Script to create dynamic group

Hello ;)

Do you know if it's possible to use a script to create Dynamic group?

Or by using a activity in a Workflow?

Thanks ;)

Gégé


  •  Hi  

    Yes it is totally possible to create Dynamic Groups via a script, which would also mean with the correctly written script you can do this via a workflow.

    The process for converting a dynamic group is very similar to that of programmatically creating a Managed Unit, just binding to a group object, instead of a managed unit object.

    ### Variables
    # DN of target Group to convert
    $GroupDN = "CN=Group1,OU=MyGroups,DC=Test,DC=Domain,DC=com"

    # Membership Rule variables
    $RuleSearchRoot = "OU=MyUsers,DC=Test,DC=Domain,DC=com" # BASE
    $LDAPFilter = "(|(objectClass=user)(Department=ARS Team))" # FILTER

    ### Code
    # Bind to the group through the Active Roles ADSI provider (EDMS://)
    $EDMSstring = "EDMS://$($GroupDN)"

    $GroupObject = [ADSI] $EDMSstring
    $RuleCollection = $GroupObject.MembershipRuleCollection

    # Create a new Include by Query rule
    $rule1 = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule1.Base = "EDMS://$($RuleSearchRoot)"
    $rule1.Filter = "$($LDAPFilter)"
    $rule1.Type = 1
    # Add the newly created membership rule to the rule collection
    $RuleCollection.Add($rule1)
    # Commit the modified rule collection to the directory
    $GroupObject.SetInfo()
    "Rule added"

    For other rule types, have a look within the Active Roles SDK under IEDMMembershipRule, which will give you more information (in VBScript) on what values are expected, IE:

    Hope this helps.

    Kind regards

    Stu

  • Thanks Stu.

    I tried the script, on a security group it works fine, but on a distribution group auto-populating does not happen.

    I keep looking;)

    See you soon Stu

  • Hi  

    This is by design, however it is configurable. 

    In the "Built-in Policy - Dynamic Groups" Administration Policy, the policy settings have by default a check in "Include only mail-enabled users in dynamic distribution groups"; uncheck this option, and try your script again.

    However, what is the purpose of your DLs? Are they being used to stage users prior to go-live of some service, where the group will then be changed from Distribution to Security?

    Kind regards

    Stu

  • Hello Stu,

    I changed the configuration of the built-in policy Dynamic Groups and it works fine!

    Thanks, thanks, thanks ! :)

  • So, I'm using the above script (modified for my environment of course), and I get to the '$RuleCollection.Add($rule1)' part and I get the following error:

    PS C:\Windows\system32> $objRuleCollection.Add($oBaseIncRule)
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $objRuleCollection.Add($oBaseIncRule)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    and when I look the $ObjRuleCollection object only has the following:

    PS C:\Windows\system32> $objRuleCollection

    OverloadDefinitions
    -------------------

    PS C:\Windows\system32> $objRuleCollection |GM


    TypeName: System.Management.Automation.PSMethod

    Name MemberType Definition
    ---- ---------- ----------
    Copy Method System.Management.Automation.PSM
    Equals Method bool Equals(System.Object obj)
    GetHashCode Method int GetHashCode()
    GetType Method type GetType()
    Invoke Method System.Object Invoke(Params Syst
    ToString Method string ToString()
    IsInstance Property bool IsInstance {get;}
    MemberType Property System.Management.Automation.PSM
    Name Property string Name {get;}
    OverloadDefinitions Property System.Collections.ObjectModel.C
    TypeNameOfValue Property string TypeNameOfValue {get;}
    Value Property System.Object Value {get;set;}

    Neither the $objGroup line, nor the $objRuleCollection lines are giving any errors.

    PS C:\Windows\system32> $objgroup


    distinguishedName :
    Path : EDMS://Sanitized\Newgroup_Dynamic_Users

    PS C:\Windows\system32>

    Anyone have some clue-bits they want to share?

    Thank you,

    Mike

  • EDMS://Sanitized\Newgroup_Dynamic_Users

    The object name needs to be in DN format:

    EDMS://CN=Newgroup_Dynamic_Users,OU=Sanitized

  • I'm still getting the same result. It successfully creates a group, but it does not add the rules, and the $objGroup.MembershipRuleCollection is still empty, or seemingly non-existent:

    PS C:\Windows\system32> $objGroup


    distinguishedName : {CN=NewGroup_More_Dynamic_Users,OU=Sanitize,DC=Sani,DC=Tized}
    Path : EDMS://CN=NewGroup_More_Dynamic_Users,OU=Sanitize,DC=Sani,DC=Tized

    PS C:\Windows\system32> $objRuleCollection.Add($oBaseIncRule) #Fails - ObjRuleCollection object does not have an "Add"
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $objRuleCollection.Add($oBaseIncRule) #Fails - ObjRuleCollection obje ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    PS C:\Windows\system32> $objRuleCollection.Add($oScndRule) #Fails - ObjRuleCollection object does not have an "Add"
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $objRuleCollection.Add($oScndRule) #Fails - ObjRuleCollection obje ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    PS C:\Windows\system32>
    PS C:\Windows\system32> $objGroup.MembershipRuleCollection
    PS C:\Windows\system32> $objGroup |GM


    TypeName: System.DirectoryServices.DirectoryEntry

    Name MemberType Definition
    ---- ---------- ----------
    ConvertDNWithBinaryToString CodeMethod static string ConvertDNWithBinaryToString(psobject deInstance, psobject dnWithBinaryInstance)
    ConvertLargeIntegerToInt64 CodeMethod static long ConvertLargeIntegerToInt64(psobject deInstance, psobject largeIntegerInstance)
    cn Property System.DirectoryServices.PropertyValueCollection cn {get;set;}
    distinguishedName Property System.DirectoryServices.PropertyValueCollection distinguishedName {get;set;}
    dSCorePropagationData Property System.DirectoryServices.PropertyValueCollection dSCorePropagationData {get;set;}
    groupType Property System.DirectoryServices.PropertyValueCollection groupType {get;set;}
    instanceType Property System.DirectoryServices.PropertyValueCollection instanceType {get;set;}
    name Property System.DirectoryServices.PropertyValueCollection name {get;set;}
    nTSecurityDescriptor Property System.DirectoryServices.PropertyValueCollection nTSecurityDescriptor {get;set;}
    objectCategory Property System.DirectoryServices.PropertyValueCollection objectCategory {get;set;}
    objectClass Property System.DirectoryServices.PropertyValueCollection objectClass {get;set;}
    objectGUID Property System.DirectoryServices.PropertyValueCollection objectGUID {get;set;}
    objectSid Property System.DirectoryServices.PropertyValueCollection objectSid {get;set;}
    sAMAccountName Property System.DirectoryServices.PropertyValueCollection sAMAccountName {get;set;}
    sAMAccountType Property System.DirectoryServices.PropertyValueCollection sAMAccountType {get;set;}
    uSNChanged Property System.DirectoryServices.PropertyValueCollection uSNChanged {get;set;}
    uSNCreated Property System.DirectoryServices.PropertyValueCollection uSNCreated {get;set;}
    whenChanged Property System.DirectoryServices.PropertyValueCollection whenChanged {get;set;}
    whenCreated Property System.DirectoryServices.PropertyValueCollection whenCreated {get;set;}

    Thanks,


    Mike

  • So, it may be a version problem. On the two "local" servers we seem to have version 7.0 of Quest Cmdlets installed, while on two other servers we seem to have version 7.4. The script as written works* on the servers with the 7.4 cmdlets.

    *More or less anyway, I now get "An invalid directory pathname was passed" when I do the  $objGroup.SetInfo(). There is something wrong with my second rule, if I only try to add the first rule, it works.

    Thanks everyone

  • Are you appending for your second rule to your Rule Collection before you do your SetInfo()?

  • (Was typing too fast above)

    I believe you need to build your full Rule Collection before committing it using SetInfo() - you don't commit the rules individually.
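As an added example (not code from the thread, nor from Active Roles itself), here is a variant of Stu's script that builds the whole rule collection before a single SetInfo(), as the last reply recommends, and checks up front for the two failure modes Mike hit: a group path that is not a DN, and a MembershipRuleCollection that comes back as a PSMethod or null. The group DN, search roots and filters are constructed placeholders; the EDMS:// provider, the EDSIManagedUnitCondition COM class and rule Type 1 (Include by Query) are taken from the original script.

```powershell
# Added example: commit several Include-by-Query rules with one SetInfo().
# Assumes the Active Roles ADSI provider (EDMS://) and the
# EDSIManagedUnitCondition COM class used in Stu's script are installed.
# DN, search roots and filters are constructed placeholders.

$GroupDN = "CN=Group1,OU=MyGroups,DC=Test,DC=Domain,DC=com"

# One entry per Include-by-Query rule (Type = 1, as in the original script).
$Rules = @(
    @{ Base = "OU=MyUsers,DC=Test,DC=Domain,DC=com";     Filter = "(&(objectClass=user)(department=ARS Team))" },
    @{ Base = "OU=Contractors,DC=Test,DC=Domain,DC=com"; Filter = "(&(objectClass=user)(title=Analyst))" }
)

# First failure mode in the thread: binding by a non-DN path such as
# "Sanitized\Newgroup_Dynamic_Users". Require a DN shape before binding.
# (Simple check: does not handle escaped commas inside RDN values.)
if ($GroupDN -notmatch '^CN=[^,]+(,(OU|DC|CN)=[^,]+)+$') {
    throw "GroupDN must be a distinguished name (CN=...,OU=...,DC=...): '$GroupDN'"
}

$GroupObject    = [ADSI] "EDMS://$GroupDN"
$RuleCollection = $GroupObject.MembershipRuleCollection

# Second failure mode: MembershipRuleCollection resolved to a PSMethod or
# nothing at all, so .Add() threw "cannot call a method on a null-valued
# expression". Fail early with a message that names the real problem.
if ($null -eq $RuleCollection -or
    $RuleCollection -is [System.Management.Automation.PSMethod]) {
    throw "MembershipRuleCollection is not available on '$GroupDN'; check the Active Roles client version and that the object is a group."
}

# Build every rule in memory; nothing is written to the directory yet.
foreach ($r in $Rules) {
    $rule        = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule.Base   = "EDMS://$($r.Base)"
    $rule.Filter = $r.Filter
    $rule.Type   = 1              # Include by Query
    $RuleCollection.Add($rule)
}

# Single commit for the whole collection, not one SetInfo() per rule.
$GroupObject.SetInfo()
"$($Rules.Count) rule(s) committed to $GroupDN"
```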