Automatically Change Group Membership Using Scripts

With the help of Business Rules, Scheduled Tasks and Custom Commands, you can automatically add or remove Active Directory objects from groups. The standard way to do it is to use the Add to Group and Remove from Group actions.

For details, see Automate Group Membership Management.

However, when the number of groups you need to manage is large, or when the rules for group membership are complex, automating the process this way requires a bulky structure of many actions and conditions that is hard to maintain and update. To avoid this, you can create a single action that adds and removes objects from groups using a PowerShell script.

To execute a PowerShell script in a Business Rule, Custom Command or Scheduled Task, you need to add the Run a program or PowerShell script action to it.

  • Launch Adaxes Administration Console and select a Business Rule, Custom Command or a Scheduled Task.

  • Click Add new action set.

  • Right-click Do nothing and select Add Action in the context menu.

  • In the Add Action dialog, select the Run a program or PowerShell script action.

  • To open the script editor, click the Edit button.

  • If a script is executed in a Business Rule and its execution may take a long time, it is recommended to run the script asynchronously. To do it, select the Execute asynchronously option.

    If the option is selected, the Business Rule will not wait until the script is finished, and as a result, users will not wait long until the operation completes. Take into account that if an error occurs during asynchronous execution of a script, it will not be displayed in the Execution Log of the operation.

  • Click the button to provide a custom description for the action.

To get the properties of the Active Directory object for which the script is executed, you can use value references (e.g. %username%). Before executing the script, Adaxes replaces each value reference with the corresponding property value of the object. Since this is a plain text substitution into the script source, a property value that contains a double quote or a dollar sign changes the script text itself; use value references only where such characters cannot do harm, or read the values through the $Context variable described below instead.

	$department = "%department%"
	$title = "%title%"

After replacing the value references, the script will look as follows:

	$department = "Sales"
	$title = "Manager"

Also, to get the object properties you can use a variable called $Context. It is a predefined PowerShell variable of type ExecuteScriptContext. Values read this way are taken directly from the object rather than pasted into the script text. Note that Get throws an exception if the property has no value, so wrap the call in try/catch for attributes that may be unset.

	$department = $Context.TargetObject.Get("department")
	$title = $Context.TargetObject.Get("title")

For more details, see Server-Side Scripting.

Example 1

Import-Module Adaxes

$userDN = "%distinguishedName%"

# If the department is 'Sales', the user must be a member of the 'Sales Staff' group;
# otherwise the user must not be a member of it
$department = "%department%"
$salesStaffGroup = Get-AdmGroup "Sales Staff"
if ($department -eq "Sales")
{
    # Add the user to the 'Sales Staff' group.
    # -ErrorAction SilentlyContinue suppresses the error raised when the user is
    # already a member; note that it also hides any other failure.
    Add-AdmGroupMember $salesStaffGroup $userDN -ErrorAction SilentlyContinue
}
else
{
    # Remove the user from the 'Sales Staff' group (no error if not a member)
    Remove-AdmGroupMember $salesStaffGroup $userDN -Confirm:$False `
        -ErrorAction SilentlyContinue
}

# If the user is located under Organizational Unit 'New York', add the user to
# the 'New York Office' group; otherwise remove the user from it
$newYorkOUDN = "OU=New York,DC=example,DC=com"
$dn = New-Object "Softerra.Adaxes.Ldap.DN" $userDN
$userOUDN = $dn.Parent.ToString()
$newYorkGroup = Get-AdmGroup "New York Office"
if ($newYorkOUDN -eq $userOUDN)
{
    # Add the user to the 'New York Office' group
    Add-AdmGroupMember $newYorkGroup $userDN -ErrorAction SilentlyContinue
}
else
{
    # Remove the user from the 'New York Office' group
    Remove-AdmGroupMember $newYorkGroup $userDN -Confirm:$False `
        -ErrorAction SilentlyContinue
}
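Example 1 needs one if/else block per group, which is exactly the kind of structure that becomes hard to maintain as the number of groups grows. The following added example (not code from the page or from the Adaxes documentation) generalizes it to a table of rules: each entry maps a group name to a condition, the user's current membership is read once, and the script adds or removes the user only where the actual state differs from the desired one. It assumes it runs inside a Run a program or PowerShell script action (so $Context is available); the group names "Sales Managers", the OU distinguished name and the Get-TargetProperty helper are assumptions for illustration.

```powershell
Import-Module Adaxes

# Added example: rule-table-driven group membership sync.
# Group names, the OU DN and the helper below are assumptions, not values from the page.

# Read a property of the target object via $Context. Get() throws when the
# property has no value, so unset attributes are returned as $Null instead.
function Get-TargetProperty($name)
{
    try { return $Context.TargetObject.Get($name) } catch { return $Null }
}

$userDN     = Get-TargetProperty "distinguishedName"
$department = Get-TargetProperty "department"
$title      = Get-TargetProperty "title"
$userOUDN   = (New-Object "Softerra.Adaxes.Ldap.DN" $userDN).Parent.ToString()

# One entry per managed group. The script block returns $True when the user
# must be a member of the group and $False when the user must not be.
$membershipRules = @{
    "Sales Staff"     = { $department -eq "Sales" }
    "Sales Managers"  = { $department -eq "Sales" -and $title -like "*Manager*" }
    "New York Office" = { $userOUDN -eq "OU=New York,DC=example,DC=com" }
}

# Current membership is read once, so no redundant add/remove is issued and
# no error has to be silenced with -ErrorAction SilentlyContinue.
$currentGroupDNs = @((Get-AdmUser $userDN -Properties MemberOf -AdaxesService localhost).MemberOf)

foreach ($groupName in $membershipRules.Keys)
{
    # A group that does not exist is reported in the Execution Log, not skipped silently
    try
    {
        $group = Get-AdmGroup $groupName -AdaxesService localhost -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("Group '$groupName' not found: $($_.Exception.Message)", "Warning")
        continue
    }

    $shouldBeMember = [bool](& $membershipRules[$groupName])
    $isMember = $currentGroupDNs -contains $group.DistinguishedName

    if ($shouldBeMember -and -not $isMember)
    {
        Add-AdmGroupMember $group $userDN -AdaxesService localhost
        $Context.LogMessage("Added to group '$groupName'", "Information")
    }
    elseif (-not $shouldBeMember -and $isMember)
    {
        Remove-AdmGroupMember $group $userDN -Confirm:$False -AdaxesService localhost
        $Context.LogMessage("Removed from group '$groupName'", "Information")
    }
}
```

Adding a group means adding one line to $membershipRules. Reading the values through $Context rather than value references keeps property contents out of the script text, and comparing desired against actual membership makes the script idempotent, so it can safely run from a Scheduled Task as well as from a Business Rule. The $Context.LogMessage entries appear in the Execution Log only when the script runs synchronously, as noted above for the Execute asynchronously option.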

Example 2 - Remove a user from all groups

Import-Module Adaxes

$user = Get-AdmUser "%distinguishedName%" -Properties MemberOf

# memberOf does not list the user's primary group (Domain Users by default),
# so the user stays a member of that group
if ($user.MemberOf -ne $Null)
{
    foreach ($groupDN in $user.MemberOf)
    {
        Remove-AdmGroupMember $groupDN -Members $user -Confirm:$False
    }
}

Example 3 - Remove a user from all mail-enabled groups

Import-Module Adaxes

$username = "%username%"
$domainName = $Null

Get-AdmPrincipalGroupMembership $username -Server $domainName -AdaxesService localhost |
    Get-AdmGroup -Properties mail -Server $domainName | Where {$_.mail -ne $Null} |
    Remove-AdmGroupMember -Members $username -Server $domainName -Confirm:$False

Scripts in this article use PowerShell cmdlets from the Adaxes PowerShell Module. To run the scripts, you need to install the Adaxes PowerShell Module on the computer where your Adaxes service is running.
