Open dbeugger opened 8 months ago
Sorry about the late response
That said, I cannot reproduce your issue. Did you make sure to reload the configuration? (The config files will not be automatically loaded again on Test- or Invoke- runs.
Either start a new console or run:
Import-Module ADMF -Force
My Object Categories
@{
Name = 'DomainController'
ObjectClass = 'computer'
Property = @('PrimaryGroupID')
TestScript = { $args[0].PrimaryGroupID -eq 517 }
LDAPFilter = '(&(objectCategory=computer)(primaryGroupID=516))'
}
TestScript filters to group id 517 and LDAP to 516. This should result in no Computer Group Memberships definition
@(
@{
ObjectCategory = "DomainController"
Group = "TestDc"
}
)
Group 'TestDc' does exist and is empty
PS Output:
PS1> Import-Module ADMF -Force
PS1> Get-AdmfContext
Name Version Weight Store Description
---- ------- ------ ----- -----------
Default 1.0.0 10 Adm Default AD Settings for ADM
PS1> Test-AdmfDomain -Ctx adm
[12:34:48][Resolve-DomainController] Resolved domain controller to use. Operating against WBF-V0540.adm.isceco.admin.ch
[12:34:53][Test-AdmfDomain] Skipping tests to verify OrganizationalUnits as there is no configuration data available
[12:34:53][Test-AdmfDomain] Executing tests to verify Groups against WBF-V0540.adm.isceco.admin.ch
[12:34:54][Test-AdmfDomain] Skipping tests to verify Users as there is no configuration data available
[12:34:54][Test-AdmfDomain] Skipping tests to verify ServiceAccounts as there is no configuration data available
[12:34:54][Test-AdmfDomain] Executing tests to verify GroupMembership against WBF-V0540.adm.isceco.admin.ch
[12:34:54][Test-AdmfDomain] Skipping tests to verify Acls as there is no configuration data available
[12:34:54][Test-AdmfDomain] Executing tests to verify AccessRules against WBF-V0540.adm.isceco.admin.ch
[12:34:59][Get-SchemaGuidMapping] Processing Schema Guids for domain: WBF-V0540.adm.isceco.admin.ch (This may take a while)
[12:35:14][Get-PermissionGuidMapping] Processing Permission Guids for domain: WBF-V0540.adm.isceco.admin.ch (This may take a while)
[12:35:18][Test-AdmfDomain] Skipping tests to verify PasswordPolicies as there is no configuration data available
[12:35:18][Test-AdmfDomain] Skipping tests to verify Object as there is no configuration data available
[12:35:18][Test-AdmfDomain] Skipping tests to verify WmiFilter as there is no configuration data available
[12:35:18][Test-AdmfDomain] Skipping tests to verify GroupPolicies as there is no configuration data available
[12:35:18][Test-AdmfDomain] Executing tests to verify GroupPolicyPermissions against WBF-V0540.adm.isceco.admin.ch
[12:35:21][Test-AdmfDomain] Skipping tests to verify GroupPolicyOwners as there is no configuration data available
[12:35:21][Test-AdmfDomain] Skipping tests to verify GroupPolicyLinks as there is no configuration data available
[12:35:21][Test-AdmfDomain] Skipping tests to verify DomainLevel as there is no configuration data available
Server Type ObjectType Identity Changed
------ ---- ---------- -------- -------
WBF-V0540.adm.isceco.admin.ch Add GroupMembership TestDc þ computer þ WBF-V0540$ {Add: WBF-V0540$ -> TestDc}
WBF-V0540.adm.isceco.admin.ch Update AccessRule DC=adm,DC=isceco,DC=admin,DC=ch {Create: S-1-1-0}
Heya @dbeugger , The TestScript and the LDAPFilter need to be applied in lockstep. Different components use ObjectCategories in a different matter, so some may use the TestScript while others use the LDAPFilter. It is not that both properties must be present, but so that the system can use whatever is more convenient from a performance perspective.
In case of group memberships, it uses the LDAPFilter to build a list of intended members, then compares it to the actual members, which is why you get that result.
Hi @FriedrichWeinmann I have found that you have to specify at least Name, ObjectClass and either Filter or LDAPFilter. My goal is to assign all users from different OU hierarchies to a single group. My ObjectCategory looks like this:
@{
Name = 'OC-User-T0-All'
ObjectClass = 'user'
Property = @('distinguishedName')
Filter = '*'
TestScript = { $args[0].distinguishedName -match 'OU=(TA|T0),DC=' }
}
However, this will assign all (more than 360) AD objects (container, organizationalUnit, group,...) to the group. This looks like ObjectClass and TestScript have no influence.
I have set that of ObjectClass to 'xx'. This gives the same result.
I have changed the FIlter to'objectCategory -eq "CN=Person,CN=Schema,CN=Configuration,%DomainDN%"'
. This results in 0 objects. If I replace %DomainDN% hardcoded, all user accounts (krbtgt, Guest, ....) are listed. TestScript still does not work.
I also tried a -LIKE with distinguishedName in the filter. But that doesn't seem to be supported by Get-AdObject.
Am I doing something wrong?
I have problems to get my own Object Categories working with TestScript. The logic in TestScript did not filter.
I tried your example
This way a got all DC's. Then i changed in TestScript the number to 517, I expected no DC, but i got all again. I changed it toTestScript = { $false }, the same result. Did I miss something?