Workflow to add a user to an Admin group, then automatically remove them in X days.

    Management has asked that we limit the time a user is a member of the Enterprise Admins group. I am copying a workflow that we use for approval of membership in the Domain Admins group; however, I see no way to add a time component to the workflow. Is there any way a workflow triggered from an AD action can grant temporary group access?

  • Hello,

    This needs to be done via the 'ScheduledOperation-SetTime' control. However, in workflows there is currently no method to set a calculated time value, as configuring controls in a workflow only allows for a static value.

    You can use the following example to create a script that performs the removal of the user being added to the group after a certain number of days, though.



    $groupDN = '' #get the group DN from the workflow
    $member = '' #get the member from the workflow
    $days = 5 #days to schedule the removal
    $time = (Get-Date).AddDays($days).ToUniversalTime()
    $hash = @{}
    $hash.add("ScheduledOperation-SetTime",$time)
    Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash



    Please refer to the SDK, searching for 'Retrieving data from workflow context' to learn how to retrieve the groupDN and member from the workflow.

    You would place the script in the workflow after the operation of the member being added.

    I hope this helps.
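The following is an added example that wraps the answer's technique in a reusable form; it is not code from the original reply or from the Active Roles SDK. It assumes the Quest/Active Roles cmdlets are loaded, that the session is connected through Active Roles with Connect-QADService -Proxy so that request controls are honoured, and that $GroupDN, $MemberDN and $Days are values you would obtain from the workflow context as the reply describes. The function names New-ScheduledRemovalControl and Invoke-TemporaryGroupMembership are the example's own.

```powershell
# Added example, not the original poster's script. Assumes the Active Roles
# management cmdlets are available and that the workflow provides the group
# DN, the member DN and the number of days (hypothetical inputs here).

function New-ScheduledRemovalControl {
    param(
        # Refuse zero or negative values so a mistake cannot schedule an
        # immediate or never-running removal.
        [Parameter(Mandatory)][ValidateRange(1, 365)][int]$Days
    )
    # Controls are passed as a hashtable. The value is computed in UTC so the
    # schedule does not depend on the time zone of the Active Roles service.
    $when = (Get-Date).ToUniversalTime().AddDays($Days)
    return @{ 'ScheduledOperation-SetTime' = $when }
}

function Invoke-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # e.g. the Enterprise Admins group DN (assumed input)
        [Parameter(Mandatory)][string]$MemberDN,  # DN of the user granted membership (assumed input)
        [int]$Days = 5                            # how long the membership should last
    )

    # Route the request through Active Roles; controls are ignored when the
    # cmdlets talk directly to a domain controller.
    Connect-QADService -Proxy | Out-Null

    # Only schedule a removal for a member that is actually in the group; this
    # keeps the compensating operation tied to the membership the earlier
    # workflow step granted.
    $current = Get-QADGroupMember -Identity $GroupDN | Where-Object { $_.DN -eq $MemberDN }
    if (-not $current) {
        throw "Member '$MemberDN' is not in group '$GroupDN'; nothing to schedule."
    }

    $control = New-ScheduledRemovalControl -Days $Days
    Remove-QADGroupMember -Identity $GroupDN -Member $MemberDN -Control $control

    # Return a record of what was scheduled so the privileged-access grant can
    # be reconciled against group membership during review.
    [pscustomobject]@{
        Group     = $GroupDN
        Member    = $MemberDN
        RemoveAt  = $control['ScheduledOperation-SetTime']
    }
}

# Example invocation inside the workflow script module (values are placeholders):
# Invoke-TemporaryGroupMembership -GroupDN $GroupDN -MemberDN $MemberDN -Days 5
```

Placing this after the step that adds the member keeps the grant and its scheduled reversal in the same workflow run, and the returned object gives you something to write to a log or ticket so that an expired grant can be checked against the group's actual membership.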