Automatically Set Temporal Membership when Adding Member to Group

The following configuration automatically sets a temporal membership for any member added to a specific group. In this example, each added member is scheduled to be removed from the group after 3 days.

The first step is to configure the script module. Create a new PowerShell Policy Script Module, naming it appropriately, and save the following script text to it:

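# BEGIN SCRIPT #
function temporalGroupMembership($Request){
    # DNs of the members being added, as saved by the workflow's
    # "AddedMembers" Save Object Properties activity (the name must match exactly).
    $users = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
    # The group that is the target of the Add Member request.
    $groupDN = $Request.Get("distinguishedName")

    # Scheduled removal time, in UTC.
    $time = (Get-Date).AddDays(3).ToUniversalTime() # Modify here for the amount of time.
    # Control that schedules the operation for $time.
    $hash = @{}
    $hash.add("ScheduledOperation-SetTime",$time)

    # Schedule the removal of each added member from the group.
    foreach($userDN in $users){
        Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
    }
}
# END SCRIPT #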

The next step is to create and configure a Change Workflow. Create a new Change Workflow, naming it appropriately.

  • Configure the Workflow Options and Start conditions as follows:
    • Configure the Operation Conditions as Add Member to Group
    • Configure the Filtering Conditions as Distinguished Name of Workflow Target [EQUALS] Fixed object in directory (browse to the desired group)
  • Drag over a Save Object Properties activity and place it below the Operation Execution
  • Double-click the Save Object Properties activity to open its properties
  • Change the Name of the activity to AddedMembers
    This is important as it needs to match exactly what's in the script module.
  • Change the Activity target to Requested Changes
    Drop-down > Object from workflow data context > Requested Changes
  • For Target Properties, you can clear the list and then add back only the Members attribute.
  • Click OK
  • Drag over a Script activity and place it below the previous activity.
  • Double-click the script activity to open its properties.
  • For Script to use, you can click the Browse button and select the script module that you created at the beginning.
  • Click the Function to run drop-down and select temporalGroupMembership
  • Click OK
  • Click the Save Changes button

The workflow should be enabled by default and is now ready for use. As soon as you add any members to the specified group, they will be configured as temporal for the time configured in the script.
