Modify script to filter temporary group access end time

I'm using this script to get the report for edsva-ScheduledLink-EndTime; however, I want to filter for users who have 10 days left before their access expires. The idea is to send an email notification to remind them that their access will be expiring in 10 days. Can someone help me modify the script?

Add-PSSnapin Quest.ActiveRoles.ADManagement
$controls = @{}
$controls.Add("ScheduledLink-GetPending",1)
$controls.Add("ScheduledLink-GetStartEndTime",1)
Get-QADGroupMember -proxy -Identity Test_Wallpaper-User-TS-G -Control $controls -IncludedProperties edsva-ScheduledLink-StartTime,edsva-ScheduledLink-EndTime | select name, email, edsva-ScheduledLink-StartTime,edsva-ScheduledLink-EndTime

  • Hi Rizan

    Probably one of the easiest ways of doing this would be to use the "Get-QARSOperation" cmdlet, which you could use to get all "Membership Change" operation types which are "Pending".

    IE:

    $PendingGroupChanges = Get-QARSOperation -OperationStatus Pending -OperationType GroupMembershipChange -Proxy

    So you can run something s

    Clear-Host
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    $DaysToRemoval = 10
    ##############
    $culture = [Globalization.CultureInfo]::InvariantCulture
    # The trailing Z marks UTC; AssumeUniversal makes ParseExact return local time for comparison with Get-Date
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal
    $PendingGroupChanges = Get-QARSOperation -OperationStatus Pending -OperationType GroupMembershipChange -Proxy
    ForEach($PendingGroupChange in $PendingGroupChanges)
    {
        # Scheduled execution time of the pending operation
        $Date = $($PendingGroupChange.Controls | Where-Object {$_.id -eq "ScheduledOperation-SetTime"}).Value
        $ActionDate = [DateTime]::ParseExact($Date, "yyyyMMddHHmmss.f'Z'", $culture, $styles)
        $TimeSpan = New-TimeSpan -Start $(Get-Date) -End $ActionDate
        # Report only membership removals due in fewer than $DaysToRemoval days
        If(($PendingGroupChange.AttributeChanges.operation -eq "Delete") -and ($TimeSpan.TotalDays -lt $DaysToRemoval))
        {
            Write-Host "$($PendingGroupChange.id)"
            Write-Host "`tTarget Group: $($PendingGroupChange.TargetObjectInfo.DN)"
            Write-Host "`tAction: $($PendingGroupChange.AttributeChanges.Operation)"
            Write-Host "`tDate $ActionDate"
            Write-Host "`tUser:"
            ForEach($User in $PendingGroupChange.AttributeChanges.values)
            {
                Write-Host "`t`t$($User)"
            }
        }
    }

    This should give you an output similar to the below:

  • Hi... Thanks for helping. Really appreciate it. This is more likely to remove the account. My plan is to filter those users whose access is going to be removed in 10 days, export them to CSV with name and email address, and then I can run another script to send email to them.

     

    Please help.

  • Clear-Host
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    $DaysToAction = 10
    $ActionType = "Delete"
    $LogFile = "$($env:USERPROFILE)\Desktop\Users being ($ActionType) within $($DaysToAction) days - $(Get-Date -Format "ddMMyyyyHHmm").csv"

    ##############

    # File headers (semicolon-delimited, because group DNs contain commas)
    "Group;User;Email;Action;Date" | Out-File $LogFile

    $culture = [Globalization.CultureInfo]::InvariantCulture
    # The trailing Z marks UTC; AssumeUniversal makes ParseExact return local time for comparison with Get-Date
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal
    $PendingGroupChanges = Get-QARSOperation -OperationStatus Pending -OperationType GroupMembershipChange -Proxy
    ForEach($PendingGroupChange in $PendingGroupChanges)
    {
        # Scheduled execution time of the pending operation
        $Date = $($PendingGroupChange.Controls | Where-Object {$_.id -eq "ScheduledOperation-SetTime"}).Value
        $ActionDate = [DateTime]::ParseExact($Date, "yyyyMMddHHmmss.f'Z'", $culture, $styles)
        $TimeSpan = New-TimeSpan -Start $(Get-Date) -End $ActionDate
        # Report only operations of $ActionType due in fewer than $DaysToAction days
        If(($PendingGroupChange.AttributeChanges.operation -eq $ActionType) -and ($TimeSpan.TotalDays -lt $DaysToAction))
        {
            Write-Host "$($PendingGroupChange.id)"
            Write-Host "`tTarget Group: $($PendingGroupChange.TargetObjectInfo.DN)"
            Write-Host "`tAction: $($PendingGroupChange.AttributeChanges.Operation)"
            Write-Host "`tDate $ActionDate"
            Write-Host "`tUser:"
            ForEach($User in $PendingGroupChange.AttributeChanges.values)
            {
                Write-Host "`t`t$($User)"

                # Resolve the member to a user object to read its name and email
                $UserRecord = $null

                try
                {
                    $UserRecord = Get-QADUser -Identity $User -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
                }
                catch
                {
                    $UserRecord = $null
                }

                If($UserRecord)
                {
                    "$($PendingGroupChange.TargetObjectInfo.DN);$($UserRecord.name);$($UserRecord.email);$($PendingGroupChange.AttributeChanges.operation);$ActionDate" | Out-File $LogFile -Append
                }
                Else
                {
                    "$User not found in AD" | Out-File $LogFile -Append
                }
            }
        }
    }

  • Hi Rizan

    I don't follow what you mean by "This more likely to remove the account"; the value of "Delete" in the script is the action being performed against the user's membership of the group (aka Remove).

    The updated script extends the function to get the user's "Name" and "Email" address attributes, and outputs to file.
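
The 10-day window filter discussed in this thread, as a self-contained example added here (not part of any post and not Active Roles code): it parses the ScheduledOperation-SetTime format as UTC, skips end times already in the past, and writes the result with Export-Csv. The function names, record fields, output path and sample values are constructed for illustration; it assumes Windows PowerShell 3.0 or later and needs no Active Roles connection.

```powershell
function ConvertFrom-GeneralizedTime {
    param([Parameter(Mandatory=$true)][string]$Value)
    $culture = [Globalization.CultureInfo]::InvariantCulture
    # The quoted 'Z' is only a literal to ParseExact, so state explicitly that
    # the value is UTC and should stay UTC.
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor
              [Globalization.DateTimeStyles]::AdjustToUniversal
    [DateTime]::ParseExact($Value, "yyyyMMddHHmmss.f'Z'", $culture, $styles)
}

function Select-ExpiringAccess {
    param(
        [Parameter(Mandatory=$true)][object[]]$Record,
        [int]$DaysToAction = 10,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    foreach ($r in $Record) {
        $end  = ConvertFrom-GeneralizedTime $r.EndTime
        $days = ($end - $Now).TotalDays
        # Keep only removals that are still in the future and inside the window;
        # a bare "less than" test would also match dates that have already passed.
        if ($days -ge 0 -and $days -le $DaysToAction) {
            [pscustomobject]@{
                Group      = $r.Group
                Name       = $r.Name
                Email      = $r.Email
                EndTimeUtc = $end.ToString('u')
                DaysLeft   = [math]::Floor($days)
            }
        }
    }
}

# Constructed sample records standing in for pending membership removals.
$sample = @(
    [pscustomobject]@{ Group='CN=Example-Group,DC=example,DC=com'; Name='Alice Example'; Email='alice@example.com'; EndTime='20240105120000.0Z' }
    [pscustomobject]@{ Group='CN=Example-Group,DC=example,DC=com'; Name='Bob Example';   Email='bob@example.com';   EndTime='20240120000000.0Z' }
    [pscustomobject]@{ Group='CN=Example-Group,DC=example,DC=com'; Name='Carol Example'; Email='carol@example.com'; EndTime='20231230000000.0Z' }
)

# Fixed reference time so the sample is reproducible; omit -Now in real use.
$now = [DateTime]::SpecifyKind([DateTime]'2024-01-01', [DateTimeKind]::Utc)

$expiring = Select-ExpiringAccess -Record $sample -DaysToAction 10 -Now $now
# Export-Csv quotes every field, so commas inside group DNs do not break columns.
$expiring | Export-Csv -Path (Join-Path $env:TEMP 'expiring-access.csv') -NoTypeInformation
$expiring | Format-Table -AutoSize
```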