How to get a Temporal End Date when new member added to a group

I have a script that will set a temporal end date to 1 year from that date for certain groups when no date is entered. What I am struggling to find is a way to grab the end date if one is entered. We do not want anyone to put someone in a Group for longer than a certain period (we have a few like 1 week, 2 weeks or a year). Is there a way to grab that date so I can use a script to check when a group member is added? I use the below for after they are in the group but I'm not having any luck in using this on the PostModify in my policy. It keeps returning no date.

Script in Policy that does not return the

    $group = $request.GUID

    $member = $request.getex("member")

    $EndTime = "edsva-ScheduledLink-EndTime"
    $DateEntered = Get-QADGroupMember -Identity $group -Proxy -Control @{'ScheduledLink-GetStartEndTime'=1} -IncludedProperties $EndTime | where {($_.dn) -eq $member} | Select-Object $EndTime
    

If I run the above for a group and user with a temporal end date I get data back.  But as I said if it's run from the postmodify group portion of a policy script the $DateEntered comes back blank.  Is it because it's not committed yet so it can't look it up?  Is there a way to grab it with a $request.xxxx ?

  • This is a very old post, but I've got the same issue.  It's like the temporal group membership is updated after the member is added.  Did you ever find a solution for this?

    As a workaround, I'll most likely use a scheduled workflow instead.

  • Hi  

    If you're only interested in pending group membership changes, you can use the "Get-QARSOperation" command, as we can add the OperationType and OperationStatus parameters to only retrieve pending changes.

    $PGMs = Get-QARSOperation -OperationType GroupMembershipChange -OperationStatus Pending -proxy
    
    ForEach($PGM in $PGMs)
    {
        $Operation = $PGM.ID
        $Group = $PGM.TargetObjectInfo.DN
        $OperationTime = ($PGM.Controls | Where-Object {$_.ID -eq "ScheduledOperation-SetTime"}).Value
        $Format = "yyyyMMddHHmmss.0Z"
    
        $dateString = $OperationTime
        $utcDate = [DateTime]::MinValue
        # Reset so a failed parse does not reuse the previous operation's time
        $Time = $null
        if ([DateTime]::TryParseExact($dateString, $format, $null, [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$utcDate)) {
            $Time = $utcDate.ToLocalTime()
        }
    
    
        $OperationType = $PGM.AttributeChanges.Operation
        $Members = $PGM.AttributeChanges.values
    
        ForEach($Member in $Members)
        {
            $Record = [string]::Format("{0} - {1} - {2} - {3} - {4}",$Operation,$Group,$Time,$OperationType,$Member)
            Write-Host $Record
        }
    }

    For example, my "Helpdesk Group" has 4 members, some with temporal add and/or remove, or they're a member

    Running this will result in a couple of records (grouped by the Operation ID)

    In this instance, 2 (1-2419 and 1-2437)

    1-2419 lists the temporal removes, and 1-2347 the temporal adds

  • Just to clarify, the reason there are two requests is because I set these memberships in a single action (added them all, then clicked apply); Active Roles then submitted some internal requests for common adds and removes.

    In total there were actually 4 requests, where 1-2420 and 1-2348 completed, as both were added immediately (as opposed to at some scheduled time).
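
An added example, not part of the thread and not Active Roles' own code: once an end time has been obtained (for instance from a pending operation, as in the answer above), this checks it against a per-group maximum membership duration. The function name `Test-TemporalEndTime`, the `$MaxDuration` table, the group DNs and the sample timestamps are all constructed, and it assumes the end time arrives in the same `yyyyMMddHHmmss.0Z` form that the answer's script parses.

```powershell
# Constructed per-group limits; DNs and durations are placeholders.
$MaxDuration = @{
    'CN=Helpdesk Group,OU=Groups,DC=example,DC=com' = [TimeSpan]::FromDays(7)
    'CN=Project Admins,OU=Groups,DC=example,DC=com' = [TimeSpan]::FromDays(14)
}
$DefaultMax = [TimeSpan]::FromDays(365)   # fallback: one year

function Test-TemporalEndTime {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$EndTimeString,                      # empty = no end date supplied
        [DateTime]$Now = [DateTime]::UtcNow
    )
    $nowUtc = $Now.ToUniversalTime()
    $limit  = if ($MaxDuration.ContainsKey($GroupDN)) { $MaxDuration[$GroupDN] } else { $DefaultMax }
    $latest = $nowUtc.Add($limit)

    # Parse as UTC and keep it UTC so the comparison is time-zone independent.
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor
              [Globalization.DateTimeStyles]::AdjustToUniversal
    $end = [DateTime]::MinValue
    $ok  = [DateTime]::TryParseExact($EndTimeString, 'yyyyMMddHHmmss.0Z',
               [Globalization.CultureInfo]::InvariantCulture, $styles, [ref]$end)

    # A missing or unparseable end time is treated as permanent membership.
    if     (-not $ok)         { $status = 'NoEndDate' }
    elseif ($end -le $nowUtc) { $status = 'AlreadyExpired' }
    elseif ($end -gt $latest) { $status = 'ExceedsLimit' }
    else                      { $status = 'WithinLimit' }

    [pscustomobject]@{
        Group            = $GroupDN
        Status           = $status
        EndTimeUtc       = if ($ok) { $end } else { $null }
        LatestAllowedUtc = $latest
    }
}

# Constructed sample input, evaluated against a fixed clock so results are repeatable.
$clock    = [DateTime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
$helpdesk = 'CN=Helpdesk Group,OU=Groups,DC=example,DC=com'
foreach ($sample in '20240105120000.0Z', '20240301000000.0Z', '') {
    Test-TemporalEndTime -GroupDN $helpdesk -EndTimeString $sample -Now $clock
}
```

Anything other than `WithinLimit` is a membership that needs its end date set or shortened; `LatestAllowedUtc` gives the value to clamp to.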