
DG Conditions List / map available?

Is there a list/chart/map for the condition types specified in edsaDGConditionsList?

I can discern these after mapping the associated GUIDs to the objects in scope - what are the others?

0x1 equates to the OU/Scope of the dynamic group.

0x3 equates to Include explicitly

0x4 equates to Exclude explicitly

0x5 equates to Exclude Group Members

Parents
  • What exactly are you trying to accomplish by decrypting this? Perhaps there's some other guidance we might be able to provide.

  • I am on a skills development kick to return as much information as I can without invoking privilege from my workstation, or using AD Modules or ARS Commandlets - in a way I could share with partner/customer groups who have a need-to-know.

    The DGs that contain rules that specify include-by-group were returning incomplete results, so I took a look at the edsaDGConditionsList and noted the different hex conditions.

    Rather than provide an example of the formatted output, here's the method I'm using to get the basic membership rules associated with a dynamic group directly from AD.

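    # Read the dynamic group's rule XML from accountNameHistory with a plain LDAP search
    $search = "YOUR AD DYNAMIC GROUP NAME"
    $ADG = ([adsisearcher]"name=$search").findone().properties.accountnamehistory
    $XML = ([XML]($ADG)).DynamicGroupXML
    $ARS = $XML.conditions
    # Split on the characters ( [ | ] & ); the explicit [char[]] keeps PowerShell 7
    # from treating the argument as one literal delimiter string
    $RES = $ARS.replace("(!(","!").Split([char[]]'([|]&)')
    # Drop empty tokens and start each 0x1 (scope) entry on its own line
    $RES.where{($_ -ne '')}.replace("0x1;","`r`n0x1;")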

    To resolve a GUID in AD using the rules returned from above, I run this:

    # Take the GUID from the first 0x1 entry
    $ADGUID = $RES.where{($_ -match "0x1;")}.split(";")[1]
    # Escape each byte as \xx, the form an LDAP filter needs for the binary objectGUID
    $GUIDSCH = (([System.Guid]"$ADGUID").ToByteArray() | foreach { '\' + $_.ToString('x2') }) -join ''
    ([adsisearcher]"objectguid=$GUIDSCH").findone().properties.name
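
An added example (not code from the thread) that turns the `type;GUID` tokens produced by the snippet above into labelled records, each with an escaped objectGUID filter. The function name and sample tokens are hypothetical, and the token shape is assumed from the post's own splitting code.

```powershell
# Added example: function name and sample tokens are constructed, not from the thread.
# Labels cover only the four condition types identified in the question.
$ConditionLabels = @{
    0x1 = 'OU/scope of the dynamic group'
    0x3 = 'Include explicitly'
    0x4 = 'Exclude explicitly'
    0x5 = 'Exclude group members'
}

function ConvertFrom-DGConditionToken {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Token)
    process {
        # The post's snippet rewrites "(!(" to "!", so a token can start with "!".
        $negated = $Token.StartsWith('!')
        $parts   = $Token.TrimStart('!').Split(';')
        $guid    = [guid]::Empty
        if ($parts.Count -lt 2 -or $parts[0] -notmatch '^0x[0-9a-fA-F]{1,7}$' -or
            -not [guid]::TryParse($parts[1], [ref]$guid)) {
            Write-Warning "Skipping token that is not <type>;<GUID>: $Token"
            return
        }
        $code    = [Convert]::ToInt32($parts[0], 16)
        $meaning = 'not identified in this thread'
        if ($ConditionLabels.ContainsKey($code)) { $meaning = $ConditionLabels[$code] }
        # ToByteArray() returns the first three GUID fields little-endian, which is
        # the byte order objectGUID is stored in, so the bytes are escaped as-is.
        $escaped = ($guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
        [pscustomobject]@{
            Type       = $parts[0]
            Meaning    = $meaning
            Negated    = $negated
            Guid       = $guid
            LdapFilter = "(objectGUID=$escaped)"
        }
    }
}

# Constructed sample tokens (GUIDs are made up).
$tokens = '0x1;3f2504e0-4f89-11d3-9a0c-0305e82c3301',
          '!0x4;6f9619ff-8b86-d011-b42d-00c04fc964ff',
          '0x9;00000000-0000-0000-0000-000000000001',
          'not-a-condition'
$tokens | ConvertFrom-DGConditionToken | Format-List
```

Each `LdapFilter` value can be passed to `[adsisearcher]` as in the post to resolve the GUID to an object name.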
