0 votes

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the copy group membership option is selected)?

Currently I use a script in the "After creating a user" business rule to remove them from those security groups. However, the removal is not reflected in the Adaxes log in the same way as the account being added to the group, which I need for audit purposes.

by (70 points)

1 Answer

0 votes
by (227k points)

Hello Mark,

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the copy group membership option is selected)?

Unfortunately, there is no such possibility. Removing users from groups in a Business Rule triggered After creating a user is the correct approach to achieve what you need.

However, the removal is not reflected in the Adaxes log in the same way as the account being added to the group, which I need for audit purposes.

Most probably, the script performs the updates in AD directly and thus they are not reflected in Adaxes logs. Please post your script here or send it to us (support[at]adaxes.com) and we will update it to log group membership updates.

0

This is the (asynchronous) script I use to remove them after user creation:

$UserDN = "%distinguishedName%"

# Wait for the group memberships copied at creation time to be in place
Start-Sleep -Seconds 60

# Remove from all groups located under the specific OU
$groups = Get-ADPrincipalGroupMembership -Identity $UserDN | Where-Object { $_.distinguishedName -like "*OU=SpecificOU*" }

foreach ($group in $groups) {
    $GroupDN = $group.distinguishedName
    $Context.LogMessage("Removing from: $GroupDN", "Information")
    # Without -AdaxesService/-Server this change is written to AD directly
    Remove-AdmGroupMember -Identity $GroupDN -Members $UserDN -Confirm:$false
}
+1

Hello Mark,

As we mentioned in the previous post, the script performs the removal from the group directly in AD, bypassing the Adaxes pipeline. For the pipeline to be applied, you need to specify the -AdaxesService and -Server parameters when executing the Remove-AdmGroupMember cmdlet. For details, have a look at the following SDK article: http://adaxes.com/sdk/Remove-AdmGroupMember. We have updated the script accordingly; find it below. In the script, you need to replace the value of the -Server parameter with the required one.

$UserDN = "%distinguishedName%"

# Get DNs of current groups the user is member of
try
{
    $groupDNs = $Context.TargetObject.GetEx("memberOf")
}
catch
{
    $Context.LogMessage("User %name% is not a member of any groups.", "Information")
    return
}

# Remove from all appropriate groups
foreach ($groupDN in $groupDNs)
{
    if (-not($groupDN -like "*OU=SpecificOU*"))
    {
        continue
    }

    $Context.LogMessage("Removing from: $groupDN", "Information")
    # -AdaxesService and -Server route the change through Adaxes so it is logged
    Remove-AdmGroupMember -Identity $groupDN -Members $UserDN -AdaxesService localhost -Server "dc.domain.com" -Confirm:$false
}
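As an added example that is not part of this thread or of the support team's script, the following variant keeps the removals on the Adaxes pipeline (-AdaxesService and -Server, so they show up in the Adaxes log like the original group additions) but replaces the substring filter `-like "*OU=SpecificOU*"`, which also matches a group under `OU=SpecificOU-Archive` or a `SpecificOU` nested somewhere else, with an exact OU-suffix check and a count of what was removed. The OU DNs, the server name and the use of `$Context` inside an "After creating a user" Business Rule are assumptions following the thread; replace the placeholders with your own values.

```powershell
# Added example, not the thread's own script. Assumes an Adaxes Business Rule
# context ($Context, %distinguishedName%, %name%) as in the script above.
$userDN     = "%distinguishedName%"
$server     = "dc.domain.com"                        # placeholder: your domain controller
$blockedOUs = @("OU=SpecificOU,DC=domain,DC=com")    # placeholder: OUs whose groups to strip

# True only when $dn lies (directly or nested) under $ouDN: exact, case-insensitive
# suffix match on the DN, instead of a wildcard that also hits similar OU names.
function Test-DnUnderOu {
    param([string]$dn, [string]$ouDN)
    return $dn.EndsWith("," + $ouDN, [System.StringComparison]::OrdinalIgnoreCase)
}

# Get DNs of the groups the new user is currently a member of
try {
    $groupDNs = $Context.TargetObject.GetEx("memberOf")
}
catch {
    $Context.LogMessage("User %name% is not a member of any groups.", "Information")
    return
}

$removed = 0
foreach ($groupDN in $groupDNs) {
    $match = $blockedOUs | Where-Object { Test-DnUnderOu $groupDN $_ }
    if (-not $match) { continue }

    $Context.LogMessage("Removing from: $groupDN", "Information")
    # -AdaxesService and -Server route the removal through Adaxes, so it is
    # recorded in the Adaxes log just like the membership copied at creation.
    Remove-AdmGroupMember -Identity $groupDN -Members $userDN `
        -AdaxesService localhost -Server $server -Confirm:$false
    $removed++
}

$Context.LogMessage("Removed user from $removed group(s) under blocked OUs.", "Information")
```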
0

That works! The log is now showing the removals as well.

Thank you very much!
