0 votes

Is there a way to run a custom PowerShell command on the users who are added to or removed from a group?

by (20 points)

1 Answer

0 votes
by (18.0k points)

Hello,

Yes, it is possible.

  1. Create a Business Rule that will be executed after adding/removing members from a group. For information on how to create such a Business Rule, see Send E-mail on Adding Members to Specific Groups.

  2. Add the "Run a program or PowerShell script" action to the Business Rule.

  3. To get the distinguished name (DN) of the member that was added or removed, use the %member% value reference. Using the DN you can bind to the directory object representing the member.
    Example:

     $member = $Context.BindToObjectByDN("%member%")
     $member.AccountDisabled = $True
     $member.SetInfo()
    

For more information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

0

So when I was testing that, with %member% the code was running when the member was added/removed, but %member% contained a member of the group (the same member each time) and not the member that was removed/added. Any ideas on why that would be happening?

0

That was a bug that we fixed a long time ago.

0

OK, I've upgraded to 3.3.8703.0 and am still seeing the same thing. %member% contains a member of the group and NOT the user that was added or removed from the group. How should I troubleshoot this further?

Thanks

0

Hello,

Our QA team has tested it and they claim that everything works properly.
Please provide more details. When is the script executed? Also, please provide the text of your script.

0

BTW, if your Business Rule is triggered after removing a member, you need to use the following code:

$memberDN = $Context.GetModifiedPropertyValue("member")
$member = $Context.BindToObjectByDN($memberDN)
...
0

I've set up the below PowerShell command to run both before and after the group is updated, and the result is identical both when removing and when adding a user to a group, for both before and after. The output for $Context.GetModifiedPropertyValue("member") is empty. %member% contains a member of the group but not the member that was added/removed, and %sAMAccountName% contains the group's SAM account name.

Could you please provide the source code that the QA team used to test this?

Import-Module Adaxes
Import-Module ActiveDirectory

Set-StrictMode -version 2
$ErrorActionPreference = "Stop"

# Value references are expanded by Adaxes before the script runs
$member = "%member%"
$samAccountName = "%sAMAccountName%"
$Context.LogMessage("Member:"+ $member, "Information")
$Context.LogMessage("SamAccountName:"+ $samAccountName, "Information")

# Value of the 'member' attribute as modified by the current operation
$modifiedMember = $Context.GetModifiedPropertyValue("member")
$Context.LogMessage("Modified:"+ $modifiedMember, "Information")

Remove-Module Adaxes
Remove-Module ActiveDirectory
0

Hello,

It appeared that the fix for getting the DN of the removed member is not included in the latest release. That's why it works correctly on our side and doesn't work for you. Sorry, my bad.

The following code will work for you:

# DN of the member being added or removed, taken from the property list of the current action
$memberDN = $Context.Action.PropertyList.Item("member").Values[0].CaseIgnoreString
$Context.LogMessage("Member DN: $memberDN", "Information")

# Bind to the member object and read its sAMAccountName
$member = $Context.BindToObjectByDN($memberDN)
$samAccountName = $member.Get("samAccountName")
$Context.LogMessage("SamAccountName: $samAccountName", "Information")

BTW, your Business Rule must be executed before or after adding or removing a member from a group:

0

That code does not work. I get the following error:

Property 'PropertyList' cannot be found on this object. Make sure that it exists.

I presume the error is on this line:
$memberDN = $Context.Action.PropertyList.Item("member").Values[0].CaseIgnoreString

0

Hello,

When is your Business Rule triggered?

The thing is that the PropertyList property appears for the $Context.Action property only when an object is updated, i.e. if the Business Rule is triggered before or after adding or removing a member from a group or before or after updating a group.
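The following script is an added example, not code from the original answer or from Adaxes. It pulls together the three ways of obtaining the changed member's DN that appear in this thread (the %member% value reference from the answer, $Context.GetModifiedPropertyValue("member"), and $Context.Action.PropertyList from the later comments), tries them in order with a fallback so that the script does not abort when PropertyList is absent on a given trigger, and records which account was added to or removed from which group. It assumes those $Context members behave as described in the thread, assumes $Context.TargetObject refers to the group being modified, and uses a placeholder log path.

```powershell
# Added example (not from the original post or from Adaxes): script body for a
# "Run a program or PowerShell script" action in a Business Rule that runs
# before/after adding or removing a member from a group.
# Assumptions: $Context.Action.PropertyList, $Context.GetModifiedPropertyValue,
# $Context.BindToObjectByDN and $Context.LogMessage work as described in the
# thread; $Context.TargetObject is assumed to be the group being modified;
# $auditLog is a placeholder path to adjust.

Set-StrictMode -Version 2
$ErrorActionPreference = "Stop"

$auditLog = "C:\ProgramData\GroupMembershipAudit.csv"   # placeholder path

function Get-ChangedMemberDN {
    # 1) Property list of the current action: the source that also covers
    #    removals, but it is absent when the rule runs on other triggers.
    try {
        $entry = $Context.Action.PropertyList.Item("member")
        if ($entry -ne $null -and $entry.Values.Count -gt 0) {
            return $entry.Values[0].CaseIgnoreString
        }
    }
    catch {
        $Context.LogMessage("PropertyList unavailable on this trigger: $($_.Exception.Message)", "Information")
    }

    # 2) Modified property value (reported empty on some builds in this thread).
    try {
        $dn = $Context.GetModifiedPropertyValue("member")
        if (-not [string]::IsNullOrEmpty($dn)) { return $dn }
    }
    catch {
        $Context.LogMessage("GetModifiedPropertyValue failed: $($_.Exception.Message)", "Information")
    }

    # 3) Value reference, expanded by Adaxes before the script runs. On affected
    #    builds it may hold an unrelated existing member, so log that it was used.
    $Context.LogMessage("Falling back to the %member% value reference", "Information")
    return "%member%"
}

$memberDN = Get-ChangedMemberDN
if ([string]::IsNullOrEmpty($memberDN)) {
    $Context.LogMessage("Could not determine the changed member; nothing recorded", "Information")
    return
}

$member = $Context.BindToObjectByDN($memberDN)
$group  = $Context.TargetObject          # assumed: the group whose membership changed

# Nested groups and computers carry sAMAccountName too; contacts do not, so guard the read
try   { $sam = $member.Get("sAMAccountName") }
catch { $sam = "(no sAMAccountName)" }

$record = [PSCustomObject]@{
    Timestamp      = (Get-Date).ToString("o")
    GroupDN        = $group.Get("distinguishedName")
    MemberDN       = $memberDN
    MemberClass    = $member.Class
    SamAccountName = $sam
}

$Context.LogMessage(("Membership change recorded: {0} ({1}) in {2}" -f $record.SamAccountName, $record.MemberClass, $record.GroupDN), "Information")
$record | Export-Csv -Path $auditLog -Append -NoTypeInformation
```

The same script body can be attached to both the "after adding a member" and "after removing a member" triggers; the fallback order follows the thread (PropertyList first, then GetModifiedPropertyValue, then %member%), and every fallback is logged so that an unexpected member in the audit file can be traced back to the source that produced it.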
