The script updates the list of values allowed for a DN syntax property by a property pattern with members of groups. To run the script, create a scheduled task configured for the Domain-DNS object type and add a managed domain to the Activity Scope. The domain will only be used to trigger execution of the scheduled task. The search criteria are specified in the script.
Parameters
- $groupDNs - Specifies distinguished names (DNs) of the groups whose members will be set as allowed property values.
- $isPropertyRequired - Specifies whether the property should be set as required in the property pattern.
- $patternName - Specifies the name of the property pattern to update.
- $propertyName - Specifies the LDAP name of the property for which the list of allowed values will be updated in a property pattern.
PowerShell
$groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
$isPropertyRequired = $True # TODO: modify me
$patternName = "User Pattern" # TODO: modify me
$propertyName = "seeAlso" # TODO: modify me
function SearchObjects($path, $filter, $properties, $searchInAllDomans)
{
$searcher = $Context.BindToObject($path)
$searcher.SearchFilter = $filter
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad($properties)
if ($searchInAllDomans)
{
$searcher.VirtualRoot = $True
}
try
{
$searchResultIterator = $searcher.ExecuteSearch()
$searchResults = $searchResultIterator.FetchAll()
return ,$searchResults
}
finally
{
# Release resources
if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
}
$filter = New-Object "System.Text.StringBuilder"
foreach ($dn in $groupDNs)
{
$group = $Context.BindToObjectByDN($dn)
try
{
$guidsBytes = $group.GetEx("adm-DirectMembersGuid")
}
catch
{
continue
}
foreach ($guidBytes in $guidsBytes)
{
$guid = [Guid]$guidBytes
[void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
}
}
# Search Property Pattern
$propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
$searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
if ($searchResults.Length -eq 0)
{
$Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
return
}
elseif ($searchResults.Length -gt 1)
{
$Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
return
}
# Bind to the Property Pattern
$pattern = $Context.BindToObject($searchResults[0].AdsPath)
# Delete item for property
foreach ($item in $pattern.Items)
{
if ($item.PropertyName -ieq $propertyName)
{
$pattern.Items.Remove($item)
break
}
}
if ($filter.Length -eq 0)
{
return # Groups have no members
}
# Get member DNs
$memberDNs = @()
$searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
$searchResults | %%{$memberDNs += $_.Properties["distinguishedName"].Value}
# Create a new item for property
$item = $pattern.Items.Create()
$item.PropertyName = $propertyName
$item.IsPropertyRequired = $isPropertyRequired
$constraints = $item.GetConstraints()
$constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $memberDNs
$constraints.Add($constraint)
$item.SetConstraints($constraints)
# Save the changes
$item.SetInfo()
$pattern.Items.Add($item)