Automated Add/Expiry of Group Membership

Question

Hello,

My question potentially piggy-backs off of the following URL:

Automated Expiry of Group Membership

We have the need to add/remove users frequently to/from a specific AD group that allows users to connect to our systems remotely. The AD group is required to be added to each user who may need this temporary remote access. For instance, we have a weather event upon us in my area, and we will be passively closing our offices for 2 business days due to the weather event. Specific users will need remote access as we passively close our office. I would like to initially identify a specific range of users by name when adding the AD group, and identify a timeframe that they would have access to the AD group. When the timeframe outlined expires, we would like for a scheduled task to remove the AD group from the specific range of users that we originally added the AD group to.

Is this possible, and if so, how do I go about designing and implementing something like this in Adaxes?

Thanks in advance for any replies or assistance.

Jason

Answer 1

Hello Jason,

Yes, this can be done using a Custom Command, a Scheduled Task and PowerShell scripts. For details, have a look at the following article in our script repository: https://www.adaxes.com/script-repositor ... p-s493.htm.

Comments

I viewed the URL provided, and I created the Custom Command/Scheduled Task as described with the two PS scripts. When I run the command against a user, I get the following error:

"Method invocation failed because [softerra.adaxes.adsi.admuser] does not contain a method named Add".

Someone replied to my message left at the script repository URL stating that I need to use the script in a Custom Command configured for Group Object type. When I configure it this way, it does not appear to allow me to identify the users that will need to be added. That's where I am getting confused.

We would like to have a custom command in Adaxes Administrator which would allow us to select multiple users, and add them to the Remote Users AD group temporarily for 24 hours when we have issues with office closings due to weather. We would then like to have a scheduled task run every 24 hours and remove the users who were added to the Remote Users group on a temporary basis.

Thanks in advance for any replies sent.

---

Hello Jason,

The reply to your comment was provided by our Support Team. The Custom Command script from our repository should be executed on a group and temporarily add the user that initiated the process to the group. There is no possibility for an admin to use this solution for adding multiple users to a group on temporary basis.

For us to recommend a solution, please, specify the version of Adaxes you are currently using. To check that:

1. Launch Adaxes Administration Console.
2. In the Console Tree, right-click your service.
3. In the context menu, click Properties.
   
4. Adaxes version will be displayed on the General tab.
   

---

3.10.16008.0

Thank you.

---

Hello Jason,

Thank you for specifying.

You will need to use a Custom Command with parameters and a different script. For us to write the script, please, specify whether the command should always add users to the Remote Users AD group or the admin executing the Custom Command should have the possibility to select the group?

---

Hello-

The way we can design this Custom Command would be to strictly apply users to the Remote Users AD group. We would not need to select any other group(s).

Please let me know if you have any other questions, thank you very much.

---

Hello Jason,

Thank you for the confirmation.

You will need to update the Custom Command (configured for Group object type) previously created for the solution. Also, you can disable the Custom Command in the operations list for the Web Interface (the command will never be available in the left pane) and create an action that will be configured only for the Remote Users AD group and used to execute the Custom Command. For details, have a look at the following tutorials:
https://www.adaxes.com/tutorials_WebInt ... bjects.htm
https://www.adaxes.com/tutorials_WebInt ... nsPane.htm
To update the Custom Command:

1. Launch Adaxes Administration Console.

2. In the Console Tree, expand your service node.

3. Navigate to Configuration\Custom Commands and select the command you need.

4. In the Result Pane on the right, activate the Parameters tab and click New.
   

5. Select AD object picker and click Next.
   

6. Enter the parameter name and display name (e.g. userToAdd and User to add).

7. Click Next.

8. In the Object Selection section, click Configure.
   

9. In the Display only objects that match the following LDAP filter field, specify the following: sAMAccountType=805306368

10. Select Allow multiple selection and click OK.
    

11. In the Value separator field, specify the separator that will be used for parameter values (e.g. semicolon).
    

12. Click Finish.

13. Activate the Actions tab.

14. Right-click the Run PoweShell script action and then click Edit Action.
    

15. Replace the script in the Script field with the below one. In the script:

    • $memberListProperty - specifies the LDAP name of the attribute that stores a list of temporary group members and the times when to remove them;
    • $durationInHours - specifies the duration of temporary membership (in hours).
    • $parameterName – specifies the name of the parameter (set on step 6) that will be used to select users for adding to group with the –param prefix;
    • $parameterValueSeparator – specifies the separator for parameter values entered on step 11.

     $memberListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
     $durationInHours = 24 # TODO: modify me
     $parameterName = "param-MyParam" # TODO: modify me
     $parameterValueSeparator = ";" # TODO: modify me
    
     # Get group records
     try
     {
         $records = $Context.TargetObject.GetEx($memberListProperty)
     }
     catch
     {
         $records = @()
     }
    
     # Add selected users to group
     $usersToAdd = $Context.GetParameterValue($parameterName)
     $endDate = [System.Datetime]::Now.AddHours($durationInHours)
     $endDateString = $endDate.ToString("MM/dd/yyyy hh tt")
     foreach ($dn in $usersToAdd.Split($parameterValueSeparator))
     {
         # Build path
         $user = $Context.BindToObjectByDN($dn)
         $guid = [Guid]$user.Get("ObjectGuid")
         $guidPath = "Adaxes://<GUID=$guid>"
    
         # Build record
         $record = "$guidPath $endDateString"
    
         # Add new record
         $addNewRecord = $True
         for ($i = 0; $i -lt $records.Length; $i++)
         {
             $path = ($records[$i] | Select-String -Pattern "Adaxes\:\/\/<GUID=.+\>").Matches[0].Value
             if ($path -ne $guidPath)
             {
                 continue
             }
    
             $records[$i] = $record
             $addNewRecord = $False
             break
         }
    
         if ($addNewRecord)
         {
             # Add a information on when to remove the user from the group
             $records += $record
    
             # Add user to the group
             $Context.TargetObject.Add($guidPath)
         }
     }
    
     # Update the list of members to remove
     $Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $memberListProperty, $records)
     $Context.TargetObject.SetInfo()

16. Click OK and save the changes.

---

This works great, thank you. Now, do we need to set up a Scheduled Task to remove the users after 24 hours? I had made one previously, but when tested, it does not appear to remove the selected users.

Thank you very much.

---

Hello Jason,

Now, do we need to set up a Scheduled Task to remove the users after 24 hours?

Yes, the Scheduled Task is still required. It will remove users from the group when the time comes.

I had made one previously, but when tested, it does not appear to remove the selected users.

Most probably, the time to remove users from the group did not come yet. Also, make sure that the Scheduled Task is configured correctly.

1. The task should be configured for Group object type.
2. In the script executed by the Scheduled Task, the $memberListProperty variable should have exactly the same value as the same variable in the script executed by the Custom Command.
3. The Activity Scope of the Scheduled Task should include the group on which the Custom Command was executed, not the group members.

As long as you are going to use the solution only for one group, the Scheduled Task can look like the following: