Update values allowed by property pattern with group members

Updated on: Jan 18, 2026

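The script updates the list of values that a property pattern allows for a DN syntax property, replacing it with the members of the specified groups. Only direct members that are user accounts are included: the script reads adm-DirectMembersGuid from each group and restricts the search to the user object type. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain is used only to trigger execution of the scheduled task.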

Parameters

  • $groupDNs - the distinguished names (DNs) of the groups whose members will be set as allowed property values. For information on how to get the DNs, see Get the DN of a directory object.
  • $propertyName - the name of the property for which the list of allowed values will be updated in a property pattern.
  • $isPropertyRequired - if set to $true, the property will be set as required in the property pattern.
  • $patternDN - the distinguished name (DN) of the property pattern to update.

$groupDNs = @("CN=Managers1,OU=Groups,DC=domain,DC=com", "CN=Managers2,OU=Groups,DC=domain,DC=com") # TODO: modify me
$patternDN = "CN=User,CN=Builtin,CN=Property Patterns,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$propertyName = "seeAlso" # TODO: modify me
$isPropertyRequired = $True # TODO: modify me

# Get member GUIDs
$allMemberGuidBytes = New-Object "System.Collections.Generic.HashSet[Byte[]]"
foreach ($groupDN in $groupDNs)
{
    try
    {
        $group = $Context.BindToObjectByDN($groupDN)
        $memberGuidsBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        # Skip groups that cannot be bound or whose member GUIDs cannot be read.
        continue
    }

    $memberGuidsBytes | ForEach-Object { [void]$allMemberGuidBytes.Add($_) }
}

if ($allMemberGuidBytes.Count -eq 0)
{
    $Context.LogMessage("Groups have no members.", "Warning")
    return
}

# Search parameters
$searcher = $Context.CreateGuidBasedSearcher(@($allMemberGuidBytes))
$criteriaUser = New-AdmCriteria "user"
$searcher.AddCriteria($criteriaUser)
$searcher.SetPropertiesToLoad(@("distinguishedName"))
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Groups have no members that are users.", "Warning")
        return
    }
    
    $memberDNs = New-Object System.Collections.ArrayList
    foreach ($searchResult in $searchResults)
    {
        # ArrayList.Add returns the new index; discard it so it is not emitted as output.
        [void]$memberDNs.Add($searchResult.GetPropertyByName("distinguishedName").Values[0])
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

# Bind to the property pattern.
$pattern = $Context.BindToObjectByDN($patternDN)

# Delete the existing item for the property. Its constraints are discarded
# and replaced by the item created below.
foreach ($item in $pattern.Items)
{
    if ($item.PropertyName -ieq $propertyName)
    {
        $pattern.Items.Remove($item)
        break
    }
}

# Create a new item for property.
$item = $pattern.Items.Create()
$item.PropertyName = $propertyName
$item.IsPropertyRequired = $isPropertyRequired

$constraints = $item.GetConstraints()
$constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $memberDNs.ToArray()
$constraints.Add($constraint)
$item.SetConstraints($constraints)

# Save the changes
$item.SetInfo()
$pattern.Items.Add($item)
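
The script collects member GUIDs in a HashSet[Byte[]], which compares arrays by reference, so a user who is a direct member of more than one of the groups is stored once per group. The following is an added example, not part of the original script, that shows this and one way to deduplicate the GUIDs by value; the helper name Get-UniqueGuidBytes and the sample GUID are constructed for illustration.

```powershell
# Added example. Get-UniqueGuidBytes is a hypothetical helper; the GUID below is constructed.
function Get-UniqueGuidBytes
{
    param([Byte[][]]$GuidBytes)

    $seen = New-Object "System.Collections.Generic.HashSet[Guid]"
    $unique = New-Object "System.Collections.Generic.List[Byte[]]"
    foreach ($bytes in $GuidBytes)
    {
        # A GUID is exactly 16 bytes; ignore empty or malformed values.
        if ($null -eq $bytes -or $bytes.Length -ne 16) { continue }

        # Guid is a value type, so HashSet[Guid] compares content, not references.
        $guid = New-Object System.Guid -ArgumentList (,$bytes)
        if ($seen.Add($guid)) { $unique.Add($bytes) }
    }

    # The leading comma keeps the result an array even when it has one element.
    return ,$unique.ToArray()
}

# Constructed sample: one user who is a direct member of two groups, so the
# same GUID arrives as two separate byte arrays.
$sample = [Guid]"11111111-2222-3333-4444-555555555555"
$fromGroup1 = $sample.ToByteArray()
$fromGroup2 = $sample.ToByteArray()

# What the script does: Byte[] has no value equality, so both copies are kept.
$byReference = New-Object "System.Collections.Generic.HashSet[Byte[]]"
[void]$byReference.Add($fromGroup1)
[void]$byReference.Add($fromGroup2)
Write-Output "HashSet[Byte[]] entries: $($byReference.Count)"

# Deduplicated by value.
$unique = Get-UniqueGuidBytes -GuidBytes @($fromGroup1, $fromGroup2)
Write-Output "Unique GUIDs: $($unique.Length)"
```

The returned array has the same shape as @($allMemberGuidBytes) in the script, an array of 16-byte arrays.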
