Automated Add/Expiry of Group Membership

General discussion of using Adaxes for Active Directory management and administration
slowllama
Posts: 5
Joined: Fri Dec 07, 2018 7:00 am

Automated Add/Expiry of Group Membership

Tue Jan 29, 2019 1:26 pm

Hello,

My question potentially piggy-backs off of the following URL:

automated-expiry-of-group-membership-t2075.html

We have the need to add/remove users frequently to/from a specific AD group that allows users to connect to our systems remotely. The AD group is required to be added to each user who may need this temporary remote access. For instance, we have a weather event upon us in my area, and we will be passively closing our offices for 2 business days due to the weather event. Specific users will need remote access as we passively close our office. I would like to initially identify a specific range of users by name when adding the AD group, and identify a timeframe that they would have access to the AD group. When the timeframe outlined expires, we would like for a scheduled task to remove the AD group from the specific range of users that we originally added the AD group to.

Is this possible, and if so, how do I go about designing and implementing something like this in Adaxes?

Thanks in advance for any replies or assistance.

Jason

Support2
Posts: 859
Joined: Mon Nov 14, 2016 4:03 am

Re: Automated Add/Expiry of Group Membership

Wed Jan 30, 2019 6:18 am

Hello Jason,

Yes, this can be done using a Custom Command, a Scheduled Task and PowerShell scripts. For details, have a look at the following article in our script repository: https://www.adaxes.com/script-repositor ... p-s493.htm.
Active Directory Identity Management

Follow Adaxes in social networks
Image Image Image Image

slowllama
Posts: 5
Joined: Fri Dec 07, 2018 7:00 am

Re: Automated Add/Expiry of Group Membership

Mon Feb 11, 2019 12:11 pm

I viewed the URL provided, and I created the Custom Command/Scheduled Task as described with the two PS scripts. When I run the command against a user, I get the following error:

"Method invocation failed because [softerra.adaxes.adsi.admuser] does not contain a method named Add".

Someone replied to my message left at the script repository URL stating that I need to use the script in a Custom Command configured for Group Object type. When I configure it this way, it does not appear to allow me to identify the users that will need to be added. That's where I am getting confused.

We would like to have a custom command in Adaxes Administrator which would allow us to select multiple users, and add them to the Remote Users AD group temporarily for 24 hours when we have issues with office closings due to weather. We would then like to have a scheduled task run every 24 hours and remove the users who were added to the Remote Users group on a temporary basis.

Thanks in advance for any replies sent.

Support2
Posts: 859
Joined: Mon Nov 14, 2016 4:03 am

Re: Automated Add/Expiry of Group Membership

Tue Feb 12, 2019 4:25 am

Hello Jason,

The reply to your comment was provided by our Support Team. The Custom Command script from our repository should be executed on a group and temporarily add the user that initiated the process to the group. There is no possibility for an admin to use this solution for adding multiple users to a group on a temporary basis.

For us to recommend a solution, please, specify the version of Adaxes you are currently using. To check that:
  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service.
  3. In the context menu, click Properties.
    Service.properties.png
  4. Adaxes version will be displayed on the General tab.
    Build.number.png

slowllama
Posts: 5
Joined: Fri Dec 07, 2018 7:00 am

Re: Automated Add/Expiry of Group Membership

Tue Feb 12, 2019 6:53 am

3.10.16008.0

Thank you.

Support2
Posts: 859
Joined: Mon Nov 14, 2016 4:03 am

Re: Automated Add/Expiry of Group Membership

Tue Feb 12, 2019 9:04 am

Hello Jason,

Thank you for specifying.

You will need to use a Custom Command with parameters and a different script. For us to write the script, please specify whether the command should always add users to the Remote Users AD group, or whether the admin executing the Custom Command should be able to select the group.

slowllama
Posts: 5
Joined: Fri Dec 07, 2018 7:00 am

Re: Automated Add/Expiry of Group Membership

Tue Feb 12, 2019 9:10 am

Hello-

The way we can design this Custom Command would be to strictly apply users to the Remote Users AD group. We would not need to select any other group(s).

Please let me know if you have any other questions, thank you very much.

Support2
Posts: 859
Joined: Mon Nov 14, 2016 4:03 am

Re: Automated Add/Expiry of Group Membership

Tue Feb 12, 2019 10:04 am

Hello Jason,

Thank you for the confirmation.

You will need to update the Custom Command (configured for Group object type) previously created for the solution. Also, you can disable the Custom Command in the operations list for the Web Interface (the command will never be available in the left pane) and create an action that will be configured only for the Remote Users AD group and used to execute the Custom Command. For details, have a look at the following tutorials:
https://www.adaxes.com/tutorials_WebInt ... bjects.htm
https://www.adaxes.com/tutorials_WebInt ... nsPane.htm
To update the Custom Command:
  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand your service node.
  3. Navigate to Configuration\Custom Commands and select the command you need.
  4. In the Result Pane on the right, activate the Parameters tab and click New.
    Add.new.parameter.png
  5. Select AD object picker and click Next.
    AD.object.picker.parameter.png
  6. Enter the parameter name and display name (e.g. userToAdd and User to add).
  7. Click Next.
  8. In the Object Selection section, click Configure.
    Configure.object.selection.png
  9. In the Display only objects that match the following LDAP filter field, specify the following: sAMAccountType=805306368
  10. Select Allow multiple selection and click OK.
    Allow.users.only.png
  11. In the Value separator field, specify the separator that will be used for parameter values (e.g. semicolon).
    Specify.separator.png
  12. Click Finish.
  13. Activate the Actions tab.
  14. Right-click the Run PowerShell script action and then click Edit Action.
    Edit.run.script.action.png
  15. Replace the script in the Script field with the one below. In the script:
    • $memberListProperty - specifies the LDAP name of the attribute that stores the list of temporary group members and the times when to remove them;
    • $durationInHours - specifies the duration of temporary membership (in hours);
    • $parameterName - specifies the name of the parameter (set in step 6) that will be used to select users for adding to the group, with the param- prefix;
    • $parameterValueSeparator - specifies the separator for parameter values entered in step 11.

    $memberListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
    $durationInHours = 24 # TODO: modify me
    $parameterName = "param-MyParam" # TODO: modify me ("param-" followed by the parameter name from step 6)
    $parameterValueSeparator = ";" # TODO: modify me
    
    # Get the existing temporary-membership records stored on the group
    try
    {
        $records = $Context.TargetObject.GetEx($memberListProperty)
    }
    catch
    {
        # Attribute not set yet: start with an empty record list
        $records = @()
    }
    
    # Get the users selected in the parameter
    $usersToAdd = $Context.GetParameterValue($parameterName)
    if ([System.String]::IsNullOrEmpty($usersToAdd))
    {
        # Nothing selected, nothing to add
        return
    }
    
    # Add selected users to the group
    $endDate = [System.Datetime]::Now.AddHours($durationInHours)
    $endDateString = $endDate.ToString("MM/dd/yyyy hh tt")
    foreach ($dn in $usersToAdd.Split($parameterValueSeparator))
    {
        # Build a GUID-based path so the record survives renames and moves of the user
        $user = $Context.BindToObjectByDN($dn)
        $guid = [Guid]$user.Get("ObjectGuid")
        $guidPath = "Adaxes://<GUID=$guid>"
        
        # Build record: "<GUID path> <removal time>"
        $record = "$guidPath $endDateString"
        
        # If the user already has a record, refresh its removal time instead of adding a new one
        $addNewRecord = $True
        for ($i = 0; $i -lt $records.Length; $i++)
        {
            $path = ($records[$i] | Select-String -Pattern "Adaxes\:\/\/\<GUID=.+\>").Matches[0].Value
            if ($path -ne $guidPath)
            {
                continue
            }
            
            $records[$i] = $record
            $addNewRecord = $False
            break
        }
        
        if ($addNewRecord)
        {
            # Add information on when to remove the user from the group
            $records += $record
            
            # Add user to the group
            $Context.TargetObject.Add($guidPath)
        }
    }
    
    # Update the list of members to remove
    $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $memberListProperty, $records)
    $Context.TargetObject.SetInfo()
  16. Click OK and save the changes.

slowllama
Posts: 5
Joined: Fri Dec 07, 2018 7:00 am

Re: Automated Add/Expiry of Group Membership

Wed Feb 13, 2019 7:48 am

This works great, thank you. Now, do we need to set up a Scheduled Task to remove the users after 24 hours? I had made one previously, but when tested, it does not appear to remove the selected users.

Thank you very much.

Support2
Posts: 859
Joined: Mon Nov 14, 2016 4:03 am

Re: Automated Add/Expiry of Group Membership

Wed Feb 13, 2019 8:27 am

Hello Jason,
slowllama wrote:
Wed Feb 13, 2019 7:48 am
Now, do we need to set up a Scheduled Task to remove the users after 24 hours?
Yes, the Scheduled Task is still required. It will remove users from the group when the time comes.
slowllama wrote:
Wed Feb 13, 2019 7:48 am
I had made one previously, but when tested, it does not appear to remove the selected users.
Most probably, the time to remove users from the group has not come yet. Also, make sure that the Scheduled Task is configured correctly.
  1. The task should be configured for Group object type.
  2. In the script executed by the Scheduled Task, the $memberListProperty variable should have exactly the same value as the same variable in the script executed by the Custom Command.
  3. The Activity Scope of the Scheduled Task should include the group on which the Custom Command was executed, not the group members.
As long as you are going to use the solution only for one group, the Scheduled Task can look like the following:
Scheduled.task.configuration.png
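The thread shows the Custom Command half of the design (the script that adds users and writes a "Adaxes://<GUID=...> MM/dd/yyyy hh tt" record per user into $memberListProperty) but only describes the Scheduled Task half in prose. The script below is an added example of that removal half, written here for illustration; it is not the script from the Adaxes repository or from this thread. It assumes the record layout and date format written by the Custom Command script above, that it runs from a Scheduled Task configured for the Group object type with the group in its Activity Scope, and the Adaxes scripting objects the page already uses ($Context.TargetObject with GetEx/PutEx/SetInfo) plus the standard IADsGroup IsMember/Remove methods and $Context.LogMessage for the task log.

```powershell
# Added example: Scheduled Task script that expires temporary group members.
# Not the repository script; assumes the record format "<GUID path> <end date>"
# produced by the Custom Command script on this page.

$memberListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: must match the Custom Command script
$dateFormat = "MM/dd/yyyy hh tt"                            # must match the format the Custom Command writes
# Both scripts run inside the Adaxes service, so the same culture wrote and now parses the date
$culture = [System.Globalization.CultureInfo]::CurrentCulture

# Get the temporary-membership records from the group; no attribute means nothing to expire
try
{
    $records = $Context.TargetObject.GetEx($memberListProperty)
}
catch
{
    return
}

$now = [System.DateTime]::Now
$remainingRecords = @()

foreach ($record in $records)
{
    # Record layout: "<ADsPath> <end date>"; the end date itself contains spaces,
    # so split on the first space after the GUID path only
    if ($record -notmatch '^(?<path>Adaxes://<GUID=[^>]+>) (?<date>.+)$')
    {
        $Context.LogMessage("Skipping malformed record: $record", "Warning")
        $remainingRecords += $record
        continue
    }
    $userPath = $Matches["path"]
    $dateText = $Matches["date"]

    try
    {
        $endDate = [System.DateTime]::ParseExact($dateText, $dateFormat, $culture)
    }
    catch
    {
        $Context.LogMessage("Cannot parse removal time '$dateText' in record: $record", "Warning")
        $remainingRecords += $record
        continue
    }

    if ($endDate -gt $now)
    {
        # Still inside the temporary access window: keep the record and the membership
        $remainingRecords += $record
        continue
    }

    # Expired: remove the user if still a member (the account may already have been
    # removed by hand or deleted), then drop the record
    try
    {
        if ($Context.TargetObject.IsMember($userPath))
        {
            $Context.TargetObject.Remove($userPath)
        }
        $Context.LogMessage("Temporary membership expired at $endDate, removed $userPath", "Information")
    }
    catch
    {
        # Keep the record so the next run retries the removal
        $Context.LogMessage("Failed to remove $userPath from the group: $($_.Exception.Message)", "Error")
        $remainingRecords += $record
    }
}

# Write back only the records that are still active; clear the attribute when none remain
if ($remainingRecords.Length -eq 0)
{
    $Context.TargetObject.PutEx("ADS_PROPERTY_CLEAR", $memberListProperty, $null)
}
else
{
    $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $memberListProperty, $remainingRecords)
}
$Context.TargetObject.SetInfo()
```

Two things worth checking when testing this with the 24-hour setup from the thread: the "hh tt" format has no minutes, so the stored removal time is rounded down to the hour at which the user was added, and removal actually happens on the first task run after that time, so with a task that runs once a day a member can stay in the group for up to the configured duration plus one task interval. Running the task more often (for example hourly) narrows that window without changing either script.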
