We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Update allowed values property pattern based on group members

February 24, 2021 Views: 857

The script updates the list of values allowed for a DN syntax property by a property pattern with members of groups. To run the script, create a scheduled task configured for the Domain-DNS object type and add a managed domain to the Activity Scope. The domain will only be used to trigger execution of the scheduled task. The search criteria are specified in the script.


  • $groupDNs - Specifies distinguished names (DNs) of the groups whose members will be set as allowed property values.
  • $isPropertyRequired - Specifies whether the property should be set as required in the property pattern.
  • $patternName - Specifies the name of the property pattern to update.
  • $propertyName - Specifies the LDAP name of the property for which the list of allowed values will be updated in a property pattern.
Edit Remove
$groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
$isPropertyRequired = $True # TODO: modify me
$patternName = "User Pattern" # TODO: modify me
$propertyName = "seeAlso" # TODO: modify me

function SearchObjects($path, $filter, $properties, $searchInAllDomans)
    $searcher = $Context.BindToObject($path)
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    if ($searchInAllDomans)
        $searcher.VirtualRoot = $True
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        return ,$searchResults
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }

$filter = New-Object "System.Text.StringBuilder"
foreach ($dn in $groupDNs)
    $group = $Context.BindToObjectByDN($dn)
        $guidsBytes = $group.GetEx("adm-DirectMembersGuid")
    foreach ($guidBytes in $guidsBytes)
        $guid = [Guid]$guidBytes
        [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))

# Search Property Pattern
$propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
$searchResults = SearchObjects $propertyPatternsPath "(&(objectClass=adm-PropertyPattern)(name=$patternName))" @() $False
if ($searchResults.Length -eq 0)
    $Context.LogMessage("Property Pattern '$patternName' not found.", "Warning")
elseif ($searchResults.Length -gt 1)
    $Context.LogMessage("Found more than one Property Pattern with the following name: '$patternName'", "Warning")

# Bind to the Property Pattern
$pattern = $Context.BindToObject($searchResults[0].AdsPath)

# Delete item for property
foreach ($item in $pattern.Items)
    if ($item.PropertyName -ieq $propertyName)

if ($filter.Length -eq 0)
    return # Groups have no members

# Get member DNs
$memberDNs = @()
$searchResults = SearchObjects "Adaxes://RootDSE" "(&(sAMAccountType=805306368)(|$($filter.ToString())))" @("distinguishedName") $True
$searchResults | %%{$memberDNs += $_.Properties["distinguishedName"].Value}

# Create a new item for property
$item = $pattern.Items.Create()
$item.PropertyName = $propertyName
$item.IsPropertyRequired = $isPropertyRequired

$constraints = $item.GetConstraints()
$constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $memberDNs

# Save the changes

Comments 0
Leave a comment

Got questions?

Support Questions & Answers