DESCRIPTION
The script policy provided below allows only computer accounts to be added to a group. It checks every group modification, and if a new member is not a computer account, the policy reports an error and the change is rejected.
Note: This code may use functions from the Active Roles Script Policy Best Practices.
Follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
' Script name: Allow only computers to be members of a group
' Version: 1.0.0
'
' This script policy, when applied to an OU or group,
' allows only computers to be added to a group
' This policy does not prevent removal of any current group member
' This policy does not report any policy incompliance
'
' Error message shown to the user when trying to add a member other than a computer object
Const c_ErrorMessage = "Only computers allowed to be members of this group"

' On group creation, if the member attribute was populated in the New Group wizard,
' validate the new members
Sub onPreCreate(Request)
    ' Optimization: process only group objects
    If Request.Class <> "group" Then Exit Sub
    ' Optimization: process the group only if the member attribute was set
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    ' Validate that all added members are computer accounts
    If CheckMembers(Request) = False Then
        ' Report error; raising the error makes Active Roles reject the request
        Err.Raise 5, "Administrative policy", c_ErrorMessage
    End If
End Sub

' On group modification, if the member attribute was updated,
' validate the new members
Sub onPreModify(Request)
    ' Optimization: process only group objects
    If Request.Class <> "group" Then Exit Sub
    ' Optimization: process the group only if the member attribute was set
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    ' Validate that all added members are computer accounts
    If CheckMembers(Request) = False Then
        ' Report error; raising the error makes Active Roles reject the request
        Err.Raise 5, "Administrative policy", c_ErrorMessage
    End If
End Sub

' Helper function: find the values of the member attribute in the request,
' then for each value bind to the object referenced by the value and validate its class.
' Returns True if all new members are allowed, otherwise returns False.
Function CheckMembers(Request)
    CheckMembers = True
    ' Find the member attribute among the other modified attributes
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then
            ' Check that members are being added or updated, not removed
            ' (removals are never blocked by this policy)
            If item.ControlCode = ADS_PROPERTY_APPEND Or item.ControlCode = ADS_PROPERTY_UPDATE Then
                ' For each new member...
                For Each v In item.Values
                    strDN = v.DNString
                    ' Bind to the member being added to validate its class
                    Set obj = GetObject("EDMS://" & strDN)
                    obj.GetInfoEx Array("objectClass"), 0
                    If obj.Class <> "computer" Then
                        ' A non-computer member was found: reject the whole request
                        CheckMembers = False
                        Exit Function
                    End If
                Next
            End If
            ' The member attribute appears only once in the request; nothing more to check
            Exit Function
        End If
    Next
End Function
'***** END OF CODE ***************************************************************