids = $unit.GetMemberGuids($membershipRules)
    $memberSearcher = $Context.CreateGuidBasedSearcher($memberGuids)
    try
    {
        $searchResultIterator = $memberSearcher.ExecuteSearch()
        $memberSearchResults = $searchResultIterator.FetchAll()
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }

    # Get object DNs
    $memberDNs = New-Object "System.Collections.ArrayList"
    $memberSearchResults | %{[void]$memberDNs.Add($_.Properties["distinguishedName"].Value)}

    foreach ($dn in $unitDNsToGroupDNs[$unitDN])
    {
        $group = $Context.BindToObjectByDN($dn)

        # Update group membership: the whole "member" attribute is replaced with
        # the unit's members, so accounts that are not in the unit are removed
        $group.Put("member", $memberDNs.ToArray())
        $group.SetInfo()
    }
}
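Because the script overwrites the whole "member" attribute, any account that was placed in one of the target groups by hand or by another process is removed on the next scheduled run. The following added example, which is not the repository's script, computes and logs that delta for each group before anything is committed; it assumes the same Adaxes $Context object and $unitDNsToGroupDNs map, that $Context.LogMessage is available, and uses a hypothetical $commitChanges switch so the first run can be a dry run.

```powershell
# Added example, not the repository's script. Assumes the Adaxes $Context object,
# the $unitDNsToGroupDNs map from the script above, and that $Context.LogMessage
# is available (assumption). Nothing is written unless $commitChanges is $true.
$commitChanges = $false   # hypothetical dry-run switch: set to $true to apply the changes

function Get-UnitMemberDNs([string]$unitDN)
{
    # Same member resolution as the script above, returned as a string array
    $unit = $Context.BindToObjectByDN($unitDN)
    $memberGuids = $unit.GetMemberGuids($unit.GetMembershipRules())
    $searcher = $Context.CreateGuidBasedSearcher($memberGuids)
    $iterator = $null
    try
    {
        $iterator = $searcher.ExecuteSearch()
        return @($iterator.FetchAll() | ForEach-Object { $_.Properties["distinguishedName"].Value })
    }
    finally
    {
        if ($iterator) { $iterator.Dispose() }
    }
}

function Get-CurrentMemberDNs($group)
{
    # "member" is absent on an empty group and GetEx throws, so treat that as no members
    try { return @($group.GetEx("member")) } catch { return @() }
}

foreach ($unitDN in $unitDNsToGroupDNs.Keys)
{
    $desired = Get-UnitMemberDNs $unitDN
    foreach ($groupDN in $unitDNsToGroupDNs[$unitDN])
    {
        $group = $Context.BindToObjectByDN($groupDN)
        $current = Get-CurrentMemberDNs $group
        # Put("member", ...) replaces the whole list, so the delta is what actually changes
        $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
        $toRemove = @($current | Where-Object { $desired -notcontains $_ })
        $Context.LogMessage("$groupDN : +$($toAdd.Count) -$($toRemove.Count)", "Information")
        foreach ($dn in $toRemove) { $Context.LogMessage("$dn is not a unit member and will be removed from $groupDN", "Warning") }
        if ($commitChanges -and ($toAdd.Count -gt 0 -or $toRemove.Count -gt 0))
        {
            $group.Put("member", [string[]]$desired)
            $group.SetInfo()
        }
    }
}
```

Run it once with $commitChanges left at $false and review the warnings in the task's execution log before switching it on, especially for groups that grant elevated access.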

