So I've got a weird one I'm hoping somebody can help me figure out.
I have a PowerShell script to watch for changes via DirSync and, in onPostModify, validate the values of the managedBy attribute.
I've attached the script to a policy and selected the "Handle changes from DirSync control".
A shortened version of my script looks like so:
function onPostModify($Request)
{
    # I only care about changes that happened outside of ARS
    if ($Request.Parameter("RequestSource") -eq $Constants.EDST_MOD_SOURCE_AD) {
        # Only process requests for groups
        if ($Request.Class -ne "group") { return }
        # Only process changes to the managedBy attribute
        $managedByRequestItem = $Request.GetPropertyItem("managedBy", $Constants.ADSTYPE_DN_STRING)
        if ($managedByRequestItem -ne $null)
        {
            if ($managedByRequestItem.ControlCode -eq $Constants.ADS_PROPERTY_UPDATE)
            {
                # Validate the new value here
            }
        }
    }
}
The problem is that when a user changes the value via ADUC the request seems to appear as a DELETE operation with the old value in the request. I never see an UPDATE request or the new name anywhere, unless I query the object.
Here is a sample of the Request when I turn on debugging. The red text is the old value.
<------------------- $Request XML ------------------------>
<?xml version="1.0" encoding="utf-16"?>
<ModifyRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" dn="CN=groupa,OU=Managed Groups,DC=contoso,DC=com" xmlns="urn:schemas-quest-com:ActiveRolesServer">
<Attributes>
<Attribute name="managedBy" operation="Delete" type="String">
<Values>
<Value>CN=smith1,OU=users,DC=contoso,DC=com</Value>
</Values>
</Attribute>
<Attribute name="ADsPath" operation="Replace" type="String">
<Values>
<Value>LDAP://dc1.contoso.com:636/CN=groupa,OU=Managed Groups,DC=contoso,DC=com</Value>
</Values>
</Attribute>
</Attributes>
<Controls>
<Control id="13">
<Values>
<Value>dc1.contoso.com</Value>
</Values>
</Control>
</Controls>
</ModifyRequest>
<------------------- $Request XML ------------------------>
Am I missing something here? How do I catch the update request and check the new value?
I figured I'd ask here before I opened a ticket with support.
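For anyone auditing these debug dumps: the following is an added example (not code from the post, and not ActiveRoles' own API) that parses a $Request XML dump in the format shown above and tells you whether a given attribute's change carries a new value or, as in this case, only the old value under a Delete operation. The sample request is a constructed copy of the dump in the question.

```python
"""Classify attribute changes in an ActiveRoles $Request XML dump."""
import re
import xml.etree.ElementTree as ET

ARS_NS = "urn:schemas-quest-com:ActiveRolesServer"

# Constructed sample: the request dump from the question above.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="utf-16"?>
<ModifyRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    dn="CN=groupa,OU=Managed Groups,DC=contoso,DC=com"
    xmlns="urn:schemas-quest-com:ActiveRolesServer">
  <Attributes>
    <Attribute name="managedBy" operation="Delete" type="String">
      <Values><Value>CN=smith1,OU=users,DC=contoso,DC=com</Value></Values>
    </Attribute>
    <Attribute name="ADsPath" operation="Replace" type="String">
      <Values><Value>LDAP://dc1.contoso.com:636/CN=groupa,OU=Managed Groups,DC=contoso,DC=com</Value></Values>
    </Attribute>
  </Attributes>
</ModifyRequest>"""


def parse_request(xml_text):
    """Return (dn, [(attribute, operation, [values...]), ...])."""
    # The dump declares utf-16 but we hold it as text, so drop the
    # declaration before handing the document to the parser.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    changes = []
    for attr in root.iter(f"{{{ARS_NS}}}Attribute"):
        values = [v.text for v in attr.iter(f"{{{ARS_NS}}}Value")]
        changes.append((attr.get("name"), attr.get("operation"), values))
    return root.get("dn"), changes


def describe_change(changes, name="managedBy"):
    """Say what the request tells us about one attribute.

    'old-value-only' means the only operation seen was Delete: the request
    holds the previous value, and the new value is not in the request at all,
    so validating it requires reading the object itself.
    """
    ops = {op: vals for attr, op, vals in changes if attr == name}
    if not ops:
        return ("untouched", [])
    new_vals = [v for op, vals in ops.items() if op != "Delete" for v in vals]
    if new_vals:
        return ("new-value-present", new_vals)
    return ("old-value-only", ops.get("Delete", []))
```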