0 votes

Is there a way that anyone has been able to figure out to remove users no longer with the company from groups like ServiceNow? All ServiceNow groups in my environment begin with "ServiceNow - ". If the user has been in the disabled OU for more than 7 days, I want their ServiceNow groups to be pulled off of their account. What I am currently using today is set up like:

If the 'Account Expires' property is greater than or equal to '%datetime,+7d%' then
Remove the user from the 'ServiceNow - 1' group
Remove the user from the 'ServiceNow - 2' group
Remove the user from the 'ServiceNow - 3' group

This is currently applied over the correct OU, but I would like for the script to pick up all items that begin with "ServiceNow - " instead of naming each individual group. We are constantly adding groups to ServiceNow and I don't want a new group to be missed.

All ServiceNow groups live in the same OU:
Canonical-Name = DomainName/Security Groups/ServiceNow Security Groups
Distinguished Name = OU=ServiceNow Security Groups,OU=Security Groups,DC=Domain,DC=Name,DC=org

Any help would be greatly appreciated!


by (120 points)

1 Answer

0 votes
by (244k points)
selected by
Best answer

Hello Dale,
Yes, it is possible. To achieve what you need, use a Scheduled Task and the following PowerShell script:

# Get all groups user is a direct member of
$groupGuidBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$removedGroupNames = New-Object "System.Collections.ArrayList"
foreach ($guidBytes in $groupGuidBytes)
    # Bind to the group
    $groupGuid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)

    # Remove user from 'ServiceNow' groups
    $groupName = $group.Get("cn")
    if (-not($groupName.StartsWith("ServiceNow")))
$removedGroupNames = [System.String]::Join("; ", $removedGroupNames)
$Context.LogMessage("Removed the user from the following groups: '$removedGroupNames'", "Information")

To create the Scheduled Task:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
  3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
  4. Click Add Action.
  5. Select Run a program or PowerShell script and paste the script into the Script field.
  6. Enter a short description and click OK.
  7. Double-click Always.
  8. Select If <property><relation><value>.
  9. Select If Account Expires greater or equal and click Edit.
  10. Select plus 7 days and click OK twice.
  11. Click Next and assign the Scheduled Task over the desired OU.
  12. Finish creating the task.

Support2, this worked flawlessly! Thank you so much for the help!

Related questions

0 votes
1 answer

Hello, We want users to be removed from critical groups when account is disabled. Is it possible to do this with Adaxes?

asked Jul 25, 2011 by sdd5533 (100 points)
0 votes
1 answer

I'd like to allow users to remove themselves from groups that they are already members of. Currently I have a business rule in place thats only allowing the OU Owners ... user is a member of the adm-groupname' then allow then to remove themselves.

asked Apr 30, 2020 by sirslimjim (480 points)
0 votes
1 answer

I created a task to delegateremoving users from distribution groups but i am not able to see a list of groups. The same settings are being used in teh add to distribution group which works correctly. settings:

asked Jan 23 by Derek.Axe (460 points)
0 votes
1 answer

Hi all, I need some help with this builtin script. It's a good foundation for what I'd like to do but I need to be able to keep the user in two groups (one, ... this, some kind of output log of the tasks completed on the deprovisioned user).. Thank you!

asked Nov 30, 2017 by adriank (100 points)
0 votes
1 answer

When I create a user from adaxes I also want it to be added to MS Teams groups. At this moment i create the account in adaxes after that i need to add this user in all groups that we have in MS Teams so i what to automate this when i create a new usuer.

asked Mar 29, 2022 by abisaigomezm (40 points)
2,999 questions
2,716 answers
210,063 users