Can a user object added to a group be designated as the $Request object in a script module?

This feels like a strange question, because I feel the answer should be "no, do it another way," but:

In a change workflow with the starting operation condition "Add or remove member from group," can the added/removed user be made the $Request object or otherwise put "in process" in an OnPostModify PowerShell script?

The objective is to trigger the workflow whenever a user is added to or removed from a group, then target the newly added/removed user object and modify an extended attribute for other uses in the enterprise.

I'm relatively certain the "function onPostModify($Request)" parameter is targeting the group, and I haven't been able to find any examples of changing the target to the user added or removed, if that's even possible.

I have looked into a workflow with a Modify user properties: MemberOf starting operation condition, but I didn't get very far with it because I am not certain using the filtering conditions "...from request changes" means what I think it means.

Is there a clean way to do this?

  • When a user is added to a group, the $Request target object is the group.

    What you need to do is extract the added member from the Request and then perform work on that.

    This forum post might prove helpful to you.


  • Thanks, Johnny, and sorry for the late reply. We were able to overcome this by doing as you suggested, then determining the control code of the action with this query:

        $GroupsDN = $Request.Get("distinguishedName")
        # Walk every property entry carried by the request
        for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
            $item = $Request.Item($i)
            if ($item.controlcode -eq 3) {  # "add" user to group: write the attribute
                $tarOU = '<target OU DN>'   # placeholder: determine the target OU
                $Variable = (Get-ADUser -SearchBase $tarOU -Filter {userprincipalname -like "Search filter.*"} -Properties mail | select mail).mail
                foreach ($taruser in $Request.Attributes.Get("member")) {
                    Set-QADUser $taruser -objectAttributes @{attribute=$Variable}
                }
            }
            if ($item.controlcode -eq 4) {  # "remove" user from group: clear the attribute
                foreach ($taruser in $Request.Attributes.Get("member")) {
                    Set-QADUser $taruser -objectAttributes @{attribute=$null}
                }
            }
        }

    This way, we determined if the action was an "add" or "remove" user from group (control code 3 = add user, control code 4 = remove user), then targeted the "member" of the request and modified the desired attribute.

    Hopefully this is helpful to someone else in the future.
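
The control-code check from the reply above, as an added example that is not part of the original posts or of the product's own code: it keeps only the `member` entry of the request, so other attributes changed in the same operation are ignored, and maps the ADSI control codes to one action per member. `Get-MemberChange`, the mock request and the sample DNs are constructed for illustration; that each entry exposes `Name` and `Values` (as ADSI's `IADsPropertyEntry` does) is an assumption.

```powershell
# ADS_PROPERTY_OPERATION_ENUM values carried in each entry's ControlCode
$ControlCodeName = @{ 1 = 'Clear'; 2 = 'Replace'; 3 = 'Add'; 4 = 'Remove' }

function Get-MemberChange {
    # Emits one record per member value touched by the request.
    # $Request: any object exposing PropertyCount and Item(index), as in the post above.
    param([Parameter(Mandatory)] $Request)

    for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
        $entry = $Request.Item($i)
        # Assumption: entries expose Name and Values like ADSI's IADsPropertyEntry.
        if ($entry.Name -ne 'member') { continue }   # skip other attributes in the request

        $action = $ControlCodeName[[int]$entry.ControlCode]
        if (-not $action) { $action = "Unknown($($entry.ControlCode))" }

        foreach ($value in $entry.Values) {
            # Values may be plain strings or IADsPropertyValue-style objects (assumption).
            $dn = if ($value -is [string]) { $value } else { $value.DNString }
            [pscustomobject]@{ Action = $action; MemberDN = $dn }
        }
    }
}

# Constructed sample: a request-like object, not real Active Roles output.
# The 'description' entry shows why filtering on the entry name matters.
$entries = @(
    [pscustomobject]@{ Name = 'description'; ControlCode = 3; Values = @('Finance team') },
    [pscustomobject]@{ Name = 'member'; ControlCode = 3
                       Values = @('CN=Jane Doe,OU=Staff,DC=example,DC=com') },
    [pscustomobject]@{ Name = 'member'; ControlCode = 4
                       Values = @('CN=John Roe,OU=Staff,DC=example,DC=com') }
)
$mock = [pscustomobject]@{ PropertyCount = $entries.Count; Entries = $entries }
$mock | Add-Member -MemberType ScriptMethod -Name Item -Value { param($i) $this.Entries[$i] }

# Yields an Add record for Jane Doe and a Remove record for John Roe;
# the 'description' entry produces nothing.
Get-MemberChange -Request $mock
```

Control code 2 is reported as `Replace` rather than dropped, so a request that overwrites the whole member list is visible to the caller instead of being treated as neither add nor remove.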