0 votes

I have written a de-provisioning job as part of removing a terminated employee's access. This job disables the account, resets the password, sets the account description to specific verbiage, etc. Part of this job is a PowerShell script that removes all group memberships from the AD account. This works great (I believe I was assisted with the script on this forum previously), and is as follows:

Import-Module Adaxes

# Bind to the target user; %distinguishedName% is an Adaxes value reference
$user = Get-AdmUser "%distinguishedName%" -Properties MemberOf

# MemberOf lists the groups the user is a direct member of (the primary group is not included)
if ($user.MemberOf -ne $null)
{
    foreach ($groupDN in $user.MemberOf)
    {
        # Remove the user from each group without prompting
        Remove-AdmGroupMember $groupDN -Members $user -Confirm:$false
    }
}

However, due to continued mistakes in removing access accidentally, a second script has been written to pipe out the user's AD group memberships to a .csv file with the AD username as the name of the file, for when I need to restore those group memberships. It's not an elegant solution, but it works. This script is as follows:

Import-Module Adaxes

$user = "%Username%"

# Build the path of the per-user export file (note the trailing backslash after the folder name)
$tempfile = "\\SERVERNAME\FOLDER\" + $user + ".csv"

# Export the names of all groups the user belongs to
Get-AdmUser $user | Get-AdmPrincipalGroupMembership -AdaxesService ADAXESSERVERNAME | Select-Object name | Export-Csv -NoTypeInformation $tempfile

I have tried combining this "pipe user group membership" script into the de-provision script, so that I can just run the one job, but it doesn't work. What I want it to do is:

  1. Pipe out all of the user's AD group memberships to a USERNAME.csv file and store it on a server share.
  2. Remove all AD group memberships from the user's account.

Both scripts work individually, but combined, the script doesn't work. I have tried it in both PowerShell by itself, and in the Adaxes tool as part of the de-provision job. Could I possibly get help with this? Thanks!

by (360 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

This script should do the job:

$tempfilePath = "\\SERVERNAME\FOLDER\%username%.csv" # TODO: modify me

# Get all groups that the user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the ID of the user's primary group
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")

$report = @()
foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    # Skip the group if it is the primary group for the user
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
    {
        continue
    }

    # Remove the user from the group
    $group.Remove($Context.TargetObject.AdsPath)

    # Add the group to the report
    $reportEntry = New-Object PSObject
    $reportEntry | Add-Member -Name Name -Value $group.Get("name") -MemberType NoteProperty
    $report += $reportEntry
}

# Save the report
$report | Export-Csv -Path $tempfilePath -NoTypeInformation

This works great! Once again, you guys are awesome. Thank you!
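The export the accepted answer writes is only useful if the memberships can be put back. The following restore script is an added example, not code from the original post or from the Adaxes project. It assumes the CSV produced by the accepted answer (a single Name column), the same share path, and that the Adaxes cmdlets Get-AdmUser, Get-AdmGroup, Get-AdmPrincipalGroupMembership and Add-AdmGroupMember accept the -AdaxesService parameter and a string -Filter in the same form as the ActiveDirectory module.

```powershell
# Restore a user's group memberships from the CSV written during de-provisioning.
# Added example: assumptions are the CSV layout (Name column), the share path and the
# Adaxes cmdlet parameters named in the lead-in.
Import-Module Adaxes

$username      = "%username%"                          # Adaxes value reference
$tempfilePath  = "\\SERVERNAME\FOLDER\$username.csv"   # TODO: modify me
$adaxesService = "ADAXESSERVERNAME"                    # TODO: modify me

if (-not (Test-Path -LiteralPath $tempfilePath)) {
    throw "No membership export found for '$username' at $tempfilePath"
}

$user = Get-AdmUser $username -AdaxesService $adaxesService

# Groups the user is in right now (includes the primary group, which was never removed)
$currentGroups = @(Get-AdmPrincipalGroupMembership $user -AdaxesService $adaxesService |
    Select-Object -ExpandProperty name)

$restored = @()
$skipped  = @()
foreach ($entry in Import-Csv -Path $tempfilePath) {
    $groupName = $entry.Name
    if ([string]::IsNullOrWhiteSpace($groupName)) { continue }

    # Already a member: nothing to do (keeps the script safe to re-run)
    if ($currentGroups -contains $groupName) { $skipped += $groupName; continue }

    # The export stores display names, not DNs, so resolve the name back to a group object.
    # Single quotes in the name are doubled, which is the filter escaping convention.
    $escapedName = $groupName -replace "'", "''"
    $group = @(Get-AdmGroup -Filter "name -eq '$escapedName'" -AdaxesService $adaxesService)
    if ($group.Count -ne 1) {
        # Either the group was deleted since the export, or the name is ambiguous;
        # do not guess, leave it for a human to reconcile
        Write-Warning "Group '$groupName' not found or ambiguous ($($group.Count) matches); skipping"
        $skipped += $groupName
        continue
    }

    Add-AdmGroupMember -Identity $group[0] -Members $user -AdaxesService $adaxesService -Confirm:$false
    $restored += $groupName
}

Write-Output ("Restored {0} group(s); skipped {1}: {2}" -f $restored.Count, $skipped.Count, ($skipped -join ", "))
```

Run it as a separate Adaxes custom command or business rule against the user so that the restore is logged alongside the original de-provisioning.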
