Dynamic Group - Temp Membership

Hi Team. 

Just looking for some suggestions or ideas. We use Dynamic groups based on a VA being set. Our Service Desk selects this from the WI.

We have a couple of Dynamic groups where we want the membership to be removed 48 hours after the account was added to the group. Now I know I could use a standard group and use the temp membership route, but we then lose the ability of our Service Desk team just ticking a box.

So what I was thinking was that I could have a script that checks the group every few hours and then sets the VA back to false. But is there any attribute that tracks when the user was added? Or is there a way I could add a timestamp attribute?

Open to other suggestions or ideas?

  • Here is my first workflow. When the VA McTest1 is set to TRUE this will fire off an approval notification. Once approved, the account is automatically added to the Dynamic group and the VA McTest2 is stamped with the date and time +1 for this test.

    McTest2 VA date and time settings. I have tried pretty much every combination here.

    Here I have the second workflow. Searching AD.



    I am searching for any users inside a security group.

     

    So if any users are found, set McTest1 to False, as this will remove them from the Dynamic Group, and then clear the McTest2 VA which held the time.

    My If/Else



  • The problem is in your If/Else branch. You are using the wrong conditional. The timestamp will absolutely never be "equal" to the current timestamp plus 1. Instead, you should be checking to see if the timestamp is "greater than" the current day plus 1.

  • Also, I'd move the conditional check into the filter of your search. It would be much more efficient to simply return the objects that you care about, rather than returning everything and then looping through them, checking each one. You can remove the If/Else entirely. 

  • Can I just confirm you mean less or equal, not greater? Thanks for the heads up on that point though, as that was changed in error. When I set it to less or equal it now removes the account. I am not sure what else might have changed, as yesterday I had that set. Either way, thanks for the pointer.

  • "I have been over this many times and even recreated it from scratch, trying to search in a group or even just search in an OU. I can't tell if it's actually finding my user account, but it's not removing the date on the VA. At a bit of a loss with this one. Any suggestions?"

    Some useful tips, not applicable in all cases, to help verify a Search has been configured properly:

    Using the 'Add Report Section' can sometimes be useful for seeing what has been found by a Search activity. Add something like the Display Name (depending on the object type) of the found object to the activity, and the Display Name of each found object will appear in the Run History of the Workflow.

    The LDAP query of the Search being conducted is also in the workflow's Run History. Copy this and paste it into the Advanced tab of a Custom Search in the MMC to also see if any results are found.

  • Sorry, I had the logic backwards. Yes, the conditional should be less or equal

  • Hi. I am now trying to use this same workflow logic on another group, but ideally I need the account to be a member of the group for a number of hours. The most I can select is + or - one day, but not hours. Is there another way I could achieve this?

  • Try setting up an "additive" group, "<GroupName> (Additive)", and set the dynamic group to include members of this "additive" group. Then set up a change WF that, for users added to the additive group, makes their membership temporal.

    function temporalGroupMembership($request)
    {
        # Members just added to the additive group, read from the workflow's
        # saved object properties (saved under the name "AddedMembers")
        $users   = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
        $groupDN = $request.Get("distinguishedName")

        # Expiry of the membership. Modify here for the amount of time:
        # AddDays(2) for 48 hours, or AddHours(n) for an hours-long window.
        $time = (Get-Date).AddDays(2).ToUniversalTime()
        $hash = @{}
        $hash.Add("ScheduledOperation-SetTime", $time)

        # With this control Active Roles does not remove the member now; it
        # schedules the removal for $time, which makes the membership temporal.
        foreach ($userDN in $users) {
            Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
        }
    }
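    The polling idea from the original question (check the group every few hours and flip the VA back), with the "move the comparison into the search" advice and the hours-granularity problem folded in, as an added example. This is not code from the thread, from Active Roles or from One Identity; it assumes the VAs are exposed with the LDAP display names edsvaMcTest1 (Boolean) and edsvaMcTest2 (Date/Time), the Active Roles Management Shell module name shown, a constructed group DN, and an account that may write those VAs through the Active Roles Administration Service. The date comparison is done client-side so it works to the minute; the commented filter shows how to push it into the LDAP query if the Date/Time VA is searchable through the proxy in your environment.

```powershell
# Added example (not from the original thread). Run from a scheduled task every
# hour: find members of the dynamic group whose stamp has expired, set the trigger
# VA back to FALSE (which drops them from the Dynamic Group) and clear the stamp.
param(
    [string]$GroupDN     = 'CN=Temp-Access,OU=Groups,DC=example,DC=com', # constructed
    [string]$SearchRoot  = 'DC=example,DC=com',                           # constructed
    [string]$FlagVA      = 'edsvaMcTest1',   # Boolean VA the Service Desk ticks (assumed name)
    [string]$ExpiryVA    = 'edsvaMcTest2',   # Date/Time VA stamped by the first workflow (assumed name)
    [int]   $WindowHours = 0                 # 0: VA holds the expiry; n: VA holds the add time, expire after n hours
)

# Module name as shipped with Active Roles 7.x (assumption; older versions use the
# Quest.ActiveRoles.ADManagement snap-in instead).
Import-Module ActiveRolesManagementShell -ErrorAction Stop
# Go through the Administration Service: VAs are not visible on a plain AD connection.
Connect-QADService -Proxy | Out-Null

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a DN containing \ * ( ) cannot break or widen the filter.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function ConvertTo-UtcDateTime($value) {
    # The VA may come back as [datetime] or as a raw generalized-time string.
    if ($null -eq $value -or "$value" -eq '') { return $null }
    if ($value -is [datetime]) { return $value.ToUniversalTime() }
    return [datetime]::ParseExact("$value", "yyyyMMddHHmmss'.0Z'",
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal).ToUniversalTime()
}

function Remove-ExpiredDynamicMembers {
    $now    = (Get-Date).ToUniversalTime()
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$(ConvertTo-LdapFilterValue $GroupDN)))"

    # If the Date/Time VA is searchable through the proxy, the comparison can move
    # into the filter as suggested above, so only expired members come back:
    #   $stamp  = $now.ToString('yyyyMMddHHmmss.0Z')
    #   $filter = "(&(objectClass=user)(memberOf=...)($ExpiryVA<=$stamp))"

    $members = Get-QADUser -SearchRoot $SearchRoot -LdapFilter $filter `
                           -IncludedProperties $FlagVA, $ExpiryVA -SizeLimit 0

    foreach ($u in $members) {
        $stamp = ConvertTo-UtcDateTime $u.$ExpiryVA
        if ($null -eq $stamp) {
            # A member without a stamp was not added by the ticking workflow; do not
            # touch it silently, report it so someone can look.
            Write-Warning "$($u.SamAccountName) is in $GroupDN with no $ExpiryVA stamp"
            continue
        }
        $expiry = if ($WindowHours -gt 0) { $stamp.AddHours($WindowHours) } else { $stamp }

        # "less or equal", as settled above: expired when the expiry is at or before now.
        if ($expiry -le $now) {
            # Clearing the flag is what removes the account from the Dynamic Group;
            # clearing the stamp means a fresh tick starts a fresh window.
            Set-QADUser -Identity $u.DN -ObjectAttributes @{ $FlagVA = $false; $ExpiryVA = $null } | Out-Null
            Write-Output "$($u.SamAccountName): expired $($expiry.ToString('u')), $FlagVA cleared"
        }
    }
}

Remove-ExpiredDynamicMembers
```

    The expiry is written once, when the account is added, and compared here to the minute, so the window can be 6 hours as easily as 48; the +/- one day limit of the workflow's date picker only matters if the stamp itself is set by that activity, which is why the script can also treat the stamp as the add time and apply $WindowHours.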