workflow to add a user to a group using temporal group access

Question

i need to remove and add accounts to a group after 24 hours for a business reason. Example: User requests for exception ; the exception is granted only by removing the account from a group; the exception expires in 24 hours and the account need to be added manually back to the same group. 
 This is done manually today. I would like to automate this using ARS workflows. user requests for exception ; AD admin will remove the user account form group ; this removal should force the admin to setup temporal group membership settings to add the account after 24 hours. so, the entire flow is automated. 
 any idea how to set this up?

Nick.Dollimount · Accepted Answer

Hi Kannan, This should be doable via a workflow and a PowerShell script module. First, you'll create a workflow that you would run manually (not triggered on AD change). Configure the workflow to have a parameter called userDN . This should prompt to browse for a user object. This will be the user that will be removed and added back at a later time. Next, you'll create a new PowerShell script module with the following: ## BEGIN SCRIPT ## function temporaryGroupMemberRemoval($Request){ # Workflow has parameter called userDN that browses for user object. $userDN = $workflow.Parameter("userDN") $groupDN = "" # Static DN of group. # Remove the user from the group right away. Remove-QADGroupMember -Identity $groupDN -Member $userDN # Create hash table to be used for scheduled operation control on add member. # The time is calculated for 24 hours from the current time. $time = (Get-Date).AddHours(24).ToUniversalTime() $hash = @{} $hash.add("ScheduledOperation-SetTime",$time) # Add the user back to the group using the scheduled operation control. Add-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash } ## END SCRIPT ## In the script above, input the DN of the group for the $groupDN variable. In your workflow, drag over a Script activity and configure it to run the above script module. You can of course, modify the script to also send an email to the user to notify them of the change, including the time they will be added back to the group using the $time variable. I hope this helps! -Nick