Working on backup and restore scripts for Directory Manager

I am working on a script that will allow me to create a backup of our Directory Manager groups. I am having a hard time finding documentation that describes how to retrieve some of the necessary group properties using PowerShell. This is the command I am using to create groups. I was able to find some of the properties in the PowerShell documentation. I found others by looking at the property names in the ElasticVue metadata and using trial and error with the get-group and get-smartgroup commands. Can someone tell me how to retrieve the hardcoded properties: ObjectTypes, DataSourceUserName, DataSourcePassword, DataSourceName, TableOrView and DataSourceType?

        New-SmartGroup -SamAccountName $samAccountName `
                -Name $name `
                -OrganizationalUnit $ou `
                -GroupScope $groupScope `
                -Type $groupType `
                -SecurityType $groupSecurity `
                -SearchContainers $startPath `
                -ObjectTypes 'Users' `
                -Server $server `
                -DataSourceUserName 'username' `
                -DataSourcePassword 'password' `
                -DataSourceQuery $query `
                -DataSourceName 'DB' `
                -TableOrView 'DB.staff.Staff_curr_daily' `
                -KeyMapAD $newSmart.Imsgkeymapprovider `
                -KeyMapDB $newSmart.Imsgkeymapdb `
                -LdapFilter $ldapFilter `
                -DataSourceType 'Microsoft SQL Driver'
1 Like

The only required parameters are as follows:

  • SamAccountName
  • Name
  • OrganizationalUnit
  • GroupScope
  • Type
  • SecurityType

This is in the online documentation available here for this specific cmdlet:
New-SmartGroup

The specific parameters you are referring to are when you are establishing a smart group where a database is the referenced query. Is this smart group supposed to be a smart group from a database query? If not, then you would not need those properties which set the query parameters that are necessary to access an external database to determine membership. If the intention is just to create a regular group and not a smart group, you would use the New-Group cmdlet as documented here:
New-Group

We have a lot of smartgroups that use SQL queries to determine their membership. The script I am working on will be able to back up static groups as well as smartgroups. The code snippet I provided shows the minimum number of parameters necessary to recreate a smartgroup with functionality equivalent to the group that was backed up.

The following is an excerpt from the script I wrote to back up our production smartgroups to a csv file. In order to retrieve all of the information necessary to describe a smartGroup that uses a SQL query, I use the Get-SmartGroup cmdlet and pass a list of attributes to the AttributesToLoad parameter. Note that I was not able to find the “imsg” attributes documented anywhere. I discovered by trial and error that I could take the attributes listed in the Elasticvue metadata, pass them using the AttributesToLoad parameter and get most of what I need. Unfortunately, I have not been able to find a way to get some of the attributes describing a SQL smartgroup such as ObjectTypes, DataSourceUserName, DataSourcePassword, DataSourceName, TableOrView and DataSourceType.

$imsgAttributes = (
    'Domain',
    'DistinguishedName',
    "samaccountname",
    "grouptype",
    'ComputedGroupScope',
    'ComputedGroupType',
    'XGroupSecurity',
    "imsgstartpath",
    "imsgincludedisabledusers",
    "imsggroupenabled",
    "imsgcriteria",
    "imsgkeymapdb",
    "imsgexcludes",
    "imsgkeymapprovider",
    "imsggroupidconnectionstring",
    "imsggroupidstatement",
    "imsgincludes",
    "imsgscript",
    "imsgserverfilter",
    "imsgsearchservername",
    "imsgstorefilter",
    "imsgmanagedgrouptype",
    "imsgmembersupdatedon",
    "imsgmembersupdatedfrom",
    "imsgmembersupdatedstatus"
)

$smartGroups = @()

foreach ($group in $groups | Where-Object {$_.ManagedGroupType -eq 2}) {

    $criteria = Get-SmartGroup -Identity $group.SAMAccountName | Select-Object -ExpandProperty Criteria

    $smartGroup = Get-Object -Identity $group.SAMAccountName -AttributesToLoad $imsgAttributes
    $includes = ""
    $excludes = ""

    if ($smartGroup.imsgincludes -ne 'N/A') {
        
        $includes = ($smartGroup.imsgincludes | Get-ADUser | Select-Object -ExpandProperty SamAccountName) -join ','

    }

    if ($smartGroup.imsgexcludes -ne 'N/A') {
        
        $excludes = ($smartGroup.imsgexcludes | Get-ADUser | Select-Object -ExpandProperty SamAccountName) -join ','

    }

    $smartGroup | Add-Member -MemberType NoteProperty -Name Criteria -Value $criteria
    $smartGroup | Add-Member -MemberType NoteProperty -Name Includes -Value $includes
    $smartGroup | Add-Member -MemberType NoteProperty -Name Excludes -Value $excludes
    $smartGroups += $smartGroup

}

Hello Mark,

Apologies, as I was travelling. I will review your script and see how we can best guide you.

UPDATE: You are correct, these pseudo attributes are not in our documentation and I will take that as feedback for documentation improvements.

NOTE: We also found an error in looking into this as well in that some attributes are not exposed in the attribute collection. We will open a support ticket on your behalf so that we can address this. I will be handing off this to our support organization to communicate with you and provide a support ticket to track with. Thank you for your patience.

1 Like

Sounds good. Thanks Jonathan.

Hi Jonathan,

I upgraded to version 11.1.25199.02 and applied patch #391865 as advised by your support team. I am now able to use the get-object command. I am able to get ObjectType value using imsgObjectType but I am still unable to retrieve some of the information needed to recreate a smartgroup programmatically. Do you have documentation explaining how to retrieve DataSourceUserName, DataSourcePassword, DataSourceName, TableOrView and DataSourceType? I am able to retrieve the SQL connection string. Would it be possible to give that to new-smartgroup as a parameter? Unfortunately, this cmdlet isn’t very well documented.

Hello Mark, We’re in the process of testing. We appreciate your patience.

Daanish

Thanks Daanish.

Mark

Hello Mark,

I hope you are doing well.

I have reviewed your requirement to export information for the External Source–related GroupID pseudo attributes, such as ObjectTypes, DataSourceUserName, DataSourcePassword, DataSourceName, TableOrView, and DataSourceType.

In GroupID v11, the architecture has changed. Since data source connections are now created in the Admin Center, attributes such as DataSourcePassword, DataSourceName, and DataSourceUserName are no longer part of the object attributes in Elasticsearch. Instead, these attributes are now referenced in the SmartGroups by using the attribute imsgexternaldataproviderid.

That said, the remaining attributes related to External Sources are still present in Elasticsearch. I have updated and adjusted your previously shared query to account for the attributes that have changed.

Here is the updated script:

$imsgAttributes = @(
'targetaddress', 'msexchrecipienttypedetails', 'reporttooriginator', 'unauthorig', 'extensionattribute12', 'extensionattribute5', 'hidedlmembership', 'proxyaddresses', 'protocolsettings', 'objecttype', 'location', 'info', 'imsgstartpath', 'extensionattribute10', 'samaccountname', 'grouptype', 'imsggroupenabled', 'ismailbox', 'extensionattribute15', 'oofreplytooriginator', 'usncreated', 'whencreated', 'computedmanagedtype', 'extensionattribute1', 'ComputedGroupType', 'cn', 'msexchhidefromaddresslists', 'msexchrequireauthtosendto', 'distinguishedname', 'submissioncontlength', 'DistinguishedName', 'dlmemrejectperms', 'modifytimestamp', 'extensionattribute2', 'XGroupSecurity', 'authorigbl', 'imsgserverfilter', 'extensionattribute8', 'mdboverhardquotalimit', 'msexchhomeservername', 'delivcontlength', 'extensionattribute14', 'company', 'extensionattribute7', 'displayname', 'department', 'imsgexternaldataproviderid', 'imsgstorefilter', 'usnchanged', 'managedobjects', 'displaynameprintable', 'imsgcriteria', 'imsgmembersupdatedstatus', 'objectclass', 'Domain', 'managercanupdatemembershiplist', 'extensionattribute3', 'primarygrouptoken', 'authorig', 'lastknownparent', 'imsgexcludes', 'isrecycled', 'managedby', 'domain', 'imsggroupidconnectionstring', 'reporttoowner', 'extensionattribute6', 'forwardingaddress', 'extensionattribute11', 'imsgkeymapdb', 'xwhenchanged', 'member', 'isdeleted', 'msexchremoterecipienttype', 'mdbstoragequota', 'canonicalname', 'imsgmembersupdatedfrom', 'computedgrouptype', 'memberof', 'imsgincludedisabledusers', 'xgroupsecurity', 'mail', 'description', 'mdbusedefaults', 'xgroupexpirationpolicy', 'admindescription', 'objectcategory', 'imsgincludes', 'extensionattribute13', 'whenchanged', 'extensionattribute9', 'mailnickname', 'msexchcomanagedbylink', 'ComputedGroupScope', 'mdboverquotalimit', 'imsggroupidversion', 'ca_ismailenabledgroup', 'imgisexpired', 'imgisdeleted', 'createtimestamp', 'iscriticalsystemobject', 'imsgsearchservername', 
'ismailenabled', 'name', 'msexchreciplimit', 'xgroupexpirationdate', 'wwwhomepage', 'imsgobjecttypes', 'objectsid', 'imsgkeymapprovider', 'msexchrecipientdisplaytype', 'imsggroupidstatement', 'legacyexchangedn', 'computedgroupscope', 'dlmemsubmitperms', 'msexchexpansionservername', 'showinaddressbook', 'imsgcreatedinversion', 'imsgscript', 'extensionattribute4', 'samaccounttype', 'imsgmanagedgrouptype', 'imsgmembersupdatedon', 'container', 'objectguid', 'owner', 'xadditionalowner'
)


$smartGroups = @()

foreach ($group in Get-Group -SmartFilter "(IMSGManagedGroupType=2)" -MaxItemsToDisplay 0) {

    # Criteria is read with Get-SmartGroup, as in the earlier excerpt
    $criteria = Get-SmartGroup -Identity $group.SAMAccountName | Select-Object -ExpandProperty Criteria

    $smartGroup = Get-Object -Identity $group.SAMAccountName -AttributesToLoad $imsgAttributes

    # Parenthesize the pipeline so -join applies to its output, not to ForEach-Object
    $includes = if ($smartGroup.imsgincludes) {
        ($smartGroup.imsgincludes | ForEach-Object {
            $dn = $_   # inside catch, $_ is the error record, so keep the input value
            try { (Get-User -Identity $dn).sAMAccountName } catch { "$dn (unresolved)" }
        }) -join ","
    }

    $excludes = if ($smartGroup.imsgexcludes) {
        ($smartGroup.imsgexcludes | ForEach-Object {
            $dn = $_
            try { (Get-User -Identity $dn).sAMAccountName } catch { "$dn (unresolved)" }
        }) -join ","
    }

    $smartGroup | Add-Member -MemberType NoteProperty -Name "Criteria" -Value $criteria
    $smartGroup | Add-Member -MemberType NoteProperty -Name "Includes" -Value $includes
    $smartGroup | Add-Member -MemberType NoteProperty -Name "Excludes" -Value $excludes

    $smartGroups += $smartGroup

}

$smartGroups | Export-Csv -Path "C:\SmartGroup_Export.csv" -NoTypeInformation

Please let us know if this works for you or if you have any further questions or concerns.

Thanks,

Turab
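
The export above writes every loaded attribute, including imsggroupidconnectionstring, to the CSV as retrieved. As an added example (not part of the thread or the vendor's code), the following masks any password in that value and restricts the file to the current user before writing. It assumes an ordinary key=value connection string; the sample object, `Protect-ConnectionString` and the output path are constructed for illustration.

```powershell
# Added example. Assumption: the attribute holds an ordinary "key=value;..." string.
function Protect-ConnectionString {
    param([string]$ConnectionString)
    # Value forms: 'single quoted', "double quoted", {ODBC braces}, or bare up to ';'
    $pattern = '(?i)\b(password|pwd)\s*=\s*(''[^'']*''|"[^"]*"|\{[^}]*\}|[^;]*)'
    [regex]::Replace($ConnectionString, $pattern, '$1=***REDACTED***')
}

# Constructed sample standing in for the $smartGroups collection built above.
$smartGroups = @(
    [pscustomobject]@{
        samaccountname              = 'SG-Staff'
        imsggroupidconnectionstring = 'Server=sql01;Database=DB;User ID=svc_gid;Password="p;w"'
    }
)

$attr = 'imsggroupidconnectionstring'
$redacted = foreach ($g in $smartGroups) {
    $copy = $g | Select-Object *   # copy, so the in-memory object keeps its value
    $copy.$attr = Protect-ConnectionString $copy.$attr
    $copy
}

# Create the file empty, restrict it to the current user, then write the data.
$path = Join-Path $env:TEMP 'SmartGroup_Export.csv'   # hypothetical location
New-Item -Path $path -ItemType File -Force | Out-Null
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)            # drop inherited entries
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

$redacted | Export-Csv -Path $path -NoTypeInformation
```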

Thanks Turab! I’ll update the thread once I have had a chance to get back to this. On a side note, I set up ElasticVue on the version 11 server but I don’t have the username/password. Can you give that to me?

Hi Mark, the support team will connect with you soon to help with your Elastic questions.

Hello Mark, Turab has shared the requested information with you via the Support ticket. Please let us know if you have any questions or need further assistance.

1 Like

Turab helped me get Elasticvue set up.

Thanks @daanish.sayyed

1 Like