
Copy group memberships from template based on property values


Group membership

The scripts copy group membership from a template user to the target user. The template user is selected based on property values. Initial membership of the target user is cleared. To execute either of the scripts, create a business rule, custom command or scheduled task configured for the User object type.

Script 1: Template user is determined based on a single property value

Parameters

  • $propertyName - the name of the property whose value will be used to determine the template user to copy group membership from. You can use a multi-valued property in the variable (e.g. CustomAttributeTextMultiValue1). In this case, group membership will be copied from each template user that corresponds to each property value.
  • $propertyToTemplateMap - maps property values to the distinguished names (DNs) of the corresponding template users. For information on how to get the DNs, see Get the DN of a directory object.
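$propertyName = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$propertyToTemplateMap = @{
    "Administration" = "CN=_Administration_Department_Template,CN=Users,DC=example,DC=com"
    "IT" = "CN=_IT_Department_Template,CN=Users,DC=example,DC=com"
    "Sales" = "CN=_Sales_Department_Template,CN=Users,DC=example,DC=com"
} # TODO: modify me

# Get the primary group identifier. The primary group is never removed or
# re-added below; membership in it is not held in the group's member list.
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Get all groups the user is a direct member of (as GUID byte arrays).
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Clear the user's current direct membership, except for the primary group.
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group by GUID.
    $groupGuid = [Guid]$groupGuidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's primary group.
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group.
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Get the property values that select the template user(s).
# GetEx throws when the property has no values; that is treated as "nothing to add".
try
{
    $values = $Context.TargetObject.GetEx($propertyName)
}
catch
{
    $Context.LogMessage("Could not add the user to any groups, because the '$propertyName' property is empty", "Warning")
    return
}

# Collect the direct groups of every matching template user. A set is used so a
# group shared by several templates is added only once.
$groupsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($value in $values)
{
    # A value with no mapping must not be passed to BindToObjectByDn as a null DN;
    # warn and move on to the next value instead of failing the whole script.
    $templateUserDN = $propertyToTemplateMap[$value]
    if ([System.String]::IsNullOrEmpty($templateUserDN))
    {
        $Context.LogMessage("No template user is specified for value '$value' of property '$propertyName'. Skipping this value.", "Warning")
        continue
    }

    # Bind to the template user.
    $templateUser = $Context.BindToObjectByDn($templateUserDN)

    # Get all groups the template user is a direct member of.
    try
    {
        $templateGroupGuids = $templateUser.GetEx("adm-DirectMemberOfGuid")
    }
    catch
    {
        $Context.LogMessage("Could not read group membership of template user '$templateUserDN': $($_.Exception.Message)", "Warning")
        continue
    }

    foreach ($templateGroupGuidBytes in $templateGroupGuids)
    {
        [void]$groupsToAdd.Add([Guid]$templateGroupGuidBytes)
    }
}

# Add the user to every collected group.
foreach ($guid in $groupsToAdd)
{
    # Bind to the group.
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")

    # Skip the group if it is the user's primary group.
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}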

Script 2: Template user is determined based on a combination of two property values

Parameters

  • $firstPropertyName - the name of the first property whose value will be used to determine the template user to copy group membership from.
  • $secondPropertyName - the name of the second property whose value will be used to determine the template user to copy group membership from.
  • $templateUsersInfo - maps combinations of the two property values (separated by a semicolon) to the distinguished names (DNs) of the corresponding template users. For information on how to get the DNs, see Get the DN of a directory object.
  • $groupDNsToKeet - distinguished names (DNs) of groups the target user will not be removed from even if the template user is not a member of the groups. Set the variable to an empty array for the entire group membership to be replaced.
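$firstPropertyName = "l" # TODO: modify me
$secondPropertyName = "employeeType" # TODO: modify me
$templateUsersInfo = @{
    "New York;Sales" = "CN=TemplateUser1,CN=Users,DC=example,DC=com"
    "Washington;IT" = "CN=TemplateUser2,CN=Users,DC=example,DC=com"
} # TODO: modify me
$groupDNsToKeet = @("CN=MyGroup1,OU=Groups,DC=example,DC=com", "CN=MyGroup2,OU=Groups,DC=example,DC=com") # TODO: modify me

# Get the first property value of the user. Get throws when the property is empty.
try
{
    $firstValue = $Context.TargetObject.Get($firstPropertyName)
}
catch
{
    $Context.LogMessage("Property $firstPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Get the second property value of the user.
try
{
    $secondValue = $Context.TargetObject.Get($secondPropertyName)
}
catch
{
    $Context.LogMessage("Property $secondPropertyName is empty. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Look up the template user DN for the value combination.
$templateUserDN = $templateUsersInfo["$firstValue;$secondValue"]
if ([System.String]::IsNullOrEmpty($templateUserDN))
{
    $Context.LogMessage("No source user is specified for combination property $firstPropertyName equals $firstValue and property $secondPropertyName equals $secondValue. Group membership of user %fullname% will not be updated.", "Warning")
    return
}

# Bind to the template user and read its direct groups BEFORE changing anything,
# so a wrong DN or an unreadable template aborts the script with the user's
# membership still intact.
$templateUser = $Context.BindToObjectByDn($templateUserDN)
$templateGroupGuidsBytes = $templateUser.GetEx("adm-DirectMemberOfGuid")

# Resolve the groups to keep to GUIDs so they can be matched against
# the GUIDs returned by adm-DirectMemberOfGuid.
$groupGuidsToKept = New-Object System.Collections.Generic.HashSet[System.Guid]
foreach ($dn in $groupDNsToKeet)
{
    $group = $Context.BindToObjectByDn($dn)
    [void]$groupGuidsToKept.Add([Guid]$group.Get("objectGUID"))
}

# Get all groups the user is a direct member of.
$groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the primary group identifier. The primary group is never removed or re-added.
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# GUIDs of groups the user stays in (kept groups). They are excluded from the add
# loop below, because adding a member that is already present fails.
$remainingGroupGuids = New-Object System.Collections.Generic.HashSet[System.Guid]

foreach ($guidBytes in $groupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes
    if ($groupGuidsToKept.Contains($groupGuid))
    {
        [void]$remainingGroupGuids.Add($groupGuid)
        continue
    }

    # Bind to the group.
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's primary group.
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group.
    $group.Remove($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}

# Add the user to every group the template user is a direct member of.
foreach ($guidBytes in $templateGroupGuidsBytes)
{
    $groupGuid = [Guid]$guidBytes

    # The user is still a member of the kept groups; do not add them a second time.
    if ($remainingGroupGuids.Contains($groupGuid))
    {
        continue
    }

    # Bind to the group.
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's primary group.
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    $group.Add($Context.TargetObject.AdsPath)
    $groupName = $group.Get("cn")
    $Context.LogMessage("Added the user to group '$groupName'", "Information")
}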
