Workflow to add a user to an Admin group, then automatically remove them in X days.

Question

Management has asked that we limit the time a user is a member of the Enterprise Admins group. I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow. Is there any way a workflow triggered from an AD action can grant temporary group access?

JohnnyQuest · Accepted Answer

In your existing workflow, are you using a built-in activity to perform the member-add or a script? You could add a step like this in a script activity to set the expiration of the group membership: Remove-QADGroupMember -proxy -identity $Request.GUID -Member $GroupMember -Control @{'ScheduledOperation-SetTime'="2018-04-13T08:00:00Z"} The latter bit would automatically remove the user from the group at the time specified. I included the time explicitly here so you can see the required format.

JohnnyQuest · Answer

My use of the $Request.GUID for the Identity assumes that it's the group membership change that is triggering your workflow. You will still need to determine / calculate the name of the added member ($GroupMember) by parsing it out of the attribute change data in the $Request (i.e. the AR transaction).

Nick.Dollimount · Answer

Hello, 
 
This needs to be done via the 'ScheduledOperation-SetTime' control, however in workflows, there is currently no method to set a calculated time value as configuring controls in a workflow only allows for a static value. 
 
You can use the following example to create a script that perform the removal of the user being added to the group after a certain amount of days though.

$groupDN = '' #get the group DN from the workflow 
$member = '' #get the member from the workflow 
$days = 5 #days to schedule the removal 
$time = (Get-Date).AddDays($days).ToUniversalTime() 
$hash = @{} 
$hash.add("ScheduledOperation-SetTime",$time) 
Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash

Please refer to the SDK, searching for 'Retrieving data from workflow context' to learn how to retrieve the groupDN and member from the workflow. 
 
You would place the script in the workflow after the operation of the member being added. 
 
I hope this helps.

Endpoint Privilege Management

Workflow to add a user to an Admin group, then automatically remove them in X days.