One Identity Active Roles Community Wiki (Active Roles Script Center, VBScript samples, Group management)

Script Policy to check group members when they are added to or removed from a group

DESCRIPTION

When an Active Roles client adds members to or removes members from a group, it modifies the group's member attribute. Even when the initiator selects a user object and adds it to several groups, it is the member attribute of each of those groups that is updated (one modify request per group). member is a multi-valued attribute that holds the DN of every current group member. To add members, the client submits the list of new member DNs as values of the member attribute with the ADS_PROPERTY_APPEND control code; to remove members, it submits the DNs with the ADS_PROPERTY_DELETE control code. To detect this situation in a script policy and validate the members concerned, use the IADsPropertyList interface implemented by the Request object and inspect the control code of the member item. The code below shows how to walk through each member being added to or removed from a group.

NOTES

The Active Roles Console and Web Interface only append values to or delete values from the member attribute. Other applications or scripts, however, can rewrite the whole attribute or clear it. A client that rewrites the attribute sends the new values with item.ControlCode equal to ADS_PROPERTY_UPDATE; in that case you do not learn which particular members were added or removed, you only receive the complete new membership in the item.Values array. A client that clears the attribute sends item.ControlCode equal to ADS_PROPERTY_CLEAR, and no values are sent to the Active Roles service in item.Values. In both cases, to find out exactly which members are being added or removed, load the group's current membership from the directory with DirObj.GetEx("member") (in onPreModify, DirObj still reflects the state before the change is applied) and compare it against item.Values: DNs present in the request but not in the directory are being added, DNs present in the directory but not in the request are being removed, and a clear removes every current member.

If a group is the primary group of a user, that user's DN does not appear in the group's member attribute. Instead, the user's primaryGroupID attribute holds the RID of the primary group, which is the last sub-authority of the group's SID (the objectSid attribute). A policy that inspects member alone will therefore never see primary-group members.


Note: This code may use functions from the Active Roles Script Policy Best Practices. Follow that link to obtain instructions and code for those functions.


SCRIPT

'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************

' ADS_PROPERTY_APPEND (3) and ADS_PROPERTY_DELETE (4) are members of the ADSI
' ADS_PROPERTY_OPERATION_ENUM made available by the Active Roles script host.

Sub onPreModify(Request)
    Dim i, item, v, strDN

    ' Optimization: check that a group object is being updated
    If Request.Class <> "group" Then Exit Sub

    ' Optimization: check that the member attribute is part of this request
    If VarType(Request.Get("member")) = vbEmpty Then Exit Sub

    ' Go through the properties being updated until the member attribute is found
    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If item.Name = "member" Then

            ' Members are being added to the group
            If item.ControlCode = ADS_PROPERTY_APPEND Then
                For Each v In item.Values
                    strDN = v.DNString
                    ' strDN is the DN of a new member being added to the group
                    ' Put your validation code here
                Next
            End If

            ' Members are being removed from the group
            If item.ControlCode = ADS_PROPERTY_DELETE Then
                For Each v In item.Values
                    strDN = v.DNString
                    ' strDN is the DN of a member being removed from the group
                    ' Put your validation code here
                Next
            End If

            ' ADS_PROPERTY_UPDATE and ADS_PROPERTY_CLEAR requests (see NOTES)
            ' are not validated by this sample and fall through untouched.

            ' member attribute was validated, we can exit the procedure
            Exit Sub
        End If
    Next
End Sub

'***** END OF CODE ***************************************************************
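The following is an added example, not part of the original Script Center sample or of One Identity's code. It extends the sample above to the ADS_PROPERTY_UPDATE and ADS_PROPERTY_CLEAR cases described in NOTES by diffing the requested value set against DirObj.GetEx("member"), so the policy always ends up with an explicit set of members being added and members being removed, and then applies a hypothetical no-nested-groups rule to the added set. Assumed: Request and DirObj are supplied by the Active Roles script host; the ADS_PROPERTY_* names resolve to the ADSI ADS_PROPERTY_OPERATION_ENUM values (CLEAR = 1, UPDATE = 2, APPEND = 3, DELETE = 4) exactly as in the sample above; the "EDMS://" prefix binds through the Active Roles ADSI provider; and the policy is linked to group objects. The no-nested-groups rule and the names NewDnSet, CurrentMembers, ComputeMemberDelta and DenyIfGroup are illustrative and not part of any Active Roles API.

```vbscript
' Added example (not the original Script Center sample). Computes the exact
' added/removed member sets for every ADSI control code, then validates them.
' Assumptions: Request and DirObj come from the Active Roles script host;
' ADS_PROPERTY_* are the ADSI ADS_PROPERTY_OPERATION_ENUM values
' (CLEAR=1, UPDATE=2, APPEND=3, DELETE=4); "EDMS://" is the Active Roles
' provider prefix. The no-nested-groups rule below is hypothetical.

Sub onPreModify(Request)
    Dim i, item, added, removed, dn

    If Request.Class <> "group" Then Exit Sub
    If IsEmpty(Request.Get("member")) Then Exit Sub

    For i = 0 To Request.PropertyCount - 1
        Set item = Request.Item(i)
        If LCase(item.Name) = "member" Then
            Set added = NewDnSet()
            Set removed = NewDnSet()
            ComputeMemberDelta item, added, removed

            ' Validate every member that would join the group.
            For Each dn In added.Keys
                DenyIfGroup dn
            Next
            ' removed.Keys holds the DNs leaving the group; add checks as needed.
            Exit Sub
        End If
    Next
End Sub

' Case-insensitive set of DNs, backed by a Scripting.Dictionary.
Function NewDnSet()
    Dim d
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare
    Set NewDnSet = d
End Function

' Membership as stored in the directory right now, read from DirObj rather
' than from the request. GetEx raises an error when the attribute is not set
' (an empty group); that is treated as "no members".
Function CurrentMembers()
    Dim d, values, dn
    Set d = NewDnSet()
    On Error Resume Next
    values = DirObj.GetEx("member")
    If Err.Number <> 0 Then
        Err.Clear
        values = Array()
    End If
    On Error GoTo 0
    For Each dn In values
        d(dn) = True
    Next
    Set CurrentMembers = d
End Function

' Fills added/removed with member DNs according to the request's control code.
Sub ComputeMemberDelta(item, added, removed)
    Dim v, dn, current, requested

    Select Case item.ControlCode
        Case ADS_PROPERTY_APPEND
            For Each v In item.Values
                added(v.DNString) = True
            Next
        Case ADS_PROPERTY_DELETE
            For Each v In item.Values
                removed(v.DNString) = True
            Next
        Case ADS_PROPERTY_UPDATE
            ' The request carries the complete new membership; diff it against
            ' the directory to recover what actually changes.
            Set current = CurrentMembers()
            Set requested = NewDnSet()
            For Each v In item.Values
                requested(v.DNString) = True
            Next
            For Each dn In requested.Keys
                If Not current.Exists(dn) Then added(dn) = True
            Next
            For Each dn In current.Keys
                If Not requested.Exists(dn) Then removed(dn) = True
            Next
        Case ADS_PROPERTY_CLEAR
            ' No values are sent; every current member is being removed.
            Set current = CurrentMembers()
            For Each dn In current.Keys
                removed(dn) = True
            Next
    End Select
End Sub

' Hypothetical rule: this group may not contain other groups. Raising an
' error from a pre-event handler makes Active Roles reject the request.
Sub DenyIfGroup(strDN)
    Dim obj
    Set obj = GetObject("EDMS://" & strDN)
    If LCase(obj.Class) = "group" Then
        Err.Raise vbObjectError + 1, "Group membership policy", _
            "Nested groups are not allowed: " & strDN
    End If
End Sub
```

Because the delta is computed from the directory state in a pre-event handler, a script or application that rewrites member with ADS_PROPERTY_UPDATE to sneak in an extra DN is caught in the same way as a plain append from the Console, and a clear is reported as the removal of every current member. Members that belong to the group only through primaryGroupID are still invisible to this check, as described in NOTES.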

  • © 2025 One Identity LLC. ALL RIGHTS RESERVED.