Automating Group Membership

Question

I've created a Scheduled Task and assigned it over a group of OUs that contain targeted User accounts. I'm attemping to Automate group membership based on Managers and thier Direct Reports similar to the following tutorial:

http://adaxes.com/tutorials_AutomatingD ... rtment.htm

I'm having difficulty figuring out how to ensure the Manager is added as member to the same group as the Direct Reports. The issue seems to be that the Manger in question has a differnt Manager populated than the Direct Reports and therefore not meeting the criteria to get added to the group.

Is there a better way to acheive this type of group membership?

Answer 1

You could create a rule 'Before updating a Group' where "the 'Managed By' property has changed"
It could run a powershell script to add the new manager and remove the old manager from the group:

Import-Module Adaxes

$group = Get-AdmGroup "%cn%" -Properties Members,ManagedBy

# Add new Manager
if ($group.Members -notcontains "%managedBy%")
{ 
   $group | Add-AdmGroupMember -Members "%managedBy%"
}

# Remove old Manager
if ($group.Members -contains $group.ManagedBy)
{ 
   $group | Remove-AdmGroupMember -Members $group.ManagedBy -Confirm:$false
}

How many automated groups are you looking at? You could have 1 'run a program or PowerShell script' to do most of it. You may want to add the condition that the user has a manager.

Basically have a hash table (could be moved to a CSV) that includes the username of the manager and the group they manage.

The script would go through and add the user to the group based on the table and also remove them if they change manager so they are only ever a member of 1 of these managed groups. Something like this should do it:

Import-Module Adaxes

# Hashtable of manager to groups
$managerTable = @{
# manager username= managers group
"BobSmith"="BobsSalesTeam"
"JaneDoe"="JanesMarketingTeam"
}

$user = "%distinguishedName%"
$manager = "%adm-ManagerUserName%"

# Does the manager have a group associated?
if ($managerTable.Get_Item($manager))
{
    # Manager found, get the group required
    $groupRequired = $managerTable.Item($manager)

    # Is the user a memeber of the required group?
    $group = Get-AdmGroup $groupRequired -Properties Members
    if ($group.Members -notcontains $user)
    {
        # No, lets add the user...
        Add-AdmGroupMember -Identity $groupRequired -Members $user
    }

    # lets make sure user is not member of another manager group (changed managers)
    foreach ($managerItem in $managerTable.Keys)
    {
        # Lets ignore the group they should be a member of
        if ($managerItem -ne $manager)
        {
            $group = Get-AdmGroup $managerTable.Item($managerItem) -Properties Members
            if ($group.Members -contains $user)
            {
                # User is a member and should be removed.
                $group | Remove-AdmGroupMember -Members $user -Confirm:$false
            }
        }
    }

}
else
{
    # Manager not found. Lets make sure user is not a memeber of any managed groups.
    foreach ($managerItem in $managerTable.Keys)
    {
        $group = Get-AdmGroup $managerTable.Item($managerItem) -Properties Members
        if ($group.Members -contains $user)
        {
            # User is a member and should be removed.
            $group | Remove-AdmGroupMember -Members $user -Confirm:$false
        }
    }
}

When the script runs over the manager it could make sure that the manager is also added to the group they manage. When the manager is changed in the script and they are no longer listed as the manager they would automatically get removed next time the script is run against them. Does that sound like what you are after?

Is there a requirement to have different groups based on both manager and the location of the employee? So the one manager could have a couple of groups based on different locations.

Comments

Hello,

The first solution that Nodeblue suggested will not work in this case. The thing is that the suggested script checks the Managed By property of a group. This property specifies the owner of the group in question. However, mdeflice asked for a solution that would check managers of users. User managers are specified in the Manager property of their accounts.

As to the solution requested, the easiest way to achieve your task would be to add a set of actions and conditions that would add the manager to the group. In the case that you provided as an example in your screenshot, you can check, for example, if the username equals to Vinnie Paul's username and add the user to the group, if it equals. To do this:

1. Launch Adaxes Administration Console.
2. In the Console Tree, navigate to the Custom Command that you've created and select it.
3. Click the Add action to a new set link.
   
4. Select the Add the user to a group action and click Select Group.
   
5. In the dialog box that appears select the group you need (e.g. AdaxesTestDallDG) and click OK two times.
6. Double-click Always.
7. Select the If <property> <relation> <value> condition.
8. Select User Logon Name (pre-Windows 2000) equals and type Vinnie Paul's SAMAccountName.
   
9. Click OK and save the Custom Command

Also, you will need to add a condition to the second set of actions and conditions that checks if the username does not equal to Vinnie Paul's username. This condition is required not to remove Vinnie Paul from the group. To add such a condition:

1. Select the second set of actions and conditions.
2. Click the Add Condition button.
   
3. In the dialog box that appears, select the If <property> <relation> <value> condition.
4. Select User Logon Name (pre-Windows 2000) does not equal and type Vinnie Paul's SAMAccountName.
   
5. Click OK and save the Custom Command.

You should end up with a Custom Command that is similar to this one:

However, if you want to further automate the process, you can use PowerShell scripts. For example, you can create a PowerShell script that will be launched from your Custom Command using the Run a program or PowerShell script action. Also, you can create a CSV file containing two columns. The first column will contain the name of a manager, and the second one will contain the name of the group that his team should be added to. When the PowerShell script runs, it will read the information from the CSV file and add the Manager specified in the CSV file and also his direct reports to the group specified for that manager in the second column. Also, the script can remove the members that no longer belong to the manager's team. Also, if you change a manager in the CSV file, he will also be removed from his group.

For examples on how to add or remove members to or from a group using PowerShell, see Adding and Removing Group Members. For examples on how to get group members, see Getting Group Members. Also, take a look at the Automatically Change Group Membership Using Scripts Tutorial. For an example on how to import a CSV file using PowerShell, see the Import CSV File Using PowerShellShell section in the Import User Accounts from a CSV File Tutorial. If you want, we can help you with the script.

---

Just be careful that you don't end up making more work for yourself. I have revised my earlier script to include the manager. The benefit with the script is that you only have to update the $managerTable any time you want to make changes. When the script is run against each user it will add and remove (including the manager) as required.

Import-Module Adaxes

# Hashtable of manager to groups
$managerTable = @{
# manager username = managers group
"BobSmith"="BobsAccountingTeam"
"JaneDoe"="JanesFinanceTeam"
"Greg"="TeamGreg"
}

$username = "%username%"
$user = "%distinguishedName%"
$manager = "%adm-ManagerUserName%"

# Is the user a manager?
$groupManaged = ""
if ($managerTable.Get_Item($username))
{
    # Get the group they own
    $groupManaged = $managerTable.Item($username)

    # Is the manager a memeber of the required group?
    $mgrGroup = Get-AdmGroup $groupManaged -Properties Members
    if ($mgrGroup.Members -notcontains $user)
    {
        # No, lets add the user...
        $mgrGroup | Add-AdmGroupMember -Members $user
    }
}

# Does the users manager have a group associated?
if ($managerTable.Get_Item($manager))
{
    # Manager found, get the group required
    $groupRequired = $managerTable.Item($manager)

    # Is the user a memeber of the required group?
    $group = Get-AdmGroup $groupRequired -Properties Members
    if ($group.Members -notcontains $user)
    {
        # No, lets add the user...
        $group | Add-AdmGroupMember -Members $user
    }

    # lets make sure user is not member of another manager group eg changed managers
    foreach ($managerItem in $managerTable.Keys)
    {
        # Lets ignore the group they should be a member of
        if ($managerItem -ne $manager)
        {
            # If the user is a member of the group and not the groups manager then remove them
            $group = Get-AdmGroup $managerTable.Item($managerItem) -Properties Members
            if (($group.Members -contains $user) -and ($groupManaged -ne $group.Name))
            {
                # User is a member and should be removed.
                $group | Remove-AdmGroupMember -Members $user -Confirm:$false
            }
        }
    }

}
else
{
    # Manager not found. Lets make sure user is not a memeber of any managed groups
    foreach ($managerItem in $managerTable.Keys)
    {
        # If the user is a member of the group and not the groups manager then remove the user from the group
        $group = Get-AdmGroup $managerTable.Item($managerItem) -Properties Members
        if (($group.Members -contains $user) -and ($groupManaged -ne $group.Name))
        {
            # User is a member and should be removed
            $group | Remove-AdmGroupMember -Members $user -Confirm:$false
        }
    }
}

---

Hello,

Nodeblue, the script that you've provided deals with managers only. Given this approach, you'll end up removing managers from the groups they need if, for example, a user manages a group, but, at the same time, is a member of another team managed by another group manager. Thanks for your active participation anyway, we really appreciate it.

---

I am still in the process of testing the Custom Commands using similar Condition perameters that were specified in the earlier post. It's a bit time consuming due to the number of groups and users however. So far my testing looks promising. Thank you both for providing information to this post!

---

Hello,

Nodeblue, the script that you've provided deals with managers only. Given this approach, you'll end up removing managers from the groups they need if, for example, a user manages a group, but, at the same time, is a member of another team managed by another group manager. Thanks for your active participation anyway, we really appreciate it.

Thanks Support for your reply, let me know if I am missing anything but from my testing it should deal with all scenarios. In my script if I am BobSmith and I manage the group BobsAccountingTeam but my manager is Greg the following should happen:

-- pseudo code --

BobSmith manages BobsAccountingTeam
JaneDoe manages JanesFinanceTeam
Greg manages TeamGreg

# Is the user a manager?
if (user is listed as a manager of a group) <-- Yes, BobsAccountingTeam
     if (user is not a member of managed group)
          Add user to group <-- BobSmith added to BobsAccountingTeam

# Does the users manager have a group associated?
if (manager is listed as a manager of a group) <-- Yes, my manager Greg manages TeamGreg
     if (user is not a member of managed group)
          Add user to group <-- BobSmith added to TeamGreg

foreach (managed groups) {
     if (group is not managed by users manager) { <-- True for BobsAccountingTeam as manager of group is not Greg
         if ((group contains the user) -and (user is not manager of the group)) { <-- False as BobSmith is the manager of the group
               Remove user from the group <-- Should not get here
          }

     }
}

No problem mdeflice, always good to have a few options up your sleeve.

---

I am still in the process of testing the Custom Commands using similar Condition perameters that were specified in the earlier post. It's a bit time consuming due to the number of groups and users however. So far my testing looks promising. Thank you both for providing information to this post!

Based on the conditions you posted I have made changes to use a CSV file and also include the country in working out what groups a user should be in. A user can only be a member of 2 listed groups, 1 they manage and 1 they are a member of.

CSV should look like:

Manager,Country,Group
BobSmith,AU,BobsAccountingTeam
JaneDoe,US,JanesFinanceTeam
Greg,CA,TeamGreg

The combination of manager and country need to be unique.

Import-Module Adaxes

# Path relative to your Adaxes server
$groupList = Import-Csv "C:\Lists\grouplist.csv"

$username = "%username%"
$user = "%distinguishedName%"
$manager = "%adm-ManagerUserName%"
$country = "%c%"

# Get the group that the user manages, if any
$groupManaged = ($groupList | Where { $_.Manager -eq $username } | Select-Object -Index 0).Group
# Get the group that is managed by the users manager and is in the same country
$groupRequired = ($groupList | Where { ($_.Manager -eq $manager) -and ($_.Country -eq $country) } | Select-Object -Index 0).Group

# Is the user managing a group?
if ($groupManaged)
{

    # Is the manager a memeber of the required group?
    $mgrGroup = Get-AdmGroup $groupManaged -Properties Members
    if ($mgrGroup.Members -notcontains $user)
    {
        # No, lets add the user...
        $mgrGroup | Add-AdmGroupMember -Members $user
    }
}

# Does the user belong to a group?
if ($groupRequired)
{

    # Is the user a memeber of the required group?
    $group = Get-AdmGroup $groupRequired -Properties Members

    if ($group.Members -notcontains $user)
    {
        # No, lets add the user...
        $group | Add-AdmGroupMember -Members $user
    }

    # lets make sure user is not member of another manager group (changed managers).
    foreach ($groupItem in $groupList)
    {
        # Lets ignore the group they should be a member of
        if ($groupItem.Manager -ne $manager)
        {
            $group = Get-AdmGroup $groupItem.Group -Properties Members
            if (($group.Members -contains $user) -and ($groupManaged -ne $group.Name))
            {
                # User is a member and should be removed.
                $group | Remove-AdmGroupMember -Members $user -Confirm:$false
            }
        }
    }

}
else
{
    # Manager not found. Lets make sure user is not a memeber of any managed groups.
    foreach ($groupItem in $groupList)
    {
        $group = Get-AdmGroup $groupItem.Group -Properties Members
        if (($group.Members -contains $user) -and ($groupManaged -ne $group.Name))
        {
            # User is a member and should be removed.
            Write-Host "Removed $user to " + $group.Name
            $group | Remove-AdmGroupMember -Members $user -Confirm:$false
        }
    }
}

---

Hello Nodeblue,

Thank you very much for your active participation, you've been very helpful! We really appreciate your interest in the product.