
Building a Managed Unit Dynamically

DESCRIPTION

The query-based Managed Units in ARS all perform a full "Subtree" search of the provided container. In some cases this is undesirable, and a "OneLevel" search is needed instead.

The code below captures object creation events and, if the object's parent is the supplied container and the object is of the desired object class, adds the object to a Managed Unit. The object is added explicitly and statically; however, Active Roles on its own (without need for additional coding) removes the reference to the object from the Managed Unit should that object be deleted. Note that this code is intended to be implemented in a Policy with the "Handle changes from DirSync control" option enabled, so that objects created outside of ARS may be added to the Managed Unit as well. For this reason it is not possible to create this as a custom policy extension (policy extensions do not allow you to specify the DirSync option).

Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.

SCRIPT

#*********************************************************************************
# THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
#
# IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
# PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
#*********************************************************************************

# Request source value checked in onPostCreate
$EDST_MOD_SOURCE_AD = 2
# Membership rule type: include the object directly (explicit, static member)
$EDS_MUCONDITION_INCLUDE_DIRECTLY = 3

# Declares the parameters of the script policy.
function onInit($Context) {
    $Parameter = $Context.AddParameter("Managed Unit")
    $Parameter.Description = "This is the distinguishedName of the Managed Unit to which the newly created objects should be added"
    $Parameter.Required = $True
    $Parameter.Syntax = "DN"

    $Parameter = $Context.AddParameter("Base DN")
    $Parameter.Description = "This is the distinguishedName of the base container; only objects created in this container will be added to the Managed Unit."
    $Parameter.Required = $True
    # Default the base container to the domain's default naming context
    $rootDSE = [ADSI]"LDAP://rootDSE"
    $defaultNamingContext = [string]$rootDSE.defaultNamingContext
    $Parameter.DefaultValue = $defaultNamingContext

    $Parameter = $Context.AddParameter("objectClass")
    $Parameter.Description = "Only objects of this type will be added to the Managed Unit."
    $Parameter.Required = $True
    $Parameter.DefaultValue = "organizationalUnit"
}

# Runs after an object has been created.
function onPostCreate($Request) {
    $ManagedUnitDN = $PolicyEntry.Parameter("Managed Unit")

    # Guard 1: the created object must be of the configured object class
    if ($Request.Class -ne $PolicyEntry.Parameter("objectClass")) {
        return
    }

    # Guard 2 ("OneLevel"): the object's immediate parent must be the Base DN
    $DirObj.GetInfoEx(@("edsvaParentDN"), 0)
    if ($DirObj.Get("edsvaParentDN") -ne $PolicyEntry.Parameter("Base DN")) {
        return
    }

    # Guard 3: the request source must be $EDST_MOD_SOURCE_AD
    if ($Request.Parameter("RequestSource") -ne $EDST_MOD_SOURCE_AD) {
        return
    }

    # Add an "include directly" membership rule for the new object and save it
    $ManagedUnit = [ADSI]"EDMS://$ManagedUnitDN"
    $RuleCollection = $ManagedUnit.MembershipRuleCollection
    $Rule = New-Object -ComObject "EDSIManagedUnitCondition"
    $Rule.Base = "EDMS://" + $DirObj.Get("distinguishedName")
    $Rule.BaseGuid = $DirObj.Guid
    $Rule.Type = $EDS_MUCONDITION_INCLUDE_DIRECTLY
    $RuleCollection.Add($Rule)
    $ManagedUnit.SetInfo()
}

#***** END OF CODE ***************************************************************
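
Because a Managed Unit is typically the scope that delegated permissions are applied to, it helps to check which created objects the three guards above would let in before enabling the policy. The following is an added example, not part of the original wiki script or of Active Roles: it replays the guards offline over constructed creation events. The function names, the sample DNs and the source value 1 are assumptions made for illustration, and the parent DN is derived by parsing the DN string rather than by reading edsvaParentDN.

```powershell
# Added example: offline dry run of the policy's three guards.
# Get-ParentDN and Test-OneLevelCandidate are hypothetical helper names.
$EDST_MOD_SOURCE_AD = 2   # same value as the constant in the script above

function Get-ParentDN([string]$DN) {
    # Skip the first RDN: a run of escaped characters (\x) or characters that
    # are neither a comma nor a backslash, so "OU=R\,D" stays in one piece.
    $m = [regex]::Match($DN, '^(?:\\.|[^,\\])*,(.*)$')
    if ($m.Success) { return $m.Groups[1].Value.Trim() }
    return $null   # a single-RDN name has no parent
}

function Test-OneLevelCandidate($Creation, [string]$BaseDN, [string]$ObjectClass) {
    # Guard 1: object class (string -ne is case-insensitive in PowerShell)
    if ($Creation.Class -ne $ObjectClass) { return $false }
    # Guard 2: immediate parent only; deeper descendants are rejected
    if ((Get-ParentDN $Creation.DN) -ne $BaseDN) { return $false }
    # Guard 3: request source must equal $EDST_MOD_SOURCE_AD
    return ($Creation.Source -eq $EDST_MOD_SOURCE_AD)
}

# Constructed sample data (not taken from any real directory)
$base = 'OU=Branches,DC=example,DC=test'
$creations = @(
    # direct child of the base container
    [pscustomobject]@{ DN = 'OU=Paris,OU=Branches,DC=example,DC=test'; Class = 'organizationalUnit'; Source = 2 }
    # grandchild: a Subtree search would match it, OneLevel must not
    [pscustomobject]@{ DN = 'OU=Sales,OU=Paris,OU=Branches,DC=example,DC=test'; Class = 'organizationalUnit'; Source = 2 }
    # escaped comma in the RDN and different letter case in the parent
    [pscustomobject]@{ DN = 'OU=R\,D,ou=branches,dc=example,dc=test'; Class = 'organizationalUnit'; Source = 2 }
    # wrong object class
    [pscustomobject]@{ DN = 'CN=svc,OU=Branches,DC=example,DC=test'; Class = 'user'; Source = 2 }
    # constructed source value other than 2
    [pscustomobject]@{ DN = 'OU=Rome,OU=Branches,DC=example,DC=test'; Class = 'organizationalUnit'; Source = 1 }
)

$creations | Select-Object DN, @{ Name = 'AddedToMU'; Expression = {
    Test-OneLevelCandidate $_ $base 'organizationalUnit' } }
```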
