• State Verified Answer
  • Locked Locked
  • Replies 14 replies
  • Answers 1 answer
  • Subscribers 63 subscribers
  • Views 11963 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Workflow to add a user to an Admin group, then automatically remove them in X days.

kletourneau
over 6 years ago

    Management has asked that we limit the time a user is a member of the Enterprise Admins group.  I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow.  Is there any way a workflow triggered from an AD action can grant temporary group access?

  • 0 over 6 years ago
    That looks good as long as the parameters in the workflow are named appropriately as 'groupDN' and 'memberDN'.
  • 0 over 6 years ago

    I don't know how I would configure that

     

     

  • 0 over 6 years ago
    Under the Parameters tab. You add the named parameters.

    However, above (in response to me) you said that the addition of a member to a group triggers your workflow - meaning that it is a "change workflow".

    If this really is the case, then this would affect the implementation somewhat. Can you please clarify what the process looks like for us?

    i.e. does your current workflow have a configured start condition that waits for a group member add?
  • 0 over 6 years ago

    This appears to be a triggered workflow so having parameters wouldn't be as useful. The parameters would have to be static values since a triggered workflow doesn't provide the end user the opportunity to provide input.

    So, the following script module will do what you're looking to do without the need for parameters:


    function temporalGroupMembership($Request){
    for($i = 0; $i -lt $Request.PropertyCount; $i++)
       {
         $item = $Request.Item($i)
         $attr = $item.Name
         if ($attr -eq 'member'){
             $operation = $item.ControlCode
             if ($operation -eq $Constants.ADS_PROPERTY_APPEND){
                 $item.Values | %{
                        $groupDN = $Request.DN
                        $member = $_
                        $days = 5 #days to schedule the removal
                        $time = (Get-Date).AddDays($days).ToUniversalTime()
                        $hash = @{}
                        $hash.add("ScheduledOperation-SetTime",$time)
                        Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash
                 }
             }
             
         }
       }
}



    Since your workflow is being triggered based on any operation for that group, assuming that's to approve any and all changes, I added in a piece that makes sure it only runs the scheduled removal when a member is being added to the group. Other operations will be ignored.