
Workflow to add a user to an Admin group, then automatically remove them in X days.

    Management has asked that we limit the time a user is a member of the Enterprise Admins group. I am copying a workflow that we use for approval of membership in the Domain Admins group; however, I see no way to add a time component to the workflow. Is there any way a workflow triggered from an AD action can grant temporary group access?

  • In your existing workflow, are you using a built-in activity to perform the member-add or a script?

    You could add a step like this in a script activity to set the expiration of the group membership:

    Remove-QADGroupMember -proxy -identity $Request.GUID -Member $GroupMember -Control @{'ScheduledOperation-SetTime'="2018-04-13T08:00:00Z"}

    The latter bit would automatically remove the user from the group at the time specified.

    I included the time explicitly here so you can see the required format.
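
Added example, not part of the original reply and not Quest's own code: computing the removal time X days ahead in the format shown above, instead of hard-coding it. `New-ExpiryControl` is a hypothetical helper, the 1-365 day range is an assumed policy limit, and `$Request.GUID` and `$GroupMember` are assumed to be populated by the workflow as in the reply.

```powershell
# Hypothetical helper (not an Active Roles cmdlet): builds the -Control
# hashtable for a removal scheduled a given number of days from now.
function New-ExpiryControl {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 365)]   # assumed policy ceiling; set your own limit
        [int]$Days,

        [datetime]$From = (Get-Date)
    )

    # Convert to UTC first so the trailing Z is truthful, then add the days.
    $removeAt = $From.ToUniversalTime().AddDays($Days)

    # Literal 'T' and 'Z' are quoted; InvariantCulture keeps ':' as the time
    # separator on hosts whose regional settings use a different one.
    $stamp = $removeAt.ToString(
        "yyyy-MM-dd'T'HH:mm:ss'Z'",
        [System.Globalization.CultureInfo]::InvariantCulture
    )

    @{ 'ScheduledOperation-SetTime' = $stamp }
}

# Same call as in the reply above, with the timestamp computed for 7 days out.
$control = New-ExpiryControl -Days 7
Remove-QADGroupMember -Proxy -Identity $Request.GUID -Member $GroupMember -Control $control
```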
