Custom PowerShell on users who are added/removed from group

Question

Is there a way to run a custom powershell command on the users who are added or removed from a group?

Answer 1

Hello,

Yes, it is possible.

1. Create a Business Rule that will be executed after adding/removing members from a group. For information on how to create such a Business Rule, see Send E-mail on Adding Members to Specific Groups.

2. Add Run a program or PowerShell script action to the Business Rule.

3. To get the distinguished name (DN) of the member that was added or removed, use the %member% value reference. Using the DN you can bind to the directory object representing the member.
   Example:

    $member = $Context.BindToObjectByDN("%member%")
    $member.AccountDisabled = $True
    $member.SetInfo()
   

For more information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

Comments

So when I was testing that %member% the code was running when the member was added/removed but %member% was containing a member of the group (The same member each time) and not the member that was removed/added. Any ideas on why that would be happening?

---

That was a bug that we fixed a long time ago.

---

OK, I've upgraded to 3.3.8703.0 and am still seeing the same thing. %member% contains a member of the group and NOT the user that was added or removed from the group. How should I troubleshoot this further?

Thanks

---

Hello,

Our QA team have tested it and they claim that everything works properly.
Please provide more details. When is the script executed? Also, please provide the text of your script.

---

BTW, if your Business Rules is triggered after removing a member, you need to use the following code:

$memberDN = $Context.GetModifiedPropertyValue("member")
$member = $Context.BindToObjectByDN($memberDN)
...

---

I've setup the below powershell command to run both before and after the group is updated and the result is identical both when removing and adding a user to a group for both before and after. The output for $Context.GetModifiedPropertyValue("member") is empty. %member% contains a member of the group but not the member that was added/moved and %sAMAccountName% contains the groups SAM Account.

Could you please provide the source code that the QA team used to test this?

Import-Module Adaxes
Import-Module ActiveDirectory

Set-StrictMode -version 2
$ErrorActionPreference = "Stop"

$member = "%member%"
$samAccountName = "%sAMAccountName%"
$Context.LogMessage("Member:"+ $member, "Information")
$Context.LogMessage("SamAccountName:"+ $samAccountName, "Information")

$modifiedMember = $Context.GetModifiedPropertyValue("member")
$Context.LogMessage("Modified:"+ $modifiedMember, "Information")

Remove-Module Adaxes
Remove-Module ActiveDirectory

---

Hello,

It appeared that the fix for getting the DN of the removed member is not included in the latest release. That's why it works correctly on our side and doesn't work for you. Sorry, my bad.

The following code will work for you:

$memberDN = $Context.Action.PropertyList.Item("member").Values[0].CaseIgnoreString
$Context.LogMessage("Member DN: $memberDN", "Information")

$member = $Context.BindToObjectByDN($memberDN)
$samAccountName = $member.Get("samAccountName")
$Context.LogMessage("SamAccountName: $samAccountName", "Information")

BTW, your Business Rule must be executed before or after adding or removing a member from a group:

---

That code does not work. I get the following error:

Property 'PropertyList' cannot be found on this object. Make sure that it exists.

I presume the error is on this line:
$memberDN = $Context.Action.PropertyList.Item("member").Values[0].CaseIgnoreString

---

Hello,

When is your Business Rule triggered?

The thing is that the PropertyList property appears for the $Context.Action property only when an object is updated, i.e. if the Business Rule is triggered before or after adding or removing a member from a group or before or after updating a group.