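<#
Title: ad3_managed_group_unnested_syncs.ps1
Authors: Dean Bunn
Inspired By: Ben Clark
Last Edit: 2025-01-24

Purpose:
 For each configured AD3 managed "unnested" group, flatten the recursive
 membership of its source (nested) groups down to AD3 UCD user accounts and
 submit ADD / REMOVE membership changes through the uInform API so the
 unnested group mirrors the flattened source membership.

Fail-closed behaviour:
 A source group that cannot be resolved (LDAP path not found, or the
 GroupPrincipal lookup returns $null) marks the target group as unsyncable
 for this run and no changes are submitted for it. Treating an unresolved
 source as "empty" would otherwise remove every current member of the
 unnested group. The uInform API keys are also both validated before any
 change is submitted (the previous check tested the public key twice).
#>

#Import Custom uInform API Module
Import-Module .\uInformAPI.psm1

#Custom Object for UC Davis API Information
$global:UCDAPIInfo = New-Object PSObject -Property (@{ uinform_public_key=""; uinform_private_key=""; uinform_url_base=""; });

#Load Public and Private Keys for uInform API Access (pulled from the secret vault at run time, never stored in source)
$UCDAPIInfo.uinform_public_key  = Get-Secret -Name "uInformAPI-Pubkey" -AsPlainText -Vault UCDAccounts;
$UCDAPIInfo.uinform_private_key = Get-Secret -Name "uInformAPI-Pvtkey" -AsPlainText -Vault UCDAccounts;
$UCDAPIInfo.uinform_url_base    = "https://ws.uinform.ucdavis.edu/";

#Both Keys Must Be Present Before Any Membership Change Is Submitted
[bool]$blnAPIKeysLoaded = ([string]::IsNullOrEmpty($UCDAPIInfo.uinform_public_key) -eq $false) -and ([string]::IsNullOrEmpty($UCDAPIInfo.uinform_private_key) -eq $false);

#Array of Custom AD Unnested Group Settings
$arrADUnnestedGrpSyncs = @();

#Custom Object for AD3 Managed Unnested Group
$cstAD3UnnestMngdGrp1 = New-Object PSObject -Property (@{ AD3_Unnested_Grp_GUID="c462cf19-195a-4071-8273-02277b426a17";
                                                          AD3_Unnested_Grp_Name="COE-SW-Empire";
                                                          SRC_Nested_Groups_GUIDs=@("23e83beb-f5d6-476a-b1c7-505da5a9d0ad",
                                                                                    "5f5701c5-a2dc-4848-bada-621b9f30cfca");
                                                        });

#Add Custom AD3 Managed Unnested Groups to Sync Array
$arrADUnnestedGrpSyncs += $cstAD3UnnestMngdGrp1;

<#Example of How to Add Additional Unnested Groups to Sync Array.
$cstAD3UnnestMngdGrp2 = New-Object PSObject -Property (@{ AD3_Unnested_Grp_GUID="23e83beb-f5d6-476a-b1c7-505da5a9d0ad";
                                                          AD3_Unnested_Grp_Name="COE-SW-Republic";
                                                          SRC_Nested_Groups_GUIDs=@("b4961625-87fc-4aec-bc72-7201880b2e79");
                                                        });
$arrADUnnestedGrpSyncs += $cstAD3UnnestMngdGrp2;
#>

#Initiate Principal Contexts for Both AD3 and OU Domains
$prctxAD3 = New-Object DirectoryServices.AccountManagement.PrincipalContext([DirectoryServices.AccountManagement.ContextType]::Domain,"AD3","DC=AD3,DC=UCDAVIS,DC=EDU");
$prctxOU  = New-Object DirectoryServices.AccountManagement.PrincipalContext([DirectoryServices.AccountManagement.ContextType]::Domain,"OU","DC=OU,DC=AD3,DC=UCDAVIS,DC=EDU");

#Var for UCD Users DN Partial (only accounts whose DN ends with this are synced)
[string]$ucdUsersDNPartial = ",ou=ucdusers,dc=ad3,dc=ucdavis,dc=edu";

#Var for LDAP Path Prefix Used to Bind to a Group by Its AD GUID
[string]$ldapGUIDPathPrefix = "LDAP://ad3.ucdavis.edu/<GUID=";

function Get-SyncGroupPrincipal
{
    <#
    .SYNOPSIS
     Resolves the GroupPrincipal for a group DN, using the OU principal
     context when the DN contains "dc=ou," and the AD3 context otherwise.
    .PARAMETER GroupDN
     Distinguished name of the group to resolve.
    .OUTPUTS
     DirectoryServices.AccountManagement.GroupPrincipal, or $null when
     FindByIdentity does not return a match.
    #>
    param([Parameter(Mandatory=$true)][string]$GroupDN)

    if($GroupDN.ToLower().Contains("dc=ou,") -eq $true)
    {
        return [DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($prctxOU, [DirectoryServices.AccountManagement.IdentityType]::DistinguishedName, $GroupDN);
    }

    return [DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($prctxAD3, [DirectoryServices.AccountManagement.IdentityType]::DistinguishedName, $GroupDN);
}

foreach($cstAUGS in $arrADUnnestedGrpSyncs)
{
    #Hash Table for Source Groups Members GUIDs (flattened and de-duplicated)
    $htSrcGrpMbrGUIDs = @{};
    #Hash Table for Members to Remove from AD Group
    $htMTRFG = @{};
    #HashTable for Members to Add to AD Group
    $htMTATG = @{};
    #Flag Set When Any Source Group Could Not Be Resolved; an unresolved source
    #must not be treated as empty or every current member would be removed
    [bool]$blnSrcGrpLookupFailed = $false;

    foreach($srcGrpGUID in $cstAUGS.SRC_Nested_Groups_GUIDs)
    {
        #Var for Sync Source Group's LDAP Path Based Upon AD GUID
        [string]$grpLDAPPathSSG = $ldapGUIDPathPrefix + $srcGrpGUID + ">";

        #Check for LDAP Path Before Pulling Group
        if([DirectoryServices.DirectoryEntry]::Exists($grpLDAPPathSSG) -ne $true)
        {
            Write-Warning ("Source group " + $srcGrpGUID + " for " + $cstAUGS.AD3_Unnested_Grp_Name + " was not found; sync of this group will be skipped");
            $blnSrcGrpLookupFailed = $true;
            continue;
        }

        #Initiate Directory Entry for Source Group
        $deADGroupSSG = New-Object DirectoryServices.DirectoryEntry($grpLDAPPathSSG);
        try
        {
            #Var for Group's DN
            [string]$grpDNSSG = $deADGroupSSG.Properties["distinguishedname"][0].ToString();

            #Configure Group Principal Based Upon Domain of Source Group
            $grpPrincipalSSG = Get-SyncGroupPrincipal -GroupDN $grpDNSSG;

            if($null -eq $grpPrincipalSSG)
            {
                Write-Warning ("Source group " + $grpDNSSG + " could not be resolved to a GroupPrincipal; sync of " + $cstAUGS.AD3_Unnested_Grp_Name + " will be skipped");
                $blnSrcGrpLookupFailed = $true;
                continue;
            }

            #Check Membership Count of Sync Source Group
            if($grpPrincipalSSG.Members.Count -gt 0)
            {
                #Pull All Nested Membership for the Group
                foreach($ssgMbr in $grpPrincipalSSG.GetMembers($true))
                {
                    #Cast Guards Against Members With No DN (would otherwise throw on .ToString())
                    [string]$mbrDN = [string]$ssgMbr.DistinguishedName;

                    #Only Sync AD3 UCD Users
                    if($mbrDN.ToLower().EndsWith($ucdUsersDNPartial) -eq $true)
                    {
                        #Indexer Assignment De-duplicates Without a Separate ContainsKey Check
                        $htSrcGrpMbrGUIDs[$ssgMbr.Guid.ToString()] = "1";
                    }
                    else
                    {
                        Write-Output "User account is not meant for this sync tool";
                    }
                }#End of Source Group Membership Foreach
            }#End of Membership Count Check on Sync Source Group
        }
        finally
        {
            #Close out Directory Entry for Source Group
            $deADGroupSSG.Close();
        }
    }#End of Source Nested Groups GUIDs Foreach

    #Do Not Touch the Unnested Group When the Source Membership Could Not Be Fully Determined
    if($blnSrcGrpLookupFailed -eq $true)
    {
        continue;
    }

    #Var for LDAP Path of Unnested Group
    [string]$grpLDAPPathUNN = $ldapGUIDPathPrefix + $cstAUGS.AD3_Unnested_Grp_GUID + ">";

    #Check LDAP Path of Unnested Group
    if([DirectoryServices.DirectoryEntry]::Exists($grpLDAPPathUNN) -ne $true)
    {
        Write-Warning ("Unnested group " + $cstAUGS.AD3_Unnested_Grp_Name + " (" + $cstAUGS.AD3_Unnested_Grp_GUID + ") was not found; no changes submitted");
        continue;
    }

    #Initiate Directory Entry for Unnested Group
    $deADGroupUNN = New-Object DirectoryServices.DirectoryEntry($grpLDAPPathUNN);
    try
    {
        #Var for Group's DN
        [string]$grpDNUNN = $deADGroupUNN.Properties["distinguishedname"][0].ToString();

        #Configure Group Principal Based Upon Domain of Unnested Group
        $grpPrincipalUNN = Get-SyncGroupPrincipal -GroupDN $grpDNUNN;

        if($null -eq $grpPrincipalUNN)
        {
            Write-Warning ("Unnested group " + $grpDNUNN + " could not be resolved to a GroupPrincipal; no changes submitted");
            continue;
        }

        #Check Membership Count of Unnested Group
        if($grpPrincipalUNN.Members.Count -gt 0)
        {
            #Load Current Direct Members Into Remove Hash Table
            foreach($unnMbr in $grpPrincipalUNN.GetMembers($false))
            {
                $htMTRFG[$unnMbr.Guid.ToString()] = "1";
            }#End of Unnested Group Membership Foreach
        }#End of Membership Count Check on Unnested Group

        #Determine Which Users to Remove or Add Using Source Group(s) Members
        foreach($dsGUID in $htSrcGrpMbrGUIDs.Keys)
        {
            if($htMTRFG.ContainsKey($dsGUID) -eq $true)
            {
                #Existing Member Still Present in Source Listing; keep them
                $htMTRFG.Remove($dsGUID);
            }
            else
            {
                #Source Member Not Yet in Unnested Group; add them
                $htMTATG[$dsGUID.ToString()] = "1";
            }
        }#End of Data Source Members Add or Remove Checks

        if($blnAPIKeysLoaded -eq $true)
        {
            #Submit Remove Member Requests to uInform API
            foreach($mtrfg in $htMTRFG.Keys)
            {
                Submit-uInformAPIAD3ManagedGroupMembershipChange -GroupGUID $cstAUGS.AD3_Unnested_Grp_GUID -MembershipAction "REMOVE" -MemberGUID $mtrfg.ToString();
            }#End of $htMTRFG.Keys Foreach

            #Submit Add Member Requests to uInform API
            foreach($mtatg in $htMTATG.Keys)
            {
                Submit-uInformAPIAD3ManagedGroupMembershipChange -GroupGUID $cstAUGS.AD3_Unnested_Grp_GUID -MembershipAction "ADD" -MemberGUID $mtatg.ToString();
            }#End of $htMTATG.Keys Foreach
        }
        else
        {
            Write-Warning "uInform API public and/or private key is not loaded; no membership changes submitted";
        }
    }
    finally
    {
        #Close Out Directory Entry for Unnested Group
        $deADGroupUNN.Close();
    }
}#End of $arrADUnnestedGrpSyncs Foreach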