named users in portal via ad groups

07-14-2016 04:08 AM
Occasional Contributor III

If you have named users who have been removed from an ad group, he won't have access to group content but still has valid named user account. Is there a way to delete his named user account automatically once he is dropped from the ad group?

0 Kudos
2 Replies
MVP Esteemed Contributor

I guess that is not possible yet.

If a member is deleted directly from the identity store, the member is retained in the portal. You will need to delete the member manually in the portal.

Think Location
Occasional Contributor III

But I believe you can script the user removal with Python.

The PortalPy library on Github I believe has the tools for doing this.

And I would imagine that ArcPython (in beta) will have similar functionality.

The ArcREST library might also help.

When I say script it, I mean you could have a python script that you could pass the user name to and have it remove the user.

That's quasi-automated in my mind.

Somehow to fully automate, you have to get AD to trigger a function or maybe you could hook to AD and watch the groups and when a name drops off, auto remove it or ...  I have not worked with AD in python but this lib looks pretty simple:

Tim Golden's Python Stuff: Active Directory Cookbook


ldap-groups 2.5.3 : Python Package Index

That would mean keeping a table of groups in a file and users in the groups (basically duplicating the AD tree for the groups you are enabling in Portal) and running a nightly or weekly process to watch for changes.

Maybe the PortalAdmin tools from GeoJobe have something?