Script repository

Add user to a specific group if they are owners of at least one group

Updated on: Jan 18, 2026, Views: 116

Group membership, Managers and subordinates

The script adds a user to a specific group if they are owners of at least one group. Group ownership is determined only according to the adm-Owners calculated property. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.

In the script, the $groupDN variable specifies the distinguished name (DN) of the group to add group owners to. For information on how to get the DN, see Get the DN of a directory object.

$groupDN = "CN=MyGroup,OU=Groups,DC=example,DC=com" # TODO: modify me

function SearchObjects($criteria, $properties)
{
    # Search parameters: the scheduled task target (the domain) is used as the
    # searcher, and VirtualRoot = $True extends the search to all managed domains
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($properties)
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        # The leading comma keeps a single result from being unrolled into a scalar
        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator) { $searchResultIterator.Dispose() }
    }
}

# Get groups with owners. The adm-Owners calculated property is only loaded here;
# it returns both primary (Managed By) and secondary owners.
$groupCriteria = New-AdmCriteria "group" -Expression {directOwners -empty $False}
$groupSearchResults = SearchObjects $groupCriteria @("adm-Owners")
$ownerDNs = [string[]]($groupSearchResults.Values | Select-Object -Unique)

if (-not $ownerDNs)
{
    $Context.LogMessage("No group owners found, nothing to do.", "Information")
    return
}

# Get users from group owners. Owners that are not user objects (e.g. groups) are
# dropped here because the criteria are restricted to the user type.
$userCriteria = New-AdmCriteria
$simpleItem = $userCriteria.CreateSimple()
$simpleItem.SetProperty("distinguishedName").SetComparisonOperator("eq").SetValueLogicalOperator("OR").AddValues($ownerDNs)
$userCriteria.AddType("user", $simpleItem)

$userSearchResults = SearchObjects $userCriteria @("distinguishedName")
$userDNs = $userSearchResults.Value

# Update group members. Put replaces the whole member list, so after SetInfo the
# group contains exactly the owner users found above and nothing else.
$group = $Context.BindToObjectByDN($groupDN)
$group.Put("member", $userDNs)
$group.SetInfo()
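The script commits all members in a single Put/SetInfo call, so one DN the directory rejects (in the comments below, a cloud-only account) fails the whole update and nobody gets added. The following is an added example, not part of the original script or of the Adaxes repository, that adds each owner individually with the IADsGroup Add method and reports per-user failures through $Context.LogMessage so an administrator can see which DNs were skipped. It assumes the same $Context and $groupDN as the script above; the $userDNs list is a constructed sample input standing in for the script's search result.

```powershell
# Added example: reconcile group membership one owner at a time so that a DN that
# cannot be added is logged and skipped instead of aborting the whole operation.
# Assumes the Adaxes $Context object and the $groupDN variable of the script above.
$groupDN = "CN=MyGroup,OU=Groups,DC=example,DC=com" # TODO: modify me

# Constructed sample input; in the script this is the result of the user search
$userDNs = @(
    "CN=Owner One,OU=Users,DC=example,DC=com",
    "CN=Owner Two,OU=Users,DC=example,DC=com"
)

$group = $Context.BindToObjectByDN($groupDN)
$added = 0
$alreadyMember = 0
$failed = 0

foreach ($dn in $userDNs)
{
    try
    {
        $user = $Context.BindToObjectByDN($dn)

        # Skip users who are already direct members
        if ($group.IsMember($user.AdsPath))
        {
            $alreadyMember++
            continue
        }

        # IADsGroup::Add commits immediately, no SetInfo() is required
        $group.Add($user.AdsPath)
        $added++
    }
    catch
    {
        # One rejected DN (e.g. a cloud-only user) no longer hides all other results
        $failed++
        $Context.LogMessage("Could not add '$dn' to '$groupDN': $($_.Exception.Message)", "Warning")
    }
}

$Context.LogMessage("Group '$groupDN': added $added, already members $alreadyMember, failed $failed", "Information")
```

Unlike the Put/SetInfo form, this variant never removes existing members; if the group is meant to contain only owners, members who are no longer owners would have to be removed in a separate step.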

Comments (6)

  • Christian

    Hi,

    You wrote: "Group ownership is determined only according to the Managed By property."

    However, within the script you use the attribute adm-Owners. This is an internal Adaxes attribute. Shouldn't it be managedBy instead?

    Additionally, I tested the script with both attributes, and the group is not being populated.

    Questions:

    1. Which attribute should be used for standard AD group ownership?
    2. Will the script also consider nested owner groups (i.e., if a group is set as an owner, will its members be included)?

    Thanks

    • Support

      Hello Christian,

      The adm-Owners calculated property is only loaded; it is not used in the search criteria for groups. The property can be used to get both primary and secondary owners of an object at the same time. However, your assumption is still correct, and we updated the script description accordingly. If you want the script to only affect the users who are specified in the Managed By property of a group, replace this line in the script

      $groupSearchResults = SearchObjects $groupCriteria @("adm-Owners")

      with the following one

      $groupSearchResults = SearchObjects $groupCriteria @("managedBy")
      • Christian

        Hi,

        Thanks for your answer and clarification.

        I noticed another issue in the script: the variable memberDNs is never populated or assigned a value, yet it's being used at the end of the script. Should this actually be userDNs instead?

        I tested the script using userDNs in place of memberDNs, but now I'm encountering this error:

        Exception calling "SetInfo" with "0" argument(s): "The specified account does not exist."
        Stack trace: at <ScriptBlock>, <No file>: line 46

        When I added a temporary output to check the $userDNs variable, I noticed it also contains cloud-only users. This is likely causing the problem, since cloud-only users cannot be added to on-premises groups.

        Question: Is it possible to filter both the groups and users to include only on-premises objects? This would prevent the script from attempting to add cloud-only users to on-prem groups.

        Thanks!

        • Support

          Hello Christian,

          Thank you for pointing out the issue. We updated the script accordingly.

          • Christian

            I am still getting the below error

            Exception calling "SetInfo" with "0" argument(s): "The specified account does not exist."
            Stack trace: at <ScriptBlock>, <No file>: line 46

            Did you see my observation and comment about cloud-only user objects?

            • Support

              Hello Christian,

              The error occurs because a user cannot be added to the specified group. For us to suggest a solution, please describe the entire desired behavior you require in all possible detail, with live examples. Also, please specify the purpose of the group with the members.

              In addition to the above, please, send us (support@adaxes.com) a screenshot of the Multi-server environment dialog. The dialog displays how many Adaxes services you have and what their versions are. For information on how to view it, see https://www.adaxes.com/help/MultiServerEnvironment.
