Active Directory Management Framework

Configuration driven Active Directory management.

Object Categories


Object categories are a way to apply settings to a type of object based on a ruleset / filterset. For example, by registering an object category “Domain Controllers” (with appropriate filters / conditions), it becomes possible to define access rules that apply to all domain controllers, but not all computers.

To define an Object Category in a Context, create .psd1 (NOT .json) files in the domain/objectcategories folder.

Example Configuration

An object category targeting Domain Controllers:

    Name = 'DomainController'
    ObjectClass = 'computer'
    Property = @('PrimaryGroupID')
    TestScript = { $args[0].PrimaryGroupID -eq 516 }
    LDAPFilter = '(&(objectCategory=computer)(primaryGroupID=516))'



The name of the category. Must be unique. Will NOT be resolved.


The ObjectClass of the object. This is the AD attribute of the object. Each object category can only apply to one class of object, in order to protect system performance.


The properties needed for this category. This attribute is used to optimize object retrieval in case of multiple categories applying to the same class of object.


Scriptblock used to determine, whether the input object is part of the category. Receives the AD object with the requested attributes as input object / argument.

Use $args[0] to refer to the input AD object to be tested.


ParameterSet: Filter

A filter used to find all objects in AD that match this category.


ParameterSet: LdapFilter

An LDAP filter used to find all objects in AD that match this category.


Optional: Yes Default: %DomainDN%

The path under which to look for objects of this category.

This parameter uses name resolution.


How deep to search for objects of this category under the chosen searchbase. Supported Values:

Subtree All items under the searchbase. (default)
OneLevel All items directly under the searchbase.
Base Only the searchbase itself is inspected.

Notes on Filters

Object Categories are applied in two ways:

Depending on how any other Component works, either a filter or the TestScript is used. Thus it is recommended, that both conditions evaluate the same way - Components will not use both ways to validate an object and results may be inconsistent if TestScript and Filter resolve to different results.