Script Repository


Update allowed values Property Pattern based on group members

September 15, 2020
242

The script updates the list of values allowed for a DN syntax property by a Property Pattern with members of groups. To run the script, create a Scheduled Task configured for the Domain-DNS object type and add a managed domain to the Activity Scope. The domain will only be used to trigger execution of the Scheduled Task. The search criteria are specified in the script.

Parameters

  • $groupDNs - Specifies distinguished names (DNs) of the groups whose members will be set as allowed property values.
  • $isPropertyRequired - Specifies whether the property should be set as required in the Property Pattern.
  • $patternName - Specifies the name of the Property Pattern to update.
  • $propertyName - Specifies the LDAP name of the property for which the list of allowed values will be updated in a Property Pattern.
Edit Remove
PowerShell
$groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
$isPropertyRequired = $True # TODO: modify me
$patternName = "User Pattern" # TODO: modify me
$propertyName = "seeAlso" # TODO: modify me

function SearchObjects($path, $filter, $properties, $searchInAllDomans)
{
    $searcher = $Context.BindToObject($path)
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($properties)
    if ($searchInAllDomans)
    {
        $searcher.VirtualRoot = $True
    }
    
    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

$filter = New-Object "System.Text.StringBuilder"
foreach ($dn in $groupDNs)
{
    $group = $Context.BindToObjectByDN($dn)
    try
    {
        $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        continue
    }
    
    foreach ($guidBytes in $guidsBytes)
    {
        $guid = [Guid]$guidBytes
        [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
    }
}

# Search Property Pattern
$propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
$searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
if ($searchResults.Length -eq 0)
{
    $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
    return
}
elseif ($searchResults.Length -gt 1)
{
    $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")
    return
}

# Bind to the Property Pattern
$pattern = $Context.BindToObject($searchResults[0].AdsPath)

# Delete item for property
foreach ($item in $pattern.Items)
{
    if ($item.PropertyName -ieq $propertyName)
    {
        $pattern.Items.Remove($item)
        break
    }
}

if ($filter.Length -eq 0)
{
    return # Groups have no members
}

# Get member DNs
$memberDNs = @()
$searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
$searchResults | %%{$memberDNs += $_.Properties["distinguishedName"].Value}

# Create a new item for property
$item = $pattern.Items.Create()
$item.PropertyName = $propertyName
$item.IsPropertyRequired = $isPropertyRequired

$constraints = $item.GetConstraints()
$constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $memberDNs
$constraints.Add($constraint)
$item.SetConstraints($constraints)

# Save the changes
$item.SetInfo()
$pattern.Items.Add($item)


Comments ( 0 )
No results found.
Leave a comment