0 votes

I have written a de-provisioning job as part of removing a terminated employee's access. This job disables the account, resets the password, sets the account description to specific verbiage, etc. Part of this job is a Powershell script that removes all group memberships from the AD account. This works great (I believe I was assisted with the script on this forum previously), and is as follows:

Import-Module Adaxes
$user = Get-AdmUser "%distinguishedName%" -Properties MemberOf
if ($user.MemberOf -ne $Null)
{
    foreach ($groupDN in $user.MemberOf)
    {
        Remove-AdmGroupMember $groupDN -Members $user  -Confirm:$False
    }
}

However, due to continued mistakes in removing access accidentally, a second script has been written to pipe out the user's AD group memberships to a .csv file with the AD username as the name of the file, for when I need to restore those group memberships. It's not an elegant solution, but it works. This script is as follows:

Import-Module Adaxes
$user =  "%Username%"
$tempfile = "\\SERVERNAME\FOLDER" + $user + ".csv"
Get-AdmUser $user | Get-AdmPrincipalGroupMembership -AdaxesService ADAXESSERVERNAME | Select-Object name | Export-Csv -NoTypeInformation $tempfile

I have tried combining this "pipe user group membership" script into the de-provision script, so that I can just run the one job, but it doesn't work. What I want it to do is:

  1. Pipe out all of the user's AD group memberships to a USERNAME.csv file and store it on a server share.
  2. Remove all AD group memberships from the user's account.

Both scripts work individually, but combined, the script doesn't work. I have tried it in both Powershell by itself, and in the Adaxes tool as part of the de-provision job. Could I possibly get help with this? Thanks!

by (360 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

This script should do the job:

$tempfilePath = "\\SERVERNAME\FOLDER\%username%.csv" # TODO: modify me

# Get all groups that the user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the ID of the user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$report = @()
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $reportEntry = New-Object PSObject
    $reportEntry | Add-Member -Name Name -Value $group.Get("name") -MemberType NoteProperty
    $report += $reportEntry
}

# Save the report
$report | Export-Csv -Path $tempfilePath -NoTypeInformation
0

This works great! Once again, you guys are awesome. Thank you!

Related questions

0 votes
1 answer

For creating a computer object, we want to check if the entered CN is already used in our AD. And for that we want to use a powershell script. An other dot ... powershell script should be start before creating the computer object, right? Thanks for your help.

asked Jun 4 by KEME (80 points)
0 votes
1 answer

Hi so if I have the web-interface setup on my internal server where I did the full install but I also have setup a RODC in DMZ how can I "merge" so that the URLS given ... get the offline/unlock that shows up to link and show/work for the web server on the DMZ

asked Nov 4 by ckelley (40 points)
0 votes
1 answer

Hi, I followed this example: https://www.adaxes.com/sdk/IAdmTop6.html, but because the Custom Command is disabled, I get the following error message: System.Management.Automation ... if I enable the Custom Command. I am using Adaxes 2018.2 Best Regards Martin

asked Feb 19, 2020 by Martin (150 points)
0 votes
1 answer

We've the following script we want to use in Adaxes to create as part of user creation, to ask if the user will need a AWS workspace, then asks employeetype for different ... "Error") exit(-1) } else { $Context.LogMessage("Created workspace", "Information") }

asked May 3 by Plusa (20 points)
0 votes
1 answer

Hi, we just recently installed Adaxes and would like to implement a PowerShell script that I have previously written which cleans up user objects if they have been manually ... to perform the operation Stack trace: at &lt;ScriptBlock&gt;, &lt;No file&gt;".

asked Oct 2, 2023 by Mark.Monaco (20 points)
3,588 questions
3,277 answers
8,303 comments
548,092 users