Active Directory Construct File
The constructs.xml file lets you define rules for generating group attribute values in Active Directory. The rules below define the constructs for two constructnames: default (the fallback used when none is specified) and distributiongroup.
For constructname default, the name is generated from displayNamePrintable and the first three letters of location. If that name already exists in Active Directory, the samaccountname and name are instead generated from displayNamePrintable and location with a sequence number appended.
<?xml version="1.0" encoding="utf-8"?>
<constructs>
  <activity function="New-ZPADGroup" constructname="default">
    <configuration>
      <path value="OU=Groups,OU=Test,DC=DEV,DC=LOCAL" />
    </configuration>
    <construct attribute="name" unique="true">
      <rule>('grp-{0}-{1}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable)).tolower()</rule>
      <rule>foreach ($i in 1..100) { ('grp-{0}-{1}-{2}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable),$i).tolower() }</rule>
    </construct>
  </activity>
  <activity function="New-ZPADGroup" constructname="distributiongroup">
    <configuration>
      <path value="OU=Groups,OU=Test,DC=DEV,DC=LOCAL" />
    </configuration>
    <construct attribute="name" unique="true">
      <rule>('dl-{0}-{1}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable)).tolower()</rule>
      <rule>foreach ($i in 1..100) { ('dl-{0}-{1}-{2}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable),$i).tolower() }</rule>
    </construct>
    <construct attribute="mail" unique="true">
      <rule>('dl-{0}-{1}@example.com' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable)).tolower()</rule>
      <rule>foreach ($i in 1..100) { ('dl-{0}-{1}-{2}@example.com' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable),$i).tolower() }</rule>
    </construct>
  </activity>
</constructs>
Activity Rule (construct child element)
Rules are written as PowerShell code and generate candidate values for the specified attribute. Each rule can produce one or more values; the values are tried in order until one is found that satisfies the specified uniqueness requirement.
You may use $Parameters, which is a hashtable filled with all input parameters, and you may also use $
An activity consists of two attributes (function and constructname) and two possible child elements (construct and configuration).
.EXAMPLE
Generate new group names from rules in constructs.xml:
".\Provider extensions\Active Directory\Shared modules\ActiveDirectory\constructs.xml"
New-ZPADGroup `
-Config $config `
-Description "A Test Group" `
-DisplayName "Test Group" `
-GroupCategory Security `
-GroupScope Global `
-HomePage www.testgroup.local `
-Parameters @{displayNamePrintable="Contoso";location="Florida"} `
-ConstructName default
.EXAMPLE
Generate new distribution groups from rules in constructs.xml:
".\Provider extensions\Active Directory\Shared modules\ActiveDirectory\constructs.xml"
New-ZPADGroup `
-Config $config `
-Description "A Test Group" `
-DisplayName "Test Group" `
-GroupCategory Distribution `
-GroupScope Universal `
-HomePage www.testgroup.local `
-Parameters @{displayNamePrintable="Contoso";location="Florida"} `
-ConstructName distributiongroup
Function and Construct Name (activity attributes)
Together they select which construct rules to use.
Function should for now always be New-ZPADGroup; in the future more functions will be supported.
Constructname can be any string, but should preferably describe the usage (for example distributionlist or software).
<activity function="New-ZPADGroup" constructname="distributiongroup">
Configuration (activity child element)
Currently only path can be configured. It is overridden if path is supplied as an input parameter.
<configuration>
  <path value="OU=Groups,OU=Test,DC=DEV,DC=LOCAL" />
</configuration>
Construct (activity child element)
A construct consists of three attributes (attribute, unique and blacklistpath) and one child element (rule).
- Attribute - Specifies the attribute whose value is constructed.
- Unique - Specifies whether the generated value must be unique across the domain. It is also possible to specify "ou", which only verifies that the value does not exist in the configured path.
- Blacklistpath - Optionally points to a file of "blacklist" words that prevent certain combinations from being generated. This attribute can be added to every construct. In the example above the file points to a blacklist.txt located in the module directory, but it can be placed anywhere the backend account can access it. One blacklist word per line; * can be used as a wildcard.
Blacklist.txt
*inappropriate*
obscene*
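As an added example (not code from the ZPADGroup module), the following PowerShell replays the rule evaluation, uniqueness check and blacklist filtering described in the Activity Rule and Construct sections above, using the default construct and the two blacklist patterns. Convertto-PFFriendlyCharacter is a stand-in (the module's real implementation is not shown), and -Existing stands in for the directory lookup.

```powershell
# Added example, not code from the ZPADGroup module: replays the construct logic the page
# describes. Each <rule> is PowerShell code evaluated with $Parameters in scope; the values
# it yields are tried in order against existing values and the blacklist patterns.
function Convertto-PFFriendlyCharacter {
    # Assumption: the module's real function is not shown; this stand-in keeps [A-Za-z0-9-].
    param([string]$string)
    return ($string -replace '[^A-Za-z0-9-]', '')
}

function Resolve-ConstructValue {
    param(
        [Parameter(Mandatory)][xml]$Constructs,
        [Parameter(Mandatory)][string]$ConstructName,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][hashtable]$Parameters,
        [string[]]$Existing  = @(),   # values already in AD (stands in for the directory lookup)
        [string[]]$Blacklist = @()    # one wildcard pattern per entry, as in blacklist.txt
    )
    $activity  = @($Constructs.constructs.activity) | Where-Object { $_.constructname -eq $ConstructName }
    if (-not $activity) { throw "No activity with constructname '$ConstructName'" }
    $construct = @($activity.construct) | Where-Object { $_.attribute -eq $Attribute }
    if (-not $construct) { throw "No construct for attribute '$Attribute' in '$ConstructName'" }

    foreach ($rule in @($construct.rule)) {
        # The rule text is executed as code, so write access to constructs.xml equals code execution
        # as the backend account; keep the file's ACL as tight as the module's own scripts.
        foreach ($candidate in @(& ([scriptblock]::Create($rule)))) {
            if ($Existing -contains $candidate) { continue }                              # taken: try next
            if (@($Blacklist | Where-Object { $candidate -like $_ }).Count) { continue }  # blocked word
            return $candidate
        }
    }
    throw "All rules exhausted without a unique, non-blacklisted value for '$Attribute'"
}

# Constructed sample: the 'default' construct from above, with the base name and -1 already taken.
$sample = [xml]@'
<constructs>
  <activity function="New-ZPADGroup" constructname="default">
    <construct attribute="name" unique="true">
      <rule>('grp-{0}-{1}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable)).tolower()</rule>
      <rule>foreach ($i in 1..100) { ('grp-{0}-{1}-{2}' -f ($Parameters.location).substring(0,3),$(Convertto-PFFriendlyCharacter -string $Parameters.displayNamePrintable),$i).tolower() }</rule>
    </construct>
  </activity>
</constructs>
'@
Resolve-ConstructValue -Constructs $sample -ConstructName default -Attribute name `
    -Parameters @{displayNamePrintable='Contoso';location='Florida'} `
    -Existing 'grp-flo-contoso','grp-flo-contoso-1' -Blacklist '*inappropriate*','obscene*'
```

Because the first rule's value and the first sequenced value are both listed as existing, the call falls through to the second rule and returns its first free candidate.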