Is it possible to convert an existing security group to a dynamic group using PowerShell?

Hey.

We have a number of normal security groups in our AD (most of them empty) that we'd like to convert to dynamic groups with membership rules. Is it possible to convert them using PowerShell? Also, if possible, what if the existing group already contained members, can they be rolled over into the dynamic group?

Many thanks,

SJ

  • Here's some sample code to convert a group to dynamic and create a membership rule:

    $GroupObj = [ADSI]"EDMS://CN=Test_Dynamic_1,OU=Group,DC=companyb,DC=local"

    # Set the dynamic group flag
    $GroupObj.Properties["edsaIsDynamicGroup"].Value = $true
    $GroupObj.CommitChanges()

    # Begin creating a membership rule set - note that you have to be bound to the group via Active Roles
    $RuleCollection = $GroupObj.MembershipRuleCollection

    # Begin creating a membership rule
    $NewRule = New-Object -ComObject "EDSIManagedUnitCondition"
    $NewRule.Base = "EDMS://DC=CompanyB,DC=local"

    # Use the MMC to help you figure out the syntax for the LDAP filter - the filter is stored in AccountNameHistory
    $NewRule.Filter = "(&(&(|(&(objectCategory=person)(objectSid=*)(!(sAMAccountType:1.2.840.113556.1.4.804:=3)))(&(objectCategory=person)(!(objectSid=*)))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(!(userAccountControl:1.2.840.113556.1.4.804:=2048)))(&(department=Engineering)(objectClass=user)))"
    $NewRule.Type = 1 # Include by Query

    $RuleCollection.Add($NewRule)
    $GroupObj.SetInfo()

  • Hey,

    Thanks for the expanded response. I've been trying to work with Rule.Type=3 (include explicitly rule), to add members that were present before the group is converted to dynamic. I'm having problems with adding multiple members though.

    For example,

    I grab the existing group members with...

    $grpMembers = (Get-QADGroup $groupName).members

    Then I loop through the members, to try and add them to the base...

    # $rule1 is an EDSIManagedUnitCondition created earlier with Type = 3 (include explicitly)
    Foreach ($grp in $grpMembers)
    {
        $grpAdd = $grp.replace("CN=","EDMS://CN=")
        $rule1.Base = (($grpAdd).ToString())
        $objRuleCollection.Add($rule1)
    }

    But this only leaves the last DN in the loop in $rule1.base.

    I also tried adding DNs to $rule1.base as a comma separated list of DNs, prefixed by "EDMS://", but this threw an error when attempting to $objGroup.SetInfo().

    Is it possible to have multiple conditions (DNs included explicitly) contained in the same ruleset? Or, will I have to dynamically define a rule for every group member I want to add explicitly? If so, what is the maximum number of rules I can apply?

    As always, your support is greatly appreciated!

    SJ

  • I've created "(Additional)" groups for this:
    - Dynamic Group: Group X
    - Normal Group: Group X (Additional)

    Group X then has all the rules I want to populate it with and then an additional rule to include members from "Group X (Additional)". This way it's very easy to delegate out one-offs to someone else.

  • For the explicit includes, you would need to do a .SetInfo() for each explicit object you want to add. Basically, a rule per object. I am not aware of any limit.

  • Thanks,

    I kinda figured that might be the case.

    For anyone else interested in doing this, here's what I came up with. It will iteratively add existing group members as "include explicitly" in the membership rules.

    $grpMembers = (Get-QADGroup $groupName).members
    $memberCount = $grpMembers.Count

    # This variable assumes there are other rules being defined before this dynamic block of code. For example, static rules defined as $rule1, $rule2, etc. This number sets where ruleX will start from
    $additionalRuleBaseStart = 4
    $endingNumber = $additionalRuleBaseStart + $memberCount - 1
    $grpIndexCount = 0

    For ($i = $additionalRuleBaseStart; $i -le $endingNumber; $i++)
    {
        $dynRule = $null

        #Write "Rule Iteration : " $i
        $dynVariableName = "rule$i"
        $comObjectName = "EDSIManagedUnitCondition"
        $dynRule = New-Object -ComObject $comObjectName

        # Existing member DN -> EDMS path, then an "include explicitly" rule (Type = 3)
        $grpAdd = $grpMembers[$grpIndexCount].replace("CN=","EDMS://CN=")
        $dynRule.Filter = $null
        $dynRule.Base = (($grpAdd).ToString())
        $dynRule.Type = 3

        New-Variable -Name $dynVariableName
        Set-Variable -Name $dynVariableName -Value $dynRule

        $currentRuleSet = Get-Variable $dynVariableName -ValueOnly
        $objRuleCollection.Add($currentRuleSet)

        $grpIndexCount++
    }

  • Not sure why you need to generate new variable names? The variable names themselves have no significance. (Seems like un-needed complexity?)

    Why not just re-use the existing one in your loop and do a SetInfo() each time you create a new rule?

    $objRuleCollection.Add($dynrule)

    At that point you are done with the rule for that group object and can move on to processing your next explicit group member. 

  • Edit:

    At that point you are done with the rule for that group member object and can move on to processing your next explicit group member. 
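Pulling the thread's answers together, here is an added example (not code posted by any of the participants above) that converts one group to dynamic, keeps its previous members as "include explicitly" rules, reuses a single rule variable as suggested, and commits with SetInfo() after every rule. It assumes the Active Roles ADSI provider (EDMS://) and the Quest QAD cmdlets are installed and the session is connected through Active Roles; the group DN and the department query are constructed samples, and the read-back at the end assumes MembershipRuleCollection can be enumerated from the PowerShell pipeline.

```powershell
# Added example, not from the thread. Constructed sample DN below.
$groupDN = "CN=Test_Dynamic_1,OU=Group,DC=companyb,DC=local"

# 1. Capture the static membership BEFORE the dynamic flag is set, so nothing is lost.
$existingMembers = @((Get-QADGroup $groupDN).Members)   # array of member DNs

# 2. Bind through Active Roles (EDMS://) and flip the dynamic-group flag.
$GroupObj = [ADSI]("EDMS://" + $groupDN)
$GroupObj.Properties["edsaIsDynamicGroup"].Value = $true
$GroupObj.CommitChanges()

$RuleCollection = $GroupObj.MembershipRuleCollection

# 3. One "include by query" rule (Type = 1). Take the filter text from the MMC as the
#    thread advises; this filter is a constructed sample selecting Engineering users.
$queryRule = New-Object -ComObject "EDSIManagedUnitCondition"
$queryRule.Base   = "EDMS://DC=companyb,DC=local"
$queryRule.Filter = "(&(objectClass=user)(department=Engineering))"
$queryRule.Type   = 1
$RuleCollection.Add($queryRule)
$GroupObj.SetInfo()

# 4. One "include explicitly" rule (Type = 3) per previous member. The same $rule
#    variable is reused: each pass creates a fresh COM object, adds it and commits,
#    so no generated variable names are needed.
foreach ($memberDN in $existingMembers) {
    $rule = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule.Base   = "EDMS://" + $memberDN    # prefix once; do not string-replace "CN="
    $rule.Filter = $null
    $rule.Type   = 3
    $RuleCollection.Add($rule)
    $GroupObj.SetInfo()
}

# 5. Re-bind and list the committed rule set so the result can be reviewed
#    before anything depends on the new membership.
$GroupObj = [ADSI]("EDMS://" + $groupDN)
$GroupObj.MembershipRuleCollection | ForEach-Object {
    if ($_.Type -eq 1) { "Type {0} query    : {1}" -f $_.Type, $_.Filter }
    else               { "Type {0} explicit : {1}" -f $_.Type, $_.Base }
}
```

Two points worth checking in your own version: prefixing the DN with "EDMS://" once avoids the problem with `.replace("CN=","EDMS://CN=")`, which rewrites every `CN=` component in a DN such as `CN=User,CN=Users,DC=...` rather than only the first; and because a query rule can widen membership silently, reviewing the listed rules (and the resulting membership) before delegating or granting anything on the group is the step that keeps the conversion from over-granting.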
