PowerShell Workflow - Remove from Group

Hi Craig, I am very interested in seeing how you created the workflow to remove users from groups after an hour. In my case, I would like to remove users after they have been in the group for 30 days. Are you able to post these settings? Thanks in advance!

Hi Craig, I am very interested in seeing how you are removing users from groups after an hour. In my case, I would like to remove users from a group after they have been a member for 30 days. Are you able to post these settings? Thanks in advance!

Hi. 

I will grab all the details tomorrow and let you know how I did it. I use this to remove people from groups after and hour or days and it works well. 

The Temporal Group memberships (automatic timed removal of members) is controlled by these properties:

edsva-ScheduledLink-StartTime

edsva-ScheduledLink-EndTime

So when you add users to a group, you set these properties which queues the removal operation for execution at the "...EndTime"

Here's an article about this

Hi. So the way we do it is this and your milage may vary on it. 

We have a tick box on the ARS Web page that when ticked will set a BOOLEAN VA to TRUE. The first workflow picks up that the VA is TRUE and stops it pending an approval from a manager. If the Manager approves the user is added to say GroupNameA

See first workflow



Then we have a second workflow where the operation is Add member to group




The start conditions are below. Object Type Group , Operation Add member to group and then on the filter set distinguishedName of Workflow target and then select the group 




On the workflow there is a Save Object properties object. You want the Activity Target as Requested Changes

Then the Target Properties as Member 

Also on that Workflow is a script object. Below is a 60 minute script 

function temporalGroupMembership($Request){
    $users = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
    $groupDN = $Request.Get("distinguishedName")

    #$time = (Get-Date).AddDays(3).ToUniversalTime() # Modify here for the amount of time.
    $time = (Get-Date).AddMinutes(60).ToUniversalTime() # Modify here for the amount of time.
    
    $hash = @{}
    $hash.add("ScheduledOperation-SetTime",$time)


    foreach($userDN in $users){
        Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
    }
}
# END SCRIPT #

or a two days code. Just amend as you need. 

function temporalGroupMembership($Request){
    $users = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
    $groupDN = $Request.Get("distinguishedName")

    #$time = (Get-Date).AddDays(3).ToUniversalTime() # Modify here for the amount of time.
    $time = (Get-Date).AddMinutes(2880).ToUniversalTime() # Modify here for the amount of time.
    
    $hash = @{}
    $hash.add("ScheduledOperation-SetTime",$time)


    foreach($userDN in $users){
        Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
    }
}

When the above runs. if you look in the group you will see your user account has 60 minute or 2 days or what ever you have decided to use. The icon in the group will have a little clock icon to show you its a temp membership 

Thank you so much for taking the time! I really appreciate your help!

Hi. I posted the steps above. Just change the 2 Days Powershell script to 30 days. 

Just change to this $time = (Get-Date).AddMinutes(43200).ToUniversalTime()