0 votes

Is there a way that anyone has been able to figure out to remove users no longer with the company from groups like ServiceNow? All ServiceNow groups in my environment begin with "ServiceNow - ". If the user has been in the disabled OU for more than 7 days, I want their ServiceNow groups to be pulled off of their account. What I am currently using today is set up like:

If the 'Account Expires' property is greater than or equal to '%datetime,+7d%' then
Remove the user from the 'ServiceNow - 1' group
Remove the user from the 'ServiceNow - 2' group
Remove the user from the 'ServiceNow - 3' group
etc

This is currently applied over the correct OU, but I would like for the script to pick up all items that begin with "ServiceNow - " instead of naming each individual group. We are constantly adding groups to ServiceNow and I don't want a new group to be missed.

All ServiceNow groups live in the same OU:
Canonical-Name = DomainName/Security Groups/ServiceNow Security Groups
Distinguished Name = OU=ServiceNow Security Groups,OU=Security Groups,DC=Domain,DC=Name,DC=org

Any help would be greatly appreciated!

-Dale

by (120 points)

1 Answer

0 votes
by (270k points)
selected by
Best answer

Hello Dale,
Yes, it is possible. To achieve what you need, use a Scheduled Task and the following PowerShell script:

# Get all groups user is a direct member of
$groupGuidBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$removedGroupNames = New-Object "System.Collections.ArrayList"
foreach ($guidBytes in $groupGuidBytes)
{
    # Bind to the group
    $groupGuid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from 'ServiceNow' groups
    $groupName = $group.Get("cn")
    if (-not($groupName.StartsWith("ServiceNow")))
    {
        continue
    }
    $group.Remove($Context.TargetObject.AdsPath)
    $removedGroupNames.Add($groupName)
}
$removedGroupNames = [System.String]::Join("; ", $removedGroupNames)
$Context.LogMessage("Removed the user from the following groups: '$removedGroupNames'", "Information")

To create the Scheduled Task:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
  3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
  4. Click Add Action.
  5. Select Run a program or PowerShell script and paste the script into the Script field.
  6. Enter a short description and click OK.
  7. Double-click Always.
  8. Select If <property><relation><value>.
  9. Select If Account Expires greater or equal and click Edit.
  10. Select plus 7 days and click OK twice.
  11. Click Next and assign the Scheduled Task over the desired OU.
  12. Finish creating the task.
0

Support2, this worked flawlessly! Thank you so much for the help!

Related questions

0 votes
1 answer

Hello, We want users to be removed from critical groups when account is disabled. Is it possible to do this with Adaxes?

asked Jul 25, 2011 by sdd5533 (100 points)
0 votes
1 answer

I'd like to allow users to remove themselves from groups that they are already members of. Currently I have a business rule in place thats only allowing the OU Owners ... user is a member of the adm-groupname' then allow then to remove themselves.

asked Apr 30, 2020 by sirslimjim (480 points)
0 votes
1 answer

https://www.adaxes.com/script-repository/remove-all-group-memberships-for-a-user-account-s33.htm I found this script but it only removes 365 groups, security groups, and ... user from all shared mailboxes they are a member of when disabling a user. Thanks!

asked Sep 8, 2023 by silicondt (60 points)
0 votes
1 answer

I would like to have a script that removes the offboarded users from all teams groups

asked Jan 3 by bodson (20 points)
0 votes
1 answer

Hello! how do i manage do get adaxes to remove all groups from the user after one month? We have a Business Rule where you can add an end of Date when the Account ... value field the powershell script works but not with the +1 Month. Thanks for your help!

asked Jun 14, 2023 by eww ag (140 points)
3,326 questions
3,026 answers
7,727 comments
544,683 users