
I have written a de-provisioning job as part of removing a terminated employee's access. This job disables the account, resets the password, sets the account description to specific verbiage, etc. Part of this job is a PowerShell script that removes all group memberships from the AD account. This works great (I believe I was assisted with the script on this forum previously), and is as follows:

Import-Module Adaxes
# Load the user together with its direct group memberships
# (MemberOf does not include the primary group, which cannot be removed this way)
$user = Get-AdmUser "%distinguishedName%" -Properties MemberOf
if ($null -ne $user.MemberOf)
{
    foreach ($groupDN in $user.MemberOf)
    {
        # Remove the user from each group without prompting
        Remove-AdmGroupMember $groupDN -Members $user -Confirm:$False
    }
}

However, due to continued mistakes in removing access accidentally, a second script has been written to pipe out the user's AD group memberships to a .csv file with the AD username as the name of the file, for when I need to restore those group memberships. It's not an elegant solution, but it works. This script is as follows:

Import-Module Adaxes
$user = "%Username%"
# File named after the user inside the share; the separator after FOLDER is required,
# otherwise the username is appended to the share name instead of becoming a file in it
$tempfile = "\\SERVERNAME\FOLDER\" + $user + ".csv"
# Export the names of all groups the user belongs to
Get-AdmUser $user |
    Get-AdmPrincipalGroupMembership -AdaxesService ADAXESSERVERNAME |
    Select-Object name |
    Export-Csv -NoTypeInformation $tempfile

I have tried combining this "pipe user group membership" script into the de-provision script, so that I can just run the one job, but it doesn't work. What I want it to do is:

  1. Pipe out all of the user's AD group memberships to a USERNAME.csv file and store it on a server share.
  2. Remove all AD group memberships from the user's account.

Both scripts work individually, but combined, the script doesn't work. I have tried it in both PowerShell by itself, and in the Adaxes tool as part of the de-provision job. Could I possibly get help with this? Thanks!

by (360 points)

1 Answer

by (215k points)
Best answer

Hello,

This script should do the job:

$tempfilePath = "\\SERVERNAME\FOLDER\%username%.csv" # TODO: modify me

# Get all groups that the user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the ID of the user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$report = @()
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $reportEntry = New-Object PSObject
    $reportEntry | Add-Member -Name Name -Value $group.Get("name") -MemberType NoteProperty
    $report += $reportEntry
}

# Save the report
$report | Export-Csv -Path $tempfilePath -NoTypeInformation

This works great! Once again, you guys are awesome. Thank you!
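The thread covers the export and the removal but not the restore the export exists for. The following is an added example, not code from the thread or from Adaxes support: a pair of functions that back up a user's direct group memberships and re-add them from that file. It assumes the share path and file naming from the question, a placeholder Adaxes service name, and that the Adaxes cmdlets (Get-AdmUser, Get-AdmGroup, Add-AdmGroupMember) accept the same parameters as their ActiveDirectory-module counterparts, as Remove-AdmGroupMember does above. It goes one step beyond the answer's report by recording the DN and objectGUID as well as the name, because a bare name is not unique across OUs and does not survive a rename.

```powershell
Import-Module Adaxes

# Assumed values (placeholders, not from the thread)
$backupShare   = "\\SERVERNAME\FOLDER"
$adaxesService = "ADAXESSERVERNAME"

function Export-GroupBackup {
    param([Parameter(Mandatory)][string]$Username)
    $path = Join-Path $backupShare "$Username.csv"
    # Store identifiers that stay valid if a group is renamed or moved,
    # not only the display name the original export kept
    Get-AdmUser $Username -Properties MemberOf -AdaxesService $adaxesService |
        Select-Object -ExpandProperty MemberOf |
        ForEach-Object { Get-AdmGroup $_ -AdaxesService $adaxesService } |
        Select-Object Name, SamAccountName, DistinguishedName, ObjectGUID |
        Export-Csv -Path $path -NoTypeInformation
    return $path
}

function Restore-GroupBackup {
    param([Parameter(Mandatory)][string]$Username)
    $path = Join-Path $backupShare "$Username.csv"
    if (-not (Test-Path $path)) { throw "No group backup found at $path" }
    $user = Get-AdmUser $Username -AdaxesService $adaxesService
    $restored = @()
    foreach ($row in Import-Csv -Path $path) {
        # Prefer the GUID; fall back to the DN for files written without one
        $identity = if ($row.ObjectGUID) { $row.ObjectGUID } else { $row.DistinguishedName }
        try {
            Add-AdmGroupMember -Identity $identity -Members $user `
                -AdaxesService $adaxesService -Confirm:$false -ErrorAction Stop
            $restored += $row.Name
        }
        catch {
            # Report and keep going so one deleted group does not abort the whole restore
            Write-Warning "Could not restore membership in '$($row.Name)': $($_.Exception.Message)"
        }
    }
    return $restored
}

# Usage, e.g. before and after the removal loop in the de-provision job:
# Export-GroupBackup -Username "%Username%"
# Restore-GroupBackup -Username "%Username%"
```

Run the export before the removal step so the file exists even if a later removal fails; Restore-GroupBackup returns the names it re-added, which can be compared against the file to confirm a complete restore.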
