0 votes
  1. Every role-based-group starts with "arbg-"
  2. Users should only be in 1 arbg- group

To enforce this, on any user change I would like to remove them from any "arbg-" group they are currently in and re-add them based on the original logic (department number, job title, etc.).

In effect this is the PowerShell command: Get-ADPrincipalGroupMembership -Identity <SamAccount> | Select Name | Where-Object {$_.Name -Like 'ARBG*'}

by (110 points)

1 Answer

0 votes
by (294k points)

Hello,

It can be done using a business rule triggering After adding a member to a group and the below PowerShell script. The rule will look like the following: image.png

$filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", "%distinguishedName%")

$searcher = $Context.BindToObject("Adaxes://%member%")
$searcher.SearchFilter = "(&(objectCategory=group)(name=arbg-*)(!$filterPart))"
$searcher.SearchScope = "ADS_SCOPE_BASE"
$searcher.PageSize = 500
$searcher.AttributeScopeQuery = "memberOf"

try
{
    # Execute search
    $searchIterator = $searcher.ExecuteSearch()
    $searchResults = $searchIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        return
    }

    foreach ($searchResult in $searchResults)
    {
        $group = $Context.BindToObjectBySearchResult($searchResult)
        $group.Remove("Adaxes://%member%")
    }
}
finally
{
    # Release resources
    if ($searchIterator){ $searchIterator.Dispose() }
}
0

With LDAP Filters no longer being supported with 2023.2, what is the proper script using Criteria?

I want a custom command that runs the script on all users the command is being run against to remove all groups the member is a part of that start with "BTPAM."

0

Is it possible to get an updated version of this script? I could use it as well.

0

Hello,

Here is the updated script using criteria instead of the LDAP filter.

# Build criteria
$criteria = New-AdmCriteria "group" -Expression {(name -startsWith "arbg-") -and (distinguishedName -ne "%distinguishedName%")}

# Search parameters
$searcher = $Context.BindToObject("Adaxes://%member%")
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_BASE"
$searcher.PageSize = 500
$searcher.AttributeScopeQuery = "memberOf"

try
{
    # Execute search
    $searchIterator = $searcher.ExecuteSearch()
    $searchResults = $searchIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        return
    }

    foreach ($searchResult in $searchResults)
    {
        $group = $Context.BindToObjectBySearchResult($searchResult)
        $group.Remove("Adaxes://%member%")
    }
}
finally
{
    # Release resources
    if ($searchIterator){ $searchIterator.Dispose() }
}
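
An added example, not part of the original thread and not Adaxes's own code: an audit for the "only one arbg- group" rule from the question, built on the Get-ADPrincipalGroupMembership command the asker quoted, with a dry-run cleanup. It uses the ActiveDirectory module rather than the Adaxes API; the function names, the -SearchBase option and the sample account and group names are assumptions.

```powershell
# Added example: uses the ActiveDirectory (RSAT) module, not the Adaxes API.
Import-Module ActiveDirectory

function Get-RoleGroupViolation {
    # Returns one object per enabled user who is a member of more than one
    # group whose name starts with $Prefix ("arbg-" is the prefix from the question).
    param(
        [string]$Prefix = 'arbg-',
        [string]$SearchBase   # optional OU to limit the audit (assumption)
    )
    $userArgs = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $userArgs.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @userArgs) {
        # @() forces an array so .Count is reliable for zero or one result
        $roleGroups = @(Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.Name -like "$Prefix*" })
        if ($roleGroups.Count -gt 1) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                RoleGroups     = $roleGroups.Name
            }
        }
    }
}

function Remove-ExtraRoleGroup {
    # Removes the user from every prefixed group except $Keep.
    # SupportsShouldProcess makes -WhatIf / -Confirm available for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Keep,
        [string]$Prefix = 'arbg-'
    )
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -like "$Prefix*" -and $_.Name -ne $Keep } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "Remove $SamAccountName")) {
                Remove-ADGroupMember -Identity $_ -Members $SamAccountName -Confirm:$false
            }
        }
}

# Report violations first and review them before changing anything.
Get-RoleGroupViolation | Format-Table -AutoSize
# Dry run for one account (constructed sample names):
# Remove-ExtraRoleGroup -SamAccountName 'jdoe' -Keep 'arbg-finance' -WhatIf
```

Running the report on a schedule shows whether the business rule is actually keeping accounts in a single role group, including accounts changed outside Adaxes.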
