
DG Conditions List / map available?

Is there a list/chart/map for the Conditions types specified in edsaDGConditionsList?

I can discern these after mapping the associated GUIDs to the objects in scope - what are the others?

0x1 equates to the OU/Scope of the dynamic group.

0x3 equates to Include explicitly

0x4 equates to: Exclude explicitly

0x5 equates to: Exclude Group Members

  • What exactly are you trying to accomplish by decrypting this? Perhaps there's some other guidance we might be able to provide.

  • Followed a 2-year-old post from Johnny Quest - from the SDK

    The prior inquiry conversation Feb 2017

    Just 6?  I expected more ... 0x1 is include by query ...  I supposed 0x1 includes the scope of the DG, as it is included once for each OU my groups are scoped to.

    0x1: Include by query

    0x2: Exclude by query

    0x3: Include Explicitly

    0x4: Exclude Explicitly

    0x5: Include Group Members

    0x6: Exclude Group Members

  • I am on a skills development kick to return as much information as I can without invoking privilege from my workstation, or using AD Modules or ARS Commandlets - in a way I could share with partner/customer groups who have a need-to-know.

    The DGs that contain rules that specify include-by-group were returning incomplete results, so I took a look at the edsaDGConditionsList and noted the different hex conditions.

    Rather than provide an example of the formatted output, here's the method I'm using to get the basic membership rules associated with a dynamic group directly from AD.

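    # Name of the dynamic group to look up
    $search = "YOUR AD DYNAMIC GROUP NAME"
    # Read the group's accountNameHistory attribute, which this method parses as XML
    $ADG = ([adsisearcher]"name=$search").findone().properties.accountnamehistory
    $XML = ([XML]($ADG)).DynamicGroupXML
    $ARS = $XML.conditions
    # Split on each of the characters ( [ | ] & ). The explicit [char[]] is needed
    # because PowerShell 7 treats a bare string argument as one literal separator.
    $RES = $ARS.replace("(!(","!").Split([char[]]'([|]&)')
    # Drop empty tokens and start each 0x1 entry on a new line
    $RES.where{($_ -ne '')}.replace("0x1;","`r`n0x1;")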

    To resolve a GUID in AD using the rules returned from above - I run this

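    # Take the GUID (second ';'-separated field) from the first 0x1 entry
    $ADGUID = $RES.where{($_ -match "0x1;")}.split(";")[1]
    # Escape each GUID byte as \xx so it can be matched against the binary objectGUID
    $GUIDSCH = (([System.Guid]"$ADGUID").ToByteArray() | foreach { '\' + $_.ToString('x2') }) -join ''
    ([adsisearcher]"objectguid=$GUIDSCH").findone().properties.name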
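
Added example, not part of the original posts and not code from the SDK: a decoder that labels every `0xN;GUID` pair in a conditions string with the six type names quoted from the SDK earlier in this thread, and builds the escaped objectGUID filter for each without querying AD. The function names, the bracketed layout of `$sample` and its GUIDs are constructed for illustration; only the `type;GUID` pairing is taken from the thread.

```powershell
# Type codes as listed in the SDK excerpt quoted in this thread.
$ConditionTypes = @{
    0x1 = 'Include by query'
    0x2 = 'Exclude by query'
    0x3 = 'Include Explicitly'
    0x4 = 'Exclude Explicitly'
    0x5 = 'Include Group Members'
    0x6 = 'Exclude Group Members'
}

# Hypothetical helper: turn a GUID into an LDAP filter on the binary objectGUID.
function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() returns the same byte order the thread's own lookup uses.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    "(objectGUID=$escaped)"
}

# Hypothetical helper: extract and label every "0xN;GUID" pair in a conditions string.
function Get-DGConditionEntry {
    param([Parameter(Mandatory)][string]$Conditions)
    $pattern = '0x(?<type>[0-9a-fA-F]+);' +
               '(?<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'
    foreach ($m in [regex]::Matches($Conditions, $pattern)) {
        $code = [Convert]::ToInt32($m.Groups['type'].Value, 16)
        # Codes outside the six listed ones are reported, not silently dropped.
        $label = if ($ConditionTypes.ContainsKey($code)) { $ConditionTypes[$code] }
                 else { 'Unknown type' }
        [pscustomobject]@{
            Code       = '0x{0:x}' -f $code
            Meaning    = $label
            Guid       = $m.Groups['guid'].Value
            LdapFilter = ConvertTo-LdapGuidFilter -Guid $m.Groups['guid'].Value
        }
    }
}

# Constructed sample input: the layout and GUIDs are made up for this example.
$sample = '[0x1;11111111-2222-3333-4444-555555555555;(objectClass=user)]' +
          '[0x5;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee]' +
          '[0x9;01234567-89ab-cdef-0123-456789abcdef]'

Get-DGConditionEntry -Conditions $sample | Format-List
```

Each `LdapFilter` value can be passed to `[adsisearcher]` in place of the hand-built `objectguid=` string above.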