0 votes

I have written a de-provisioning job as part of removing a terminated employee's access. This job disables the account, resets the password, sets the account description to specific verbiage, etc. Part of this job is a PowerShell script that removes all group memberships from the AD account. This works great (I believe I was assisted with the script on this forum previously), and is as follows:

Import-Module Adaxes
# %distinguishedName% is replaced by Adaxes with the target user's DN when the job runs
$user = Get-AdmUser "%distinguishedName%" -Properties MemberOf
# memberOf lists direct group memberships only (the primary group is not included)
if ($user.MemberOf -ne $Null)
{
    foreach ($groupDN in $user.MemberOf)
    {
        Remove-AdmGroupMember $groupDN -Members $user -Confirm:$False
    }
}

However, due to continued mistakes in removing access accidentally, a second script has been written to pipe out the user's AD group memberships to a .csv file with the AD username as the name of the file, for when I need to restore those group memberships. It's not an elegant solution, but it works. This script is as follows:

Import-Module Adaxes
$user = "%Username%"
# Trailing backslash needed, otherwise the username is appended to the folder name
$tempfile = "\\SERVERNAME\FOLDER\" + $user + ".csv"
Get-AdmUser $user | Get-AdmPrincipalGroupMembership -AdaxesService ADAXESSERVERNAME | Select-Object name | Export-Csv -NoTypeInformation $tempfile

I have tried combining this "pipe user group membership" script into the de-provision script, so that I can just run the one job, but it doesn't work. What I want it to do is:

  1. Pipe out all of the user's AD group memberships to a USERNAME.csv file and store it on a server share.
  2. Remove all AD group memberships from the user's account.

Both scripts work individually, but combined, the script doesn't work. I have tried it in both PowerShell by itself, and in the Adaxes tool as part of the de-provision job. Could I possibly get help with this? Thanks!

by (360 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

This script should do the job:

$tempfilePath = "\\SERVERNAME\FOLDER\%username%.csv" # TODO: modify me

# Get all groups that the user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the ID of the user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$report = @()
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $reportEntry = New-Object PSObject
    $reportEntry | Add-Member -Name Name -Value $group.Get("name") -MemberType NoteProperty
    $report += $reportEntry
}

# Save the report
$report | Export-Csv -Path $tempfilePath -NoTypeInformation

This works great! Once again, you guys are awesome. Thank you!
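The accepted answer does the export and the removal in one pass; what the question's motivation (accidental removals that had to be reversed) really calls for is a backup that is verified before anything is removed, and a matching restore. The script below is an added example, not code from the original post or from Adaxes; it uses the same Adaxes cmdlets as the question (Get-AdmUser, Remove-AdmGroupMember) plus Get-AdmGroup and Add-AdmGroupMember, and it assumes every Adm cmdlet accepts the -AdaxesService parameter shown in the second script. The share and service names are placeholders.

```powershell
Import-Module Adaxes

# Constructed placeholders: replace with your own share and Adaxes service host
$BackupShare   = "\\SERVERNAME\FOLDER"
$AdaxesService = "ADAXESSERVERNAME"

function Backup-AndRemoveGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-AdmUser $SamAccountName -Properties MemberOf -AdaxesService $AdaxesService
    # memberOf excludes the primary group, so no attempt is made to remove the user from it
    $groupDNs   = @($user.MemberOf)
    $backupFile = Join-Path $BackupShare "$SamAccountName.csv"
    if ($groupDNs.Count -eq 0) { return $null }   # nothing to back up or remove

    # Record the DN, not just the name: names are not unique across OUs/domains
    $rows = foreach ($dn in $groupDNs) {
        $g = Get-AdmGroup $dn -AdaxesService $AdaxesService
        [pscustomobject]@{
            Name              = $g.Name
            DistinguishedName = $dn
            RemovedOn         = (Get-Date).ToString("o")
        }
    }
    $rows | Export-Csv -Path $backupFile -NoTypeInformation

    # Refuse to remove anything unless the backup is readable and complete
    $saved = @(Import-Csv -Path $backupFile)
    if ($saved.Count -ne $groupDNs.Count) {
        throw "Backup $backupFile has $($saved.Count) rows, expected $($groupDNs.Count); memberships left untouched."
    }

    foreach ($dn in $groupDNs) {
        Remove-AdmGroupMember $dn -Members $user -Confirm:$false -AdaxesService $AdaxesService
    }
    return $backupFile
}

function Restore-GroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $backupFile = Join-Path $BackupShare "$SamAccountName.csv"
    foreach ($row in Import-Csv -Path $backupFile) {
        Add-AdmGroupMember $row.DistinguishedName -Members $SamAccountName -AdaxesService $AdaxesService
    }
}
```

Inside an Adaxes business rule the user name would come from the %username% value reference instead of a parameter, exactly as in the question's scripts.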
