
Workflow to add a user to an Admin group, then automatically remove them in X days.

    Management has asked that we limit the time a user is a member of the Enterprise Admins group.  I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow.  Is there any way a workflow triggered from an AD action can grant temporary group access?

  • This appears to be a triggered workflow so having parameters wouldn't be as useful. The parameters would have to be static values since a triggered workflow doesn't provide the end user the opportunity to provide input.

    So, the following script module will do what you're looking to do without the need for parameters:


    function temporalGroupMembership($Request){
        # Walk every attribute carried by the request the workflow is processing
        for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
            $item = $Request.Item($i)
            $attr = $item.Name
            # Only changes to the group's 'member' attribute are of interest
            if ($attr -eq 'member') {
                $operation = $item.ControlCode
                # Act only when members are being appended, not on replace or delete operations
                if ($operation -eq $Constants.ADS_PROPERTY_APPEND) {
                    $item.Values | ForEach-Object {
                        $groupDN = $Request.DN
                        $member  = $_
                        $days    = 5   # days after which the member is removed again
                        $time    = (Get-Date).AddDays($days).ToUniversalTime()
                        # Active Roles control: schedule the removal for $time instead of running it now
                        $hash = @{}
                        $hash.Add("ScheduledOperation-SetTime", $time)
                        Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash
                    }
                }
            }
        }
    }

    Since your workflow is being triggered based on any operation for that group, assuming that's to approve any and all changes, I added in a piece that makes sure it only runs the scheduled removal when a member is being added to the group. Other operations will be ignored.
