
Workflow to add a user to an Admin group, then automatically remove them in X days.

    Management has asked that we limit the time a user is a member of the Enterprise Admins group.  I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow.  Is there any way a workflow triggered from an AD action can grant temporary group access?

  • Hello,

    This needs to be done via the 'ScheduledOperation-SetTime' control, however in workflows, there is currently no method to set a calculated time value as configuring controls in a workflow only allows for a static value.

    You can use the following example to create a script that performs the removal of the user being added to the group after a certain number of days though.

    $groupDN = '' #get the group DN from the workflow
    $member = '' #get the member from the workflow
    $days = 5 #days to schedule the removal
    $time = (Get-Date).AddDays($days).ToUniversalTime()
    #the control must carry the removal time, in UTC, e.g. 2018-04-13T08:00:00Z
    $hash = @{'ScheduledOperation-SetTime' = $time.ToString('yyyy-MM-dd\THH:mm:ss\Z')}
    Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash

    Please refer to the SDK, searching for 'Retrieving data from workflow context' to learn how to retrieve the groupDN and member from the workflow.

    You would place the script in the workflow after the operation of the member being added.

    I hope this helps.
  • In your existing workflow, are you using a built-in activity to perform the member-add or a script?

    You could add a step like this in a script activity to set the expiration of the group membership:

    Remove-QADGroupMember -proxy -identity $Request.GUID -Member $GroupMember -Control @{'ScheduledOperation-SetTime'="2018-04-13T08:00:00Z"}

    The latter bit would automatically remove the user from the group at the time specified.

    I included the time explicitly here so you can see the required format.

  • I use a built-in activity. So I would add that line of code as a script? Does it take the user and group from the parameters of the workflow?
  • Would depend a bit on what launches the workflow - is it the member-add action?
  • I will add the above as a script "as is" because it seems to be exactly what we need. Thank you.
  • If the target group and target members are being specified by a parameter on the workflow, you can retrieve those in the script using the following:
    $groupDN = $workflow.Parameter('groupDN')
    $member = $workflow.Parameter('memberDN')
  • My use of the $Request.GUID for the Identity assumes that it's the group membership change that is triggering your workflow. You will still need to determine / calculate the name of the added member ($GroupMember) by parsing it out of the attribute change data in the $Request (i.e. the AR transaction).
  • This is what I will add to the workflow:

    function onPostModify($Request)
    {
        $groupDN = $workflow.Parameter('groupDN') #get the group DN from the workflow
        $member = $workflow.Parameter('memberDN') #get the member from the workflow
        $days = 5 #days to schedule the removal
        $time = (Get-Date).AddDays($days).ToUniversalTime()
        #the control must carry the removal time, in UTC, in the format shown above (e.g. 2018-04-13T08:00:00Z)
        $hash = @{'ScheduledOperation-SetTime' = $time.ToString('yyyy-MM-dd\THH:mm:ss\Z')}
        Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash
    }
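Putting the pieces of this thread together, the following is an added example (written for this page, not code from any of the posters or from the vendor) of a script-activity function that schedules the removal of every member handed in by the workflow. It assumes, as the replies above do, that the workflow exposes the parameters 'groupDN' and 'memberDN', that the removal time goes in the 'ScheduledOperation-SetTime' control in the 2018-04-13T08:00:00Z form shown earlier, and that Remove-QADGroupMember is available inside the script activity. The helper names New-ScheduledRemovalControl and Set-TemporaryMembership are illustrative and not part of any product API.

```powershell
# Added example: schedule removal of group members N days after the workflow runs.
# Assumes the Active Roles script activity exposes $workflow (with .Parameter) and
# Remove-QADGroupMember, as described in the thread. Function names are illustrative.

function New-ScheduledRemovalControl {
    param(
        [Parameter(Mandatory)][int]$Days,
        [datetime]$Now = (Get-Date)   # injectable so the computed value can be inspected
    )
    if ($Days -le 0) { throw "Days must be a positive number; got $Days" }
    # The control takes an absolute UTC timestamp; the format matches the literal
    # value shown earlier in this thread (yyyy-MM-ddTHH:mm:ssZ). T and Z are escaped
    # so .NET copies them literally.
    $when = $Now.AddDays($Days).ToUniversalTime()
    return @{ 'ScheduledOperation-SetTime' = $when.ToString('yyyy-MM-dd\THH:mm:ss\Z') }
}

function Set-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string[]]$MemberDN,
        [int]$Days = 5
    )
    $control = New-ScheduledRemovalControl -Days $Days
    foreach ($m in $MemberDN) {
        # Fail loudly if a removal could not be scheduled: a silent failure would
        # leave a standing admin membership, which is exactly what the policy forbids.
        try {
            Remove-QADGroupMember -Proxy -Identity $GroupDN -Member $m -Control $control -ErrorAction Stop
            Write-Verbose ("Scheduled removal of {0} from {1} at {2}" -f $m, $GroupDN, $control['ScheduledOperation-SetTime'])
        } catch {
            throw "Could not schedule removal of $m from ${GroupDN}: $_"
        }
    }
}

function onPostModify($Request) {
    # Values come from the workflow parameters, as described in the replies above.
    $groupDN = $workflow.Parameter('groupDN')
    $members = @($workflow.Parameter('memberDN'))   # one DN or several
    Set-TemporaryMembership -GroupDN $groupDN -MemberDN $members -Days 5
}
```

Two caveats worth keeping in mind: the control value is an absolute time, so it must be computed and applied once per membership change (re-running the activity queues a second scheduled removal rather than moving the first), and it must be in UTC, which is why the conversion happens before formatting. Because Remove-QADGroupMember is called with -ErrorAction Stop, an unreachable proxy or a rejected control surfaces as a workflow failure instead of leaving the member in the admin group with no expiry.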