Hello! We are making some changes to our company these days, and we need to delete and add a lot of groups on the users. I was going to use this script to remove all access groups from the user (great to have a log: if the user is missing some access, we can easily see what access he had).

$filePath = "C:\Reports\Useradm\Disabledusers\%username%.txt" # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text
$file = New-Item -Path $filePath -ItemType File

# Save the report to the file
Add-Content $file $report.ToString()

My problem: we have a system that only syncs every 24 hours for some reason, so we can't remove the groups that give access to this system. I am having problems implementing a do-not-delete variable in this script for anything other than the primary group, sadly. Is this something you guys could help me solve?

And a bonus question :) What is the best way of deleting and adding new groups through Adaxes? I am now (before moving the user) removing all groups, and then (after the move) it will add all groups based on Location, Title, Department and Division.
I see some add access based on template users (is this only how you are used to doing things, or is there a best practice in Adaxes?)

Thanks for any help :)
Best regards
Tomada

by (50 points)

1 Answer

by (289k points)
Best answer

Hello,

I am having problems implementing a do-not-delete variable in this script for anything other than the primary group, sadly. Is this something you guys could help me solve?

Sure, find the updated script below. In the script, the $groupNamesToSkip variable specifies an array of groups from which users must not be removed. Each group in the array is identified by its sAMAccountName.

$filePath = "C:\Reports\Useradm\Disabledusers\%username%.txt" # TODO: modify me
$groupNamesToSkip = @("MyGroup1", "MyGroup2") # TODO: modify me

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")

$groupsToSkip = New-Object "System.Collections.Generic.HashSet[System.String]"
$groupNamesToSkip | %{ [void]$groupsToSkip.Add($_) }
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
    # Skip special groups
    if ($groupsToSkip.Contains($group.Get("sAMAccountName")))
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text
$file = New-Item -Path $filePath -ItemType File

# Save the report to the file
Add-Content $file $report.ToString()

Is this only how you are used to doing things, or is there a best practice in Adaxes?

Your solution with two Business Rules is absolutely fine; you do not need to change anything.

As an alternative, you can use a single script to add and remove users from groups in a Business Rule triggering After Moving a User. In this case, the rule triggering Before Moving a User will not be required.


Thanks so much for the quick reply. This works like a charm when you specify the group, but this application has over 50 groups, so I tried wildcarding it, but that did not work; it removes the group anyway.
Am I doing something wrong, or is this not possible?

Groups: ApplicationName-DivisionName1, ApplicationName-DivisionName2, ApplicationName-DivisionName3, and so on.

I was hoping it would work something like this :)

$groupNamesToSkip = @("ApplicationName-*") # TODO: modify me

Hello,

Yes, it is possible, but it requires changes to the script. We have updated the script to meet your needs; find it below.

$filePath = "C:\Reports\Useradm\Disabledusers\%username%.txt" # TODO: modify me
$groupNamesToSkip = @("MyGroup1", "MyGroup2", "ApplicationName-*") # TODO: modify me

function SkipGroup($patterns, $sAMAccountName)
{
    foreach ($pattern in $patterns)
    {
        if ($sAMAccountName -like $pattern)
        {
            return $True
        }
    }

    return $False
}

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

# Create a plain text report
$report = New-Object "System.Text.StringBuilder"
$report.Append("The user was removed from the following groups:")

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the user's Primary Group
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }
    # Skip special groups
    $sAMAccountName = $group.Get("sAMAccountName")
    if (SkipGroup $groupNamesToSkip $sAMAccountName)
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $report.AppendLine()
    $report.Append($group.Get("name"))
}

# Create a new text
$file = New-Item -Path $filePath -ItemType File

# Save the report to the file
Add-Content $file $report.ToString()
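An offline dry run of the skip-list logic from the script above, added here as an example (it is not code from the thread or from Adaxes). It reuses the same SkipGroup function, but with a constructed list of group sAMAccountNames in place of the $Context objects, so it runs in plain PowerShell and shows which groups a pattern list would keep or remove before any membership is changed, including the case-insensitive and broader-than-intended matches a wildcard like ApplicationName-* can produce.

```powershell
# Added example, not part of the original thread. Constructed sample data
# stands in for the Adaxes $Context objects so it runs in plain PowerShell.

$groupNamesToSkip = @("MyGroup1", "ApplicationName-*")   # same format as the script

# Constructed sample memberships. In the real script these come from
# $Context.TargetObject.GetEx("adm-DirectMemberOfGuid") and $group.Get("sAMAccountName");
# the primary group is left out because the script handles it separately.
$memberOf = @(
    "MyGroup1",
    "ApplicationName-DivisionName1",
    "ApplicationName-Admins",    # also matches the wildcard: is that intended?
    "applicationname-legacy",    # -like is case-insensitive, so this matches too
    "Finance-Users"
)

function SkipGroup($patterns, $sAMAccountName)
{
    foreach ($pattern in $patterns)
    {
        if ($sAMAccountName -like $pattern) { return $True }
    }
    return $False
}

# Classify every group before anything is changed, so the planned removals
# can be reviewed (and later compared with the report file the script writes).
function Get-RemovalPlan($patterns, $groups)
{
    $plan = foreach ($name in $groups)
    {
        $action = "remove"
        if (SkipGroup $patterns $name) { $action = "keep" }
        [pscustomobject]@{ Group = $name; Action = $action }
    }
    return $plan
}

$plan = Get-RemovalPlan $groupNamesToSkip $memberOf
$plan | Format-Table -AutoSize

# Show how many groups each wildcard pattern keeps, so an over-broad pattern
# (for example "*") is noticed before it preserves access nobody meant to keep.
foreach ($pattern in ($groupNamesToSkip | Where-Object { $_ -match '[*?]' }))
{
    $hits = @($memberOf | Where-Object { $_ -like $pattern })
    "Pattern '$pattern' keeps $($hits.Count) group(s): $($hits -join ', ')"
}
```

With the constructed data, the plan keeps MyGroup1 and the three ApplicationName-* names (including the lower-case one) and marks only Finance-Users for removal, which is the kind of review worth doing on a real user's memberships before the Business Rule runs for everyone.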

Wow, great! Thanks again!
With support like this, I start to believe world peace is possible! :D ;)


Hello,

Thank you for your kind words! We do appreciate it a lot. :)
