DESCRIPTION
When an Active Roles client adds members to or removes members from a group, it updates the member attribute of the group object. Even when the initiator selects a user object and adds it to multiple groups, it is the member attribute of each of those groups that is updated, not an attribute of the user. member is a multi-valued attribute that stores the DNs of all current group members. To add new members, the client sets a list of member DNs as the "member" attribute value with the ADS_PROPERTY_APPEND control. To remove members, the client sets the "member" attribute value with the ADS_PROPERTY_DELETE control (the constant the script below checks for). To detect this situation in a script policy and validate new members, use the IADsPropertyList interface implemented by the Request object. The following code snippet shows how to check each member being added to or removed from a group.
NOTES
The Active Roles Console and Web Interface only add or remove values of the member attribute. However, other applications (or scripts) can update (re-write) the "member" attribute or clear all of its values. If the client updates the attribute, it sets the new values with item.ControlCode equal to ADS_PROPERTY_UPDATE. Note that in this case you do not know which particular members were added or removed; you only have the full new group membership in the item.Values array. If the client clears the attribute, it sets item.ControlCode equal to ADS_PROPERTY_CLEAR, and no values are sent to the Active Roles service in the item.Values array. In these cases, if you need to know exactly which members were added or removed, load the current group membership from AD (using the DirObj.GetEx("member") method call) and compare it with the item.Values array.
If a group is set as the primary group of a user, that user's DN is not listed in the member attribute of the group. Instead, the "primaryGroupID" attribute of the user object stores the RID of the primary group. The RID is a part of the group's SID (objectSid attribute), so primary-group members are not visible to the check below.
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
' onPreModify runs before the request is committed, so a validation failure here
' can still deny the change. ADS_PROPERTY_APPEND and ADS_PROPERTY_DELETE are the
' standard ADSI control codes (values 3 and 4) available to Active Roles scripts.
Sub onPreModify(Request)
    Dim i, item, v, strDN
    ' Optimization: check that a group object is being updated
    If Request.Class <> "group" Then Exit Sub
    ' Optimization: check that the member attribute is being updated for the group
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    ' Go through the properties being updated until the member attribute is found
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then
            ' Check that members are being added to the group
            If item.ControlCode = ADS_PROPERTY_APPEND Then
                For Each v In item.Values
                    strDN = v.DNString
                    ' strDN is the DN of a new member being added to the group
                    ' Put your validation code here
                Next
            End If
            ' Check that members are being removed from the group
            If item.ControlCode = ADS_PROPERTY_DELETE Then
                For Each v In item.Values
                    strDN = v.DNString
                    ' strDN is the DN of a member being removed from the group
                    ' Put your validation code here
                Next
            End If
            ' The member attribute has been validated; exit the procedure
            Exit Sub
        End If
    Next
End Sub
'***** END OF CODE ***************************************************************
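The NOTES section explains that ADS_PROPERTY_UPDATE and ADS_PROPERTY_CLEAR carry no per-member information, so the script has to compare the incoming value list with the membership currently in AD. The following added example (not part of the original article or of the Active Roles product code) does that comparison for all four control codes and, as an illustrative rule, denies a request that would leave the group empty by raising an error from onPreModify. It assumes DirObj is the group object being modified (as supplied to Active Roles script policies) and that the ADSI ADS_PROPERTY_* constants are available, as in the script above.

```vbscript
' Added example; assumes DirObj (the group being modified) and the ADSI ADS_PROPERTY_* constants.
Function NewDnSet()   ' dictionary keyed by DN, case-insensitive like AD
    Set NewDnSet = CreateObject("Scripting.Dictionary"): NewDnSet.CompareMode = vbTextCompare
End Function
' Fills added/removed with member DNs and returns the member count after the change.
Function MemberChanges(item, groupObj, added, removed)
    Dim current, incoming, members, v, dn, cc
    Set current = NewDnSet(): Set incoming = NewDnSet(): cc = item.ControlCode
    On Error Resume Next   ' GetEx raises E_ADS_PROPERTY_NOT_FOUND for a group without members
    members = groupObj.GetEx("member")
    On Error GoTo 0
    If IsArray(members) Then
        For Each dn In members: current(dn) = True: Next
    End If
    If cc <> ADS_PROPERTY_CLEAR Then   ' CLEAR sends no values at all
        For Each v In item.Values: incoming(v.DNString) = True: Next
    End If
    ' APPEND lists additions; UPDATE lists the full new membership, so additions are the same set
    If cc = ADS_PROPERTY_APPEND Or cc = ADS_PROPERTY_UPDATE Then
        For Each dn In incoming.Keys
            If Not current.Exists(dn) Then added(dn) = True
        Next
    End If
    If cc = ADS_PROPERTY_DELETE Then   ' listed DNs are removals
        For Each dn In incoming.Keys
            If current.Exists(dn) Then removed(dn) = True
        Next
    End If
    ' UPDATE: current members missing from the new list; CLEAR: every current member
    If cc = ADS_PROPERTY_UPDATE Or cc = ADS_PROPERTY_CLEAR Then
        For Each dn In current.Keys
            If Not incoming.Exists(dn) Then removed(dn) = True
        Next
    End If
    MemberChanges = current.Count + added.Count - removed.Count
End Function
Sub onPreModify(Request)
    Dim i, item, added, removed
    If Request.Class <> "group" Then Exit Sub
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then
            Set added = NewDnSet(): Set removed = NewDnSet()
            ' Example rule (an assumption for illustration): deny a change that empties the group.
            If MemberChanges(item, DirObj, added, removed) = 0 Then Err.Raise vbObjectError + 1, , "This change would remove all members of the group"
            Exit Sub
        End If
    Next
End Sub
```

After MemberChanges returns, added.Keys and removed.Keys hold the exact DNs gained and lost, which is where the per-member validation from the original script belongs; primary-group members are still invisible here for the reason given in the NOTES section.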