Remove disabled users from groups

Question

Is there a way that anyone has been able to figure out to remove users no longer with the company from groups like ServiceNow? All ServiceNow groups in my environment begin with "ServiceNow - ". If the user has been in the disabled OU for more than 7 days, I want their ServiceNow groups to be pulled off of their account. What I am currently using today is set up like:

If the 'Account Expires' property is greater than or equal to '%datetime,+7d%' then
Remove the user from the 'ServiceNow - 1' group
Remove the user from the 'ServiceNow - 2' group
Remove the user from the 'ServiceNow - 3' group
etc

This is currently applied over the correct OU, but I would like for the script to pick up all items that begin with "ServiceNow - " instead of naming each individual group. We are constantly adding groups to ServiceNow and I don't want a new group to be missed.

All ServiceNow groups live in the same OU:
Canonical-Name = DomainName/Security Groups/ServiceNow Security Groups
Distinguished Name = OU=ServiceNow Security Groups,OU=Security Groups,DC=Domain,DC=Name,DC=org

Any help would be greatly appreciated!

-Dale

Answer 1

Hello Dale,
Yes, it is possible. To achieve what you need, use a Scheduled Task and the following PowerShell script:

# Get all groups user is a direct member of
$groupGuidBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$removedGroupNames = New-Object "System.Collections.ArrayList"
foreach ($guidBytes in $groupGuidBytes)
{
    # Bind to the group
    $groupGuid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$groupGuid>")

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from 'ServiceNow' groups
    $groupName = $group.Get("cn")
    if (-not($groupName.StartsWith("ServiceNow")))
    {
        continue
    }
    $group.Remove($Context.TargetObject.AdsPath)
    $removedGroupNames.Add($groupName)
}
$removedGroupNames = [System.String]::Join("; ", $removedGroupNames)
$Context.LogMessage("Removed the user from the following groups: '$removedGroupNames'", "Information")

To create the Scheduled Task:

1. Launch Adaxes Administration Console.
2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
   
3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
   
4. Click Add Action.
5. Select Run a program or PowerShell script and paste the script into the Script field.
6. Enter a short description and click OK.
   
7. Double-click Always.
8. Select If <property><relation><value>.
9. Select If Account Expires greater or equal and click Edit.
   
10. Select plus 7 days and click OK twice.
    
11. Click Next and assign the Scheduled Task over the desired OU.
12. Finish creating the task.

Comments

Support2, this worked flawlessly! Thank you so much for the help!