Ldap filter for edsaDGOriginatingService

Hello All,

I don't see a way to do an LDAP filter for edsaDGOriginatingService. It seems to not work. I can use some virtual attributes to do an LDAP filter, but this one is not working.

We have over 8k dynamic groups and I need to filter just those that have a specific one. I know I can do a where, but it takes forever with -Dynamic $true having so many of them.

Lu

  • Can you show us how / where you have been trying to do this? For example, in a PowerShell script or in a membership rule for a Managed Unit?

  • Hi  ,

    I've been working to get a script in place to make sure that when a dynamic group is created it is not sitting on 3 specific servers. I plan to run a daily job that will look for those and change them. We run a lot of daily jobs, and with this running daily it takes up a lot of resources, so I need to cut the run time down. Running the following takes a long time to complete; even when changing only a few a day, it needs to query through all the dynamic groups, of which we have over 8k. We currently have 6 ARS servers, and 1, 2 and 3 are used for the web front end, which we do not want any dynamic groups sitting on. Here is the script I put together, but again it is taking a very long time to run.

    $arsServer = "ARS-Server4.something.com"

    Get-QADGroup -SizeLimit 0 -Dynamic $TRUE -proxy -DontUseDefaultIncludedProperties -IncludedProperties edsaDGOriginatingService -SearchRoot "DC=something,DC=com" |
    where {$_.edsaDGOriginatingService -ne "ARS-Server4.something.com" -and $_.edsaDGOriginatingService -ne "ARS-Server5.something.com" -and $_.edsaDGOriginatingService -ne "ARS-Server6.something.com"}  |
    Set-QADGroup -proxy -ObjectAttributes @{'edsaDGOriginatingService'="$arsServer"}

    If you have any other suggestions on how to ensure dynamic groups are not assigned to servers, I would appreciate any help.
    Thanks in advance for any help.

    Lu

  • Hi  

    The script below should do something similar to what you're trying

    Clear-Host
    # Administration Services that must not own any dynamic group
    $DisallowedARSServer = @('ARS001.Domain.Com','ARS002.Domain.Com','ARS003.Domain.Com')
    
    # Administration Service that affected groups are moved to
    $NewARSServer = "ARS004.Domain.Com"
    
    $SearchRoot = "DC=Domain,DC=Com"
    $SizeLimit = 0    # 0 = no limit on the number of results
    $Groups = $null
    
    # Fetch every dynamic group once, requesting only the attribute that is needed
    $DGGroups = Get-QADGroup -DontUseDefaultIncludedProperties -SearchRoot $SearchRoot -SizeLimit $SizeLimit -Dynamic $true -Proxy -IncludedProperties edsaDGOriginatingService
    
    ForEach($DGGroup in $DGGroups)
    {
        # Only touch groups whose originating service is on the disallowed list
        if($DGGroup.edsaDGOriginatingService -in $DisallowedARSServer)
        {
            Write-Host "$($DGGroup.name) is pointed to `'$($DGGroup.edsaDGOriginatingService)`'"
            Set-QADGroup -Identity $DGGroup.DN -Proxy -ObjectAttributes @{'edsaDGOriginatingService'="$NewARSServer"} | Out-Null
        }
        
    }

    The other option might be to use a workflow to intercept the conversion to a DG and change the value of edsaDGOriginatingService to a fixed value

  •  

    Thanks Stu I will test this one out.