Automatically deprovision temporary users

Hi everybody,

In our environment we need to create temporary users in Active Directory and deprovision them after X hours (with a maximum of 12 hours).

We thought of using AD group temporary memberships.

Specifically, when a user is created, it is added to the AD group with a membership lasting the necessary hours, after which, when it expires, with the removal, a change workflow is triggered and starts the deprovisioning.

We are having trouble extracting the user that is actually removed from the workflow. Is there a way to get this information so we can trigger deprovision on the specific user?

Thanks in advance,

Andrea

  • The code found in this post will be helpful.

    Specifically, the removed user is identified thus:

    $Request.Attributes.Get("member") - i.e. the modification of the member attribute of the target group.

    So in your case, you could do something like this:

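    # $Request.Attributes.Get("member") holds the member values changed by this request
    foreach ($RemovalUser in $Request.Attributes.Get("member"))
    {
        # Deprovision each member value carried by the request
        Deprovision-QADUser -Proxy -Identity $RemovalUser
    }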

    Note that in the post, the script is checking for added or removed members based on the control code found in the $Request transaction. In your case you are looking for the ControlCode '4'.
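A guard that could sit in front of the `Deprovision-QADUser` call from the reply above, as an added example that is not part of the original thread: it acts only on control code 4 (the ADSI `ADS_PROPERTY_DELETE` value) and only on DNs under one designated OU, so removing a regular account from the group does not deprovision it. The function name `Select-RemovedTempUser`, the OU and the sample DNs are assumptions; how the control code is read from `$Request` is covered in the post the reply refers to and is not shown here.

```powershell
# Added example, not from the original thread.
$ADS_PROPERTY_DELETE = 4                          # ADSI control code: values removed
$TempUserOU = 'OU=TempUsers,DC=example,DC=com'    # assumption: placeholder OU for temporary accounts

function Select-RemovedTempUser {                 # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int] $ControlCode,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $MemberDN,
        [Parameter(Mandatory)] [string] $AllowedOU
    )
    # Clear (1), update (2) and append (3) requests must never deprovision anyone.
    if ($ControlCode -ne $ADS_PROPERTY_DELETE) { return @() }

    $suffix = ',' + $AllowedOU
    $MemberDN | Where-Object {
        # Keep only DNs located under the allowed OU (case-insensitive suffix match).
        $_.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
        $_.Length -gt $suffix.Length -and
        # Fail closed when the comma before the OU is escaped: it would then be
        # part of the object's name, not a separator, so the object is elsewhere.
        $_[$_.Length - $suffix.Length - 1] -ne '\'
    } | Sort-Object -Unique
}

# Constructed sample values standing in for $Request.Attributes.Get("member").
$sample = @(
    'CN=tmp-jdoe,OU=TempUsers,DC=example,DC=com',      # temporary user: selected
    'CN=Alice Admin,OU=Staff,DC=example,DC=com',       # regular user: skipped
    'CN=x\,OU=TempUsers,DC=example,DC=com'             # escaped comma: skipped
)

foreach ($dn in Select-RemovedTempUser -ControlCode 4 -MemberDN $sample -AllowedOU $TempUserOU) {
    # In the workflow script this is where the call from the reply would go:
    #   Deprovision-QADUser -Proxy -Identity $dn
    Write-Output "Would deprovision: $dn"
}

# An append request (control code 3) selects nothing.
Select-RemovedTempUser -ControlCode 3 -MemberDN $sample -AllowedOU $TempUserOU
```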
