PowerShell Custom Activity


i am new to password manager and are looking on an how to remove a user from a group during a workflow.

But how to know about the user that is currently running the workflow so that i can use, for example, the samaccountname for my script?

I tried the following but getting an error message in the log.

$username = $Request["Username"]

remove-adgroupmember "groupname" -member $username -confirm:$false

It seems to be, that the varialbe $username is empty.



  • PWM supports custom scripting officially. Therefore, PWM install package contains SDK, manuals, workflow examples (.zip) which (I expect) contain script examples how to access in-process variables inside PWM engine workflow.
  • I know. But it is not working or i do something the wrong way. Therefor my question.
  • Hello Frank,

    I'm not sure if you have figured this out yet or not, but I wrote the following code snippet that adds a user to a group via a Password Manager customer workflow step. I'll provide the whole snippet for completeness and this customer used the ARS management shell, but calling any PowerShell command should be possible.

    The section of the code you might be interested in is $workflow.UserInfo.ID. This code works with the user's GUID and not samAccountName. The UserInfo class does have a GetSamAccountName Method, so if you needed to use this attribute, it should be fairly easy to get.

    #Load ARS Management Shell, which needs to be installed on PM server
    Add-PSSnapin Quest.ActiveRoles.ADManagement
    Connect-QADService -service arsserver -proxy
    #Obtain the user's GUID
    $userguid = $workflow.userinfo.id
    #Utilize ARS MgmtShell commands to remove user from PM NotRegistered group
    Remove-QADGroupMember -identity 'target\QPM_NotRegistered' -member $userguid
    #Add user to the PM Registered group
    Add-QADGroupMember -identity 'target\QPM_Registered' -member $userguid
  • Hello Richard,
    no, i was not able to figure out how it is working. Your example is good, but i did not have the Roles Server running. And only with the powershell snapins, i could not get the username.

    I try to use the SDK help, but i did not get it. I try to use the example on the powershell handlers for custom web services to get the actual user who is running the workflow. But it is not working. I am sure that i am doing something wrong. But i did not get it.

    I am using the following example code:

    $username = $Request[“UserName”]

    if (“$username” –eq “”) {
    $Response.Write(“What is your username?”);
    } else {
    $Response.Write(“Hello, $username!”);

    But the username is empty.
  • I know this is an old post but as someone that was looking for a similar answer, I wanted to make sure that others stumbling across this post had an answer.

    To use the SamAccountName in the script, you can use:


  • I'm having the same trouble as Frank. I'm just trying to test using the custom web services in 5.9.3. I've cut and pasted the examples from out of the SDK and I'm not able to get username or domain. 

    I've tried:

    $userName = $Request.QueryString["user"]

    $userName = $Request.QueryString["UserName"]

    $userName = $Request.Query["UserName"]

    $userName is always $null

    Same for "domain"

    I have gotten the following code to work when I set $username and $domain to static values:

    $username = "myActualUsername"
    $domain = "myActualDomain"
    $connection = $global.GetDirectoryConnectionByName($domain)

    $user = $global.GetUserByName($connection, $username, [string[]]("objectGUID", "mail"))

    if ($user -eq $null) {
    throw "User $username not found in the domain $domain."

    $mail = $user[“mail”]
    $Response.Write(“User $username has the following email address: $mail”)

    This brings up my email, so I know it's working.

    I just can't seem to pull anything out with $Request.Query or $Request.QueryString

    I blindly tried this as well with no luck:


  • I was missing the part where you send what you're looking for in the URL which is explained in the readmes that accompany the examples in the SDK

    Form and open the following URL:
    - pmserver - name of the computer on which the Password Manager Service is installed.
    - service_URL - URL specified when creating the custom web service.
    - user_sAMAccountName - sAMAccountName of a user to whom a passcode is assigned.
    - domain_FQDN - fully qualified domain name of a domain to which the user belongs. Note: a connection to this domain must be configured in Password Manager.
    - passcode - the passcode assigned to the user.

    username and domain were empty because I wasn't sending them.