Working with group changes using Powershell

Hi,

Are there any example scripts floating around that show how to interact with changes made to groups using the script modules?

I am fairly familiar with working with User objects and "onPreCreate", "OnPostCreate" etc, but I don't have any examples of working with groups.

I am working on an Integration with Microsoft Teams where I would like to have a workflow trigger a Powershell script that sends alerts when a group is modified. Inside the notification it would have the group name that was changed, whether it was an add or delete, and the list of users that were added/modified.

If anyone knows of any examples floating around that they could share that would be awesome!

Cheers,

Todd

  • Trapping the add or remove can be easily implemented with a change workflow.

    These are configured under Configuration | Policies | Workflow

    I would add two:

    1) One with the start condition add group member

    2) One with the start condition remove group member

    Here's a snippet of code that you would add into AR as a Policy Script module and then reference this same code in a script activity contained in each of the change workflows suggested above.

    function FindMembers ($Request)
    {
        # Script works just the same whether dealing with added or removed members
        $Members = @()

        # Pull the updated member list from the AR transaction
        # Returns array of distinguished names
        $Members = $Request.GetEx("Member")

        # Sample action - dump added or removed members to a file
        $Members | ForEach-Object { Add-Content "Members_Chg_Dump.txt" $_ }
        Add-Content "Members_Chg_Dump.txt" $("=" * 50)
    }
  • Hi,

    I have been on this script on and off and have come up with a few questions

    • How can I dump all of the attributes from $Request? I tried using "$Request | Select * | Out-File <path to file>", but I could only see stuff like "Member".
    • Is there a way for me to access who actually made the change? Do I need to reference the change log for this?

    Regards,

    Todd

  • Hello Todd,

    There's a lot of great information in the Active Roles SDK help file. It is located in the SDK folder where Active Roles was installed. For starters, search the help file for IADsPropertyList. Within the returned results, there is a specific page that describes how to enumerate the attributes in the Request object by using $Request.PropertyCount. Also, at the bottom of that page, there is another example of determining group membership operations and prohibiting the removal from a group. You can search for 'Prohibit Removing the Group Members' to find this exact page.

  • To answer your specific question about getting the delegated admin who made a change, you would do it like this in a Policy Script:

    Function CaptureUser ($Request)
    {
        $UserSamAccount = ""
        $UserDN = ""

        # whoami fills both [ref] variables with the initiator's sAMAccountName and DN
        $Request.whoami([ref]$UserSamAccount, [ref]$UserDN)

        Add-Content "Some file.txt" $UserSamAccount
        Add-Content "Some file.txt" $UserDN
    }

    You can embed this as a Script Activity in a Change Workflow that reacts to a user property change (for example).

    The value will get passed to the two variables mentioned.

    Hope this helps.

  • I just realized that the "$Request | Select * | Out-File <path to file>" command dumped what I need. There is an attribute called OperationInitiatorSid.

    However, I can't seem to reference this in any way. I tried dumping this attribute to a text file to see if I could work with it. It doesn't seem to work.

    Is there something special I need to do to interact with this attribute?


  • I got it working. This is something new I have never seen in Powershell before, like an array inside of an array.

    I referenced the OperationInitiatorSid by doing the following:

    $Initiator = $Request.OperationInitiatorSid

    This revealed that OperationInitiatorSid appears to be an array itself. So I grabbed the SID like this:

    $Initiator = $Request.OperationInitiatorSid.Value

    This then gave me the value I wanted.

    I know there is an easier way, but I am too stupid to figure out what that is right now. But this will give me the information that I need.

  • I personally don't find SIDs too friendly to work with - hence my recommendation above of the $Request.whoami approach which gives you the nice friendly samaccountname and distinguishedname of the initiator.

    FWIW, the "Value" you cite above is in fact a property of the OperationInitiatorSid property. I hate working with values that are "buried" like that too.
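    Putting the pieces from this thread together (the $Request.GetEx("Member") member list, the $Request.whoami initiator lookup, and the $Request.OperationInitiatorSid.Value fallback) into one Policy Script function that builds the alert body the original question asks for. This is an added example, not code from the thread or from Active Roles itself; the $Operation and $GroupName parameters are assumed to be supplied by the Script Activity of each change workflow, and $fakeRequest is a constructed stand-in so the function can be run outside Active Roles.

```powershell
function ConvertFrom-DnToCn {
    param([string]$Dn)
    # Return the leading CN= component of a distinguished name, un-escaping "\," in the name.
    if ($Dn -match '^CN=((?:\\,|[^,])+)') { return $Matches[1] -replace '\\,', ',' }
    return $Dn
}

function New-GroupChangeAlert {
    param(
        $Request,                                               # the Active Roles $Request object
        [ValidateSet('Add', 'Remove')][string]$Operation,       # assumed: passed in by the workflow
        [string]$GroupName                                      # assumed: passed in by the workflow
    )

    # Member DNs carried in the transaction, exactly as in the FindMembers snippet above.
    $members = @($Request.GetEx("Member"))

    # Initiator: prefer whoami (friendly names); fall back to the raw SID's Value property.
    $sam = ""; $dn = ""
    try   { $Request.whoami([ref]$sam, [ref]$dn) }
    catch { $sam = $Request.OperationInitiatorSid.Value }

    $names = @($members | ForEach-Object { ConvertFrom-DnToCn $_ })
    [pscustomobject]@{
        Group     = $GroupName
        Operation = $Operation
        Initiator = $sam
        Members   = $names
        Text      = "Group '$GroupName': $Operation by $sam: " + ($names -join ', ')
    }
}

# Constructed stand-in for $Request (sample values, not real directory data).
$fakeRequest = [pscustomobject]@{
    OperationInitiatorSid = [pscustomobject]@{ Value = 'S-1-5-21-0-0-0-1234' }
}
$fakeRequest | Add-Member -MemberType ScriptMethod -Name GetEx -Value {
    param($Attr)
    @('CN=Doe\, Jane,OU=Users,DC=example,DC=com', 'CN=Smith John,OU=Users,DC=example,DC=com')
}
$fakeRequest | Add-Member -MemberType ScriptMethod -Name whoami -Value {
    param([ref]$Sam, [ref]$Dn)
    $Sam.Value = 'jadmin'; $Dn.Value = 'CN=jadmin,OU=Admins,DC=example,DC=com'
}

$alert = New-GroupChangeAlert -Request $fakeRequest -Operation Add -GroupName 'Finance-Readers'
Write-Output $alert.Text
```

Inside Active Roles, drop the $fakeRequest section and call New-GroupChangeAlert from the Script Activity with the real $Request; the Text property is what you would hand to your Teams notification.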

  • Hi JohnnyQuest,

    I 100% agree with you, working with SID is ugly. I was planning to do an AD lookup, and get the givenName and SN. I had read about the $Request.WhoamI, but was getting an error when trying to use it. I was obviously using it incorrectly. Thank you for showing an example, this will streamline my script a great deal!

    And thank you for correcting me on the terminology of "array" vs. "property". I have never come across a property embedded inside of a property like this. It is an interesting way of presenting the data, but unfortunately my Powershell scripting skills are not up to the task of working with this type of data. Thank you for providing some examples, hopefully I can get it working.