One Identity Community
Active Roles Community

Allow only computers to be members of a group

DESCRIPTION

The script policy provided below allows only computer accounts to be added to a group. It checks every group creation and modification request, and if a new member is not a computer account, the policy reports an error.

Note: This code may use functions from the Active Roles Script Policy Best Practices.

Follow the link to obtain instructions and code for those functions.


SCRIPT

'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
' Script name: Allow only computers to be members of a group
' Version: 1.0.0
'
' This script policy, when applied to an OU or group,
' allows only computers to be added to a group
' This policy does not prevent removal of any current group member
' This policy does not report any policy incompliance
'

' Error message shown to user when trying to add a member other than a computer object
Const c_ErrorMessage = "Only computers allowed to be members of this group"

' On group creation, if the member attribute was populated in the New Group wizard,
' validate new members
Sub onPreCreate(Request)
    ' Optimization: process only group objects
    If Request.Class <> "group" Then Exit Sub
    ' Optimization: process group only if member attribute was set
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    ' Validate that all added members are computer accounts
    If CheckMembers(Request) = False Then
        ' Report error
        Err.Raise 5, "Administrative policy", c_ErrorMessage
    End If
End Sub

' On group modification, if the member attribute was updated,
' validate new members
Sub onPreModify(Request)
    ' Optimization: process only group objects
    If Request.Class <> "group" Then Exit Sub
    ' Optimization: process group only if member attribute was set
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    ' Validate that all added members are computer accounts
    If CheckMembers(Request) = False Then
        ' Report error
        Err.Raise 5, "Administrative policy", c_ErrorMessage
    End If
End Sub

' Helper function: find values for member attribute,
' then for each value bind to the object, referenced by value, and validate its class
' Return True if all new members are allowed, otherwise return False
Function CheckMembers(Request)
    Dim i, item, v, strDN, obj
    CheckMembers = True
    ' Find the member attribute among other modified attributes
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then
            ' Check that members are being added or updated, not removed.
            ' ADS_PROPERTY_UPDATE (2) and ADS_PROPERTY_APPEND (3) are ADSI constants;
            ' if they are not defined in your script or library, they evaluate to Empty
            ' and this check never matches, so no member is validated.
            If item.ControlCode = ADS_PROPERTY_APPEND Or item.ControlCode = ADS_PROPERTY_UPDATE Then
                ' For each new member...
                For Each v In item.Values
                    strDN = v.DNString
                    ' Bind to the member being added to validate its class
                    Set obj = GetObject("EDMS://" & strDN)
                    obj.GetInfoEx Array("objectClass"), 0
                    If obj.Class <> "computer" Then
                        CheckMembers = False
                        Exit Function
                    End If
                Next
            End If
            ' The member attribute has been processed; no need to look further
            Exit Function
        End If
    Next
End Function
'***** END OF CODE ***************************************************************
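
The policy validates members only as they are added and, per its header comments, does not report existing incompliance, so a group may already hold non-computer members from before the policy was applied. The standalone audit below is an added example, not part of the original One Identity sample; it assumes it is run with cscript against the native LDAP provider, and the group DN in the usage comment is a constructed placeholder.

```vbscript
' Added example (not part of the original sample).
' Lists existing members of a group that are not computer accounts.
' Usage (the DN is a constructed placeholder):
'   cscript //nologo AuditGroup.vbs "CN=Workstations,OU=Groups,DC=example,DC=com"
' Exit codes: 0 = only computers, 1 = violations found, 2 = usage or bind error
Option Explicit

Dim strGroupDN, objGroup, objMember, nViolations

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo AuditGroup.vbs <group distinguished name>"
    WScript.Quit 2
End If
strGroupDN = WScript.Arguments(0)

' Bind through the native LDAP provider (assumption: run outside Active Roles)
On Error Resume Next
Set objGroup = GetObject("LDAP://" & strGroupDN)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strGroupDN & ": " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

If LCase(objGroup.Class) <> "group" Then
    WScript.Echo strGroupDN & " is not a group"
    WScript.Quit 2
End If

nViolations = 0
For Each objMember In objGroup.Members
    ' Same test as the policy: the object's class must be "computer"
    If LCase(objMember.Class) <> "computer" Then
        nViolations = nViolations + 1
        WScript.Echo objMember.Class & vbTab & objMember.Get("distinguishedName")
    End If
Next

WScript.Echo nViolations & " non-computer member(s) found"
If nViolations > 0 Then WScript.Quit 1
```

The non-zero exit code on violations lets a scheduled task or monitoring job flag the group for review.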

  • © 2025 One Identity LLC. ALL RIGHTS RESERVED.