Channel: Software Communities : Popular Discussions - ActiveRoles

Selective authentication between 2 domains

Hello,

 

Domain A and domain B have a trust with selective authentication.

When we add a group from domain B to the security settings of a computer in domain A, we get a popup for authentication in domain B.

 

(screenshot: problem.PNG)

 

I am trying to automate this with the Quest tools, but I came across the following problem:

 

Add-QADPermission 'CN=Some Group in Domain A,CN=Users,DC=ads,DC=hogent,DC=be' -Account 'DOMAINB\SOME USER' -Rights 'GenericAll' -Connection $domainA

Script gives an error that it has no rights to lookup 'DOMAINB\SOME USER'

 

Add-QADPermission 'CN=Some Group in Domain A,CN=Users,DC=ads,DC=hogent,DC=be' -Account 'DOMAINB\SOME USER' -Rights 'GenericAll' -Connection $domainB

Script finds the user 'DOMAINB\SOME USER'

Script gives an error that 'DOMAINB\SOME USER' cannot be added because the connection $domainB has no rights to edit the AD from Domain A

 

 

I already tried with the SID of DOMAINB\SOME USER, but it still needs to look up the identity.

I also already tried first getting the user DOMAINB\SOME USER, parsing it into an object (Get-QADUser), then adding it with Add-QADPermission, but this doesn't work either.

 

Is there any way to bypass the popup we get in the GUI?

 

Regards

Stijn


Use ActiveRoles cmdlets to clear "comment" attribute (used by Password Manager by default)

***USE AT YOUR OWN RISK***

 

The following script reads a CSV file list of usernames and clears their "comment" attribute in Active Directory.  This can be useful when dealing with Quest One Password Manager which uses the "comment" attribute, by default, to store user profile information.  Please note that this script makes use of the ActiveRoles Management Shell cmdlets.

 

 

## Begin Script
function Get-ScriptDirectory
{
    # Folder the running script lives in, so users.csv is found next to it
    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
    Split-Path $Invocation.MyCommand.Path
}

$workingDirectory = Get-ScriptDirectory
$inputFilePath = Join-Path $workingDirectory "users.csv"

# The CSV header must be exactly "username"; each row's username is the identity to update
Import-Csv $inputFilePath | ForEach-Object {
    # Writing $null to the attribute clears it in Active Directory
    Set-QADUser -Identity $_.username -ObjectAttributes @{'comment'=$null}
    #Get-QADUser -Identity $_.username -IncludeAllProperties | Format-List comment
}
## End Script

The "users.csv" must be located in the same folder as the script itself.  The very first line of the "users.csv" file must only contain the word "username", all lower case.  I have attached a blank "users.csv" as a template.  Place each user's username on a new line below the first line containing "username".

Deprovision Exchange Policy Script Failing

Trying to set a policy that disables ActiveSync on deprovision; error below:

 

Administrative Policy returned an error. Deprovisioning policy failure. The 'Script Execution' policy encountered an error when deprovisioning a user. Failed to execute the script 'Disable Exchange Services'. The term 'Set-Mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

 

Code below:

 

function onDeprovision($Request)
{
    if ( $Request.Class -ne "user" ) { return }
    # $DirObj is the directory object being deprovisioned
    $userName = $DirObj.Get("sAMAccountName")
    $fileName = "$userName"
    Set-CASMailbox -Identity $fileName -ActiveSyncEnabled $false
}

 

I've also tried set-mailbox which doesn't work with same error. help?
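The error says the Exchange cmdlets are not loaded in the ActiveRoles script host, which does not load snap-ins on its own. One way to handle that is to load the Exchange management snap-in at the start of the handler, as in this added example (not the poster's script); it assumes the Exchange 2010 Management Tools are installed on the Administration Service computer (for Exchange 2007 the snap-in name is Microsoft.Exchange.Management.PowerShell.Admin).

```powershell
# Added example: load the Exchange snap-in before calling Set-CASMailbox.
# Assumption: Exchange 2010 Management Tools are installed on this host.
$exchangeSnapin = 'Microsoft.Exchange.Management.PowerShell.E2010'

function Import-ExchangeSnapin
{
    # Already loaded in this runspace: nothing to do
    if (Get-PSSnapin -Name $exchangeSnapin -ErrorAction SilentlyContinue) { return }

    # Fail with a clear message if the tools are not installed, so the
    # deprovisioning log shows the real cause instead of "not recognized"
    if (-not (Get-PSSnapin -Name $exchangeSnapin -Registered -ErrorAction SilentlyContinue))
    {
        throw "Exchange snap-in '$exchangeSnapin' is not registered on this host; install the Exchange Management Tools"
    }
    Add-PSSnapin $exchangeSnapin
}

function onDeprovision($Request)
{
    if ($Request.Class -ne "user") { return }

    Import-ExchangeSnapin

    # $DirObj is the object being deprovisioned, as in the original script
    $userName = $DirObj.Get("sAMAccountName")

    # Disable ActiveSync; -Confirm:$false avoids a prompt nobody can answer in a policy script
    Set-CASMailbox -Identity $userName -ActiveSyncEnabled $false -Confirm:$false
}
```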

Running scripts via EDMS provider Active Roles

I am trying to run a vbscript using the EDMS provider to enable or disable a specific user account in AD. The account running the script is not a domain admin or Quest administrator but does have the right to make the change in Active Roles. When I run the script it gives an error on the GetObject line saying invalid syntax. I believe this translates to access denied.

Is there some other permission I need to grant in order to make this run? I am using Active Roles v5.2.5.

Thanks

Deprovisioning doesn't clear all OCS attributes

I want to clear all the OCS attributes (msRTCSIP-*) on deprovisioning but it would only clear the msRTCSIP-OptionFlags one. Is there a reason for that?

I'm running ARS 6.7.0 without the OCS addon. I don't want to install the OCS module as we are not delegating access rights to that. I really just want to purge those attributes.

Exchange tasks not working in new server

Hi,

 

We currently have a 6.8 web server running fine and have introduced another web server for load balancing. This new server is fine except for when you try to create Exchange tasks such as a mailbox or a security group with Exchange attributes. We get this error on the web server:

 

"•Administrative Policy returned an error. Exchange Server-related operation failed. Administration Service requires Exchange 2007 Management Tools or Exchange 2010 Management Tools to perform this operation. Install Exchange Management Tools on the computer running the Administration Service. "

 

I have installed the Exchange 2007 management tools with the latest service packs and all Windows updates. You can manually create Exchange objects through the Exchange console on this server. The server is successfully running the 6.8 Service.

 

 

Any other suggestions? Thanks

Launch Powershell script from ARS Web Interface

Sorry if I'm missing something obvious (we've just recently deployed ActiveRoles Server), but I can't seem to find an easy way to launch a standalone PowerShell script from within the ActiveRoles Server Web Interface.

 

I have a simple script which exports a list of user objects from our Deprovisioned Users OU to a CSV file, and I'd like our Help Desk staff to be able to launch this script from the Web UI by clicking a custom menu item like "Generate Deprovisioned Users Report".

 

Can anyone point me in the direction of any existing documents that show me how to do this?

Policy Script to Update Country based on PhysicalDeliveryOfficeName

Hello,

 

I am new to ARS, but I am trying to add a new policy script that will take the first two characters of the PhysicalDeliveryOfficeName and populate the Country based on those characters. Not really sure where exactly to get started here. I have looked at the policy and it seems like I need to add this as a script, which is fine, and I am very comfortable with both VBScript and PowerShell, but I'm not exactly sure where/how to grab specific fields from ARS in this sense like I would with a normal PowerShell script running against, say, a user object.

 

Any pointers are welcomed and appreciated.


ARS 6.8 Workflow to move user to OU

We are using QC to provision user accounts to a certain OU. I am trying to configure a workflow to move the new users to their correct OU. I am looking to move them based on Department to their correct OU. The OUs are named after each department. So far the workflow that I am trying to use does not seem to be making the call to the script I created. I have the script as a function. If I try just using the workflow without a script I don't see anything happening. The trigger is create user.

 

Thanks in advance for any suggestion.

Dynamic Group Membership Rules Dump Question

Hi,

I realize that this would be unsupported stuff, but I was hoping an ARS developer can shed some light on the dynamic group membership rules stored in the <DynamicGroupXML> tag in accountNameHistory of the group object.

 

I couldn't find any documentation on a method (cmdlet, script, etc.) to dump the group membership rules in ARS, so I wrote a script to parse out the accountNameHistory attribute on the group objects. For the most part I get the rules parsed out OK, but I am unable to determine what OU base (searchroot) the LDAP query is searching from. Where is this information stored? It does not appear in any of the attributes, so I assumed it would be in the GUID for the query.

 

(screenshot: find_window.png)

 

In an "Exclude/Include by Query" (0x1,0x2), I assumed the GUID specified referred to the objectGUID of the OU object (seen as "JUST" in the picture above), but the GUID does not seem to resolve to anything (see below example). So... I tried searching the ARS database and found tons of references to WfSharedTasks and WfSharedOperations, but nothing too useful to indicate searchroot. Darn!

 

for example:

<?xml version="1.0"?>
<DynamicGroupXML Conditions="
[0x2;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Exclude by query, GUIDs are a mystery! nay!
[0x1;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Include by query, GUIDs are a mystery! nay!
[0x5;99b0e558-be46-43eb-80cb-72550b4235f3;] <--- Explicitly exclude user, GUIDs resolve to actual users, yay!
[0x4;995dafc1-cb59-4a5d-b25a-2b51d24fcce2;] <--- Explicitly include user, GUIDs resolve to actual users, yay!
[DG]" OriginatingService="97fd9b18-6024-4b74-936d-10efb2513c1b" TimeStamp="2013-06-24T09:00:01.0977348Z" HasNestedGroups="FALSE"/>

 

Any info to shed light on dumping membership rules would be much appreciated!!

 

thanks!

Chris
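A parser for the rule format shown above, as an added example that is not part of the post. The type-code meanings are the ones worked out in the post; the search root is not present in this data, so a query rule's GUID is reported as-is. The sample value and its LDAP filters are constructed, and the Get-QADGroup call in the trailing comment is an assumed way to read a live value.

```powershell
# Added example: parse the <DynamicGroupXML> Conditions attribute into rule objects.
# Sample value is constructed (GUIDs are the ones quoted in the post, filters are made up).
$sampleRules = @'
<?xml version="1.0"?>
<DynamicGroupXML Conditions="
[0x2;83b37ab7-c599-45d2-abc3-1d586fc743d0;(&amp;(objectCategory=person)(title=Contractor))]
[0x1;83b37ab7-c599-45d2-abc3-1d586fc743d0;(&amp;(objectCategory=person)(department=Sales))]
[0x5;99b0e558-be46-43eb-80cb-72550b4235f3;]
[0x4;995dafc1-cb59-4a5d-b25a-2b51d24fcce2;]
[DG]" OriginatingService="97fd9b18-6024-4b74-936d-10efb2513c1b" TimeStamp="2013-06-24T09:00:01.0977348Z" HasNestedGroups="FALSE"/>
'@

# Type codes as described in the post
$ruleTypeNames = @{
    '0x1' = 'Include by query'
    '0x2' = 'Exclude by query'
    '0x4' = 'Include explicitly'
    '0x5' = 'Exclude explicitly'
}

function ConvertFrom-DynamicGroupXml([string]$RawXml)
{
    # Let the XML parser undo attribute escaping (&amp; becomes &) and fold newlines
    $doc = [xml]$RawXml
    $conditions = $doc.DynamicGroupXML.Conditions

    # Every rule is [type;guid;filter]; the filter is empty for explicit rules, and the
    # trailing [DG] marker has no ';' fields so the pattern skips it.
    # Caveat: a filter containing a literal ']' would need a smarter tokenizer.
    $rulePattern = '\[(0x[0-9A-Fa-f]+);([0-9A-Fa-f-]{36});([^\]]*)\]'
    foreach ($m in [regex]::Matches($conditions, $rulePattern))
    {
        $code = $m.Groups[1].Value.ToLower()
        $typeName = 'Unknown'
        if ($ruleTypeNames.ContainsKey($code)) { $typeName = $ruleTypeNames[$code] }
        New-Object PSObject -Property @{
            TypeCode   = $code
            Type       = $typeName
            Guid       = $m.Groups[2].Value
            LdapFilter = $m.Groups[3].Value
        }
    }
}

# For a live group, read the attribute through the ActiveRoles proxy (assumed usage):
# $raw = (Get-QADGroup -Identity 'CN=Dyn Group,OU=Groups,DC=example,DC=com' -Proxy `
#             -IncludedProperties accountNameHistory).accountNameHistory
ConvertFrom-DynamicGroupXml $sampleRules | Format-Table TypeCode, Type, Guid, LdapFilter -AutoSize
```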

Set user password via powershell script

Hello,

 

I'm using a custom script to generate and assign a random password to users.

 

Let's say we have user pippo with password 'test'; I execute the following script (via ARS workflow):

 

function onInit($context) {
    $context.UseLibraryScript("Library - password generation")
}

function onPreModify($Request) {
    $newpass = RandomPassword -length 5 -pattern "NNNNN" # custom function for password generation

    $Request.put("edsvaTempPwd",$newpass) # I have to use a virtual attribute to temporarily store the password in clear text since I need to notify the user's boss of the new password via mail
    $Request.put("edsaPassword",$newpass)
    $Request.put("edsaPasswordNeverExpires",$false)
    $Request.put("edsvaUserMustChangePasswordAtNextLogon",$true)
}

But the password is not changed; pippo can still access workstations with the old password 'test'. Am I missing something?

 

Thanks,

Andrea

Script for Powershell in order to pull data from AD

Hi All, I'm new to PowerShell and need to extract some data.

 

I need every employee that is ACTIVE along with this criteria...

 

samAccountname
employeeID
department
status
mail
title

 

I got the correct names out of Active Roles, but now I need to run this in PowerShell and dump it to a CSV; can anyone generate a script for this?

 

Thanks!

Artie
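An export of the requested columns for enabled accounts, as an added example that is not part of the post. It assumes the ActiveRoles Management Shell snap-in is available and that "status" is kept in extensionAttribute1 (an assumption; change it to wherever your status value actually lives).

```powershell
# Added example: enabled users with the requested attributes, written to CSV.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Assumption: "status" is stored in this attribute; adjust to match your directory
$statusAttribute = 'extensionAttribute1'
$outputCsv = 'C:\Temp\active-users.csv'

# -Enabled returns only accounts that are not disabled; -SizeLimit 0 lifts the default
# result cap. Attributes outside the cmdlet's default set must be requested explicitly.
Get-QADUser -Enabled -SizeLimit 0 `
    -IncludedProperties samAccountName, employeeID, department, mail, title, $statusAttribute |
    Select-Object samAccountName, employeeID, department,
        @{ Name = 'status'; Expression = { $_.$statusAttribute } },
        mail, title |
    Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8
```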

Secondary owner distribution list update permissions

Hi, I have a number of distribution lists that I would like to setup secondary owners for. I can populate the edsvaSecondaryOwners field fine and that's great, but the actual function of secondary owners being able to update the membership list of the group is not working (edsvaSecondaryOwnersCanUpdateMembershipList property is checked). These are exchange 2010 distribution lists, is there a setting I need to configure through exchange first?

 

Note, if I add a user as a manager of the group, they can update the distribution list when the edsvaManagerCanUpdateMembershipList property is checked even when no additional exchange options have been set. Why isn't it working for secondary owners?

 

Thanks

Upgrading from GPOAdmin version 5.01

We are looking to replace the Windows 2008 R2 server where GPOAdmin version 5.01 is installed.  The plan I was thinking about is to build a new server running Windows 2012 SP1 and install GPOAdmin version 5.6 and import the configuration settings from our current server.  Then, from the release notes for GPOAdmin version 5.6, I see this:

 

Note the following when upgrading to Quest GPOADmin version 5.6:

  • When you upgrade the Server, you must also upgrade the Client, GPMC Extension, and Watcher Service to version 5.6.   
  • The supported upgrade paths are from versions 5.4 and 5.5.   
  • To view Unix settings in GPOADmin, Quest Authentication Services must be installed after GPOADmin is installed. See solution article SOL82849.

Note: If you are upgrading from a version prior to 5.4, the upgrade to version 5.6 will make the following changes. These changes will be made due to the Enhanced Workflow Approval implemented in 5.4. Careful consideration of the results of these changes should be made before you perform the upgrade. Your upgrade process will:

  • Remove the required number of approvals set on any object or container. 
  • Remove all references to the Approver role set on any object or container. 
  • Remove the Approve right defined in any role. 
  • Replace the ModifyNumberOfApprovals right with the new ModifyApprovalsWorkflow right.

 

From these notes, it almost appears that I might be better off just doing a clean installation of GPOADmin on the new Windows 2012 server and reconfiguring all of the containers, approvers, etc. from scratch and reregistering all of the policies...  I know this will lose the current history information and I will have to clean up the working copies from SYSVOL.

 

Any thoughts if I'm on the best path to get from here to there?

 

Thanks.

 

- David

In Need of Assistance For a PostCreate Script Module

I think this may be pretty easy, but since I am very weak in the PowerShell department, I thought I may put this out there to see if anyone can help.

 

In my ARS provisioning policy, I have added the Authentication Services plugin that Unix Enables my new user and assigns a UID value to the 'uidNumber' attribute. I want to execute a script module that can look at that value, convert it to hex, and write the hex value to the 'gecos' attribute.

 

Any help would be greatly appreciated!

 

Thanks!

Joey
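One ActiveRoles script module that answers both script questions above, as an added example (not from either post): onPreCreate/onPreModify fills the country attributes from the first two characters of physicalDeliveryOfficeName (asked in "Policy Script to Update Country based on PhysicalDeliveryOfficeName"), and onPostCreate writes the hex form of uidNumber into gecos (asked in "In Need of Assistance For a PostCreate Script Module"). The office-prefix-to-country table is an assumption, and $Request.IsAttributeModified, $DirObj.Put and $DirObj.SetInfo are used as exposed by the ARS script host.

```powershell
# Added example: ARS policy script module with two handlers.
# Assumption: office names start with a two-letter code mapped in this table.
$officePrefixToCountry = @{
    'US' = @{ c = 'US'; co = 'United States';  countryCode = 840 }
    'UK' = @{ c = 'GB'; co = 'United Kingdom'; countryCode = 826 }
    'BE' = @{ c = 'BE'; co = 'Belgium';        countryCode = 56 }
}

function Set-CountryFromOffice($Request)
{
    # $Request carries the attribute values being written in this operation
    $office = $Request.Get('physicalDeliveryOfficeName')
    if ([string]::IsNullOrEmpty($office) -or $office.Length -lt 2) { return }

    $prefix = $office.Substring(0, 2).ToUpper()
    if (-not $officePrefixToCountry.ContainsKey($prefix)) { return }   # unknown code: leave country alone

    # AD keeps the country in three attributes; set them together so they stay consistent
    $country = $officePrefixToCountry[$prefix]
    $Request.Put('c', $country.c)
    $Request.Put('co', $country.co)
    $Request.Put('countryCode', $country.countryCode)
}

function onPreCreate($Request)
{
    if ($Request.Class -ne 'user') { return }
    Set-CountryFromOffice $Request
}

function onPreModify($Request)
{
    # Only react when the office is part of this change
    if ($Request.Class -ne 'user') { return }
    if ($Request.IsAttributeModified('physicalDeliveryOfficeName')) { Set-CountryFromOffice $Request }
}

function onPostCreate($Request)
{
    if ($Request.Class -ne 'user') { return }

    # By now the provisioning plug-in has assigned uidNumber; read it from the created object
    $uid = $DirObj.Get('uidNumber')
    if ($uid -eq $null) { return }

    # Store the hex form (e.g. 10013 becomes 271D) in gecos and commit the change
    $DirObj.Put('gecos', ('{0:X}' -f [int]$uid))
    $DirObj.SetInfo()
}
```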


Don't get your connections crossed

I recently ran into some strange results while writing an audit script.  A user from domain A was listed as a member of the Domain Admins group from Domain B - that's not possible!  Then I noticed another user's DN was in Domain A but the NTAccountName attribute was DomainB\<userName>.

 

So what's going on then?

 

I guessed that SIDHistory was coming into play here.  Personally I hate SIDHistory, but trying to get others not to use it is next to impossible.  Everyone likes to take the easy route and just import SIDHistory.  In testing years back I remember that looking at the local administrator group on a server would show different user IDs as you moved the server from one domain to another, and in a multi-master domain model (I think that was what it was called; it was so long ago now) the user name could change from one refresh to another, as what really happens is the SID is used to look up the user, and the user displayed is dependent on the trust and the DC at the end of the trust you use to resolve the name.

 

How to fix this then?  Well, actually it's simple: just make sure you are explicit in your connection strings when using the Quest cmdlets.

 

For each domain you want to interrogate I usually set up a connection (or I do now :-)).

If I need alternate credentials then I use Get-Credential:

$domainACreds = Get-Credential
$domainBCreds = Get-Credential
$arsCredentials = Get-Credential

# One explicit connection per domain, plus one through the ActiveRoles Administration Service (-Proxy)
$domainAconnection = Connect-QADService -Service "domainA.com" -Credential $domainACreds
$domainBconnection = Connect-QADService -Service "domainB.com" -Credential $domainBCreds
$arsConnection = Connect-QADService -Service "arsServer.domainA.com" -Proxy -Credential $arsCredentials

 

Then when you use a cmdlet just use the -Connection parameter with the requisite connection variable.  This also allows a single line of code if you precede it with a switch statement checking for the user domain.

 

Switch ( $member.DomainName ) {
    "DomainA" { $connectionToUse = $domainAconnection ; break }
    "DomainB" { $connectionToUse = $domainBconnection ; break }
    # Reset the variable here, otherwise an unknown domain silently reuses the previous member's connection
    Default   { $connectionToUse = $null ; Write-Host "Connection Unknown" -ForegroundColor Yellow -BackgroundColor Black }
} # Switch ( $member.DomainName )

 

If you don't do this then the cmdlet uses the last connection used so if you were expecting results from domainA and the last connection was to domainB you won't get back any accounts from domainA. 

 

Using this also appears to fix the SIDHistory "bug" which kicked off this whole discussion.

 

If you are just using the proxy connection then you can use the -SearchRoot parameter to target a specific domain; otherwise that too can produce unexpected results when searching using non-fully-qualified attributes, e.g. searching for <username> instead of <domain>\<username>.  The former will return as many matches as it can across all managed domains.

 

For those of you with single domains it's still good practice to do this, I think, as you never know when a merger or acquisition will break one of your scripts, or worse, the script works but is silently ignoring users because it's not handling the naming conflicts well.
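The audit loop behind the post with every cmdlet bound to an explicit -Connection, as an added example that is not the poster's script. It assumes $domainAconnection and $domainBconnection were created with Connect-QADService as shown above, and uses placeholder domain and group names.

```powershell
# Added example: resolve each group member through its own domain's connection,
# never through whichever connection happened to be used last.
$connections = @{
    'DomainA' = $domainAconnection
    'DomainB' = $domainBconnection
}

function Get-ConnectionFor([string]$domainName)
{
    if ($connections.ContainsKey($domainName)) { return $connections[$domainName] }
    Write-Warning "No connection defined for domain '$domainName'"
    return $null
}

function Get-AuditedGroupMembers([string]$groupDomain, [string]$groupName)
{
    $groupConnection = Get-ConnectionFor $groupDomain
    if (-not $groupConnection) { return }

    # Enumerate members through the group's own domain ...
    Get-QADGroupMember -Identity "$groupDomain\$groupName" -Connection $groupConnection -SizeLimit 0 |
        ForEach-Object {
            # ... then re-read each member through its home domain, so SIDHistory cannot
            # make a DomainA account show up under a DomainB name
            $memberConnection = Get-ConnectionFor $_.DomainName
            if (-not $memberConnection) { return }
            $resolved = Get-QADObject -Identity $_.DN -Connection $memberConnection
            New-Object PSObject -Property @{
                Group         = "$groupDomain\$groupName"
                MemberDomain  = $_.DomainName
                NTAccountName = $resolved.NTAccountName
                DN            = $resolved.DN
            }
        }
}

Get-AuditedGroupMembers 'DomainB' 'Domain Admins' |
    Format-Table Group, MemberDomain, NTAccountName, DN -AutoSize
```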

Exchange 2003 to Exchange 2010

Hi Guys.

 

Looking for some advice and guidance. Right now we are running ARS 6.8 and MS Exchange 2003 and are currently getting close to moving our first office over to Exchange 2010 on the backend. Right now I have the following setup:

 

UK

2 x Active Roles Administration Services
1 x Active Roles WI
        |
        |  SQL Replication from UK to US
        |
US

1 x Active Roles Administration Services
1 x Active Roles WI

 

So based on the above setup, is there anything I need to do in order to support Exchange 2010? I was thinking, and I might be wrong, that I need another Admin Service with the Exchange 2010 tools installed?

 

How would you handle the two different versions of Exchange with ARS?

 

Thanks in advance

Undelete ?

Is there an option to perform an Undelete? I didn't think there was, unless via script, and surely that would involve AD recovery for a user?  I noticed the OnPostUnDelete & OnPreUnDelete? So what are these for?

 

Thanks

Import-csv and empty fields

I have an Excel file that I save as a csv to update users' offices, phone numbers, etc. Some of the fields in the CSV are blank. Blank fields will remove existing phone numbers and populating the blank fields with $null results in $null being set as the phone number.

Import-Csv "c:\admin\test\teamtest.csv" | ForEach-Object { Set-QADUser -Identity $_.displayname -Office $_.office -PhoneNumber $_.phonenumber }

How can I make import-csv bypass setting (or clearing) any value for a blank field?

I'm using Active Roles 1.4.

Thank you,
Robert
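A version of the import that only sends the columns that actually carry a value, as an added example that is not the poster's one-liner. The column names are the ones from the post (displayname, office, phonenumber); the column-to-parameter map is an assumption to extend for other columns.

```powershell
# Added example: blank CSV cells are skipped instead of being written as '' or $null.
$csvPath = 'c:\admin\test\teamtest.csv'

# CSV column -> Set-QADUser parameter (assumed mapping; add your other columns here)
$columnToParameter = @{
    office      = 'Office'
    phonenumber = 'PhoneNumber'
}

function Get-UpdateParameters($row)
{
    $params = @{ Identity = $row.displayname }
    foreach ($column in $columnToParameter.Keys)
    {
        $value = $row.$column
        # Import-Csv returns a blank cell as an empty string; skip empty or whitespace-only values
        if ($value -ne $null -and $value -match '\S')
        {
            $params[$columnToParameter[$column]] = $value.Trim()
        }
    }
    return $params
}

Import-Csv $csvPath | ForEach-Object {
    $params = Get-UpdateParameters $_
    if ($params.Count -gt 1)
    {
        # Splatting passes only the parameters collected above, so blank columns are never sent
        Set-QADUser @params
    }
    else
    {
        Write-Verbose "Nothing to update for $($_.displayname)"
    }
}
```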
