Help in creating dynamic group using powershell using Include group members

Does anyone have an example of a PowerShell script for creating a dynamic group based on the "Include by group membership" and "Include Explicit" rules? I'm able to set up groups using the Include by query rule.

FYI, I tried following the instructions for IEDMMembershipRule in the SDK, but no luck.

  • There are six Dynamic Group rule types:

    1: "Include by query"
    2: "Exclude by query"
    3: "Include explicitly"
    4: "Exclude explicitly"
    5: "Include group members"
    6: "Exclude group members"

    These rules are referred to internally by their numbers, as described in the above list.

    So, the sample that you will find in the Wiki at https://www.oneidentity.com/community/active-roles/w/wiki/1040/create-dynamic-group-in-powershell is for Rule 1, "Include by query".

    It has a "Base", a "Filter", and a "Type".

    The Base is the search root, the filter is the LDAP filter, and the type is 1.

    If you are explicitly specifying an object or a group, you don't need a filter. Just specify the base and the type.

    So, like this:

    # Bind to the group through the Active Roles ADSI provider (EDMS://)
    $objGroup = [ADSI] "EDMS://CN=GroupName,OU=Dynamic Groups,DC=lab,DC=local"
    $objRuleCollection = $objGroup.MembershipRuleCollection

    # One membership rule: Base is the object itself, Type 3 = "Include explicitly", no Filter
    $rule1 = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule1.Base = "EDMS://CN=John McTest,OU=One Account,DC=lab,DC=local"
    $rule1.Type = 3

    $objRuleCollection.Add($rule1)
    $objGroup.SetInfo()   # commit the rule collection to Active Roles

  • Is this correct? Group1 is the group I intend to create, and Group2 is the group whose members I want to include. I see that it creates the group, but it is not dynamic and the rules are not applied.

    Connect-QADService -Proxy

    $GroupName = "Group1"
    $rule1 = New-Object -ComObject "EDSIManagedUnitCondition"

    if ($GroupName -like "Group*") {
        $GroupEmailPrefix = $GroupName.Replace(" ", ".")
        $GroupEmail = "$GroupEmailPrefix@mydomain.com"
        $rule1.Base = "EDMS://OU=GroupsOU,DC=mydomain"
    }

    # Hashtable passed to -ObjectAttributes must be closed before the next parameter
    $NewGroup = New-QADGroup -Name $GroupName -ParentContainer 'OU=GroupsOU,DC=mydomain' -GroupType 'Security' -GroupScope 'Global' -DisplayName "$GroupName*" -ObjectAttributes @{adminDescription = "Dynamic Divisional group for $GroupName employees"; proxyAddresses = "SMTP:$GroupEmail"; mailNickname = $GroupEmailPrefix} -Email $GroupEmail

    $objGroup = [ADSI] "EDMS://CN=Group2,OU=GroupsOU,DC=mydomain"
    $objRuleCollection = $objGroup.MembershipRuleCollection
    $rule1.Type = 5   # 5 = "Include group members"
    $objRuleCollection.Add($rule1)
    $objGroup.SetInfo()

  • You seem to be setting $rule1.Base to an Organizational Unit.

    This should be set to the EDMS address of the group that you want to include members for. In your example, it would be EDMS://CN=Group2,OU=GroupsOU,DC=mydomain
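The six rule types from the answer above and the Base correction from this reply, worked into one script. This is an added example, not code from the thread or from One Identity; the DNs, group names and LDAP filter are placeholders, and it assumes the Active Roles ADSI provider (EDMS://) and the EDSIManagedUnitCondition COM object are available on the machine, as in the posted snippets. Reading the rules back assumes MembershipRuleCollection can be enumerated, which the thread does not show.

```powershell
# Added example (not from the thread). Builds a dynamic group with one rule of each
# "include" type plus one exclusion, then reads the stored rules back.
# Assumptions: EDMS:// provider and EDSIManagedUnitCondition are installed;
# all DNs below are placeholders.

$groupDN     = "CN=Dyn-Sales,OU=Dynamic Groups,DC=lab,DC=local"   # group that becomes dynamic
$sourceGroup = "CN=Sales-Staff,OU=Groups,DC=lab,DC=local"         # its members get included
$explicitUsr = "CN=John McTest,OU=One Account,DC=lab,DC=local"    # single object, included explicitly
$excludeGrp  = "CN=Contractors,OU=Groups,DC=lab,DC=local"         # its members get excluded
$searchBase  = "OU=Sales,DC=lab,DC=local"                         # search root for the query rule

# Rule type numbers as listed in the answer above
$RuleType = @{
    IncludeByQuery      = 1
    ExcludeByQuery      = 2
    IncludeExplicitly   = 3
    ExcludeExplicitly   = 4
    IncludeGroupMembers = 5
    ExcludeGroupMembers = 6
}

function New-ArsMembershipRule {
    param(
        [Parameter(Mandatory)][int]$Type,
        [Parameter(Mandatory)][string]$BaseDN,
        [string]$Filter
    )
    $rule = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule.Base = "EDMS://$BaseDN"
    $rule.Type = $Type
    if ($Type -in 1, 2) {
        # Query rules: Base is a container (search root) and Filter is the LDAP filter
        if (-not $Filter) { throw "Rule type $Type requires an LDAP filter" }
        $rule.Filter = $Filter
    }
    else {
        # Explicit and group-member rules: Base is the object or group itself, no Filter.
        # Pointing Base at an OU here is the mistake discussed in the reply above.
        if ($Filter) { throw "Rule type $Type takes no filter; Base must be the object or group" }
    }
    return $rule
}

$group = [ADSI] "EDMS://$groupDN"
$rules = $group.MembershipRuleCollection

$rules.Add((New-ArsMembershipRule -Type $RuleType.IncludeByQuery -BaseDN $searchBase `
            -Filter "(&(objectCategory=person)(objectClass=user)(department=Sales))"))
$rules.Add((New-ArsMembershipRule -Type $RuleType.IncludeGroupMembers -BaseDN $sourceGroup))
$rules.Add((New-ArsMembershipRule -Type $RuleType.IncludeExplicitly   -BaseDN $explicitUsr))
$rules.Add((New-ArsMembershipRule -Type $RuleType.ExcludeGroupMembers -BaseDN $excludeGrp))

$group.SetInfo()   # commits the rules; Active Roles then computes the membership

# Read back what was stored (assumes the collection enumerates its rules)
$group = [ADSI] "EDMS://$groupDN"
foreach ($r in $group.MembershipRuleCollection) {
    "Type={0} Base={1} Filter={2}" -f $r.Type, $r.Base, $r.Filter
}
```

Two points worth checking after a run like this: the membership of a dynamic group is whatever the rules compute, so an Include-by-query rule with a broad Base or a loose filter grants group membership, and any access tied to it, to every matching account; and exclusion rules (types 2, 4 and 6) are the place to keep privileged or service accounts out of a group that is otherwise populated automatically.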

  • Thanks that fixed it, appreciate your help.