DESCRIPTION
When a client adds or removes group members, it updates the member attribute of the group object. This is true even when the operator selects a user object and adds it to several groups at once: it is the member attribute of each of those groups that is updated. member is a multi-valued attribute that stores the DNs of all current group members. To add members, the client sets a list of member DNs as the value of the "member" attribute with the ADS_PROPERTY_APPEND control code; to remove members, it sets the "member" attribute with the ADS_PROPERTY_DELETE control code. To detect this situation in a script policy and validate the new members, use the IADsPropertyList interface implemented by the Request object. The following code snippet shows how to check each member being added to or removed from a group.
NOTES
The ActiveRoles Server MMC Snap-in and Web Interface only add or remove individual values of the member attribute. Other applications or scripts, however, can rewrite the "member" attribute as a whole or clear all of its values. If a client rewrites the attribute, it sets the new values with item.ControlCode equal to ADS_PROPERTY_UPDATE. In this case you do not know which particular members were added or removed; you only have the complete new membership in the item.Values array. If a client clears the attribute, it sets item.ControlCode to ADS_PROPERTY_CLEAR and sends no values at all in item.Values. In both cases, if you need to know exactly which members are being added or removed, load the current group membership from AD (using the DirObj.GetEx("member") method call) and compare it to the item.Values array.
If a group is set as a user's primary group, that user's DN is not listed in the member attribute of the group. Instead, the primaryGroupID attribute of the user object stores the RID of the primary group; the RID is the last sub-authority of the group's SID (objectSid attribute). A check that looks only at the member attribute therefore never sees primary-group members.
Note: This code may use functions from the ARS Script Policy Best Practices. Follow the link to obtain instructions and code for those functions.
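The following handler is an added example and is not part of the original Script Center page or of the script in the SCRIPT section. It extends that script with the ADS_PROPERTY_UPDATE and ADS_PROPERTY_CLEAR cases described above: it reads the stored membership with DirObj.GetEx("member"), diffs it against item.Values, and runs the same per-member checks for the effective additions and removals. It assumes the ActiveRoles script-policy globals Request and DirObj and the ADS_PROPERTY_* constants exactly as the page's own script uses them; the ALLOWED_OU and PROTECTED_DN constants and the ValidateAdd/ValidateRemove rules are hypothetical placeholders for your own policy. It deliberately does not use the Request.Get("member") shortcut of the original script, because a CLEAR carries no values and the page does not say what that call returns in that case.

```vbscript
' Added example (not from the original page): validate group membership changes
' for APPEND, DELETE, UPDATE and CLEAR control codes.
' Assumes the ActiveRoles globals Request and DirObj and the ADS_PROPERTY_* constants.
Const ALLOWED_OU   = "OU=Admin Accounts,DC=example,DC=com"               ' hypothetical
Const PROTECTED_DN = "CN=BreakGlass,OU=Admin Accounts,DC=example,DC=com" ' hypothetical

Sub onPreModify(Request)
    If Request.Class <> "group" Then Exit Sub
    ' Scan the property list directly: a CLEAR sends no values, so no
    ' Request.Get("member") shortcut is used here.
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then
            Select Case item.ControlCode
                Case ADS_PROPERTY_APPEND                ' explicit additions
                    For Each v In item.Values
                        ValidateAdd v.DNString
                    Next
                Case ADS_PROPERTY_DELETE                ' explicit removals
                    For Each v In item.Values
                        ValidateRemove v.DNString
                    Next
                Case ADS_PROPERTY_UPDATE, ADS_PROPERTY_CLEAR
                    ' Full rewrite or clear: derive the effective adds/removes
                    ' by comparing the request with what AD currently stores.
                    Set current   = CurrentMembers()
                    Set requested = NewDnSet()
                    If item.ControlCode = ADS_PROPERTY_UPDATE Then
                        For Each v In item.Values
                            AddDn requested, v.DNString
                        Next
                    End If
                    For Each dn In requested.Keys        ' requested, not stored: add
                        If Not current.Exists(dn) Then ValidateAdd dn
                    Next
                    For Each dn In current.Keys          ' stored, not requested: remove
                        If Not requested.Exists(dn) Then ValidateRemove dn
                    Next
            End Select
            Exit Sub                                    ' member attribute handled
        End If
    Next
End Sub

' Case-insensitive set of DNs (DN matching in AD ignores case)
Function NewDnSet()
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare
    Set NewDnSet = d
End Function

Sub AddDn(dnSet, strDN)
    If Not dnSet.Exists(strDN) Then dnSet.Add strDN, True
End Sub

' Membership currently stored in AD. GetEx raises an error when the
' attribute is absent, i.e. the group is empty, so that case yields an empty set.
Function CurrentMembers()
    Set dnSet = NewDnSet()
    On Error Resume Next
    members = DirObj.GetEx("member")
    If Err.Number = 0 Then
        For Each dn In members
            AddDn dnSet, dn
        Next
    End If
    Err.Clear
    On Error GoTo 0
    Set CurrentMembers = dnSet
End Function

' True when strDN lies (at any depth) under the container strContainer
Function DnIsUnder(strDN, strContainer)
    DnIsUnder = (StrComp(Right(strDN, Len(strContainer) + 1), "," & strContainer, vbTextCompare) = 0)
End Function

' Raising an error from onPreModify makes ActiveRoles reject the request.
Sub ValidateAdd(strDN)
    If Not DnIsUnder(strDN, ALLOWED_OU) Then
        Err.Raise vbObjectError + 1, "Group membership policy", _
            "Cannot add " & strDN & ": members must reside under " & ALLOWED_OU
    End If
End Sub

Sub ValidateRemove(strDN)
    If StrComp(strDN, PROTECTED_DN, vbTextCompare) = 0 Then
        Err.Raise vbObjectError + 2, "Group membership policy", _
            "Cannot remove protected member " & strDN
    End If
End Sub
```

Two caveats apply when using the UPDATE/CLEAR branch. Reading the full membership on every rewrite is expensive for very large groups (and AD returns attributes with more than 1500 values in ranges, so confirm that the full list is actually returned in your environment before relying on it), and, as noted above, primary-group members never appear in the member attribute and so are invisible to this comparison.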
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Sub onPreModify(Request)
' Optimization: check that group object is being updated
If Request.Class <> "group" Then Exit Sub
' Optimization: check that attribute member is being updated for a group object
If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
' Go through properties being updated until member attribute found
For i=0 To Request.PropertyCount-1
Set item = Request.Item(i)
If item.Name = "member" Then
' Check that members are being added to a group
If item.ControlCode = ADS_PROPERTY_APPEND Then
For Each v In item.Values
strDN = v.DNString
' strDN is a DN of new member being added to a group
' Put your validation code here
Next
End If
' Check that members are being removed from a group
If item.ControlCode = ADS_PROPERTY_DELETE then
For Each v In item.Values
strDN = v.DNString
' strDN is a DN of a member being removed from a group
' Put your validation code here
Next
End If
' member attribute was validated, we can exit the procedure
Exit Sub
End If
Next
End Sub
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): <Not specified>