Channel: Software Communities : Popular Discussions - ActiveRoles

Cannot validate argument on parameter


Hi all,

 

I try to run a PowerShell script from a policy rule, but get an error in the EDM Server log. Is there anyone who can explain why this happens?

 

 

This is the beginning of the script:

 

function onPostModify($Request) {
    $displayName = [string]$Request.Get('displayName')
    $alias       = [string]$Request.Get('sAMAccountName')
    # Same error > $alias       = $Request.Get('sAMAccountName')

...
}

 

Error:

 

Log Name:      EDM Server

Source:        EDM

Date:          03.08.2011 14:46:58

Event ID:      2000

Task Category: Policy

Level:         Error

Keywords:      Classic

User:         <removed>

Computer:      <removed>

Description:

Post-processing operation on object caused a policy violation.

Policy: Runs the script '<removed>'

Object: CN=Benjamin Test,OU=Users,DC=one,DC=two

Details: The 'Script Execution' policy encountered an error when running the script '<removed>'. Cannot validate argument on parameter 'Alias'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="EDM" />

    <EventID Qualifiers="49152">2000</EventID>

    <Level>2</Level>

    <Task>2</Task>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2011-08-03T12:46:58.000Z" />

    <EventRecordID>314508</EventRecordID>

    <Channel>EDM Server</Channel>

    <Computer><removed></Computer>

    <Security UserID="<removed>" />

  </System>

  <EventData>

    <Data>Runs the script '<removed>'</Data>

    <Data>CN=Benjamin Test,OU=Users,DC=one,DC=two</Data>

    <Data>The 'Script Execution' policy encountered an error when running the script '<removed>'. Cannot validate argument on parameter 'Alias'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.</Data>

  </EventData>

</Event>

 


Need help with powershell script to select the smallest exchange DB for e-mail creation.


Need help with powershell script to select the smallest exchange DB for e-mail creation.

I am trying to add a script to my new user policy to select the smallest db to build the mail box.

I have the script selecting the correct db but it doesn't pass the value back to ARS for the mail box creation.

I have added event logging and can see the values being selected.

Then I get an error in the eventlogs, 

 

Details: The 'Script Execution' policy encountered an error when running the script 'test'.

At line: 85 char:34. Exception calling "SetEffectivePolicyInfo" with "3" argument(s): "Object reference not set to an instance of an object."



Here is line 85

85)  $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_DISPLAY_NOTE, "The value is offered by administrative policy")

86)  $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_GENERATED_VALUE, $arr)

}

}



Any assistance would be great!



I am also looking for a manual that explains how to get powershell script to work with ARS.

Like definitions to

$Constants.ADSTYPE_CASE_IGNORE_STRING

$Request.SetEffectivePolicyInfo

$Constants.EDS_EPI_UI_DISPLAY_NOTE

 $Constants.EDS_EPI_UI_GENERATED_VALUE



ARS self-service approval

I am trying to set up ARS self service. I think I have everything working correctly except approval. When a user requests to be a member of a group, the manager of the group never receives notification of the request and there are no pending approval tasks. Any idea where I can start looking to try and figure this out?

Upgrade Web Interface from 6.7 to 6.8 failed


Hello,

 

We want to upgrade our Active Roles in the lab from 6.7 to 6.8. The Administration Service and the MMC upgrade work as expected. Only the Web Interface upgrade fails with an error.

ARS.PNG

 

Is there any log we can look at to see why the installation failed?

 

Thanks,

 

Martin

ActiveRoles Add-On Manager 1.0.0 in ActiveRoles 6.8 MMC?


I wonder, has anyone satisfactorily used Add-On Manager 1.0.0 in the Quest One ActiveRoles MMC 6.8.0.4269?

 

 

 

When I attempt to add an add-on I receive a message “Failed to install the add-on.  The same or higher version of this add-on is already installed.   Version of new add-on: 0.0.1 Version of the installed add-on: 0.0.1”

 

I have attempted changing the add-on's file name and editing the <Version major="0" minor="0" build="1" /> XML element to <Version major="1" minor="1" build="1" /> but it just gives the same message with the different version. None of the objects included in the .arsaddon file are present in the ActiveRoles configuration, so there is no clash over content.

 

If I create a new add-on and then use the "Install add-on from file" command - the Failed to install the add on due to version already installed message is generated 

 

 

 

Would be interested if anyone else has had this error and if it's a silly mistake by me or a problem with 6.8 MMC

 

 

Rgds - Martyn

Script or Report on accounts scheduled for deletion?


Hey Group,

 

I am new here, but this is a great community!  We have a need to notify some people when accounts will be deleted and this report has to include a couple of attributes of the user account. We've been searching for a way to do this and the only value that seems to make sense to use for the report is the "evsadeletiondate" that is stamped on accounts after they run through the deprov process.

 

Anyone know if there is a script or report that will do this? It has to be the same day or just before the account is deleted, as we log certain information like fax numbers, mobile, office location, and so forth.

 

I am new to powershell so I haven't figured out how to write a script that would pull the info and then filter out the items I need, etc.


Thank you!
Jake

Dynamic Group Membership Rules Dump Question


Hi,

I realize that this would be unsupported stuff, but I was hoping an ARS developer can shed some light on the dynamic group membership rules stored in the <DynamicGroupXML> tag in accountNameHistory of the group object.

 

I couldn't find any documentation on a method (cmdlet, script, etc.) to dump the group membership rules in ARS, so I wrote a script to parse out the accountNameHistory attribute on the group objects. For the most part, I get the rules parsed out OK, but I am unable to determine what OU base (searchroot) the LDAP is searching from. Where is this information stored? It does not appear in any of the attributes, so I assumed it would be in the GUID for the query.

 

find_window.png

 

In an "Exclude/Include by Query" (0x1,0x2), I assumed the GUID specified referred to the objectGUID of the OU object (seen as "JUST" in the picture above), but the GUID does not seem to resolve to anything (see below example). So... I tried searching the ARS database and found tons of references to WfSharedTasks and WfSharedOperations, but nothing too useful to indicate searchroot. Darn!

 

for example:

<?xml version="1.0"?>

<DynamicGroupXML Conditions="

[0x2;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Exclude by query, GUIDs are a mystery! nay!

[0x1;83b37ab7-c599-45d2-abc3-1d586fc743d0;<some_super_long_ldap_filter>] <--- Include by query, GUIDs are a mystery! nay!

[0x5;99b0e558-be46-43eb-80cb-72550b4235f3;] <--- Explicitly exclude user, GUIDs resolve to actual users, yay!

[0x4;995dafc1-cb59-4a5d-b25a-2b51d24fcce2;] <--- Explicitly include user, GUIDs resolve to actual users, yay!

[DG]" OriginatingService="97fd9b18-6024-4b74-936d-10efb2513c1b" TimeStamp="2013-06-24T09:00:01.0977348Z" HasNestedGroups="FALSE"/>

 

Any info to shed light on dumping membership rules would be much appreciated!!

 

thanks!

Chris
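
A parser for the Conditions layout shown in the post above, as an added example that is not part of the original post and not Quest code. It assumes only the four rule type codes named in the post; the GUIDs, the LDAP filter and the OriginatingService value in the sample are constructed, and ConvertFrom-DynamicGroupXml is a hypothetical helper name.

```powershell
# Added example: parse the Conditions attribute of a <DynamicGroupXML> element
# into one object per membership rule.

# Rule type codes exactly as named in the post; any other code is reported as Unknown.
$RuleTypes = @{
    0x1 = 'Include by query'
    0x2 = 'Exclude by query'
    0x4 = 'Include explicitly'
    0x5 = 'Exclude explicitly'
}

function ConvertFrom-DynamicGroupXml {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Xml
    )

    # The [xml] cast decodes entities such as &amp; inside the LDAP filter.
    $element = ([xml]$Xml).DynamicGroupXML
    if ($null -eq $element) {
        throw 'Input does not contain a <DynamicGroupXML> element.'
    }

    # Each rule has the form [0x<type>;<guid>;<LDAP filter or empty>].
    $pattern = '\[(?<type>0x[0-9A-Fa-f]+);(?<guid>[0-9A-Fa-f-]{36});(?<filter>[^\]]*)\]'

    # Anything left over besides the trailing [DG] marker means the layout
    # differs from what the post shows, so report it instead of dropping it.
    $leftover = [regex]::Replace($element.Conditions, $pattern, '').Replace('[DG]', '').Trim()
    if ($leftover) {
        Write-Warning "Unparsed text in Conditions: $leftover"
    }

    foreach ($match in [regex]::Matches($element.Conditions, $pattern)) {
        $code = [Convert]::ToInt32($match.Groups['type'].Value, 16)
        $rule = if ($RuleTypes.ContainsKey($code)) { $RuleTypes[$code] } else { 'Unknown' }

        [pscustomobject]@{
            TypeCode   = '0x{0:X}' -f $code
            Rule       = $rule
            Guid       = $match.Groups['guid'].Value
            LdapFilter = $match.Groups['filter'].Value
            TimeStamp  = $element.TimeStamp
        }
    }
}

# Constructed sample in the layout quoted in the post (all values are made up).
$sample = @'
<?xml version="1.0"?>
<DynamicGroupXML Conditions="
[0x2;11111111-1111-1111-1111-111111111111;(&amp;(objectClass=user)(department=Sales))]
[0x1;11111111-1111-1111-1111-111111111111;(&amp;(objectClass=user)(title=Manager))]
[0x5;22222222-2222-2222-2222-222222222222;]
[0x4;33333333-3333-3333-3333-333333333333;]
[DG]" OriginatingService="44444444-4444-4444-4444-444444444444" TimeStamp="2013-06-24T09:00:01.0977348Z" HasNestedGroups="FALSE"/>
'@

ConvertFrom-DynamicGroupXml -Xml $sample | Format-Table -AutoSize
```

The output lists the include and exclude rules of a group side by side, which is the form needed when reviewing who a dynamic group can pull in. It does not resolve the query GUIDs, which the post leaves open.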

Undo deprovisioning with FIM


We use FIM for our provisioning/deprovisioning process. Since the ARS attribute 'edsvaDeprovisionType' will automatically clear as soon as a user is deprovisioned (flips from 1 to null), FIM can't use the attribute to programmatically deprov a user since it does not import null values. So, we used our own VA that stays on a value (1 or 0) for the deprov status and that works great (see script below).

 

We have since upgraded ARS to a version that supports the undo deprovision and are in the same boat again. ARS uses the 'edsvaUnDeprovision' attribute to trigger an undo; however, it immediately goes to a null value upon completion, which will not work with FIM.

 

Since it has been a while since we've had this in place, I'm a little rusty, and the new version (6.8) may have a better way to script it than we do today. Anyone have any ideas on modifying the script below to now incorporate an "UNDO" deprov process that FIM can use (and if needed, clean up the current script for deprov)? Also, I'm fine with suggestions on flipping it to using PowerShell instead as well.

 

 

 

 

Option Explicit

Dim strAMPM

' ================================================================================
' Script:  Deprovisioning VA Management
'
' This script implements the amcvaDeprovision virtual attribute used to control
' deprovisioning and reactivation of user accounts in ARS from FIM
'
' ================================================================================

' Custom errors used in this script
Const AMC_ERR_DEPROVISION_CMD = 1

' Names of custom attributes
Const AMC_DEPROVISION_VA = "amcvaDeprovision"

' Names of ARS attributes
Const ARS_DEPROVISION_TYPE = "edsvaDeprovisionType"
Const ARS_DEPROVISION_STATUS = "edsvaDeprovisionStatus"
Const ARS_DEPROVISION_DELETE_DATE = "edsvaDeprovisionDeletionDate"

' ================================================================================
' ARS event handlers
' ================================================================================

Sub onPreModify(Request)

    Dim deprovisionCommand

    ' Only manage the amcvaDeprovision attribute for 'user' objects
    If Request.Class <> "user" Then Exit Sub

    ' Verify whether the VA amcvaDeprovision is modified
    deprovisionCommand = Request.Get(AMC_DEPROVISION_VA)
    If VarType(deprovisionCommand) <> vbEmpty Then
   
        EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, _
            "(onPreModify) deprovisionCommand = " & deprovisionCommand

        Select Case deprovisionCommand
            Case 0
                ' Reactivate a deprovisioned user object
                Reprovision(Request)
           
            Case 1
                ' Start deprovisioning for this user object
                Deprovision(Request)
               
            Case Else
                ' Unknown command. Generate a fatal error
                Err.Raise vbObjectError + AMC_ERR_DEPROVISION_CMD, AMC_DEPROVISION_VA, _
                    "Invalid deprovision command value: " & deprovisionCommand
        End Select
    End If
   
End Sub


Sub onPostGet(Request)

    ' Only manage the amcvaDeprovision attribute for 'user' objects
    If Request.Class <> "user" Then Exit Sub

    ' Verify whether the VA amcvaDeprovision is requested
    If Request.IsAttributeRequested(AMC_DEPROVISION_VA) Then
        ' Get the requested deprovisioning status
        GetDeprovisionStatus(Request)
    End If

End Sub

' ================================================================================
' Deprovision
'
' This function triggers deprovisioning of the user object in ActiveRoles Server
' ================================================================================

Sub Deprovision(Request)

    EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, _
        "(Deprovision) Trigger deprovisioning for user " & Request.Name

    ' Trigger deprovisioning of the user object in ARS by setting the value of the
    ' edsvaDeprovisionType attribute to 1
    DirObj.Put ARS_DEPROVISION_TYPE, 1
    DirObj.SetInfo
   
End Sub

' ================================================================================
' Reprovision
'
' This function reactivates a previously deprovisioned user object in
' ActiveRoles Server
' ================================================================================

Sub Reprovision(Request)

    Dim currentDate, dateString

    EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, _
        "(Reprovision) Reactivate deprovisioned user " & Request.Name

    ' Clear ARS deprovisioning status attributes
    Request.PutEx ADS_PROPERTY_CLEAR, ARS_DEPROVISION_STATUS, vbNullString
    Request.PutEx ADS_PROPERTY_CLEAR, ARS_DEPROVISION_DELETE_DATE, vbNullString

    ' Set the description attribute
'    currentDate = Now
'    dateString = Month(currentDate) & "/" & _
'        Day(currentDate) & "/" & _
'        Year(currentDate) & " " & _
'        Hour(currentDate) & ":" & _
'        Minute(currentDate) & ":" & _
'        Second(currentDate)

    currentDate = Now()

    If DatePart("h", currentDate) >= 12 Then
        strAMPM = "PM"
    Else
        strAMPM = "AM"
    End If

    dateString = Right("0" & DatePart("m", currentDate), 2)      & "/" & _
                 Right("0" & DatePart("d", currentDate), 2)      & "/" & _
                 Right("000" & DatePart("yyyy", currentDate), 4) & " " & _
                 Right("0" & DatePart("h", currentDate), 2)      & ":" & _
                 Right("0" & DatePart("n", currentDate), 2)      & ":" & _
                 Right("0" & DatePart("s", currentDate), 2)      & " " & _
                 strAMPM

    Request.Put "description", "Reactivated - " & dateString

End Sub

' ================================================================================
' GetDeprovisionStatus
'
' This function returns the deprovisioning status for the user account
' ================================================================================

Sub GetDeprovisionStatus(Request)

    On Error Resume Next

    Dim deprovisionStatus

    ' Retrieve the value of the attribute edsvaDeprovisionStatus
    ' and set the attribute amcvaDeprovision in the object Request to that value
       
    Err.Clear
    DirObj.GetInfoEx Array(ARS_DEPROVISION_STATUS), 0
    deprovisionStatus= DirObj.Get(ARS_DEPROVISION_STATUS)
    If Err.Number = 0 Then
        Request.Put AMC_DEPROVISION_VA, 1
    Else
        Request.Put AMC_DEPROVISION_VA, 0
    End If

End Sub


Including a Script in a Deprovisioning Policy


Hi all,

 

I'm trying to write a script which is to be included as part of the deprov process and will, hopefully, move a user's profile folder from its original location (in the \\server1\profile$ folder) into a sub folder in that location (server1\profile$\deprovisioned). It doesn't seem like a particularly tricky thing to do but I just can't seem to get it working.

 

I just noticed that in the properties of the Default Company Deprovisioning Policy, under the Policies tab, while all the other policies have small red arrows pointing top left by their icons (indicating they're part of the deprovisioning process), the icon for the script does not:

QuestDeprv.jpg

Does this indicate that the script won't run as part of the deprovisioning process? Is there something I need to enable/check to ensure the script gets the red arrow/becomes part of the deprov process?

 

 

The other possible reason is that the script I've written isn't formatted properly:

 

 

function onDeprovision($Request)
{
     if ($Request.class -eq "user")
     {
          $sAMAccountName = $Request.Get("sAMAccountName")
          Move-Item "\\server1\profile$\$sAMAccountName" "\\server1\profile$\Moved"
     }
}

 

 

Either way I'm slightly stumped so any help you could provide would be much appreciated!

Thanks

Find an OU Within All Managed Units Powershell


I'm looking for a set of powershell commands that will allow me to search for a provided OU name within the container for all Managed Units (so the DN is "CN=Managed Units,CN=Configuration") and return the Managed Unit that the group falls under.

 

As a rough example the structure would be similar to:

 

>Configuration
     >Managed Units
          >Managed Unit Container
          >Managed Unit Container
               >Managed Unit
                    >OU group I want
               >Managed Unit Container
          >Managed Unit

 

In the tree structure you can see it will be a variety of managed unit containers and managed units at different levels of the tree. I'm just not sure how to traverse the structure to find the necessary managed unit that holds the given OU group. Any ideas? Thanks!

Are fields that are mapped to virtual attributes modifiable?


I am using ARS 6.7 and I have two custom fields on the web interface that are mapped to virtual attributes (user object).  I cannot seem to get them to change from being read-only, although their properties are NOT set to read-only.   This happens even if an ARS Admin is using the web interface.

 

On the same web page, I have another custom field that was mapped to an attribute in Active Directory, which I could successfully change to modifiable after changing its properties from being read-only.

 

The admin guide for web interface was not helpful.  Any idea on what I am doing wrong, as it seems like it should be a very simple fix?

 

Thanks.

How to query AD for a list of users who are Active ONLY


Hi, I would like to query AD using PowerShell to get a list of all our users that are active, etc. However, when I run the query, I receive all users that are both disabled and active. What is the query to show me only ACTIVE?

 

This is what I have so far...

 

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADUser -objectAttributes @{employeeID='*'} | select-Object firstname, lastname, employeeID, email, sAMAccountName, AccountisDisabled="false" | Export-Csv "C:\SUS-HR-DATA\Email_Address_Export\Email_Address_Export.csv" -NoTypeInformation

 

I have tried to substitute "AccountisDisabled" with multiple suggestions from online (edsaAccountIsDisabled, etc), but no luck.

 

Thanks,

Artie

Issues with Get QADGroupMember cmdlet


One department in my company executes a script that counts the members of a domain group and checks whether they are active or disabled, but the script is giving me the following error:

Get-QADGroupMember : The object does not exist.
At E:\bulk-admin\NewLDAP_synch.ps1:92 char:24
+ $a = Get-QADGroupMember <<<< 'agnirvine\IR-SecureIDToken' -Type 'user' -SizeLimit 0 -Disabled -Indirect
    + CategoryInfo : NotSpecified: (:) [Get-QADGroupMember], DirectoryAccessException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupMemberCmdlet

Get-QADGroupMember : The object does not exist.
At E:\bulk-admin\NewLDAP_synch.ps1:34 char:24
+ $a = Get-QADGroupMember <<<< "agnirvine\IR-SecureIDToken" -Type 'user' -SizeLimit 0 -Indirect
    + CategoryInfo : NotSpecified: (:) [Get-QADGroupMember], DirectoryAccessException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupMemberCmdlet

Set Expiry Date based on value of another property


Hi,

 

Hope someone can point me in the right direction.

 

On one screen I have a dropdown list for the EmployeeType attribute (i.e. Perm, Temp).

On another tab is the Expiry Date.

 

I want to make sure that if Perm is selected for Employee Type, the expiry date is left as Never (greyed out so it can't be changed would be ideal).

 

If Temp is set then Never is not allowed to be used, rather a future date has to be set.

 

Please can someone advise how I would do this ?

 

Thanks

Andy

Exchange 2003 to Exchange 2010


Hi Guys.

 

Looking for some advice and guidance. Right now we are running ARS 6.8 and MS Exchange 2003 and are currently getting close to moving our first office over to Exchange 2010 on the backend. Right now I have the following setup:

 

UK

 

2 x Active Roles Administration Services

 

1 x Active Roles WI

 

 

|

|

SQL Replication from UK to US

|

|

 

1 x Active Roles Administration Services

 

1 x Active Roles WI

 

So based on the above setup, is there anything I need to do in order to support Exchange 2010? I was thinking, and I might be wrong, that I need another Admin Service with the Exchange 2010 tools installed?

 

How would you handle the two different versions of Exchange with ARS?

 

Thanks in advance


Attachment in Notifications (workflow)


Hello!!

 

Is it possible to add an attachment to notification messages via workflow?

 

ARS 6.7

 

 

 

Thanks!

 

 

Phil

Use ActiveRoles cmdlets to clear "comment" attribute (used by Password Manager by default)


***USE AT YOUR OWN RISK***

 

The following script reads a CSV file list of usernames and clears their "comment" attribute in Active Directory.  This can be useful when dealing with Quest One Password Manager which uses the "comment" attribute, by default, to store user profile information.  Please note that this script makes use of the ActiveRoles Management Shell cmdlets.

 

 

## Begin Script

# Return the folder that contains this script
function Get-ScriptDirectory
{
    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
    Split-Path $Invocation.MyCommand.Path
}

$workingDirectory = Get-ScriptDirectory
$inputFilePath = Join-Path $workingDirectory "users.csv"

# Clear the "comment" attribute for every username listed in users.csv
Import-Csv($inputFilePath) | ForEach-Object {
    Set-QADUser -Identity $_.username -ObjectAttributes @{'comment'=$null}
    #Get-QADUser -identity $_.username -includeAllProperties | Format-List comment
}

## End Script

 

 

 

 

The "users.csv" file must be located in the same folder as the script itself.  The very first line of the "users.csv" file must only contain the word "username", all lower case.  I have attached a blank "users.csv" as a template.  Place each user's username on a new line below the first line containing "username".

Get-QADComputer and serialNumber


I am having a problem with obtaining the serialNumber attribute for computer objects in Active Directory using the Get-QADComputer cmdlet.

Using the following code, I get nothing back

 

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

 

However if I connect to the ARS service...

 

connect-QADService -proxy

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

 

It works and returns the contents of the serialNumber attribute.

 

Why won't the get-QADComputer cmdlet return the native attribute of serialNumber when connected to a domain controller?

Deprovision Out of Office Configuration


Dear reader, 

 

After I configured the user deprovision policy setting Out of Office Configuration (test policy), I'm getting this error returned when I run deprovision:

Administrative Policy returned an error. The 'Out of Office Message Configuration' policy encountered an error. At line: 98 char:16. Exception calling "send" with "1" argument(s): "The download of the specified resource has failed.

 

So I searched the quest.com site and found the following document: http://communities.quest.com/docs/DOC-10852

It seems this was an add-on for ActiveRoles 6.7 and got integrated with ActiveRoles 6.8 (correct me if I'm wrong). A comment on the page shows that a user has the same problem as me. He says he used one of the HUB-CAS servers and then got a different error returned.

So I'm kind of curious to know what kind of server I need to use, because I tried the following kinds of servers:

Exchange (SMTP) Server
HUB-CAS servers
Webmail link (with exchange .asmx)

but all gave back the same error.

 

I've raised a ticket with AR6.8 Support, but he told me I should try the forums because they don't support add-ins (but I think this is now a 6.8 feature?).

Yes, you are right, this add-on doesn't work properly on ARS 6.8 version, I did some test on lab but I was unable to make it work fine.

 

So I hope someone can help me out here.
