Read the OCS msRTCSIP-UserPolicy Attribute with PowerShell

How to read the OCS msRTCSIP-UserPolicy attribute with PowerShell. Everyone seems to have a problem figuring this one out. No surprise, it's not well documented. I've already shown how to read the msRTCSIP-UserPolicy attribute with Perl and VBScript, so here's how to do it in PowerShell.

Each OCS policy is stored in an Active Directory object whose policy-content attribute holds an XML snippet with the name of the policy and the policy settings. An OCS policy can be one of three types: meeting, voice, or presence.

When you edit a user's OCS settings and select a meeting policy for that user, a reference to that policy (and references to any voice or presence policies also selected for that user) is stored in the user's msRTCSIP-UserPolicy attribute. What gets written to the attribute depends on how many policies are selected for the user. If just one policy is selected, a DNWithBinary object reference is written to the attribute. If more than one policy is selected, an array of DNWithBinary object references is written to the attribute.

The DNWithBinary object has two properties: BinaryValue and DNString. In the case of OCS policy references, the BinaryValue contains a bit mask that signifies the policy type, where 01000000 = Meeting Policy, 02000000 = Voice Policy, and 04000000 = Presence Policy. The DNString contains the distinguished name of the actual policy object in Active Directory.

In Perl or VBScript (languages that can access COM directly), the script has no problem accessing the properties of the DNWithBinary object with the familiar syntax (e.g. policy.DNString), because COM has a typelib describing the DNWithBinary object. However, PowerShell doesn't access COM directly. It uses .NET Interop, and the Interop library lacks the definition for DNWithBinary. So we have to help PowerShell access those properties with some special syntax (you can't miss it, it sticks out like a sore thumb).

The script connects to the user object using System.DirectoryServices and gets the msRTCSIP-UserPolicy attribute. Then, for each policy in the set, it gets the BinaryValue to figure out the policy type and gets the DNString. It then uses the DNString to connect to the policy object, gets the XML from the policy-content attribute, and digs out the name of the policy.

All that to display the name and type of each OCS policy applied to the user.

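# Bind to the user object (replace the DN with the user to inspect)
$user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=myUser,CN=Users,DC=myDomain,DC=com")
# Keys are the BinaryValue bytes concatenated as decimal strings (01 00 00 00 -> "1000")
$policyType=@{"1000" = "`t    Meeting Policy"; "2000" = "`t      Voice Policy"; "4000" = "`t   Presence Policy";}
"`nReading msRTCSIP-UserPolicy attribute for " + $user.displayName + "`n"
# Returns one DNWithBinary reference, or an array of them
$policies = $user.Get("msRTCSIP-UserPolicy")
foreach($policy in $policies){
 # DNWithBinary has no Interop definition, so read its properties by late binding
 $policyDN = [System.__ComObject].InvokeMember("DNString",[System.Reflection.BindingFlags]::GetProperty,$null,$policy,$null)
 $policyBIN = [System.__ComObject].InvokeMember("BinaryValue",[System.Reflection.BindingFlags]::GetProperty,$null,$policy,$null)
 # Reset for each policy, otherwise bytes left over from the previous one break the lookup
 $bits = ""
 foreach ($byte in $policyBIN){ $bits=$bits + [string] $byte }
 # Bind to the policy object and dig the policy name out of its XML
 $policyObj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $policyDN)
 $policyName=([xml] $policyObj.Get("msrtcsip-policycontent"))[0].InnerText
 "$($policyType[$bits]):  $policyName"
}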


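The same policy references also have an LDAP string form, B:<hex digit count>:<hex digits>:<DN> (as seen, for example, in an LDIF export), which can be decoded without COM late binding. The following is an added example, not part of the original post: it parses that string form using the type codes listed above. The function name and the sample values are constructed for illustration.

```powershell
# Added example: decode DNWithBinary values given in their LDAP string form.
# Type codes are the ones listed in the article; everything else is constructed.
$policyTypes = @{
    '01000000' = 'Meeting Policy'
    '02000000' = 'Voice Policy'
    '04000000' = 'Presence Policy'
}

function ConvertFrom-DnWithBinaryString {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string]$Value)
    process {
        # Format: B:<hex digit count>:<hex digits>:<DN>
        # The DN itself may contain colons, so only the first three fields are split off.
        if ($Value -notmatch '^B:(\d+):([0-9A-Fa-f]*):(.+)$') {
            Write-Warning "Not a DNWithBinary string: $Value"
            return
        }
        $count = [int]$Matches[1]
        $hex   = $Matches[2].ToUpper()
        $dn    = $Matches[3]
        # The count field must agree with the number of hex digits that follow it
        if ($count -ne $hex.Length) {
            Write-Warning "Count $count does not match $($hex.Length) hex digits: $Value"
            return
        }
        $type = $policyTypes[$hex]
        if (-not $type) { $type = "Unknown ($hex)" }
        New-Object PSObject -Property @{ PolicyType = $type; BinaryHex = $hex; PolicyDN = $dn }
    }
}

# Constructed sample input: one reference per policy type, a DN containing a colon,
# an unrecognised type code, and a value with a wrong count field.
$sample = @(
    'B:8:01000000:CN=ExampleMeetingPolicy,CN=Example,DC=myDomain,DC=com',
    'B:8:02000000:CN=Voice: Example,CN=Example,DC=myDomain,DC=com',
    'B:8:04000000:CN=ExamplePresencePolicy,CN=Example,DC=myDomain,DC=com',
    'B:8:08000000:CN=ExampleOtherPolicy,CN=Example,DC=myDomain,DC=com',
    'B:6:01000000:CN=ExampleBadCount,CN=Example,DC=myDomain,DC=com'
)

$sample | ConvertFrom-DnWithBinaryString | Format-Table PolicyType, BinaryHex, PolicyDN -AutoSize
```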