• State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 93 subscribers
  • Views 7134 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do you add/delete AD group memberships using a script

Eric Dau
over 7 years ago

I am trying to write a script (or can use process step) that will remove all of a person's AD group memberships when an attribute changes.  The script I wrote identifies the correct groups but just running a delete on the ADSAccountinADSGroup record is not working.  A sql trace on the session is showing an insert into dialogprocess prior to the delete statement running when using Manager to remove the group but I can only see the bind variables, not the actual values being inserted.

Does anyone know how to accomplish this or another way it can be done?

Thanks

Eric 

  • 0 over 7 years ago
    Just as a starting question, are all the group memberships you are trying to remove, direct memberships? Or are some of them requested, or inherited due to role assignments of the person. In the later cases, deleting the memberships from the table ADSAcountInADSGroup will not help.

    And, and would be helpful if you share the version of the product you are using.
  • 0 over 7 years ago
    The group memberships I am trying to remove are all direct assignments (most added through synchronization from AD into IDM). We are running Identity manager 6.1.3.
  • 0 over 7 years ago
    Please check if there are entries with the same combination of UID_ADSAccount and UID_ADSGroup in the table ADSAccountInADSGroupTotal. If so, what is the value of the property VI_Inherite?
  • 0 over 7 years ago
    Hello Markus

    Thanks much for your help and I apologize for my delay in response. This question pertains to a a development effort and we are having some production issues.

    All of the groups I would like to remove from adsaccountinadsgroup have a viinherite value of 1 in adsaccountinadsgrouptotal.
  • 0 over 7 years ago

    Maybe you could post you script to help you out as deleting a group membership is normally no problem at all.

    Forgive me my stupid questions but just some more areas to check as I never seen that before.

    • Is the AD domain the group is from set to be synchronized by Identity Manger and not set to be read-only?
    • What is the property FullSyncState of the entries in ADSAccountInADSGroup and ADSAccountInADSGroupTotal set to?