Working with group changes using Powershell

Hi,

Are there any example scripts floating around that show how to interact with changes made to groups using the script modules?

I am fairly familiar with working with User objects and "onPreCreate", "OnPostCreate" etc, but I don't have any examples of working with groups.

I am working on an Integration with Microsoft Teams where I would like to have a workflow trigger a Powershell script that sends alerts when a group is modified. Inside the notification it would have the group name that was changed, whether it was an add or delete, and the list of users that were added/modified.

If anyone knows of any examples floating around that they could share that would be awesome!

Cheers,

Todd

  • Trapping the add or remove can be easily implemented with a change workflow.

    These are configured under Configuration | Policies | Workflow

    I would add two:  

    1) One with the start condition add group member

    2) One with the start condition remove group member

    Here's a snippet of code that you would add into AR as a Policy Script module and then reference this same code in a script activity contained in each of the change workflows suggested above.

    function FindMembers ($Request)
    {
        # Script works just the same whether dealing with added or removed members
        $Members = @()

        # Pull the updated member list from the AR transaction
        # Returns array of distinguished names
        $Members = $Request.GetEx("Member")

        # Sample action - dump added or removed members to a file
        $Members | %{Add-Content "Members_Chg_Dump.txt" $_}
        Add-Content "Members_Chg_Dump.txt" $("=" * 50)
    }


  • Hi,

    I have been on this script on and off and have come up with a few questions

    • How can I dump all of the attributes from $Request? I tried using "$Request | Select * | Out-File <path to file>", but I could only see stuff like "Member".
    • Is there a way for me to access who actually made the change? Do I need to reference the change log for this?

    Regards,

    Todd

  • Hello Todd,

    There's a lot of great information in the Active Roles SDK help file. It is located in the SDK folder where Active Roles was installed. For starters, search the help file for IADsPropertyList. Within the returned results, there is a specific page that describes how to enumerate the attributes in the Request object by using $Request.PropertyCount. Also, at the bottom of that page, there is another example of determining group membership operations and prohibiting the removal from a group. You can search for 'Prohibit Removing the Group Members' to find this exact page.

  • To answer your specific question about getting the delegated admin who made a change, you would do it like this in a Policy Script:

    Function CaptureUser ($Request)
    {
        $UserSamAccount = ""
        $UserDN = ""
        # whoami fills the two [ref] variables with the caller's account name and DN
        $Request.whoami([ref]$UserSamAccount,[ref]$UserDN)
        Add-Content "Some file.txt" $UserSamAccount
        Add-Content "Some file.txt" $UserDN
    }

    You can embed this as a Script Activity in a Change Workflow that reacts to a user property change (for example).

    The value will get passed to the two variables mentioned.  

    Hope this helps.
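The pieces from the replies above can be combined into the alert Todd asked for: the request's attribute list (the IADsPropertyList enumeration the SDK page describes), the control code on the member entry to tell an add from a remove, and whoami for the delegated admin. The following is an added example written for this thread, not code from the thread or from the Active Roles SDK. It assumes $Request implements IADsPropertyList (PropertyCount, Item, GetPropertyItem) with the standard ADSI control codes (APPEND = 3, DELETE = 4), exposes Class, Name and whoami as used in the replies, and that the Teams incoming-webhook URL is a placeholder you replace with your own.

```powershell
# Added example for this thread; assumptions: $Request implements IADsPropertyList,
# ControlCode uses the ADSI ADS_PROPERTY_* values, whoami works as in CaptureUser,
# and the webhook URL below is a placeholder.

$ADSTYPE_DN_STRING = 1   # ADSI type of the member attribute
$ControlCodeNames  = @{ 1 = "Clear"; 2 = "Update"; 3 = "Add"; 4 = "Remove" }

function Get-RequestAttributeDump ($Request)
{
    # Enumerate every attribute carried by the request (the "dump all attributes"
    # question): name, control code and the values from GetEx, one line per attribute.
    $lines = @()
    for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
        $entry = $Request.Item($i)                     # IADsPropertyEntry
        $code  = $ControlCodeNames[[int]$entry.ControlCode]
        $values = @()
        try { $values = @($Request.GetEx($entry.Name)) } catch { $values = @("<unreadable>") }
        $lines += "{0} [{1}]: {2}" -f $entry.Name, $code, ($values -join "; ")
    }
    return $lines
}

function Get-MemberChange ($Request)
{
    # The control code on the 'member' entry distinguishes an add (APPEND) from a
    # remove (DELETE); the values are the affected member DNs.
    $entry = $Request.GetPropertyItem("member", $ADSTYPE_DN_STRING)
    $code  = [int]$entry.ControlCode
    $op = if ($code -eq 3) { "added" } elseif ($code -eq 4) { "removed" } else { "changed" }
    return [pscustomobject]@{ Operation = $op; Members = @($Request.GetEx("member")) }
}

function Send-GroupChangeAlert ($Request)
{
    # Only act on groups; the same script activity may be reused by other workflows
    if ($Request.Class -ne "group") { return }

    $change = Get-MemberChange $Request
    $sam = ""; $dn = ""
    $Request.whoami([ref]$sam, [ref]$dn)             # as in the CaptureUser snippet above

    $text = "Group {0}: {1} member(s) {2} by {3}`n{4}" -f `
        $Request.Name, $change.Members.Count, $change.Operation, $sam, ($change.Members -join "`n")

    # Keep an audit trail next to the notification, like the dump in the first reply
    Add-Content "Members_Chg_Dump.txt" $text
    Add-Content "Members_Chg_Dump.txt" ("-" * 20)
    Get-RequestAttributeDump $Request | ForEach-Object { Add-Content "Members_Chg_Dump.txt" $_ }
    Add-Content "Members_Chg_Dump.txt" ("=" * 50)

    # Placeholder Teams incoming-webhook URL; replace with your own
    $webhook = "https://WEBHOOK-URL-PLACEHOLDER"
    $body = @{ text = $text } | ConvertTo-Json
    Invoke-RestMethod -Uri $webhook -Method Post -ContentType "application/json" -Body $body
}
```

Put the three functions in a Policy Script module and call Send-GroupChangeAlert from the script activity in each of the two change workflows (add group member, remove group member); one function serves both because the control code, not the workflow, tells the direction of the change.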
