Add users to groups in the course of deprovisioning

Dear all,

following challenge:

We've got a script checking whether users that are deprovisioned are still present in multiple ancillary systems. This is checked based on different AD criteria, e.g. the presence of certain fields or even group memberships.

The check results in an e-mail being produced stating in which systems the user was found. This is all working fine.

However, I would like to enhance the check by adding the users to different groups depending on the identified ancillary system.

Including this in the initial script wouldn't work, as a later stage in the deprovisioning process is the standard step that removes the object from all groups.

Creating an additional script to be run after the removal from groups won't work either, as at least one ancillary system is detected by way of a group membership, which won't be detected once the groups have been removed.

Any hint / brilliant idea as to how this could be achieved?

Thanks a lot for your inputs.

  • Couple of thoughts on this:

    1) The group removal rule allows for "Remove from all groups except..." type functionality - is it practical for you to use that to keep the deprovisioned user in some groups?

    2) I don't understand why having some memberships re-established / reinstated after the deprovisioning won't work for you?

  • You're the man

    Happy to get back to both remarks:

    1) that did the trick and permitted me to achieve what I was looking for.

    2) to explain: We have ancillary systems as outlined above, e.g. an additional e-mail system which is not Exchange. It authenticates against AD but has its own user database. So if I deprovision a user, he won't be able to log on, but the account will remain in that system. Also, this system doesn't provide an API that I could hook into in the course of deprovisioning, so this needs to be dealt with manually. I now add the user to different groups based on the inspected system during deprovisioning. Afterwards I can report on and check the members of those groups and easily determine which ones need some extra love :-)

    I hope I managed to explain it properly and that it makes sense. Pardon me, I'm not a native speaker when it comes to English :-)

  • Glad the "...except" thing worked out.

    Regarding the other system, I figured your need was something like you describe. Having said that, it's still not clear to me why you couldn't re-add the user to the required groups after deprovisioning. Particularly if you were to use the native PoSh cmdlets (they don't care if a user is in a deprovisioned state, as the concept doesn't exist in native AD, right?): as long as the account is still there, you can add it to groups. "Just saying." :-)

    And BTW, your English is excellent.

  • As I'm getting the notion that you're quite interested in details, I'll try to shed some more light on that.

    Some, but not all, ancillary systems are detected based on group memberships within the PoSh script I am running as part of the deprovisioning policy.

    Others I do determine by way of multiple attributes in AD.

    I check all of those systems, increment counters and update $message. $message and the counters are used in the e-mail which is sent as a summary at the end of the script.

    I could add the account to groups in another script that I run after removing it from all groups. However, I wouldn't be able to determine the other systems there, as the group memberships are gone and the attributes are cleared.

    I do add the user to different groups within the script based on the detected ancillary system. By way of that I can easily report on how many deprovisioned users still exist in other systems.

    The process was adjusted so that, in addition to the removal in the respective system, the account has to be removed from the corresponding group. As the removal is manual anyway, removing it from the group manually doesn't add too much overhead.

    Adding the user back to the original groups isn't an option; e.g. the additional e-mail system mentioned above would re-create the account if the user were in the original group.

    As not all of the systems are detected by way of group memberships I would need helper groups anyway when it comes to reporting.

    However, maybe I am now the one not being fully clear about your idea; maybe I am missing some brilliant alternative.

    P.S.: Thanks for the kudos regarding my English :-)
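The approach described in this post, written out as an added example in native PowerShell (this is not the poster's script; it assumes the RSAT ActiveDirectory module, and the system names, group names, attribute names, helper group names and mail parameters are placeholders). Each ancillary system is described by a rule: present if the user is a member of a given group, or if a given set of attributes is populated. A hit increments the counter, appends to $message and adds the user to a per-system helper group. Those helper groups are the ones that must be excluded from the later "remove from all groups except..." step so the membership survives deprovisioning:

```powershell
Import-Module ActiveDirectory

# Detection rules, one per ancillary system (placeholder names).
# A user counts as present in the system if they are a member of Group,
# or if every attribute listed in Attributes is populated.
$AncillarySystems = @(
    @{ Name = 'LegacyMail';  Group = 'APP-LegacyMail-Users'; HelperGroup = 'DEPROV-LegacyMail' },
    @{ Name = 'HRPortal';    Attributes = @('employeeID', 'extensionAttribute5'); HelperGroup = 'DEPROV-HRPortal' },
    @{ Name = 'BadgeSystem'; Group = 'APP-Badge-Users'; Attributes = @('extensionAttribute7'); HelperGroup = 'DEPROV-Badge' }
)

function Test-AncillaryPresence {
    param(
        [Microsoft.ActiveDirectory.Management.ADUser]$User,
        [hashtable]$Rule
    )
    $memberOfGroup = $false
    if ($Rule.Group) {
        # MemberOf holds distinguished names, so resolve the rule's group once.
        $groupDn = (Get-ADGroup -Identity $Rule.Group).DistinguishedName
        $memberOfGroup = @($User.MemberOf) -contains $groupDn
    }
    $hasAttributes = $false
    if ($Rule.Attributes) {
        $missing = @($Rule.Attributes | Where-Object { [string]::IsNullOrEmpty($User.$_) })
        $hasAttributes = ($missing.Count -eq 0)
    }
    return ($memberOfGroup -or $hasAttributes)
}

function Invoke-DeprovisionCheck {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SmtpServer = 'smtp.example.com',   # placeholder
        [string]$From = 'iam@example.com',          # placeholder
        [string]$To = 'servicedesk@example.com'     # placeholder
    )
    # Fetch MemberOf plus every attribute any rule looks at, in one query.
    $attrs = @('MemberOf')
    foreach ($rule in $AncillarySystems) { if ($rule.Attributes) { $attrs += $rule.Attributes } }
    $user = Get-ADUser -Identity $SamAccountName -Properties ($attrs | Select-Object -Unique)

    $found = 0
    $message = "Deprovisioning check for $SamAccountName`n"
    foreach ($rule in $AncillarySystems) {
        if (Test-AncillaryPresence -User $user -Rule $rule) {
            $found++
            $message += " - still present in $($rule.Name); added to $($rule.HelperGroup)`n"
            # The helper group is excluded from the later group-removal step,
            # so this membership survives and can be reported on afterwards.
            Add-ADGroupMember -Identity $rule.HelperGroup -Members $user
        }
    }
    if ($found -gt 0) {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject "$SamAccountName: $found ancillary system(s) need manual cleanup" -Body $message
    }
    return $found
}

# Reporting: everyone still waiting for manual cleanup in a given system.
# Once the account is deleted there, the operator removes the helper membership.
function Get-PendingCleanup {
    foreach ($rule in $AncillarySystems) {
        foreach ($m in Get-ADGroupMember -Identity $rule.HelperGroup) {
            [pscustomobject]@{ System = $rule.Name; User = $m.SamAccountName }
        }
    }
}

# Usage:
#   Invoke-DeprovisionCheck -SamAccountName jdoe
#   Get-PendingCleanup | Format-Table
```

Two points worth checking when adapting this: run the check before the policy's attribute-clearing step as well as before the group-removal step, since the attribute rules go blind once the attributes are cleared; and make sure the helper groups carry no access of their own (they exist for reporting only), because a helper group that is also used for authorization would quietly re-grant the deprovisioned account something.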

  • Thanks for sharing this.

    I don't have any immediate ideas and I think that to dive any deeper would be beyond the scope of this Forum.

  • Since it sounds like you know which groups to check for the user having external application access, would it be an option to place the names of all the groups the user is a member of into a virtual attribute prior to the user being deprovisioned (removed from all groups)? Then your post-deprovision script can check this attribute for the names of the specific application groups and respond accordingly.
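The snapshot idea from this reply, as an added example with the native cmdlets (not the poster's code). A virtual attribute is a feature of the identity-management product rather than of AD itself, so this example stands in a regular single-valued string attribute, here the placeholder extensionAttribute10, which must then be excluded from any attribute-clearing step of the policy. The group names and the group-to-system mapping are placeholders:

```powershell
Import-Module ActiveDirectory

# Placeholder attribute holding the snapshot. In a product that supports
# virtual attributes this would be one of those; a standard single-valued
# string attribute (2048 chars max for extensionAttributeN) is used here.
$SnapshotAttribute = 'extensionAttribute10'

# Application group -> ancillary system (placeholder names).
$AppGroups = @{
    'APP-LegacyMail-Users' = 'LegacyMail'
    'APP-Badge-Users'      = 'BadgeSystem'
}

# Run BEFORE the "remove from all groups" step: store the user's group names.
function Save-GroupSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Names rather than DNs keep the value short; ';' does not occur in sAMAccountName-style group names.
    $names = foreach ($dn in @($user.MemberOf)) { (Get-ADGroup -Identity $dn).Name }
    $value = (@($names) | Sort-Object) -join ';'
    if ([string]::IsNullOrEmpty($value)) {
        Set-ADUser -Identity $user -Clear $SnapshotAttribute   # -Replace rejects an empty string
    } else {
        Set-ADUser -Identity $user -Replace @{ $SnapshotAttribute = $value }
    }
    return $value
}

# Run AFTER deprovisioning: the memberships are gone, the snapshot is not.
function Get-AncillaryFromSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties $SnapshotAttribute
    $snapshot = $user.$SnapshotAttribute
    if ([string]::IsNullOrEmpty($snapshot)) { return @() }
    $hits = foreach ($g in ($snapshot -split ';')) {
        if ($AppGroups.ContainsKey($g)) { $AppGroups[$g] }
    }
    return @($hits | Sort-Object -Unique)
}

# Usage:
#   Save-GroupSnapshot -SamAccountName jdoe          # pre-deprovision
#   Get-AncillaryFromSnapshot -SamAccountName jdoe   # post-deprovision, e.g. @('LegacyMail')
```

This only covers the systems detected through group membership; systems detected through attributes would need those attribute values snapshotted the same way, which is the gap the poster points out in the next reply.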

  • No need to do so, John. I managed to accomplish what I needed. I just replied again to detail what I'm doing; I only wanted to add some more flesh.

  • It is not only groups, but also attributes in AD, for example.
    I went with creating properly named groups used only for that purpose and excluded those from the group removal in the policy, so all good.