
Remove all AD groups from a user

former_member2987
Active Contributor
0 Kudos

Hi there,

I have a requirement that as part of the deprovisioning process, to remove all AD Group memberships except for Domain Users.

Has anyone done this before?  All of my attempts on this have failed.

Thanks,

Matt

Accepted Solutions (1)

jared_kobe
Participant
0 Kudos

Matt,

Are you storing all of the AD Groups as privileges? Just curious as to how complicated a scenario we are talking about.

We do not sync all our AD Groups, but this was something that was requested of us when disabling AD users. I used a two step process.

In task one, I have a To Identity Store for the user that uses a script to retrieve the "memberof" attribute from AD and replace the separator from the LDAP function with a "|". This is then written to a multivalue attribute on the user's identity.

In task two, I have a To Generic that has a script that cycles all of the entries of the multivalue attribute, calling the deprovisioning task to remove an individual group from the user. In this script, you can set rules to skip certain groups.

If that would work for you, I can give you the full details, but those are the broad strokes.

Jared
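
The two-task flow Jared outlines above, written out as an added example (not code from the thread or from SAP IDM): task one normalises the raw memberOf result into one "|"-separated attribute, task two walks that attribute and hands every group that is not on a keep-list to a per-group deprovisioning call. It is plain ES5-style JavaScript so it runs stand-alone; the LDAP separator, the keep-list and the `deprovisionGroup` callback are assumptions standing in for whatever the IDM job would actually call. The DN parser honours backslash escapes so a group CN containing a comma is compared correctly, and the keep-list covers Domain Users because (as the thread later finds) AD will not let a user be removed from its primary group.

```javascript
// Added example, not part of the original thread or of SAP IDM.
// Separator, keep-list and the deprovisioning callback are assumptions.

// Task one: normalise the raw memberOf result. The LDAP function is assumed
// to return the group DNs joined by `ldapSeparator`; re-join them with "|"
// so the value can be stored in one multivalue attribute on the identity.
function buildGroupAttribute(rawMemberOf, ldapSeparator) {
  return rawMemberOf
    .split(ldapSeparator)
    .map(function (dn) { return dn.trim(); })
    .filter(function (dn) { return dn.length > 0; })
    .join("|");
}

// Return the value of the first RDN of a DN (normally the CN), honouring
// backslash escapes, so "CN=Sales\, EMEA,OU=Groups,DC=example,DC=com"
// yields "Sales, EMEA" rather than "Sales\".
function firstRdnValue(dn) {
  var eq = dn.indexOf("=");
  if (eq < 0) { return dn; }
  var out = "";
  for (var i = eq + 1; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (ch === "\\" && i + 1 < dn.length) { out += dn.charAt(i + 1); i++; continue; }
    if (ch === ",") { break; }
    out += ch;
  }
  return out.trim();
}

// Task two: split the stored attribute and decide per group. Groups whose CN
// is on the keep-list are skipped (case-insensitively); every other group is
// handed to `deprovisionGroup`, which stands in for the per-group
// deprovisioning task. Returns both lists so the outcome can be audited.
function planGroupRemoval(groupAttribute, keepGroups, deprovisionGroup) {
  var keep = {};
  keepGroups.forEach(function (name) { keep[name.toLowerCase()] = true; });
  var removed = [];
  var skipped = [];
  groupAttribute.split("|").forEach(function (dn) {
    if (!dn) { return; }
    var cn = firstRdnValue(dn).toLowerCase();
    if (keep[cn]) { skipped.push(dn); return; }
    deprovisionGroup(dn);
    removed.push(dn);
  });
  return { removed: removed, skipped: skipped };
}

// Constructed sample memberOf result (not real data), as an LDAP function
// might return it with ";" as the separator. Domain Users normally only
// shows up here when it is no longer the user's primary group.
var SAMPLE_MEMBEROF =
  "CN=VPN Users,OU=Groups,DC=example,DC=com;" +
  "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com;" +
  "CN=Domain Users,CN=Users,DC=example,DC=com;" +
  "CN=Finance RO,OU=Groups,DC=example,DC=com";

// Run both tasks on the sample and collect what the deprovisioning
// callback would have been asked to do.
function demo() {
  var attr = buildGroupAttribute(SAMPLE_MEMBEROF, ";");
  var calls = [];
  var result = planGroupRemoval(attr, ["Domain Users"], function (dn) {
    calls.push(dn);
  });
  return { attribute: attr, removed: result.removed, skipped: result.skipped, calls: calls };
}
```

In a real job the keep-list is the place for the "rules to skip certain groups" Jared mentions, and the callback would be replaced by the IDM task that removes one group assignment; keeping the skip decision on the parsed CN rather than on a substring match avoids accidentally keeping a group such as "Domain Users Admins".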

former_member2987
Active Contributor
0 Kudos

Hi Jared,

Unfortunately these are all coming from an AD Reconciliation so they are not established as Privileges.

Life would be so much simpler then...

Matt

jared_kobe
Participant
0 Kudos

Matt,

When is the reconciliation happening and how is it stored? We do ours on the fly when we are removing the groups.

And yes, privileges would be nice. We have WAY too many groups for that here though.

Jared

Answers (4)

Steffi_Warnecke
Active Contributor
0 Kudos

The only other thing I can think of is using a powershell script, that is triggered by IDM. We use one to remove a user from all his mailing lists when he leaves the company, because we don't manage those via IDM either.

Regards,

Steffi.

former_member2987
Active Contributor
0 Kudos

I've thought about this as well, and it might be my last resort.

Matt

Former Member
0 Kudos

We usually use a batch job with a ToIdentityStore pass for this.

Source tab: depending on the process, either a request object or the valid date (or whatever) is used to determine which users shall be processed on each day (scheduled nightly if time-dependent, or called using uRunJobNow if processed on the same day).

Destination: all PRIV:GROUPs of the users are selected with a {D} using a script (plus any other privileges like Java or SAP or ...).

Additionally we use our own plugins to handle the deprovisioning.

If you are not syncing all groups, use a batch job with a FromLDAP and a filter on all users which shall be deprovisioned, or re-call the job (using two jobs alternately).

former_member2987
Active Contributor
0 Kudos

Hi Domink,

This is part of a deprovisioning workflow, so I don't think that approach will work too well. (Batch job)

Thanks,

Matt

jaisuryan
Active Contributor
0 Kudos

Hi Matt,

Just wondering if this will work; I haven't tested it yet. If the groups are assigned as Privs, then in the deprovisioning task we can use the {R} or {M} operator:

"MXREF_MX_PRIVILEGE {R}<PRIV:AD:DOMAIN_USER>|{R}<PRIV_AD_ONLY>"

or

"MXREF_MX_PRIVILEGE {M}<PRIV:AD:DOMAIN_USER>|{M}<PRIV_AD_ONLY>"

As per the definition, it should remove all the Privs first and then add only the Domain and ONLY privs. Let me know if it works.

Kind regards,

Jaisuryan

Message was edited by: Jai Suryan

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Matt,

Could a similar approach work here like for the other deprovisioning: deprovision all groups and, as a next step, provision the "domain users" group back?

There is a script that checks which groups have to be assigned or removed. Maybe you could copy and edit this so that it always skips this specific group?

Just a bit of brainstorming. We don't have something like this in our system (yet? ^^).

Regards,

Steffi.

former_member2987
Active Contributor
0 Kudos

Hi Steffi,

Unfortunately you can't drop all Groups from an AD user. AD doesn't like that at all. I also tried just replacing the group attribute with the DN for the Domain Users group, but that didn't work either.

Thanks for the brainstorming!

Matt