Update group membership based on property value

February 25, 2021

Update group membership of all users

The script makes sure that only users with a specific property value are members of the corresponding groups. For each configured value it searches for the matching users and overwrites the member list of the corresponding groups, so any member whose property value does not match (or that is not a user at all) is removed from those groups. To run the script, create a scheduled task configured for the Domain-DNS object type.

Parameters:

  • $propertyName - Specifies the LDAP name of the property whose value will be used to determine the groups a user should be a member of.
  • $valuesToGroupDNs - Maps property values to the distinguished names (DNs) of the corresponding groups.
PowerShell
$propertyName = "title" # TODO: modify me
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True
    
    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    # Build filter
    $filter = "(&(sAMAccountType=805306368)($propertyName=$value))"
    
    # Search users
    $searchResults = SearchObjects $filter
    
    # Get user DNs
    $userDNs = $searchResults | %{$_.Properties["distinguishedName"].Value}
    
    # Update group members
    foreach ($dn in $valuesToGroupDNs[$value])
    {
        $group = $Context.BindToObjectByDN($dn)
        $group.Put("member", $userDNs)
        $group.SetInfo()
    }
}
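The script above replaces the whole member attribute in one Put call, which leaves no per-member record of what changed and places the hashtable value into the LDAP filter unescaped. The following variant, added here as an illustration and not part of the original script, reconciles each group by computing the difference between its current and desired members, escapes the property value per RFC 4515 before building the filter, and logs every addition and removal so membership changes can be audited. It assumes the same Adaxes $Context object (BindToObject, BindToObjectByDN, LogMessage) that scheduled-task scripts receive, and the same placeholder $propertyName and $valuesToGroupDNs values as the original.

```powershell
# Added example (not part of the original script): diff-based reconciliation
# of group membership with LDAP filter escaping and an audit log entry per change.
# Assumes the Adaxes $Context object available to scheduled-task scripts.
$propertyName = "title" # TODO: modify me (placeholder, as in the original)
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me (placeholder, as in the original)

function EscapeLdapFilterValue($value)
{
    # RFC 4515 escaping: a value containing \ * ( ) or NUL must not change the filter.
    # The backslash is replaced first so the escapes added below are not re-escaped.
    $escaped = $value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function SearchUserDNs($filter)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True
    $searcher.SetPropertiesToLoad(@("distinguishedName"))
    try
    {
        $iterator = $searcher.ExecuteSearch()
        $results = $iterator.FetchAll()
        # Always return an array, even when zero or one user matches
        return ,@($results | ForEach-Object { $_.Properties["distinguishedName"].Value })
    }
    finally
    {
        if ($iterator) { $iterator.Dispose() }
    }
}

function GetCurrentMemberDNs($group)
{
    try
    {
        return ,@($group.GetEx("member"))
    }
    catch
    {
        return ,@()   # the member attribute is absent on an empty group
    }
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    $filter = "(&(sAMAccountType=805306368)($propertyName=" + (EscapeLdapFilterValue $value) + "))"
    $desired = SearchUserDNs $filter

    foreach ($groupDN in $valuesToGroupDNs[$value])
    {
        $group = $Context.BindToObjectByDN($groupDN)
        $current = GetCurrentMemberDNs $group

        # Members to add: desired but not current. Members to remove: current but not desired.
        # -notcontains compares strings case-insensitively, which matches DN semantics.
        $toAdd = @($desired | Where-Object { $current -notcontains $_ })
        $toRemove = @($current | Where-Object { $desired -notcontains $_ })

        foreach ($dn in $toAdd)
        {
            $group.Add("Adaxes://$dn")
            $Context.LogMessage("Added '$dn' to group '$groupDN'.", "Information")
        }
        foreach ($dn in $toRemove)
        {
            $group.Remove("Adaxes://$dn")
            $Context.LogMessage("Removed '$dn' from group '$groupDN'.", "Information")
        }
    }
}
```

Because only the differing members are touched, a run in which nobody matches a value empties the group through individual Remove calls (each of them logged) instead of writing an empty member attribute, and a run in which nothing changed performs no directory writes at all, which keeps the scheduled task's execution log meaningful.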

Update group membership of only the target user

The script makes sure that the target user is a member of only the groups that correspond to the user's current value of the specified property. The user is added to the groups mapped to that value and removed from the groups mapped to every other value. To run the script, you can, for example, create a custom command configured for the User object type, or a business rule triggered After updating a user.

Parameters:

  • $propertyName - Specifies the LDAP name of the property whose value will be used to determine the groups a user should be a member of.
  • $valuesToGroupDNs - Maps property values to the distinguished names (DNs) of the corresponding groups.

PowerShell
$propertyName = "title" # TODO: modify me
$valuesToGroupDNs = @{
    "Value1" = @("CN=MyGroup1,OU=Groups,DC=domain,DC=com", "CN=MyGroup2,OU=Groups,DC=domain,DC=com")
    "Value2" = @("CN=MyGroup3,OU=Groups,DC=domain,DC=com")
} # TODO: modify me

function UpdateGroupMembership ($memberPath, $groupDNs, $addToGroup)
{
    foreach ($dn in $groupDNs)
    {
        $group = $Context.BindToObjectByDN($dn)
        if ($addToGroup)
        {
            try
            {
                $group.Add($memberPath)
            }
            catch
            {
                $Context.LogMessage("An error occurred when adding the user to group '$dn'. Error: " + $_.Exception.Message, "Warning")
            }
        }
        else
        {
            try
            {
                $group.Remove($memberPath)
            }
            catch
            {
                $Context.LogMessage("An error occurred when removing the user from group '$dn'. Error: " + $_.Exception.Message, "Warning")
            }
        }
    }
}

try
{
    $propertyValue = $Context.TargetObject.Get($propertyName)
}
catch
{
    $propertyValue = $NULL
}

foreach ($value in $valuesToGroupDNs.Keys)
{
    $addToGroup = $propertyValue -eq $value
    UpdateGroupMembership $Context.TargetObject.AdsPath $valuesToGroupDNs[$value] $addToGroup
}
