I would like to have a script that would delete users in Active Directory 120 days after the deprovision date.
Delete user 120 days after deprovision date in Active Directory
The attribute cannot be modified because it is owned by the system
Trying to utilize a virtual attribute of type DN and pump the values of a user's "memberOf" attribute into it at the time the virtual attribute is accessed. However, I continue to receive the following error: The attribute cannot be modified because it is owned by the system. Any thoughts?
Sub onPreGet(Request)
    Const ADS_PROPERTY_UPDATE = 2
    Const EDS_PROPERTY_APPEND = 3   ' not used below
    groupAttribute = "edsvaMemberOfReplica"
    ' Only act on user objects, and only when the virtual attribute is being read
    If Request.Class <> "user" Then Exit Sub
    If Not Request.IsAttributeRequested(groupAttribute) Then Exit Sub
    Set user = GetObject(Request.ADsPath)
    ' Copy the user's memberOf values into the virtual attribute
    memberOf = user.GetEx("memberOf")
    user.GetInfoEx Array(groupAttribute, "isSingleValued"), 0
    user.PutEx ADS_PROPERTY_UPDATE, groupAttribute, memberOf
    user.Put "isSingleValued", False
    user.SetInfo
    Set user = Nothing
End Sub
Does deleting a VA delete all the associated data?
I have a virtual attribute in ARS (v6.0.4) with over 30K users that have a value populated. If I delete the VA only, will it delete all the associated data of these users in SQL properly, or will I need to delete the values from each user first, then delete the VA?
Event Handler function for group Add/removes in A.D
Hi
I am using the event handler function "onPreModify" to check for any Active Directory group adds or removes; it should then run a PowerShell script and export a list of the A.D group members to a text file.
It appears that "onPreModify" doesn't detect group membership changes to a user account. It seems to work fine for user account properties such as description. Can anyone assist please?
Is there some additional PowerShell code required? I am fairly new to PowerShell and Active Roles. We are on v6.8.
Many Thanks
Nick
PowerShell: how to Raise Error with Window Popup?
Err.Raise <Error Code>, <Error Source>, <Error Description>
- this creates a popup
Sub onPreCreate(Request)
    ' strError holds the text shown in the popup (illustrative message)
    strError = "Administrative policy violation"
    Err.Raise 1, "Administrative policy", strError
End Sub
thanks,
Aidar
Certain users and groups are non-clickable in Web interface
A while back, we set up an MU to grant Secondary Owners permissions to read all properties of groups and write Members and Description. We then specify our AAs as Secondary Owner for the DLs they should manage. This has worked great until recently. One AA has reported that she's unable to click on users or groups under the Member section of her DL; however, she can click on groups under Member Of. If I log in to the web interface on her computer, all is well. Any ideas what could be causing this?
Whoami with powershell, $Request.whoami
Hello,
I want to find out who is starting the script. I want to move a group and find out who started the move.
My SamAccountName is t2rehst and the SamAccountName from Quest is Questadm.
My problem is, every time I use whoami, it always shows me DOMAIN/Questadm. My account t2rehst is never displayed.
If I use $Request.whoami, so I get the following information
" System.Void WhoAmI(System.String&, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 accountName, System.String&, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 dn="I use t
Can I use the PublicKeyToken?
I try for example
function onPreMove($Request)
{
    # SID of the questadm account; only it may move the group
    $SID_QUESTADM = "S-1-5-21-2076390139-743132798-1575050150-90725"
    # snap-in for Quest cmdlets
    Add-PSSnapin Quest.ActiveRoles.ADManagement
    if ($Request.Class -eq "group")
    {
        $user = whoami
        $EventLog.ReportEvent(2, "user : $($user)")
        $name = $Request.name
        if ($name -match "G-AUDI-AG-DISTMng")
        {
            # only move if account is questadm (SID S-1-5-21-2076390139-743132798-1575050150-90725)
            $user1 = Get-QADUser $user -IncludeAllProperties
            $userSid = "$($user1.SID)"
            $EventLog.ReportEvent(2, "userSiD : $($userSid)")
            if ($userSid -ne $SID_QUESTADM)
            {
                $msg = "Group $($name) can't be moved."
                throw $msg
            }
        }
    }
}
The script always shows me DOMAIN/Questadm even though I started it. I hope you can understand my problem.
woody
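As an added example (not part of the post above), the same policy written to read the request initiator through the Request object's WhoAmI method, whose signature is printed in the thread. The [ref] calling convention and the placeholder DN are assumptions, not something the thread confirms:

```powershell
function onPreMove($Request)
{
    if ($Request.Class -ne "group") { return }

    # WhoAmI fills its two string arguments by reference instead of returning a value,
    # so both are passed as [ref] variables (convention assumed from the printed signature)
    $accountName = ""
    $accountDn   = ""
    $Request.WhoAmI([ref]$accountName, [ref]$accountDn)
    $EventLog.ReportEvent(2, "Request initiator: $accountName ($accountDn)")

    # 'whoami' reports the account the policy script itself runs under, not the person
    # who submitted the move, so the initiator DN returned by WhoAmI is used for the check
    $allowedDn = "CN=Questadm,OU=Admins,DC=example,DC=com"   # placeholder DN
    if ($Request.Name -match "G-AUDI-AG-DISTMng" -and $accountDn -ne $allowedDn)
    {
        throw "Group $($Request.Name) may only be moved by $allowedDn; request came from $accountName."
    }
}
```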
Entitlement Profile of "Managed By" type - based on different attribute
I'm trying to create a custom Entitlement Profile for "Computer Asset" scenario.
There is a virtual attribute "edsvaPrimaryUser" on a Computer object that contains a reference to a User object (users' DN).
When I look at user's "Entitlement Profile", I would like to be able to see all Computer objects associated with that user via "edsvaPrimaryUser".
It is similar to the "Computer Owner" Entitlement Profile, but should use "edsvaPrimaryUser" attribute instead of the "managedBy" attribute.
Is it possible to accomplish this in ARS 6.7 or ARS 6.8?
Generated password field not populated since upgrading to 6.8
Hi,
We have recently built a new ARS 6.8 server which is currently running alongside our live 6.7 server, but we have an issue where our temporary password field is not being populated. The scripts from the old server have all been copied across, and 6.8 successfully generates a random password when you create a new user, but it does not write the temp password to "edsvaGeneratedPassword".
This works fine on our old 6.7 server and is the last thing stopping us from making the full transition.
This is the current script (and it works on our old server):
function onPreCreate($Request)
{
    if ($Request.Class -ne "user") { return }
    # Walk the request's properties looking for the generated password
    for ($i = 0; $i -lt $Request.PropertyCount; $i++)
    {
        if ($Request.Item($i).Name -eq "edsaPassword")
        {
            $Password = $Request.Get("edsaPassword")
            $Request.Put("edsvaGeneratedPassword", $Password)
            break
        }
    }
}
Any ideas of things to check etc?
Thanks
Do not allow space character in SAMAccountName?
I have tried doing this but the policy doesn't work. Is there a special keystroke required to represent a space character in "Logon Name (Pre-Windows 2000) must not contain these characters"?
I simply ticked that box, pressed the space bar and thought that would be enough, but it doesn't stop spaces from being added during account creation when a helpdesk person types in the username. This results in SAMAccountNames with spaces and profile paths with spaces.
Most of our accounts use auto generation of usernames, but we have a few such as resource accounts that need to be manually typed in.
Difference between QAD and AD
Hello,
I want to know what the difference is between the Quest QAD cmdlets (like Get-QADUser) and the ActiveDirectory cmdlets (like Get-ADUser)?
We have the impression that these commands do not work in the same way and that the QAD cmdlets use more CPU resources than the ActiveDirectory version.
- In which cases would you recommend using one or the other of these methods?
- Has anyone already noticed CPU load problems with a script that uses the QAD cmdlets?
Thank you for your future answers and helps
Server Hardware
I would like to inquire about some other setups that may be out there. Currently I have 3 ARS servers; 1 of the 3 hosts the webpage. All 3 of the servers host the administration service; the domain currently has around 25k objects. I had noticed that the server was using about 1.8 GB of RAM out of a total of 2. Keep in mind this is also virtual; the processor is an Intel Xeon E5-2680 2.70 GHz. We increased the RAM to 4 GB and have seen much more processor use, with RAM use at about 1.5 GB. The OS is Server 2008 R2 on all 3 boxes.
Scheduling of account disabling during deprovisioning
When a user account is deprovisioned, I want to move the account, scramble the password but then wait a week before the account is disabled. I was going to write a script that would create and schedule a batch file but was wondering if ARS has a scheduling function. One of the builtin policies can delete an object after x days.
Anyone know of a way to do this or is scheduled tasks the only way to go?
ARS Publisher Failed
We have (had) two ARS servers, a publisher and a subscriber. The publisher failed and is not coming back online.
I have followed the instructions in Knowledge Article 64598 (https://support.quest.com/SolutionDetail.aspx?id=SOL64598) titled "Recovering Replication if the Publisher is not available". However, when I set the edsvaReplicationForceStandalone attribute to TRUE on the subscriber, nothing happens. I want to build another server, but I have no way to add it to the replication group until I can make the existing subscriber a publisher.
Please Help!
Unix-enable group with GID Number less 1000
Hello everybody
We are using ARS and QAS. I want to create a Unix-enabled group with the ARS MMC with a GID Number of 555. This gives me the following error message:
ERROR Code: 80041266
Message: Corporate policy violation. The requested operation cannot be performed due to a violation in policy. UEG - Validation(120, 5) Common Routines: error in the Common Routines(453,9 ): This Group ID is less than 1000. Specify a different value for the Group ID.
Where can I configure that GID number less than 1000 can be used?
Many thanks for your help
Urs
ARS Workflow calling Stored Procedure via PowerShell
Hi,
Hoping someone out there can help me with this.
I'm provisioning users with Quick Connect from an HR database to ActiveRoles Server; this part works great.
What I want to do now, is write the info about the newly provisioned user to a SQL database via a stored procedure, this is an internal telephone directory used on the intranet.
I've attempted to do this via a Workflow in ARS that calls a PowerShell script, as below:
The script activity is as follows:
The user is created in ARS but not in the SQL database; errors in the EDM logs are generated via an error trap in the PowerShell script:
Workflow activity has reported an alert. Workflow name: Notify on User Provision from ESR Workflow GUID: 5a9aaae2-2fa3-4d2a-9bff-6a2bf3e8a495 Workflow instance GUID: 70a8dbfa-6869-4a40-a751-8fb70011eee0 Activity name: powerShellActivity1 Activity type: Quest.ActiveRolesServer.Workflow.Activities.PowerShellActivity.PowerShellActivity Script Module: Write User Provision Info To Staff Directory Details: At line: 8 char:6. Trapped Error: Cannot index into a null array..Exception.Message; More: System.Management.Automation.RuntimeException; Position At line:14 char:25 + $strFirstName = $srcObj[ <<<< "givenName"]
AND:
Execution of workflow instance failed. Workflow name: Notify on User Provision from ESR Workflow GUID: 5a9aaae2-2fa3-4d2a-9bff-6a2bf3e8a495 Workflow instance GUID: 70a8dbfa-6869-4a40-a751-8fb70011eee0 Operation ID: 1-45152 Operation GUID: 8eebe370-088b-42ab-8843-ef748a47da47 Operation: Create Object
Object name: Bilbo Baggins
Object parent container: domain.x.uk/x/x/x
Object type: user
Object GUID:
Initiator: DOMAIN\activerolesserver
Details:
At line: 8 char:6. Trapped Error: Cannot index into a null array..Exception.Message; More: System.Management.Automation.RuntimeException;
Position
At line:14 char:25
+ $strFirstName = $srcObj[ <<<< "givenName"]
Use ActiveRoles cmdlets to clear "comment" attribute (used by Password Manager by default)
***USE AT YOUR OWN RISK***
The following script reads a CSV file list of usernames and clears their "comment" attribute in Active Directory. This can be useful when dealing with Quest One Password Manager which uses the "comment" attribute, by default, to store user profile information. Please note that this script makes use of the ActiveRoles Management Shell cmdlets.
## Begin Script
# Returns the folder the script itself is running from
function Get-ScriptDirectory
{
    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
    Split-Path $Invocation.MyCommand.Path
}

$workingDirectory = Get-ScriptDirectory
$inputFilePath = Join-Path $workingDirectory "users.csv"

# users.csv has a single "username" column; clear each listed user's comment attribute
Import-Csv $inputFilePath | ForEach-Object {
    Set-QADUser -Identity $_.username -ObjectAttributes @{'comment'=$null}
    # Uncomment to verify the result for each user
    #Get-QADUser -Identity $_.username -IncludeAllProperties | Format-List comment
}
## End Script
The "users.csv" must be located in the same folder as the script itself. The very first line of the "users.csv" file must contain only the word "username", all lower case. I have attached a blank "users.csv" as a template. Place each user's username on a new line below the first line containing "username".
How to create a Bulk Dynamic Groups in ARS?
I have ARS 6.7 with Exchange 2007; I have a requirement to create groups in bulk in Active Directory, about 500 groups.
The requirement is to create mail-enabled Dynamic Security Groups; I have an LDAP query for each group. I can create them using the GUI, but it will take very long to create each group separately.
Can someone help / guide me on how to create them using the command line / a script within ARS?
Any help would be appreciated.
Thanks.
ARS Builtin password script
Hi all,
A customer asked me to change the built-in password script to fulfill the following:
generate password with at least 7 characters/numbers/special characters. (OK, 7 is easy )
allowed are: only 1 uppercase character – only 1 number - only 1 special character – rest lowercase characters -> mixed -> means: e.g. the number can be somewhere from the first until the last put; same for the rest of the allowed things.
Does anyone have a solution for this request?
Tx
Markus
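As an added example, not the ARS built-in password script, a PowerShell function that produces a value meeting the rules listed above: exactly one uppercase letter, one digit and one special character, every other position lowercase, with the positions shuffled. The special-character set and the use of the .NET cryptographic RNG are assumptions:

```powershell
function New-ConstrainedPassword {
    param([int]$Length = 7)
    if ($Length -lt 4) { throw "Length must be at least 4 to hold one of each required class." }

    $lower   = 'abcdefghijklmnopqrstuvwxyz'
    $upper   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digits  = '0123456789'
    $special = '!#$%&*+-=?@'      # assumed set; align it with the domain password policy

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4

    # Unbiased random integer in [0, Max): rejection sampling over 4 random bytes
    function Get-RandomIndex([int]$Max) {
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
        do {
            $rng.GetBytes($buf)
            $n = [System.BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        return [int]($n % $Max)
    }

    # Exactly one character of each required class; every other position is lowercase
    $chars = @(
        $upper[(Get-RandomIndex $upper.Length)],
        $digits[(Get-RandomIndex $digits.Length)],
        $special[(Get-RandomIndex $special.Length)]
    )
    for ($k = 3; $k -lt $Length; $k++) { $chars += $lower[(Get-RandomIndex $lower.Length)] }

    # Fisher-Yates shuffle so the required characters can land at any position
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# Checks a generated value against the stated rules before it is handed out
function Test-ConstrainedPassword([string]$Password) {
    $u = @([char[]]$Password | Where-Object { $_ -cmatch '^[A-Z]$' }).Count
    $d = @([char[]]$Password | Where-Object { $_ -match  '^[0-9]$' }).Count
    $s = @([char[]]$Password | Where-Object { $_ -match  '^[!#$%&*+\-=?@]$' }).Count
    return ($Password.Length -ge 7 -and $u -eq 1 -and $d -eq 1 -and $s -eq 1)
}

$pw = New-ConstrainedPassword -Length 7
"$pw  meets rules: $(Test-ConstrainedPassword $pw)"
```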