0 votes

Hello,

My question potentially piggy-backs off of the following URL:

Automated Expiry of Group Membership

We have the need to add/remove users frequently to/from a specific AD group that allows users to connect to our systems remotely. The AD group is required to be added to each user who may need this temporary remote access. For instance, we have a weather event upon us in my area, and we will be passively closing our offices for 2 business days due to the weather event. Specific users will need remote access as we passively close our office. I would like to initially identify a specific range of users by name when adding the AD group, and identify a timeframe that they would have access to the AD group. When the timeframe outlined expires, we would like for a scheduled task to remove the AD group from the specific range of users that we originally added the AD group to.

Is this possible, and if so, how do I go about designing and implementing something like this in Adaxes?

Thanks in advance for any replies or assistance.

Jason

by (100 points)

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello Jason,

Yes, this can be done using a Custom Command, a Scheduled Task and PowerShell scripts. For details, have a look at the following article in our script repository: https://www.adaxes.com/script-repositor ... p-s493.htm.

0

I viewed the URL provided, and I created the Custom Command/Scheduled Task as described with the two PS scripts. When I run the command against a user, I get the following error:

"Method invocation failed because [softerra.adaxes.adsi.admuser] does not contain a method named Add".

Someone replied to my message left at the script repository URL stating that I need to use the script in a Custom Command configured for Group Object type. When I configure it this way, it does not appear to allow me to identify the users that will need to be added. That's where I am getting confused.

We would like to have a custom command in Adaxes Administrator which would allow us to select multiple users, and add them to the Remote Users AD group temporarily for 24 hours when we have issues with office closings due to weather. We would then like to have a scheduled task run every 24 hours and remove the users who were added to the Remote Users group on a temporary basis.

Thanks in advance for any replies sent.

0

Hello Jason,

The reply to your comment was provided by our Support Team. The Custom Command script from our repository should be executed on a group and temporarily add the user that initiated the process to the group. There is no possibility for an admin to use this solution for adding multiple users to a group on temporary basis.

For us to recommend a solution, please, specify the version of Adaxes you are currently using. To check that:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service.
  3. In the context menu, click Properties.
  4. Adaxes version will be displayed on the General tab.
0

3.10.16008.0

Thank you.

0

Hello Jason,

Thank you for specifying.

You will need to use a Custom Command with parameters and a different script. For us to write the script, please, specify whether the command should always add users to the Remote Users AD group or the admin executing the Custom Command should have the possibility to select the group?

0

Hello-

The way we can design this Custom Command would be to strictly apply users to the Remote Users AD group. We would not need to select any other group(s).

Please let me know if you have any other questions, thank you very much.

0

Hello Jason,

Thank you for the confirmation.

You will need to update the Custom Command (configured for Group object type) previously created for the solution. Also, you can disable the Custom Command in the operations list for the Web Interface (the command will never be available in the left pane) and create an action that will be configured only for the Remote Users AD group and used to execute the Custom Command. For details, have a look at the following tutorials:
https://www.adaxes.com/tutorials_WebInt ... bjects.htm
https://www.adaxes.com/tutorials_WebInt ... nsPane.htm
To update the Custom Command:

  1. Launch Adaxes Administration Console.

  2. In the Console Tree, expand your service node.

  3. Navigate to Configuration\Custom Commands and select the command you need.

  4. In the Result Pane on the right, activate the Parameters tab and click New.

  5. Select AD object picker and click Next.

  6. Enter the parameter name and display name (e.g. userToAdd and User to add).

  7. Click Next.

  8. In the Object Selection section, click Configure.

  9. In the Display only objects that match the following LDAP filter field, specify the following: sAMAccountType=805306368

  10. Select Allow multiple selection and click OK.

  11. In the Value separator field, specify the separator that will be used for parameter values (e.g. semicolon).

  12. Click Finish.

  13. Activate the Actions tab.

  14. Right-click the Run PoweShell script action and then click Edit Action.

  15. Replace the script in the Script field with the below one. In the script:

    • $memberListProperty - specifies the LDAP name of the attribute that stores a list of temporary group members and the times when to remove them;
    • $durationInHours - specifies the duration of temporary membership (in hours).
    • $parameterName – specifies the name of the parameter (set on step 6) that will be used to select users for adding to group with the –param prefix;
    • $parameterValueSeparator – specifies the separator for parameter values entered on step 11.
     $memberListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
     $durationInHours = 24 # TODO: modify me
     $parameterName = "param-MyParam" # TODO: modify me
     $parameterValueSeparator = ";" # TODO: modify me
    
     # Get group records
     try
     {
         $records = $Context.TargetObject.GetEx($memberListProperty)
     }
     catch
     {
         $records = @()
     }
    
     # Add selected users to group
     $usersToAdd = $Context.GetParameterValue($parameterName)
     $endDate = [System.Datetime]::Now.AddHours($durationInHours)
     $endDateString = $endDate.ToString("MM/dd/yyyy hh tt")
     foreach ($dn in $usersToAdd.Split($parameterValueSeparator))
     {
         # Build path
         $user = $Context.BindToObjectByDN($dn)
         $guid = [Guid]$user.Get("ObjectGuid")
         $guidPath = "Adaxes://<GUID=$guid>"
    
         # Build record
         $record = "$guidPath $endDateString"
    
         # Add new record
         $addNewRecord = $True
         for ($i = 0; $i -lt $records.Length; $i++)
         {
             $path = ($records[$i] | Select-String -Pattern "Adaxes\:\/\/<GUID=.+\>").Matches[0].Value
             if ($path -ne $guidPath)
             {
                 continue
             }
    
             $records[$i] = $record
             $addNewRecord = $False
             break
         }
    
         if ($addNewRecord)
         {
             # Add a information on when to remove the user from the group
             $records += $record
    
             # Add user to the group
             $Context.TargetObject.Add($guidPath)
         }
     }
    
     # Update the list of members to remove
     $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $memberListProperty, $records)
     $Context.TargetObject.SetInfo()
  16. Click OK and save the changes.

0

This works great, thank you. Now, do we need to set up a Scheduled Task to remove the users after 24 hours? I had made one previously, but when tested, it does not appear to remove the selected users.

Thank you very much.

0

Hello Jason,

Now, do we need to set up a Scheduled Task to remove the users after 24 hours?

Yes, the Scheduled Task is still required. It will remove users from the group when the time comes.

I had made one previously, but when tested, it does not appear to remove the selected users.

Most probably, the time to remove users from the group did not come yet. Also, make sure that the Scheduled Task is configured correctly.

  1. The task should be configured for Group object type.
  2. In the script executed by the Scheduled Task, the $memberListProperty variable should have exactly the same value as the same variable in the script executed by the Custom Command.
  3. The Activity Scope of the Scheduled Task should include the group on which the Custom Command was executed, not the group members.

As long as you are going to use the solution only for one group, the Scheduled Task can look like the following:

Related questions

0 votes
0 answers

Hi, is there a way to expire group membership via Adaxes? We would like to limit the user's membership in certain groups based on an expiry date. Idea so far ... both security groups and distribution groups. Any ideas? Thanks for your help. Greetings, Thomas

asked May 20, 2014 by esoAdxAdmin (650 points)
0 votes
1 answer

Hi there, I am trying creating a report in Adaxes a set of users and looking to add a few group names as column with value 'Yes' or 'No' based on if user is member of ... Value = "Yes" } else{ $Context.Value = "No" } Would appreciate any help in this aspect.

asked May 6, 2022 by Vish539 (460 points)
0 votes
1 answer

Is it possible using PowerShell to copy group memberships from an already existing user without copying 2 specific groups named for example test and test 1 ? We are currently ... groups are not included. I can share the PowerShell script if needed. KR, Cas

asked Oct 30, 2023 by Cas (200 points)
0 votes
1 answer

Hello, is it possible to update a user attribute (extensionAttribute5) with the name of the group (Name), the user was just added to? Example: In Group A gets a new ... A should be written in the attribute extensionAttribute5 of User A. Can you please help me?

asked Jun 27, 2023 by lohnag (160 points)
0 votes
1 answer

I created a group Business Rule that triggers "After adding or removing a member from a group". On its Activity Scope I added a test group, and set it for "The group ... does not trigger. What should I do to make the BR detect this (admittedly rare) case?

asked Mar 16, 2023 by alex.vanderwoude (60 points)
3,588 questions
3,277 answers
8,303 comments
548,084 users