Adding users to groups via the Active Roles (AR) Management Shell (Add-QADGroupMember -Proxy) when the user is already a member of the given group generates duplicate Change History entries.
Our cmdlet mirrors the native Active Directory PowerShell cmdlet (Add-ADGroupMember), which accepts re-adding objects to a group's membership even though they are already members. This is by design.
The duplication of Change History entries, however, is a product defect (TF00729078).
WORKAROUND
To prevent Change History from recording duplicate entries when members are re-added to a group via the Management Shell (Add-QADGroupMember cmdlet):
1) Create a new script module: in the Active Roles MMC console go to Configuration > Script Modules, right-click and select New > Script Module;
2) Give the script a suitable name and select ‘PowerShell’ as the script language;
3) Select ‘Policy Script’. DO NOT select any event handlers; click Finish;
4) Open the script module and paste the following script:
function onPreModify($Request)
{
    # Only inspect modify requests that target group objects
    if ($Request.Class -eq "group")
    {
        # A modify request carries only the values being changed, so 'member'
        # here holds just the members the client is trying to add
        if ($Request.Get('member'))
        {
            # ADsPath has the form "EDMS://<group DN>"; strip the prefix to get the DN
            $groupName = $Request.ADsPath.Replace("EDMS://", "")

            foreach ($user in @($Request.Get('member')))
            {
                # Look up the user's current memberOf (this check covers user objects only).
                # If the group is already listed, drop the 'member' change from the request
                # so the redundant add is neither applied nor written to Change History.
                if ((Get-QADUser $user -IncludedProperties memberOf).memberOf -contains $groupName)
                {
                    $Request.Put('member', '')
                    break
                }
            }
        }
    }
}
5) Create a new ‘Provisioning Policy’; under ‘Select policy to configure’ choose ‘Script Execution’;
6) Select the script module created in steps 1-4;
7) Apply the policy to the appropriate scope.
Running the Add-QADGroupMember cmdlet should now return an error when trying to add members that already exist in the group, and the event is not logged in the Change History.
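As an added, client-side complement to the policy script above (example code written for this article, not One Identity's own): a wrapper that checks each prospective member's memberOf before calling Add-QADGroupMember -Proxy, so a script never issues the re-add that produces the duplicate entries. It goes a little beyond the policy script by accepting several members per call and by using Get-QADObject so that computer and nested-group members are checked too. It assumes the ActiveRoles Management Shell cmdlets Get-QADGroup, Get-QADObject and Add-QADGroupMember with their -Identity, -Member, -IncludedProperties and -Proxy parameters; the function name and the group and member DNs in the usage lines are placeholders.

```powershell
# Added example (not from the original article): skip members that are already
# in the group before calling Add-QADGroupMember -Proxy, so no re-add (and hence
# no duplicate Change History entry) is ever sent to Active Roles.
# Assumes the ActiveRoles Management Shell snap-in is loaded and connected.
function Add-QADGroupMemberIfAbsent
{
    param(
        [Parameter(Mandatory = $true)] [string]   $Group,   # group DN, sAMAccountName or GUID
        [Parameter(Mandatory = $true)] [string[]] $Member   # member DNs or names (user, group or computer)
    )

    # Resolve the group once; its DN is the value that appears in each member's memberOf
    $groupObj = Get-QADGroup -Identity $Group
    if (-not $groupObj) { throw "Group '$Group' not found" }
    $groupDN = $groupObj.DN

    $toAdd = @()
    foreach ($m in $Member)
    {
        # Get-QADObject rather than Get-QADUser so computers and nested groups are covered too
        $obj = Get-QADObject -Identity $m -IncludedProperties memberOf
        if (-not $obj) { Write-Warning "Member '$m' not found; skipping"; continue }

        if ($obj.memberOf -contains $groupDN)
        {
            Write-Verbose "'$($obj.DN)' is already a member of '$groupDN'; skipping"
        }
        else
        {
            $toAdd += $obj.DN
        }
    }

    # Only objects that are genuinely absent are sent through the Active Roles proxy
    if ($toAdd.Count -gt 0)
    {
        Add-QADGroupMember -Identity $groupDN -Member $toAdd -Proxy
    }

    # Return what was actually added so the caller can log it or assert on it
    return $toAdd
}

# Usage (placeholder DNs):
# Add-PSSnapin Quest.ActiveRoles.ADManagement
# Connect-QADService -Proxy
# Add-QADGroupMemberIfAbsent -Group 'CN=Finance,OU=Groups,DC=example,DC=com' `
#     -Member 'CN=Jane Doe,OU=Users,DC=example,DC=com', 'CN=John Roe,OU=Users,DC=example,DC=com' -Verbose
```

The policy script catches re-adds from any client that goes through Active Roles, whereas this wrapper only protects scripts that call it, so the two are best used together: the wrapper keeps well-behaved scripts from tripping the policy's error at all, and the policy still covers everything else until the defect is fixed.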
STATUS:
This will be fixed on a future release of the product.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.