ARS Workflow - Deny Adding user to group

Question

Hi, would anyone be able to help out with this conundrum? 
 We have 2 x security groups that provide access to resources. 
 However, we want to prevent a user being a member of both groups at any one time. 
 So if a user is a member of Group A they are to be denied being added to Group B. 
 Any ideas and help greatly appreciated. 
 Thanks 
 Steve

Terrance.Crombie · Answer

This would have to be implemented as a scripted solution. 
 
The "Members" attribute of a Group is multi-valued and contains DN's of all of the Users. This attribute would have to be parsed in order to perform the operation which you desired. 
 
The tricky part is, the $Request object which is passed when Group Memberships change would be the target Group object, not the User or Group object going into the target Group. 
 
Your script will have to retrieve the "members" attribute of the $DirObj object and the "members" attribute of the $Request object, then compare them to figure out what is different. The difference will be the new User or Group which is added. Then, you can use the "-Match" conditional operator to see if that User or Group already exists in the other Group of interest. 
 
It's possible, but complicated.