0 votes

Hi all,

I need some help with this built-in script. It's a good foundation for what I'd like to do but I need to be able to keep the user in two groups (one, really, if it exists).

I need to keep them in:

* Domain Users
* MLGX Users (this is our Metalogix Archive Manager group).

If they are a part of the MLGX group, I want them to keep that group membership. If the MLGX group membership is not seen, do nothing and simply keep them in the Domain Users group only.

Also, I'd like to see if the following is possible (please see the screenshot).
The rule is: If there is a manager, set forwarding to the manager.
How can I add: If there is no manager, e-mail IT and notify the team that forwarding was not set (unless there is a better method of achieving this, some kind of output log of the tasks completed on the deprovisioned user).

Thank you!

by (100 points)
0

Reviewing this in some more depth, is it also possible to remove any phone partnerships with Exchange? What I want is to disable the user's access to e-mail IMMEDIATELY when we receive notification of their termination as part of this Deprovisioning.

-- I think I found the answer to this particular question.

1 Answer

0 votes
by (251k points)
Best answer

Hello Adrian,

> I need some help with this built-in script. It's a good foundation for what I'd like to do but I need to be able to keep the user in two groups (one, really, if it exists).

Find the updated script below.

```powershell
# Names (cn) of groups the user must stay in, besides the Primary Group
$groupNamesToSkip = @("MLGX Users")

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)
    $groupName = $group.Get("cn")

    # Skip the group if it is the user's Primary Group or is listed in $groupNamesToSkip
    if (($group.Get("primaryGroupToken") -eq $primaryGroupId) -or ($groupNamesToSkip -contains $groupName))
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
    $Context.LogMessage("Removed the user from group '$groupName'", "Information")
}
```

> How can I add: If there is no manager, e-mail IT and notify the team that forwarding was not set (unless there is a better method of achieving this, some kind of output log of the tasks completed on the deprovisioned user).

You can achieve this by adding another set of actions and conditions to the Scheduled Task. To do so:

  1. Launch Adaxes Administration Console.
  2. Navigate to Configuration\Scheduled Tasks and select the task.
  3. Click Add action to a new set in the Result Pane.
  4. Select Send e-mail notification.
  5. Specify Action Parameters and click OK.
  6. Double-click Always.
  7. Select If <property><relation><value>.
  8. Select If Manager is empty.
  9. Click OK and save the changes.
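
A dry run of the keep/remove decision made by the script above, so the outcome can be reviewed before anything is removed. This is an added example, not part of the original answer and not Adaxes code; the function name `Get-GroupRemovalPlan`, the record shape and the sample memberships are hypothetical and constructed, and it runs without directory access.

```powershell
# Added example: plan which groups a deprovisioned user keeps or loses.
# Hypothetical helper; it mirrors the skip condition of the script above.
function Get-GroupRemovalPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Memberships,    # objects with Name, PrimaryGroupToken
        [Parameter(Mandatory)] [int]      $PrimaryGroupId, # the user's primaryGroupID
        [string[]] $GroupNamesToSkip = @()
    )
    foreach ($group in $Memberships) {
        if ($group.PrimaryGroupToken -eq $PrimaryGroupId) {
            $action = 'Keep'; $reason = 'primary group'
        }
        elseif ($GroupNamesToSkip -contains $group.Name) {
            # -contains ignores case but needs the full, exact group name
            $action = 'Keep'; $reason = 'on the skip list'
        }
        else {
            $action = 'Remove'; $reason = 'not primary, not on the skip list'
        }
        [pscustomobject]@{ Group = $group.Name; Action = $action; Reason = $reason }
    }
}

# Constructed sample memberships (513 is the default token of Domain Users;
# the other tokens are made up for the example)
$sample = @(
    [pscustomobject]@{ Name = 'Domain Users'; PrimaryGroupToken = 513 }
    [pscustomobject]@{ Name = 'MLGX Users';   PrimaryGroupToken = 1601 }
    [pscustomobject]@{ Name = 'Finance';      PrimaryGroupToken = 1602 }
    [pscustomobject]@{ Name = 'VPN Access';   PrimaryGroupToken = 1603 }
)

# Case 1: the user is a member of MLGX Users, so that membership is kept
Get-GroupRemovalPlan -Memberships $sample -PrimaryGroupId 513 -GroupNamesToSkip 'MLGX Users' |
    Format-Table -AutoSize

# Case 2: the user is not in MLGX Users; the skip list matches nothing
# and only the primary group is kept
$noMlgx = $sample | Where-Object Name -ne 'MLGX Users'
Get-GroupRemovalPlan -Memberships $noMlgx -PrimaryGroupId 513 -GroupNamesToSkip 'MLGX Users' |
    Format-Table -AutoSize
```

Because the match is on the group name only, a typo in the skip list shows up here as an unexpected `Remove` row rather than as a lost membership in production.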
0

You guys rock!! I'm going to test this tomorrow. Thank you so much!
