Quantcast
Channel: Software Communities : Popular Discussions - ActiveRoles
Viewing all 1277 articles
Browse latest View live

Unknown error (0x80041452)

October 26, 2010, 8:32 am
$
0
0
Hi

I've had a working C# application for months.  It runs daily to query ARS (AD) to see which accounts are being automatically deleted.  It uses the returned query results to email application owners to let them know to remove the users.

As I said, it has been working without fault for months.  Last wednesday it stopped working and all the error message that I get is "Unknown error (0x80041452)".  The error happens  when doing the "SearchResultCollection src = searcher.FindAll();".  The full code snippet is below.

I tried googling this, but all I get back is a single Quest forum thread with a different problem.

If any one has hit this before, or has any ideas, I'd appreciate it.

Thanks
Nick

DirectoryEntry dirEntry = null;

IADsOpenDSObject iADsOpenDSObject = null;

IADs iads = null;

try

{

iADsOpenDSObject = (IADsOpenDSObject)Marshal.BindToMoniker("EDMS:");

iads = (IADs)iADsOpenDSObject.OpenDSObject("EDMS://XXXXXXXXXXX.xxxxxx.com/OU=XX,OU=XXX,DC=xxxxxx,DC=com", @"domain\adminid", "XXXXXXXXXX", 32768);

if (newway)

{

dirEntry = new DirectoryEntry(iads);

DateTime datetimer = DateTime.Today.Date;

string searchFilter = "(&(edsvaDeprovisionDeletionDate>= " + datetimer.ToShortDateString() + " 12:00AM)(edsvaDeprovisionDeletionDate<= " + datetimer.ToShortDateString() + " 11:59PM))";

DirectorySearcher searcher = new DirectorySearcher(dirEntry, searchFilter, new string[] { "samaccountname", "sn", "givenname" }, SearchScope.Subtree);

SearchResultCollection src = searcher.FindAll();



Search

Script or Report on accounts scheduled for deletion?

January 25, 2012, 7:44 pm
$
0
0

Hey Group,

 

I am new here, but this is a great community!  We have a need to notify some people when accounts will be deleted and this report has to include a couple of attributes of the user account. We've been searchin for a way to do this and the only value that seems to make sense to use for the report is the "evsadeletiondate" that is stamped on accounts after they run through the deprov process.

 

ANyone know if there is a script or report that will do this, but it has to be the same day or just before the account is deleted as we log certain information like fax numbers, mobile, office location, and so forth. 

 

I am new to powershell so I haven't figured out how to write a script that would pull the info and then filter out the items I need, etc.


Thank you!
Jake

Trap error user already exists

March 27, 2012, 5:19 am
$
0
0

When trying to create an user which already exists usign the cmdlet new-qaduser it returns an error. I would like to capture this error using trap, but this doesn't work.

I have created a sample script (the user should exist):

 

function test{

    trap{

            write-host "ERROR!!!!"

            return $false

        }

 

    try {

 

        new-qaduser test -parentcontainer "ou=user,dc=test,dc=nl"

 

    }catch{

        throw "Error"

    }

}

 

The error I receive:

 

New-QADUser : The object already exists.

At line:7 char:20

+         new-qaduser <<<<  test -parentcontainer "ou=user,dc=test,dc=nl"

    + CategoryInfo          : NotSpecified: (CN=test,ou=user,dc=test,dc=nl:String) [New-QADUser], ObjectAlreadyExi

   stsException

    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.NewUserCmdlet

 

How can I capture this error?

Issues Retrieving Task parameters in a scheduled task.

July 29, 2013, 9:15 am
$
0
0

I'm having issues with retrieving task parameters in a scheduled task.

 

I'm running Version: 6.8.0.4269

 

I've tried the following two methods:

 

Method 1:  As per: http://communities.quest.com/message/18927#18927

 

function Get-Param($name)

{

foreach($v in $task.Dirobj.Parameters)

{

if ($v.name -eq $name)

{

$v.Value

break;

}

}

}

 

$OrgUnitToQuery = Get-Param("OrgUnitToQuery")

 

The debug info looks like this:

DEBUG: 123+ foreach($v in >>>> $task.Dirobj.Parameters)

Call '$Task.get_DirObj'

Call '$DirObj.Parameters'

DEBUG: ! SET $foreach = 'System.__ComObject System.__ComObject System.__ComObj...'.

DEBUG: 123+ foreach( >>>> $v in $task.Dirobj.Parameters)

DEBUG: ! SET $foreach = ''.

DEBUG: 131+ >>>> }

DEBUG: ! SET $OrgUnitToQuery = ''.

 

And the $OrgUnitToQuery value is blank.

If I added an eventlog entry in the ForEach block, but before the IF block, the EventLog is never fired (indicating to me that it THINKS that the object is empty.



 

Method 2: from the 6.8 SDK in the seciton titled: Using Parameters in Scheduled Task Scripts



$TestAuditOnly = $Task.DirObj.Parameters("TestAuditOnly")



And the script fails, and the debug info looks like this:



DEBUG: 164+ >>>> $TestAuditOnly = $Task.Dirobj.Parameters("TestAuditOnly")



 Call '$Task.get_dirobj'

ERROR:

At Line: 164 char:1. Method invocation failed because [Quest.ActiveRolesServer.Service.CorePolicies.PowerShellDirObj] doesn't contain a method named 'Parameters'.



What am I missing?  This is driving me batty.

 

P.S.  The rest of the script functions fine when executing in PowerGUI.

Undo Deprovisioning and setting password

August 7, 2013, 8:32 am
$
0
0

I am trying to automate the re-provisioning of a users account, reset their password, and send their manager the new password.  The issue that I'm seeing to two different things.  1) I assign an ARS VA to the newly generated password - I do this with account provisioning and it shows up on the provisioning notification - I can check and see that this attribute is set, and when I log on with the re-provisioned user with that password, I get in fine.  But it is not showing on the re-provisioning notification.  2) I check to include the manager of the object in the recipients of the notifcation, but the manager is not being put on the email.

 

The system that is setup is a SQL table that syncs from Workday to ARS via Quick Connect.  The two things I need to do is to set not only the EndDate in the SQL table, but also the AccountExpires Attribute in AD.  The standard undo de-provisioning 'wizard' doesn't allow this, thus I'm trying to automate it.  I've tried to use the 'onPreUnDeprovisiong', 'onPostUnDeprovisioning', and even the 'onPostModify', 'onPreModify' events to perform all the actions I am needing done.  But, these do not seem to set the values that are needed.  So, I've created a PoSh script to perform the actions and rely on the Policies\Workflow to send out the notifications.  The only thing that I can think of to do would be to eliminate the ARS Notfication and add a notification from the PoSh script.  But, I'd rather not have to resort to that action.

 

One other issue that I've been having is on the conversion of the date value to and from the AD Objects' AccountExpires Attribute.  To retrieve and convert to a readable date, I must subtract two days.  To write to the attribute I need to add two days to set the AD Object to the correct date.

 

Thoughts? Guidance? Suggestions?  More info?

Deprovisioning/Undo Deprovisioning History migration long after the upgrade

November 28, 2012, 12:54 am
$
0
0

Hello all,

 

We migrated from 6.5 to 6.7 by adding new servers for 6.7, leaving the 6.5 ones out there for use by help desk and the Self-Service users while we the infrastructure team used 6.7. I do not recommend this, but we just really didn't know any better. I wasn't in the loop when the upgrade/migration took place, but the whole "change history migration" thing looks to have been written off as unnecessary.

 

Anyhow, my attempts to manually populate the edsvaDeprovisionReportXML field for an account that we now want to undeprovision via the Set-QADUser -ObjectAttributes @{...} route failed utterly.

 

Other suggestions? Is there anything I could pull from the 6.5 SQL database and push into the 6.7 one? Is running the change history migration wizard now harmless, or would it cause more problems than it would solve? I would prefer to operate only on the accounts that are deprovisioned, in the spirit of minimizing the chances of harm.

 

Thanks!

How to Deprovission an account on a particular date?

August 7, 2013, 6:50 am
$
0
0

I am looking for scripts and instructions on how to create a deprovision task that allows you to deprovision a user on a specific date. Ideally you would have the option to deprovision immediately with an option tp select a date/time for deprovisioning.

Script for Powershell in order to pull data from AD

April 9, 2012, 1:20 pm
$
0
0

Hi All, im new to powershell and need to extract out some data.

 

I need every employee that is ACTIVE along with this criteria...

 

samAccountname

employeeID

department

status

mail

title

 

I got the correct names out of Active Roles, but now i need to run this in powershell and dump it to a CSV, can anyone generate a script for this?

 

Thanks!

Artie

Search

Cannot send emails to new Query-based Distribution Group.

November 10, 2010, 6:06 pm
$
0
0
I created a new QBDG with the following details:

Name: Mailing List- MyCompany
Custom Filter: (&(!cn=SystemMailbox{*})(company=MyCompany)(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))
Scope: Whole Domain

The aim of the QBDG is to create a distribution Group for all members of the company MyCompany which are not disabled accounts and not system mailboxes.

Preview shows the correct results.

Interestingly, the new QBDG appears in Exchange 2007 with no email addresses as the "Automatically update email addresses based on email address policy" checkbox is not checked. I checked this and the QBDG obtains an email address.

The problem here is that I cannot send to the QBDG. When I do, I get the error:

[===========================================]

Delivery has failed to these recipients or distribution lists:

xxxMailing List- MyCompany
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

  _____ 

Sent by Microsoft Exchange Server 2007



Diagnostic information for administrators:

Generating server: myexchangeserver.mycompany.local

IMCEAEX-_O=NT5_ou=2184165AD80E7C48BE45E41AC221DD0D_cn=36BCFCACDCD38A4783F4559E4296974A@myexternaldomain.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

Original message headers:

Received: from myexchangeserver.mycompany.local ([192.168.1.100]) by myexchangeserver.mycompany.local
 ([192.168.1.100]) with mapi; Thu, 11 Nov 2010 12:46:57 +1100
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: MyUserName <MyFirstName.MyLastName@mycompany.com>
To: xxxMailing List- MyCompany
    <IMCEAEX-_O=NT5_ou=2184165AD80E7C48BE45E41AC221DD0D_cn=36BCFCACDCD38A4783F4559E4296974A@myexternaldomain.com>
Date: Thu, 11 Nov 2010 12:46:55 +1100
Subject: TEST
Thread-Topic: TEST
Thread-Index: AcuBQlH/bbEshypLSXq/l8qy4e8n3g==
Message-ID: <D62E8BA531547A4E8A72E9F8062C945A18AA6993A0@myexchangeserver.mycompany.local>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <D62E8BA531547A4E8A72E9F8062C945A18AA6993A0@myexchangeserver.mycompany.local>
MIME-Version: 1.0

[===========================================]

Does anyone know why I cannot send to this QBDG?




Message was edited by: ActiveRolesAdmin

Move Users from one Security Group to Another based on Attribute

April 30, 2013, 11:58 am
$
0
0

Greetings,

 

I'm sure info on this is somewhere but really in a crunch.  How can I use powershell to move a number of users from one security group to another based on an attribute.  Not ready for dynamic groups at this time; just need to move them.  Alternatively, I could use a .csv to import the list to move SG membership, but they need to be out of the original SG.

 

Any help appreciated.

 

Thanks.

 

-Steve

Calling FTP within a post create script

May 2, 2013, 3:13 am
$
0
0

Hi,

 

After I create a user in AD using Active Roles, I export the user to a file and want to FTP it to our HR system. (don't ask!!)

 

So the script runs fine if I run it in native Powershell (with Quest extensions)

 

However as a post create script.  the last section which is FTP to the HR. doesn't work.  (I can't even seem to see FTP logs)

 

Sorry about my bad scripting but new to PS .....   Anyone have any thoughts on why the FTP funtion doesn't work or it there is another way to FTP (my only option)

 

 

 

function onPostCreate($Request)

{

<#

.DESCRIPTION 

    Script to Query and export to file the required Attributes for contingent worker interface

.NOTES 

    File Name      : contuserOUT.ps1 

    Author         : Peter dodgy

    Prerequisite   : PowerShell V2 and the QUEST SnapIns (expecting the script to be run from ARS.)

    NotCopyright 2013 - Please use and abuse. 

    Warrenty : Dream on.  This script comes as is

 

#>

 

 

# Setup some variables File Names..

$Filedate = Get-Date -format "ssmmHHddMMyyyy"

$ExportLoc = "c:\StaffLink\Export\"

$ExportFileName = "$Filedate.dat"

$ExportFile = "$ExportLoc$ExportFileName"

 

 

$ADouSearch = "OU=NewUsersContingent,OU=AccountProvisioning,DC=nswhealth,DC=net"

$congWorkAtt = "NSWH-EmployeeID","NSWH-StartDate","givenName","initials","sn","NSWH-DoB","NSWH-Gender","company"

 

<#Check if the ARS User Only#>

   if ($Request.Class -ine 'user') {exit}

 

<# Connection to ActiveRoles Server rather than AD LDAP #>                     

 

    Connect-QADService -service localhost -proxy

 

 

Get-QADUser $Request.Name -proxy -SearchRoot $ADouSearch -DontUseDefaultIncludedProperties -IncludedProperties $congWorkAtt | Select-Object $congWorkAtt | Export-Csv -encoding "unicode" -path $ExportFile -Delimiter "|" -NoTypeInformation

 

 

#Format the file into StaffLink Format...

#(gc $ExportFile) -replace('"','') | Out-File $ExportFile -Force

#$csv = Get-Content $ExportFile

#$csv = $csv[1..($csv.count - 1)]

#$csv > $ExportFile

 

______________ works to this point in QARS ___________________________

 

#FTP TO STAFFLink

$Username = "ftpuser"

$Password = "P@assw0rd"

$Server = "10.112.232.143"

$dir = "/"

"open $Server

user $Username $Password

binary 

cd $dir    

" +

($ExportFile | %{ "put ""$_""`n" }) | ftp -i -in

 

 

}

Script to ask for Expiry Date if user is created as a Temp

February 7, 2013, 11:46 pm
$
0
0

Hi All

 

Upon New User Creation I need a script or way that will set an expiry date of my choice or set it to once month ahead if the user is setup as a Temporary User (See below)newuser.JPG

 

Any help greatly appreciated.

How to create bulk users using ActiveRoles Management Shell based on csv and make use of ARS policies?

February 27, 2012, 4:02 am
$
0
0

Greetings,

 

I am able to create bulk users using csv file as source.  I used following command.

 

import-csv C:\UserList.csv | ForEach-Object {new-qadUser -ParentContainer 'OU=QME,DC=qmesoftware,DC=com'-name $_.'user name' -SamAccountName $_.'samaccountname' -userprincipalname $_.'userprincipalname' -UserPassword $_.'password' -givenname $_.'FirstName' -sn $_.'LastName'}

 

Users are created successfully.

 

One issue though.  The policies set on the OU under which the users are created does not get applied. E.g. I have Display Name and Exchange mailbox creation policy defined.  Neither the Display name is set as per defined policy nor the mailbox is created.

 

Do I need to add anything else in the command above?

 

Regards,

Sameer

Trying to remove primary X400 address with remove-QADProxyAddress

June 19, 2012, 2:03 pm
$
0
0

As part of new user creation on a certain OU, I have set up ActiveRoles to call a Powershell script. One thing we would like is to completely remove the recipients' X400 address that Exchange auto-creates. Changing the Recipient Update Policy in Exchange is not an option. I have been attempting to run the command from the commandline first, before using it in my script, but I can't figure out the syntax to remove just the X400 address.

 

If I get-qaduser an existing user, I see an entry for PrimaryX400Address. But I've tried several attempts of remove-qadproxyaddress, with no luck. The closest I have found is:

 

get-qaduser useralias | Remove-QADProxyAddress -Pattern 'PrimaryX400Address'

 

Which does not return any kind of error, but it doesn't seem to make any changes.

 

If I try the following I do get an error:

 

get-qaduser useralias | Remove-QADProxyAddress -CurrentAddresses 'PrimaryX400Address'

 

But that complains about

 

Remove-QADProxyAddress : Cannot bind parameter 'CurrentAddresses'. Cannot convert the "PrimaryX400Address" value of typ

e "System.String" to type "Quest.ActiveRoles.ArsPowerShellSnapIn.UI.ProxyAddressChangesUI".

 

Can somebody point me in the directions as to what syntax I can use?

Implemenation of remove-qadobject under ARS task engine

August 12, 2013, 5:50 am
$
0
0

Hello,

 

I am reciveing a function not implement under current host (ARS 6.7) error when I call the following in a task script

 

$Rtn = remove-qadobject -identity $MyuserObj.DN

 

I whould have thought it unnecessary to user add-pssnapin quest.activeroles.admanagement when running under ARS.

 

Ideas?

Search

ActiveRoles Server v6.7.0 ADSI Provder unable to add computers to AD group using C# .NET v3.5

August 12, 2013, 10:09 am
$
0
0

The below C# code returns error: "Request to change a multi-valued attribute failed: attempted to add or remove too many attribute values. Not more than 1500 values can be added or removed from a multi-valued attribute within a single request." And fails at line 5.

 

1. static void AddComputerToGroupUsingARSProvider(string computerDn, string groupDn)

2. {

3.      DirectoryEntry de = new DirectoryEntry("EDMS://" + groupDn);

4.      de.Properties["member"].Add(computerDn);

5.      de.CommitChanges();

6.      de.Close();

7. }

 

 

However, if I don't use the ARS provider, and replace line 3 with "LDAP" as shown below it works.

 

DirectoryEntry de = new DirectoryEntry("LDAP://" + groupDn);

 

Any ideas?

 

Thank you,

Ray

Having trouble with Search in Workflow (6.8)

August 13, 2013, 8:24 am
$
0
0

I'm trying to use the Search functionality in a scheduled workflow to generate a list of all Users that aren't members of one of a collection of groups.

 

I've created the workflow, added a Search widget, set the filters, set the notification, then added a Add Report Section widget and set its value.  (Pretty much all based on the blog post.)  However, when I run the workflow the Notification email isn't sent and the Run History doesn't show the new Report Section.  Am I missing any steps?

Exchange 2013 support

November 21, 2012, 8:23 am
$
0
0

Hi

 

Will ARS 6.7 support Exchange 2013 management also? Or is this something that 6.8 will do?

 

Thanks

 

Matt

preventing managed unit sprawl

August 13, 2013, 6:18 am
$
0
0

I am looking to delegate authority to several security groups to only a few individulals. I am trying to prevent creating another managed unit for these users as they will only be managing a few groups. I can see this same scenario playing out several more times and would prefer not to create a MU for each and every one. Ideally, these users would only see the few security groups that they have been delegated authority for.

 

Does anyone have any best practices for this type of scenario?

 

Thanks.

Searching 'Description' field

August 13, 2013, 5:06 am
$
0
0

Hi

 

At present the search function lets me search for user/groups etc, butI was wondering how i could search for the description as i currently can in AD?

 

 

Any ideas?

 

Thanks

Viewing all 1277 articles
Browse latest View live
Search