Restricting the type of object being added to a group

I'm trying to write an onPreModify script that restricts the type of objects being added to certain groups. I don't want contact entries in certain groups.

I've used the functions available here: PowerShell Library Source Code

I test if the member attribute has changed for what I considered a managed group. On additions, I get the LDAP path to the object ($v):

Function isMgdGroup2($Request) {
    # PowerShell passes arguments space-separated; f("a", $b) would send a single array argument.
    If ( (IsObjectClassRequested "group" $Request) -eq $false )
    {
        log $([string]::Format("{0} is not a group", $Request.name))
        Return $false
    }
    
    $groupType = GetAttribute "groupType" $Request
    log $([string]::Format("{0} has a group type of {1}", $Request.name, $groupType))
    If ( $groupType -eq $DSGroup ) {
        log $([string]::Format("{0} is a global group", $Request.name))
        return $true
    } elseif ( $groupType -eq $UGGroup ) {
        If ( $Request.name.startswith("UA-A-") ) { 
            Return $false
        } Else {
            Return $true
        }
    } Else {
        Return $false
    }
}

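function onPreModify($Request)
{
    # Arguments are space-separated; f("a", $b) would pass one array argument.
    if (IsAttributeModified "member" $Request) {
        If ( isMgdGroup2 $Request ) {
            for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
                $item = $Request.Item($i)
                # Only look at values being appended to the member attribute.
                if ($item.name -eq "member" -and $item.ControlCode -eq $ADS_PROPERTY_APPEND ) {
                    foreach( $val in $item.Values ) {
                        $path = $val   # LDAP path of the object being added
                    }
                }
            }
        }
    }
}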

What I want to do is verify the object is a user. I've tried using System.DirectoryServices.DirectoryEntry. For example:

function isContactObj([string]$path)
{
    $obj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$path")
    if ($obj.objectClass.Contains("contact")) {
       return $true #contact object
    } else {
        return $false #not
    }
}

The problem I have is ARS manages two domains that are not in the same forest. The ARS server is in domain A. When I create a new DirectoryEntry() object for a Domain A group, it works. When I try to do this for Domain B, it doesn't. It returns null. Get-ADUser seems to work if I specify the domain using -Server. I could do something like:

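# DN attribute names are case-insensitive, so compare the suffix without regard to case.
If ($path.EndsWith("dc=domaina,dc=company,dc=com", [System.StringComparison]::OrdinalIgnoreCase)) {
    $server = "domaina.company.com"
} else {
    $server = "domainb.company.com"
}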

Is there a better way to handle this in ARS?
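
The suffix test sketched in the post, generalized as an added example that is not part of the original post and is not ARS library code: the domain is derived from the DC components of the member's DN and the bind is server-qualified. The function names Get-DomainFromDN and Test-IsContact are hypothetical, and the code assumes the account running the script can authenticate to both domains and that each domain's DNS name resolves to a domain controller.

```powershell
# Added example; function names are hypothetical and not part of ARS.

# Build the DNS domain name from the trailing DC= components of a DN.
function Get-DomainFromDN([string]$dn)
{
    # Split on commas that are not escaped with a backslash (e.g. "CN=Smith\, John").
    $parts = [regex]::Split($dn, '(?<!\\),')
    $labels = @()
    for ($i = $parts.Length - 1; $i -ge 0; $i--) {
        if ($parts[$i].Trim() -match '^DC=(.+)$') {      # -match is case-insensitive
            $labels = @($Matches[1].Trim()) + $labels
        } else {
            break                                        # stop at the first non-DC component
        }
    }
    if ($labels.Count -eq 0) { return $null }
    return ($labels -join '.').ToLower()
}

# Return $true when the object at $dn carries the "contact" object class.
function Test-IsContact([string]$dn)
{
    $server = Get-DomainFromDN $dn
    if (-not $server) { throw "Cannot derive a domain from '$dn'" }

    # Server-qualified bind: LDAP://<domain>/<DN> instead of the serverless LDAP://<DN>.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$dn")
    try {
        $classes = @($entry.Properties["objectClass"].Value)
    } finally {
        $entry.Dispose()
    }

    # Fail closed: an object whose classes cannot be read is not silently allowed.
    if ($classes.Count -eq 0 -or $null -eq $classes[0]) {
        throw "Could not read objectClass for '$dn' from $server"
    }
    return ($classes -contains "contact")
}
```

Throwing when objectClass cannot be read keeps a failed cross-domain lookup from being treated as "not a contact", which would let the restricted object into the group.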