Hi,
I realize that this would be unsupported stuff, but I was hoping an ARS developer can shed some light on the dynamic group membership rules stored in the <DynamicGroupXML> tag in accountNameHistory of the group object.
I couldn't find any documentation on a method (cmdlet, script, etc.) to dump the group membership rules in ARS, so I wrote a script to parse out the accountNameHistory attribute on the group objects. For the most part, I get the rules parsed out OK, but I am unable to determine what OU base (searchroot) the LDAP is searching from. Where is this information stored? It does not appear in any of the attributes, so I assumed it would be in the GUID for the query.
In an "Exclude/Include by Query" (0x1,0x2), I assumed the GUID specified referred to the objectGUID of the OU object (seen as "JUST" in the picture above), but the GUID does not seem to resolve to anything (see example below). So... tried searching the ARS database and found tons of references to WfSharedTasks and WfSharedOperations, but nothing too useful to indicate searchroot. Darn!
For example:
<?xml version="1.0"?>
<DynamicGroupXML Conditions="
[0x2;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Exclude by query, GUIDs are a mystery! nay!
[0x1;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Include by query, GUIDs are a mystery! nay!
[0x5;99b0e558-be46-43eb-80cb-72550b4235f3;] <--- Explicitly exclude user, GUIDs resolve to actual users, yay!
[0x4;995dafc1-cb59-4a5d-b25a-2b51d24fcce2;] <--- Explicitly include user, GUIDs resolve to actual users, yay!
[DG]" OriginatingService="97fd9b18-6024-4b74-936d-10efb2513c1b" TimeStamp="2013-06-24T09:00:01.0977348Z" HasNestedGroups="FALSE"/>
Any info to shed light on dumping membership rules would be much appreciated!!
Thanks!
Chris
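
Added example, not part of the original post and not ARS code: a Python parser for the [type;GUID;filter] rule list in the Conditions attribute, using the rule-type codes listed in the post. It assumes the LDAP filters are XML-escaped in the stored value; the sample input is constructed, and the GUID on query rules is kept as an opaque value because the post leaves its meaning unresolved.

```python
import re
import xml.etree.ElementTree as ET

# Rule-type codes as labelled in the post; any other code is reported as unknown.
RULE_TYPES = {0x1: "include by query", 0x2: "exclude by query",
              0x4: "include explicitly", 0x5: "exclude explicitly"}

# One rule is [type;guid;filter]. The filter may be empty; it runs to the "]"
# that is followed by the next "[" or by the end of the attribute value.
RULE_RE = re.compile(
    r"\[(0x[0-9A-Fa-f]+);"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12});"
    r"(.*?)\](?=\s*(?:\[|$))", re.DOTALL)

def parse_dynamic_group(xml_text):
    """Return the membership rules held in a DynamicGroupXML value."""
    root = ET.fromstring(xml_text)
    if root.tag != "DynamicGroupXML":
        raise ValueError("not a DynamicGroupXML document: %s" % root.tag)
    conditions = root.get("Conditions", "")
    rules = []
    for m in RULE_RE.finditer(conditions):
        code = int(m.group(1), 16)
        rules.append({
            "type": RULE_TYPES.get(code, "unknown (0x%x)" % code),
            "guid": m.group(2).lower(),   # kept opaque: not resolved here
            "filter": m.group(3).strip() or None,
        })
    # Anything left besides the trailing [DG] marker means a rule was skipped.
    leftover = RULE_RE.sub("", conditions).replace("[DG]", "").strip()
    if leftover:
        raise ValueError("unparsed rule text: %r" % leftover)
    return rules

# Constructed sample: GUIDs, filters and timestamp are made up for illustration.
SAMPLE = """<?xml version="1.0"?>
<DynamicGroupXML Conditions="
[0x2;11111111-1111-1111-1111-111111111111;(&amp;(objectClass=user)(department=Temp*))]
[0x1;11111111-1111-1111-1111-111111111111;(&amp;(objectClass=user)(title=*Engineer*))]
[0x5;22222222-2222-2222-2222-222222222222;]
[0x4;33333333-3333-3333-3333-333333333333;]
[DG]" OriginatingService="44444444-4444-4444-4444-444444444444"
 TimeStamp="2013-01-01T00:00:00Z" HasNestedGroups="FALSE"/>"""

if __name__ == "__main__":
    for rule in parse_dynamic_group(SAMPLE):
        print("%-20s %s  %s" % (rule["type"], rule["guid"], rule["filter"] or "-"))
```

Raising on leftover text makes a rule the pattern does not recognise visible instead of silently dropping it from an audit of group membership.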