I'm trying to write an onPreModify script that restricts the type of objects being added to certain groups. I don't want contact entries in certain groups.
I've used the functions available here: PowerShell Library Source Code
I test if the member attribute has changed for what I consider a managed group. On additions, I get the LDAP path to the object ($v):
Function isMgdGroup2($Request) {
    If ( IsObjectClassRequested("group", $Request) -eq $false ) {
        log $([string]::Format("{0} is not a group", $Request.name))
        Return $false
    }
    $groupType = GetAttribute("groupType", $Request)
    log $([string]::Format("{0} has a group type of {1}", $Request.name, $groupType))
    If ( $groupType -eq $DSGroup ) {
        log $([string]::Format("{0} is a global group", $Request.name))
        return $true
    } elseif ( $groupType -eq $UGGroup ) {
        If ( $Request.name.startswith("UA-A-") ) {
            Return $false
        } Else {
            Return $true
        }
    } Else {
        Return $false
    }
}
# ADSI ADS_PROPERTY_OPERATION_ENUM value for an append (add values) operation
$ADS_PROPERTY_APPEND = 3

function onPreModify($Request)
{
    if (IsAttributeModified("member", $Request)) {
        If ( isMgdGroup2($Request) ) {
            for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
                $item = $Request.Item($i)
                if ($item.name -eq "member" -and $item.ControlCode -eq $ADS_PROPERTY_APPEND ) {
                    foreach( $val in $item.Values ) {
                        # $val is the DN of the member being added
                        $path = $val
                    }
                }
            }
        }
    }
}
What I want to do is verify the object is a user. I've tried using System.DirectoryServices.DirectoryEntry. For example
function isContactObj([string]$path)
{
    $obj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$path")
    if ($obj.objectClass.Contains("contact")) {
        return $true  # contact object
    } else {
        return $false # not a contact
    }
}
The problem I have is ARS manages two domains that are not in the same forest. The ARS server is in domain A. When I create a new DirectoryEntry() object for a Domain A group, it works. When I try to do this for Domain B, it doesn't. It returns null. Get-ADUser seems to work if I specify the domain using -Server. I could do something like:
if ($path.EndsWith("dc=domaina,dc=company,dc=com")) {
    $server = "domaina.company.com"
} else {
    $server = "domainb.company.com"
}
Is there a better way to handle this in ARS?
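One way to avoid hard-coding a server per domain, as an added example that is not part of the original post and not code from the ARS PowerShell library: derive the owning domain's DNS name from the DC= components of the member's DN and bind the DirectoryEntry against that domain (`LDAP://domain/DN`) rather than serverless against the domain the ARS server lives in. The ARS-specific parts are assumptions: `$Request`, `IsAttributeModified` and `isMgdGroup2` are taken to be the objects and library helpers used in the post (called here with ordinary PowerShell positional-argument syntax), `$ADS_PROPERTY_APPEND` is the ADSI value 3, and throwing from the pre-event handler is assumed to be what makes ARS reject the request.

```powershell
# Added example; not from the original post or the ARS library.
# Assumption: ADSI ADS_PROPERTY_OPERATION_ENUM value for append.
$ADS_PROPERTY_APPEND = 3

# Build the domain DNS name from the DC= parts of a DN, so the bind goes to the
# domain that actually holds the object, whichever forest it is in.
# e.g. "CN=Bob,OU=Staff,DC=domainb,DC=company,DC=com" -> "domainb.company.com"
# (escaped commas inside a CN never match DC=, so they are harmless here).
function Get-DomainFromDN([string]$dn) {
    $dcParts = foreach ($rdn in ($dn -split ',')) {
        if ($rdn.Trim() -match '^(?i)DC=(.+)$') { $Matches[1] }
    }
    if (-not $dcParts) { throw "No DC= components found in '$dn'" }
    return ($dcParts -join '.')
}

# Bind to the object in its own domain and report whether it is a contact.
# RefreshCache forces the bind, so a missing object or a trust/connectivity
# problem surfaces as an error instead of an empty objectClass.
function Test-IsContact([string]$dn) {
    $domain = Get-DomainFromDN $dn
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$dn")
    try {
        $entry.RefreshCache(@('objectClass'))
        return [bool]($entry.Properties['objectClass'] -contains 'contact')
    } finally {
        $entry.Dispose()
    }
}

function onPreModify($Request) {
    # Only care about member additions on managed groups (helpers as in the post).
    if (-not (IsAttributeModified "member" $Request)) { return }
    if (-not (isMgdGroup2 $Request)) { return }

    for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
        $item = $Request.Item($i)
        if ($item.name -ne 'member' -or $item.ControlCode -ne $ADS_PROPERTY_APPEND) { continue }

        foreach ($dn in $item.Values) {
            if (Test-IsContact $dn) {
                # Assumption: an exception from a pre-event handler denies the ARS request.
                throw "Contact objects may not be added to managed group $($Request.name): $dn"
            }
        }
    }
}
```

Failing closed is deliberate: if the cross-domain bind itself fails (no trust, DNS, or the object does not exist), `Test-IsContact` throws and the modification is rejected rather than silently allowed as "not a contact", which is the failure mode the original `isContactObj` has when `DirectoryEntry` returns nothing for a Domain B path.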