IdAM Thoughts

MIM

FIMService: Convert Static Group to Dynamic

Following from my previous post on how to create a group with both static members and dynamic filter, I came across a scenario where post migration we have some customers who initially had a group with explicit members but we thought they could be converted to a filter based group which matches the business case.

The script below helps you on doing the same. Again using LithnetRMA for the process.

Warning: Again, many custom attributes logic in FIMService for my environment but again you will get the whole idea. I have left the script as-is and not dumbed it down.

Please read my Groups with Static and Dynamic Members in FIMService post to understand the logic I have been applying for Autogen groups and how group and set tie up to each other in FIMService.

LOGIC

Asks for existing group name (DisplayName) in FIMService.
If found, outputs the number of explicit members found
Asks if you want to put a filter on the group and then asks for the XPATH filter (coming soon on how to create XPATH easily)
Checks if the filter is valid. If so (the fun part)
- Outputs the count of users in the new filter
- Compares the filter users to explicit members and gives a count of
  - New members to be added due to filter (i.e. not found in the explicit members list)
  - Count of common members found between existing explicit members and XPATH
  - Finally gives count of explicit members for the new set to be created (i.e. not found in the new filter).
Finally if the user wants to continue after above information
- Creates a set with “Autogen-GroupName” and set the filter and explicit members to that
- Modify’s existing group and deletes the current explicit members
- Converts the existing group to a filter based and sets the objectID of the set created above.
Done

Import-Module LithnetRMA
Set-ResourceManagementClient -BaseAddress "http://YOUR-FIMSERVICE-ENDPOINT:5725"

Function ModifyUserGroup($groupObjectID, $setObjectID)
    {
        $group = Get-Resource -ID $groupObjectID
        Write-Host "Deleting Group Explicit Members" -ForegroundColor Cyan
        $group.ExplicitMember = $null
        Write-Host "Changing accountType to AutogenGroup" -ForegroundColor Cyan
        $group.accountType = "AutogenGroup"
        Write-Host "Changing Group Type to Filter" -ForegroundColor Cyan
        $group.MembershipLocked = $true
        $group.MembershipAddWorkflow = "None"
        Write-Host "Adding Filter to Parent Group" -ForegroundColor Cyan
        $group.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/*[((ObjectType = "Person") or (ObjectType = "Group")) and (ObjectID = /Set[ObjectID ="' +$setObjectID+ '"]/ComputedMember)]</Filter>'
        $group.connectedSetObjectID = "$setObjectID"
        try 
            {
               Write-Host "Modifying Parent Group:" $group.DisplayName -ForegroundColor Cyan
               Save-Resource $group
               
            }
        catch 
            {
                Write-Warning ("Unable to modify group:" + $_.Exception.Message)
                exit
            }
    }


Function CreateSet($groupObjectID, $groupDisplayName, $explicitmembers, $newfilter)
    {
        
        $set = New-Resource -ObjectType Set
        $set.DisplayName = "Autogen-" + $groupDisplayName
        $set.accountType = "AutogenSet"
        if ($newfilter) {
        $set.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">' +$newfilter+ '</Filter>'
        }
        $set.connectedGroupObjectID = $groupObjectID

        foreach ($member in $explicitmembers)
            {
                $set.ExplicitMember.Add($member) | Out-Null
            }

        try 
            {
               Write-Host "Creating new AutogenSet:" $set.DisplayName -ForegroundColor Cyan
               Save-Resource $set
               $setObjectID = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue $set.DisplayName
               return $setObjectID.ObjectID
            }

        catch 
            {
                Write-Warning ("Unable to create set:" + $_.Exception.Message)
                exit
            }

    }


Function CheckMembers($explicitmembers, $newfilter) 
    {
        try
            {
                $filtermembers = Search-Resources -XPath "$newfilter" -AttributesToGet ObjectID
            }
        catch
            {
                $host.UI.WriteErrorLine("Bad Filter")
                continue
            }

         if ($filtermembers -eq $null)
            {
                    $host.UI.WriteErrorLine("No Users found in new filter")
                    continue
            }
      
       $compare = $explicitmembers | ?{$filtermembers.ObjectID.Value -notcontains $_}
       
       Write-Host "New Filter Members:" $filtermembers.ObjectID.Count -ForegroundColor Cyan
       Write-Host "Found Common Members Between New Filter & Existing Explicit Members:" ($explicitmembers.Count - $compare.Count) -ForegroundColor Cyan
       Write-Host "Total Explicit Members for New Set:" $compare.Count -ForegroundColor Cyan
 
       return $compare
    }

Function ConvertStaticToAutogen()
{
    $groupname = Read-Host -Prompt "Enter the static group name" 



    $staticgroup = Search-Resources -XPath "/Group[(DisplayName = '$groupname')]" -AttributesToGet ExplicitMember, DisplayName, ObjectID, Filter -ErrorAction SilentlyContinue

    if ($staticgroup)
        {

            Write-Host "Found Group:" $staticgroup.DisplayName -ForegroundColor Cyan
            Write-Host "Current Explicit Members:" $staticgroup.ExplicitMember.Count -ForegroundColor Cyan
            

            if ($staticgroup.Filter)
                {
                    $host.UI.WriteErrorLine("This groups has a filter")
                    
                    continue 
                }

           
           $hasfilter = Read-Host -Prompt "Do you want to put a filter (y/n)"

           switch ($hasfilter)
            {
                y { 
                    $newfilter = Read-Host -Prompt "Enter the new filter for the group"
                    $filter = $newfilter.Trim()
                    $newexplicitmembers = CheckMembers ($staticgroup.ExplicitMember.Value) ($filter)
                  }
                
                n { Write-Warning "No Filter given"
                    $filter = $null }
                default {  Write-Warning "Please input y or n only"
                     exit
                }
            }
    
            
         
          $confirmcreation = Read-Host "Do you want to continue (y/n)"

          switch ($confirmcreation)
            {
                y {
                    $newSetObjectID = CreateSet ($staticgroup.ObjectID) ($staticgroup.DisplayName) ($newexplicitmembers) ($filter)
                    ModifyUserGroup ($staticgroup.ObjectID.Value) ($newSetObjectID.Value)
                    Write-Host "Done!!!" -ForegroundColor Cyan
                  }

                n { 
                        Write-Host "Exiting without creation"
                  }

           default { Write-Warning "Please input y or n only"
                     exit
                }
            }
        }
    else
        {
            
            $host.UI.WriteErrorLine("Group Not Found")
            continue
        }

}


ConvertStaticToAutogen

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

Import-Module LithnetRMA

Set-ResourceManagementClient -BaseAddress "http://YOUR-FIMSERVICE-ENDPOINT:5725"

Function ModifyUserGroup($groupObjectID, $setObjectID)

{

$group = Get-Resource -ID $groupObjectID

Write-Host "Deleting Group Explicit Members" -ForegroundColor Cyan

$group.ExplicitMember = $null

Write-Host "Changing accountType to AutogenGroup" -ForegroundColor Cyan

$group.accountType = "AutogenGroup"

Write-Host "Changing Group Type to Filter" -ForegroundColor Cyan

$group.MembershipLocked = $true

$group.MembershipAddWorkflow = "None"

Write-Host "Adding Filter to Parent Group" -ForegroundColor Cyan

$group.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/*[((ObjectType = "Person") or (ObjectType = "Group")) and (ObjectID = /Set[ObjectID ="' +$setObjectID+ '"]/ComputedMember)]</Filter>'

$group.connectedSetObjectID = "$setObjectID"

try

{

Write-Host "Modifying Parent Group:" $group.DisplayName -ForegroundColor Cyan

Save-Resource $group

}

catch

{

Write-Warning ("Unable to modify group:" + $_.Exception.Message)

exit

}

Function CreateSet($groupObjectID, $groupDisplayName, $explicitmembers, $newfilter)

{

$set = New-Resource -ObjectType Set

$set.DisplayName = "Autogen-" + $groupDisplayName

$set.accountType = "AutogenSet"

if ($newfilter) {

$set.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">' +$newfilter+ '</Filter>'

}

$set.connectedGroupObjectID = $groupObjectID

foreach ($member in $explicitmembers)

{

$set.ExplicitMember.Add($member) | Out-Null

}

try

{

Write-Host "Creating new AutogenSet:" $set.DisplayName -ForegroundColor Cyan

Save-Resource $set

$setObjectID = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue $set.DisplayName

return $setObjectID.ObjectID

}

catch

{

Write-Warning ("Unable to create set:" + $_.Exception.Message)

exit

}

Function CheckMembers($explicitmembers, $newfilter)

{

try

{

$filtermembers = Search-Resources -XPath "$newfilter" -AttributesToGet ObjectID

}

catch

{

$host.UI.WriteErrorLine("Bad Filter")

continue

}

if ($filtermembers -eq $null)

{

$host.UI.WriteErrorLine("No Users found in new filter")

continue

}

$compare = $explicitmembers | ?{$filtermembers.ObjectID.Value -notcontains $_}

Write-Host "New Filter Members:" $filtermembers.ObjectID.Count -ForegroundColor Cyan

Write-Host "Found Common Members Between New Filter & Existing Explicit Members:" ($explicitmembers.Count - $compare.Count) -ForegroundColor Cyan

Write-Host "Total Explicit Members for New Set:" $compare.Count -ForegroundColor Cyan

return $compare

}

Function ConvertStaticToAutogen()

{

$groupname = Read-Host -Prompt "Enter the static group name"

$staticgroup = Search-Resources -XPath "/Group[(DisplayName = '$groupname')]" -AttributesToGet ExplicitMember, DisplayName, ObjectID, Filter -ErrorAction SilentlyContinue

if ($staticgroup)

{

Write-Host "Found Group:" $staticgroup.DisplayName -ForegroundColor Cyan

Write-Host "Current Explicit Members:" $staticgroup.ExplicitMember.Count -ForegroundColor Cyan

if ($staticgroup.Filter)

{

$host.UI.WriteErrorLine("This groups has a filter")

continue

}

$hasfilter = Read-Host -Prompt "Do you want to put a filter (y/n)"

switch ($hasfilter)

{

y {

$newfilter = Read-Host -Prompt "Enter the new filter for the group"

$filter = $newfilter.Trim()

$newexplicitmembers = CheckMembers ($staticgroup.ExplicitMember.Value) ($filter)

}

n { Write-Warning "No Filter given"

$filter = $null }

default { Write-Warning "Please input y or n only"

exit

}

$confirmcreation = Read-Host "Do you want to continue (y/n)"

switch ($confirmcreation)

{

y {

$newSetObjectID = CreateSet ($staticgroup.ObjectID) ($staticgroup.DisplayName) ($newexplicitmembers) ($filter)

ModifyUserGroup ($staticgroup.ObjectID.Value) ($newSetObjectID.Value)

Write-Host "Done!!!" -ForegroundColor Cyan

}

n {

Write-Host "Exiting without creation"

}

default { Write-Warning "Please input y or n only"

exit

}

else

{

$host.UI.WriteErrorLine("Group Not Found")

continue

}

ConvertStaticToAutogen

Hope it helps.. Please like, share or leave a comment below..

By Piyush Khandelwal, 7 years ago

Powershell

Groups with Static and Dynamic Members in FIMService

We had a business case whereby a filter couldn’t really create groups which catered for the purpose. We also needed to put in some static members (Explicit Members) in it.

Now by default a /Group in FIMService can either be Explicit or a Filter type group. But a Set allows you to have an explicit as well as filter on it.

WARNING: Many custom attributes are used for our purpose but you hopefully will get the gist of it

CREATE

So came up with a design for such groups (we identify them by Autogen and have an attribute called accountType)

Create a Set with Autogen-{GroupName} with an accountType = AutogenSet
Set the filter and explicit members needed on the set
Create a filter group with Autogen-{GroupName} with an accountType = AutogenGroup
Put the ResourceID of the new group in the set to an attribute called ‘connectedGroupObjectID’ and viceversa to ‘connectedSetObjectID’ – This it have relation between the group and set
Set the filter on this group as

/*[((ObjectType = "Person") or (ObjectType = "Group")) and (ObjectID = /Set[ObjectID ="{connectedSetObjectID}"]/ComputedMember)

1	/*[((ObjectType = "Person") or (ObjectType = "Group")) and (ObjectID = /Set[ObjectID ="{connectedSetObjectID}"]/ComputedMember)

CLEANUP

Create a auth workflow with delete resource and target = [//Target/connectedSetObjectID]
Create a set which has ‘All Autogen Groups’
Create a MPR which ties the above i.e. when a delete resource happens for any in set ‘All Autogen Groups’ then run the Auth workflow which will delete the set as well

SCRIPT

Wrote a script so that these groups, sets and links can be created in one go using FIM/MIM Service Powershell Module.

NOTE

I assume user already knows the XPATH for his filter (Will help you on how to create it easily as well in a post coming soon).
Many custom attributes have been used in FIMService but you get the bigger picture and not necessarily needed for your environment.
I am really bad at powershell so don’t be surprised if you see some ‘what the hell did he do that for?’ moment 🙂 You will definitely find mistakes but hey.. works for me.. Still please point it out 🙂

LOGIC

This script was written by me quite specific for our environment and therefore contains a lot of custom attributes and logic. This is just to give an idea what we do / can do with the idea. I have decided not to dumb it down and present it as-is. If you get confused somewhere please do contact me or leave a comment

Asks for DisplayName (Mandatory)
Asks for a requestedAccountName (Mandatory in our env to generate sAMAccountName and AccountName)
Asks for a owner AccountName / uid (Mandatory in our environment to set as the owner of the group)
Asks if the Group will have a mail address (if so then we populate some additional attributes to provision to GoogleApps)
- If Mail Enabled then asks for some additional attributes to be set like
  - Mail Prefix (to generate the mail address)
  - Posting Permission
  - To be hidden from Global Address List or not
  - Is it going to be used as a Security Group in AD (sets as Distribution else as MailEnabledSecurity)
- If not then sets it as a Security Group
Asks for the XPATH Filter – then it goes and checks if it’s correct and does return some users back else exists.
Creates the Set and adds the above filter to it
Creates the Group
- Sets the filter pointing to the set above
Links the two
Done

The only thing it doesn’t do is setting explicit members to the set which is done manually after creation.

Import-Module LithnetRMA
Set-ResourceManagementClient -BaseAddress "http://YOUR-FIMSERVICE-HOST:5725"

Function MailSettings()
    {
        $requestedmailprefix = Read-Host "Requested Mail Prefix"
        if (!$requestedmailprefix) { Write-Warning "Enter a value"
                                     exit }
              
          
        Write-Host "Posting Permissions" -ForegroundColor Cyan
        Write-Host "[1] Anyone Can Post"
        Write-Host "[2] All Monash Users Can Post"
        Write-Host "[3] All Members Can Post"
        Write-Host "[4] Selected Members Can Post"
        Write-Host "[5] No One Can Post"
        Write-Host

        $select = Read-Host "Select one of the posting permission" 

        switch ($select)
            {
                1 { $gappswhocanpost = "ANYONE_CAN_POST" }
                2 { $gappswhocanpost = "ALL_IN_DOMAIN_CAN_POST" }
                3 { $gappswhocanpost = "ALL_MEMBERS_CAN_POST" }
                4 { $gappswhocanpost = "ALL_MANAGERS_CAN_POST" }
                5 { $gappswhocanpost = "NONE_CAN_POST" }
                default { Write-Warning "Please make correct selection"
                          exit }
            }


        $hidemail = Read-Host "Hide From GAL (y/n)" 

        switch($hidemail)
            {
                y { $hidefromgal = $true }
                n { $hidefromgal = $false }
                default { Write-Warning "Please input y or n only" 
                          exit }
            }
                

        $issecuritygroup = Read-Host "Is it a security group (y/n)"
        
        switch ($issecuritygroup)
            {
                y { $grouptype = "MailEnabledSecurity" }
                n { $grouptype = "Distribution" }
                default { Write-Warning "Please input y or n only" 
                          exit }
            }

        return ($requestedmailprefix, $gappswhocanpost, $hidefromgal, $grouptype)
     }

    

Function SetConnectedGroupObjectID ($setobjectid, $groupobjectid)
    {
        $set = Get-Resource -ID $setobjectid
        $set.connectedGroupObjectID = $groupobjectid

        try 
            {
               Write-Host "Linking AutogenGroup to AutogenSet" -ForegroundColor Cyan
               Save-Resource $set
            }

       catch 
            {
                Write-Warning ("Unable to link group to set:" + $_.Exception.Message)
                exit
            }

    }


Function CreateAutogenGroup($groupname, $requestedaccountname, $requestedmailprefix, $grouptype, $setObjectID, $ownerObjectID, $gappswhocanpost, $hidefromgal)
    {
        $group = New-Resource -ObjectType Group
        $group.DisplayName = $groupname
        $group.requestedAccountName = $requestedaccountname
        $group.requestedMailPrefix = $requestedmailprefix
        $group.Type = $grouptype
        $group.accountType = "AutogenGroup"
        $group.Owner = $ownerObjectID
        $group.connectedSetObjectID = $setObjectID.Value
        $group.Domain = $env:USERDOMAIN
        $group.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/*[((ObjectType = "Person") or (ObjectType = "Group")) and (ObjectID = /Set[ObjectID ="' +$setObjectID.Value+ '"]/ComputedMember)]</Filter>'
        $group.MembershipLocked = $true
        $group.Scope = 'Global'
        $group.MembershipAddWorkflow = "None"
        $group.gappsWhoCanPost = $gappswhocanpost
        $group.hideFromGal = $hidefromgal

        try 
            {
               Write-Host "Creating AutogenGroup:" $group.DisplayName -ForegroundColor Cyan
               Save-Resource $group
               $groupobjectid = Get-Resource -ObjectType Group -AttributeName DisplayName -AttributeValue $group.DisplayName 
               return $groupobjectid.ObjectID
               
            }
        catch 
            {
                Write-Warning ("Unable to create group:" + $_.Exception.Message)
                exit
            }
    }


Function CreateAutogenSet($DisplayName, $filter)
    {
        
        $set = New-Resource -ObjectType Set
        $set.DisplayName = "Autogen-" + $DisplayName
        $set.accountType = "AutogenSet"
        $set.Filter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">' +$filter+ '</Filter>'

        try 
            {
               Write-Host "Creating AutogenSet:" $set.DisplayName -ForegroundColor Cyan
               Save-Resource $set
               $setObjectID = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue $set.DisplayName
               return $setObjectID.ObjectID
            }

        catch 
            {
                Write-Warning ("Unable to create set:" + $_.Exception.Message)
                exit
            }

    }


Function CheckFilter($filter) 
    {
        try
            {
                $filtermembers = Search-Resources -XPath $filter -AttributesToGet ObjectID
                Write-Host "No of dynamic members found: " $filtermembers.Count -ForegroundColor Cyan
            }
        catch
            {
                $host.UI.WriteErrorLine("Bad Filter")
                exit
               
            }

         if ($filtermembers -eq $null)
            {
                $host.UI.WriteErrorLine("No Users found in new filter")
                exit
                    
            }
      
    }

Function CreateGroup()
{
    Write-Host "Information Required for new Autogen Group" -ForegroundColor Cyan

    $groupname = Read-Host -Prompt "Enter Display Name" 

    if (!$groupname) { Write-Warning "Display Name Value Missing"
                        exit } 

    $accountname = Read-Host -Prompt "Requested Account Name"

    if (!$accountname) { Write-Warning "Requested Name Value Missing"
                        exit }

    $owner = read-host "Enter uid of the owner"
     
    if ($owner) 
        { 
            try
                {
                    $ownerObjectID = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $owner.Trim() -AttributesToGet ObjectID
                }
            catch
                {
                    Write-Warning "Invalid Owner" 
                    exit
                }
        }

     else
        {      
            Write-Warning "UID of Owner Missing"
            exit
        }

    $mailinglist = Read-Host "Is this group mail enabled (y/n)" 
    
    switch ($mailinglist)
        {
            y { 
                $mailsettings = MailSettings
                $requestedmailprefix = $mailsettings[0]
                $gappswhocanpost = $mailsettings[1]
                $hidefromgal = $mailsettings[2]
                $grouptype = $mailsettings[3]
                
              }
            n { 
            $grouptype = "Security" } 
            default { 
                      Write-Warning "Please input y or n only" 
                      exit 
                    }
        }
                
    
    $filter = Read-Host -Prompt "Enter Filter"

    if ($filter)
        {
            CheckFilter($filter.Trim())
        }
    else
        {
            Write-Warning "Filter is Missing"
            exit
        }

       $confirmcreation = Read-Host "Do you want to continue (y/n)"

       switch ($confirmcreation)
            {
                y {
                    $newSetObjectID = CreateAutogenSet ($groupname) ($filter.Trim())
                    $newGroupObjectID = CreateAutogenGroup ($groupname) ($accountname) ($requestedmailprefix) ($grouptype) ($newSetObjectID) ($ownerObjectID.ObjectID.Value) ($gappswhocanpost) ($hidefromgal)

                    SetConnectedGroupObjectID ($newSetObjectID) ($newGroupObjectID)

                    Write-Host "AutogenGroup and AutogenSet Created!!!" -ForegroundColor Cyan
                  }
               
                n { 
                        Write-Host "Exiting without creation"
                  }

           default { Write-Warning "Please input y or n only"
                     exit
                }
            }

}


CreateGroup

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

Import-Module LithnetRMA

Set-ResourceManagementClient -BaseAddress "http://YOUR-FIMSERVICE-HOST:5725"

Function MailSettings()

{

$requestedmailprefix = Read-Host "Requested Mail Prefix"

if (!$requestedmailprefix) { Write-Warning "Enter a value"

exit }

Write-Host "Posting Permissions" -ForegroundColor Cyan

Write-Host "[1] Anyone Can Post"

Write-Host "[2] All Monash Users Can Post"

Write-Host "[3] All Members Can Post"

Write-Host "[4] Selected Members Can Post"

Write-Host "[5] No One Can Post"

Write-Host

$select = Read-Host "Select one of the posting permission"

switch ($select)

{

1 { $gappswhocanpost = "ANYONE_CAN_POST" }

2 { $gappswhocanpost = "ALL_IN_DOMAIN_CAN_POST" }

3 { $gappswhocanpost = "ALL_MEMBERS_CAN_POST" }

4 { $gappswhocanpost = "ALL_MANAGERS_CAN_POST" }

5 { $gappswhocanpost = "NONE_CAN_POST" }

default { Write-Warning "Please make correct selection"

exit }

}

$hidemail = Read-Host "Hide From GAL (y/n)"

switch($hidemail)

{

y { $hidefromgal = $true }

n { $hidefromgal = $false }

default { Write-Warning "Please input y or n only"

exit }

}

$issecuritygroup = Read-Host "Is it a security group (y/n)"

switch ($issecuritygroup)

{

y { $grouptype = "MailEnabledSecurity" }

n { $grouptype = "Distribution" }

default { Write-Warning "Please input y or n only"

exit }

}

return ($requestedmailprefix, $gappswhocanpost, $hidefromgal, $grouptype)

}

Function SetConnectedGroupObjectID ($setobjectid, $groupobjectid)

{

$set = Get-Resource -ID $setobjectid

$set.connectedGroupObjectID = $groupobjectid

try

{

Write-Host "Linking AutogenGroup to AutogenSet" -ForegroundColor Cyan

Save-Resource $set

}

catch

{

Write-Warning ("Unable to link group to set:" + $_.Exception.Message)

exit

}

Function CreateAutogenGroup($groupname, $requestedaccountname, $requestedmailprefix, $grouptype, $setObjectID, $ownerObjectID, $gappswhocanpost, $hidefromgal)

{

$group = New-Resource -ObjectType Group

$group.DisplayName = $groupname

$group.requestedAccountName = $requestedaccountname

$group.requestedMailPrefix = $requestedmailprefix

$group.Type = $grouptype

$group.accountType = "AutogenGroup"

$group.Owner = $ownerObjectID

$group.connectedSetObjectID = $setObjectID.Value

$group.Domain = $env:USERDOMAIN

$group.MembershipLocked = $true

$group.Scope = 'Global'

$group.MembershipAddWorkflow = "None"

$group.gappsWhoCanPost = $gappswhocanpost

$group.hideFromGal = $hidefromgal

try

{

Write-Host "Creating AutogenGroup:" $group.DisplayName -ForegroundColor Cyan

Save-Resource $group

$groupobjectid = Get-Resource -ObjectType Group -AttributeName DisplayName -AttributeValue $group.DisplayName

return $groupobjectid.ObjectID

}

catch

{

Write-Warning ("Unable to create group:" + $_.Exception.Message)

exit

}

Function CreateAutogenSet($DisplayName, $filter)

{

$set = New-Resource -ObjectType Set

$set.DisplayName = "Autogen-" + $DisplayName

$set.accountType = "AutogenSet"

try

{

Write-Host "Creating AutogenSet:" $set.DisplayName -ForegroundColor Cyan

Save-Resource $set

$setObjectID = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue $set.DisplayName

return $setObjectID.ObjectID

}

catch

{

Write-Warning ("Unable to create set:" + $_.Exception.Message)

exit

}

Function CheckFilter($filter)

{

try

{

$filtermembers = Search-Resources -XPath $filter -AttributesToGet ObjectID

Write-Host "No of dynamic members found: " $filtermembers.Count -ForegroundColor Cyan

}

catch

{

$host.UI.WriteErrorLine("Bad Filter")

exit

}

if ($filtermembers -eq $null)

{

$host.UI.WriteErrorLine("No Users found in new filter")

exit

}

Function CreateGroup()

{

Write-Host "Information Required for new Autogen Group" -ForegroundColor Cyan

$groupname = Read-Host -Prompt "Enter Display Name"

if (!$groupname) { Write-Warning "Display Name Value Missing"

exit }

$accountname = Read-Host -Prompt "Requested Account Name"

if (!$accountname) { Write-Warning "Requested Name Value Missing"

exit }

$owner = read-host "Enter uid of the owner"

if ($owner)

{

try

{

$ownerObjectID = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $owner.Trim() -AttributesToGet ObjectID

}

catch

{

Write-Warning "Invalid Owner"

exit

}

else

{

Write-Warning "UID of Owner Missing"

exit

}

$mailinglist = Read-Host "Is this group mail enabled (y/n)"

switch ($mailinglist)

{

y {

$mailsettings = MailSettings

$requestedmailprefix = $mailsettings[0]

$gappswhocanpost = $mailsettings[1]

$hidefromgal = $mailsettings[2]

$grouptype = $mailsettings[3]

}

n {

$grouptype = "Security" }

default {

Write-Warning "Please input y or n only"

exit

}

$filter = Read-Host -Prompt "Enter Filter"

if ($filter)

{

CheckFilter($filter.Trim())

}

else

{

Write-Warning "Filter is Missing"

exit

}

$confirmcreation = Read-Host "Do you want to continue (y/n)"

switch ($confirmcreation)

{

y {

$newSetObjectID = CreateAutogenSet ($groupname) ($filter.Trim())

$newGroupObjectID = CreateAutogenGroup ($groupname) ($accountname) ($requestedmailprefix) ($grouptype) ($newSetObjectID) ($ownerObjectID.ObjectID.Value) ($gappswhocanpost) ($hidefromgal)

SetConnectedGroupObjectID ($newSetObjectID) ($newGroupObjectID)

Write-Host "AutogenGroup and AutogenSet Created!!!" -ForegroundColor Cyan

}

n {

Write-Host "Exiting without creation"

}

default { Write-Warning "Please input y or n only"

exit

}

CreateGroup

To the sync side you will simply see one Group come out with Member attribute containing both ExplicitMembers and ComputedMembers and a combination.

Hope this helps someone in their “complex business” environment.

By Piyush Khandelwal, 7 years03/28/2017 ago

Powershell

Composite write back to FIMService via Powershell

So if you have a large number of objects to update in FIMService it could be complicated..

Lithnet FIM/MIM Powershell Module makes it so much simpler..

Below is a script I used to say update all accounts which have “accountType” = oldaccounts and set “accountBlocked” to true (my custom schema).

Some explanations

I have set PageSize = 100 which means if you are returning more than that number process only 100 at a time..
I have set “-AttributesToGet” which gives me only the attribute what I want

$objs = Search-ResourcesPaged -XPath "/Person[(accountType = 'oldaccounts')]" -AttributesToGet accountBlocked
$objs.PageSize = 100

$i = 0

while ($objs.HasMoreItems)
    {
        $results = $objs.GetNextPage();

        foreach ($user in $results)
            {
                $user.accountBlocked = $true
                $i++
            }
        Save-Resource $results
        Write-Host "Saved $i of " $objs.TotalCount      
    }

$objs = Search-ResourcesPaged -XPath "/Person[(accountType = 'oldaccounts')]" -AttributesToGet accountBlocked

$objs.PageSize = 100

$i = 0

while ($objs.HasMoreItems)

{

$results = $objs.GetNextPage();

foreach ($user in $results)

{

$user.accountBlocked = $true

$i++

}

Save-Resource $results

Write-Host "Saved $i of " $objs.TotalCount

}

See how easy is that? You can do multiple operations before save-resource and thus do a bunch of changes to say 1000 users and in 10 saves it will be done!!!

PS: As you can see its simple for demonstration and not doing any error handling etc..

By Piyush Khandelwal, 7 years03/22/2017 ago

ADConnect

Scheduling Syncs for ADConnect Maintenance

We have loads of objects in our AD / Azure AD.. we believe doing regular Full Imports and Full Syncs for all the MA’s is a good way to make sure Sync engine is healthy.

Had recently visited #MSAUIGNITE 2017 in Gold Coast, Australia and SME’s there suggested Full Sync is not needed in environments unless there has been a connector change.. But I disagree and consider ADConnect as Microsoft Identity Manager (MIM / FIM) and by experience we have seen a good healthy sync engine we should do FI / FS for maintenance.

After doing some initial sync timings, found our FI from Azure took 9 hrs and FS took about 2 hrs. Likewise from AD FI took 1 hr and FS took 2 hrs.

Decided we wanted to schedule each FI and FS to make sure sync engine is all caught up out of business hours.

Assumptions

The MA is called “AzureAD”
Run Profile Name is called “Full Import”

Do the following on our ADConnect Sync Box

Create a powershell script with the following code and save it as “AzureFI.ps1” at a location say D:\SyncScript

Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $False
Stop-ADSyncSyncCycle
Invoke-ADSyncRunProfile -ConnectorName "AzureAD" -RunProfileName "Full Import"
Set-ADSyncScheduler -SyncCycleEnabled $true

Import-Module ADSync

Set-ADSyncScheduler -SyncCycleEnabled $False

Stop-ADSyncSyncCycle

Invoke-ADSyncRunProfile -ConnectorName "AzureAD" -RunProfileName "Full Import"

Set-ADSyncScheduler -SyncCycleEnabled $true

Create a task scheduler and run as the same user which runs the sync engine.
Schedule it once a week / month as per your requirement. As per your initial tests, you can schedule it out of business hours say 10pm and by morning it is finished.
For action
- Action: Start a Program
- Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Argument: -ExecutionPolicy Bypass -File “D:\SyncScript\AzureFI.ps1”

That’s it!!! You can create similar scripts and change ConnectorName / RunProfileName and create tasks for each at particular times.

You will have a healthy sync engine for ADConnect.