Remove Member Of

Hi Team. 

I am just looking for suggestions on overcoming a minor issue. 

Let's say I have the following. 

UserA, and UserA is a member of GroupA.

We have a secure T0 area in our AD, and we have not allowed anyone in GroupA to change the accounts that are in T0. However, because UserA can add members to groups outside of T0, they also seem to be able to add T0 accounts to the groups. 

Is there a way to deny Add on Member Of for accounts in a certain OU if the person making the change is in GroupA?

Thanks in advance 

  • Thanks, Terrance. I have tidied it up a little based on your suggestions. I will come back to the -LdapFilter issue. 

    It is almost like this script, when run through ARS, is not picking up

    $Username = $DirObj.get("samaccountname") 

    If I hard-code the username in the script using $Username = "TestUser", then it works and I see the throw message.

    function T0Asset($Request) {

        # Obtain the SamAccountName of the directory object being changed.
        $Username = $DirObj.get("samaccountname")
        # DN of the Managed Unit that defines the T0 area.
        $ManagedUnit = "CN=Test,CN=Managed Units,CN=Configuration"

        # Function to check if a user is a member of a specific Managed Unit.
        # Takes the SamAccountName to look for as -User.
        function Is_UserInManagedUnit {
            param([string]$User)

            # Search the Managed Unit and keep only the matching account.
            $isMember = Get-QADUser -SearchRoot $ManagedUnit | Where-Object { $_.SamAccountName -eq $User }

            if ($isMember) {
                Write-Host "true"
                return $true
            }
            else {
                Write-Host "false"
                return $false
            }
        }

        # Main logic: throwing fails the workflow and denies the change.
        if (Is_UserInManagedUnit -User $Username) {
            throw "$Username is a T0 asset. Access Denied"
            #Write-Host "User $Username is a member of the Managed Unit $ManagedUnit. Cannot add to any security groups."
        }
        else {
            Write-Host "$Username non T0 User. Access Approved"
        }
    }

  • You're trying this in a Change Workflow, correct? And not an Automation Workflow?

  • Hi. Yes, that is correct, in a change workflow.

  • Then, the $Request and $DirObj objects should exist.

    Test that and confirm. Write them to a file and make sure that they have what you need:

    $Request | Out-File C:\Temp\Request.txt

    $Request | Get-Member | Out-File C:\Temp\Request.txt -Append

    $DirObj | Out-File C:\Temp\DirObj.txt

    $DirObj | Get-Member | Out-File C:\Temp\DirObj.txt -Append

    You'll likely need to dig into several attributes of the objects in order to see and confirm the attributes and methods.


  • Thanks. I now have the output from the commands. While I can see the security group the account is being added to, it is not displaying the username from the $DirObj.

    I assume this should be in the output? 

  • No, most of the real attributes won't be in the $DirObj object. It's essentially a pointer to the directory object which you can use as a springboard to get what you need.

    If it has any attributes and it has the necessary methods, then it should work.

    I'll run a sanity check in my lab with a small script and I'll confirm expected functionality.

    Can you provide a screenshot of the Workflow so that I can see how you are calling the script?

  • I did also think/try to grab the username from the workflow saved object properties and then try to grab that via 

    $Username = $workflow.SavedObjectProperties("T0").get("SamAccountName")

    Same issue though, it's not firing.

  • Ooooh.

    Okay, I see where you may be having some issue.

    The $Request object is created with an object that is related to the Active Directory operation being performed. This operation is "Add member to a group". In this context, the $Request object and $DirObj will have references to the group, not to the added member.

    I think that this could be implemented without a script at all, honestly. I configured a Change Workflow in my lab to prevent adding users to a group if those users were present in a Managed Unit, and it seems to work properly.

    https://imgur.com/a/BVbA2qW

  • Boom. Now, on the face of it, that works fantastically. I need to do some more testing, but it did block me from adding groups to users who are in that Managed Unit.

    Thanks mate. I really appreciate you taking the time here today

  • Hi. So this setup seems to work great when searching for Users in a MU, and I am able to block a user being added to a group.

    The issue I have now, which is along the same track, is that I need to stop Member Of in the same way. I can open a Group and then add that group to another group. No matter how I try to get this working along the same lines, nothing seems to work.

    Any suggestions on stopping member of in the same way?
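Building on the point above that in an "Add member to group" operation $Request and $DirObj refer to the group rather than the member, here is an added example (not code from this thread or from Active Roles) of a Change Workflow script that checks every member being added, user or nested group alike, against the Managed Unit. It assumes $Request.GetEx("member") returns the DNs supplied in the request (and throws when the request does not touch that attribute); the Managed Unit DN is a placeholder.

```powershell
# Added example, not from the thread: deny a group modification when any
# member being added (user or group) lives in the T0 Managed Unit.
# Assumption: runs in an Active Roles Change Workflow where $Request is the
# request against the GROUP and GetEx("member") yields the DNs being added.
function Deny-T0Membership($Request) {
    # Placeholder DN of the Managed Unit that defines the T0 area.
    $ManagedUnit = "CN=Test,CN=Managed Units,CN=Configuration"

    # DNs of the members supplied in this request. If the request does not
    # modify "member" there is nothing to check (assumed to throw in that case).
    try { $newMembers = @($Request.GetEx("member")) } catch { return }
    if ($newMembers.Count -eq 0) { return }

    # Build a lookup of every object in the Managed Unit once. Using
    # Get-QADObject rather than Get-QADUser means nested-group additions
    # are caught the same way as user additions. -SizeLimit 0 = no limit.
    $t0 = @{}
    Get-QADObject -SearchRoot $ManagedUnit -SizeLimit 0 | ForEach-Object {
        $t0[$_.DN.ToLower()] = $true
    }

    # Any requested member whose DN is in the Managed Unit is a T0 asset.
    $blocked = @($newMembers | Where-Object { $t0.ContainsKey($_.ToLower()) })

    if ($blocked.Count -gt 0) {
        # Throwing from the script fails the workflow and denies the change.
        throw ("Access denied: T0 asset(s) cannot be added to this group: " +
               ($blocked -join "; "))
    }
    Write-Host "No T0 assets in request. Access approved."
}

# Entry point called by the workflow script activity.
Deny-T0Membership $Request
```

Because the lookup is by distinguishedName, the same script blocks both "add user to group" and "add group to group" without a separate Member Of rule.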