Channel: Software Communities : Popular Discussions - ActiveRoles

OnPostMove script doesn't pull the same variables as OnPostCreate script


I'm using the following script to modify newly-created linked-mailbox users' SMTP addresses (Thanks to the community for helping me with this):

 

function onPostCreate($Request)

{
     $First = $Request.Get("givenName")
     $Last = $Request.Get("sn")
     $Primary = $First + "." + $Last + "@mydomain.com"
     $Local = $First + "." + $Last + "@anotherdomain.local"

      Get-QADUser $Request.dn | Add-QADProxyAddress -Type SMTP -Address $primary -PRIMARY
      Get-QADUser $Request.dn | Add-QADProxyAddress -Type SMTP -Address $Local
      Get-QADUser $Request.dn | Remove-QADProxyAddress -Pattern '*@myolddomain.com'
}

 

It works great when creating a new user and then a linked mailbox. However, we've discovered that several users are being created in a different OU which the policy does not affect. We have been moving the users to the appropriate OU and creating the linked mailbox. But, the script is not firing on these users. My theory is since these are not newly created users, OnPostCreate isn't going to work.

 

So, I created an identical script but set the function to OnPostMove. If I link the user's mailbox and then move that user to the "good" OU, the Quest script will fire but it will fail with the following error:

 

ERROR:

At line: 9 char:52. Administrative Policy returned an error.

The specified e-mail address 'SMTP:.@mydomain.com' already exists in this organization.

 

So it looks like it isn't processing the variables in the way that I had expected, and attempting to give the user an SMTP address of ".@mydomain.com". I'm guessing that the $Request variable in ActiveRoles is different on a move vs. a create? Is this the case, and any pointers on how to fix this? Thanks in advance.


Get the samAccountname from the currentUser


Hello,

 

I started right now scripting with PowerShell for ARS. I want to find out the samAccountName of the current user.

 

In VBS is the code:

 

Sub onPreModify(Request)
    ' Only handle user objects
    If (Request.Class <> "user") Then Exit Sub

    ' Read the account name from the request and write it to the event log
    strUserName = Request.Get("sAMAccountName")
    EventLog.ReportEvent 4, "This is the samAccoutName: " & strUserName
End Sub

 

Now I want to write this code in PS. I've tried:

 

function onPreModify($Request)
{
    $currentUser = [string]$Request.Get("samAccountName")
}

 

or

 

function onPreModify($Request)
{
    If ($Request.Class -ne "user")
    {
        $currentUser = [string]$Request.Get("samAccountName")
        $EventLog.ReportEvent(4, "This is the samAccoutName: " + $currentUser)
    }
}

 

The EventLog works, but the var $currentUser is still empty.

 

//Background is: This user should be added to a group. Before the user can be added to this group, must prove some settings.

 

 

with kind regards

and sorry for my bad grammar

 

woody

Deploying EDMS Custom Webservice to IIS


Hi,

I've developed some code in visual studio 2005 to provide a webservice for making alterations to AD via EDMS. The webservice uses a library that I have made for doing these alterations. This library can run in either LDAP or EDMS mode, running in LDAP works fine when deployed to IIS (on 2k3 x64 Server) but when using EDMS, I get

System.Runtime.InteropServices.COMException: Unknown error (0x80005000)
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at ADInteractor.FindUsersByPartalLoginName(String name) in C:\proj\ADInteractor.cs:line 278
  
HOWEVER, using the visual studio in-built webserver, both EDMS & LDAP work fine. Both machines have the ActiveRoles Server 5.2.4 ADSI Provider installed on them. The only difference being that I'm developing it on XP x86, and the IIS server is 2K3 x64.

The app-pool that the web service is running under is running under a domain username, and the web.config file has the identity impersonation set to true and also set to this username. I've tried various combinations of setting it on and off and have added the domain user to the local admins & IIS WPG group on the IIS machine, but none of this has helped.

Any ideas?

Writing a script that will remove disabled profiles from SharePoint 2010


and I have run into a problem. I need to locate users that are just in an OU=NetIQRecycleBin, but I can't figure out how to do it. I am using ActiveRoles, and this is what I have so far:

# Find out how many accounts we should delete (I'll make this interrogate UPS at some point in future;
# for now this fudge will do)
Param ([int]$limit)

if (!$limit)
{
    $limit = 999999999
}

$count = 1

Write-Host "------------- Started -------------"
$output = Get-Date
$output = "Started at " + $output.ToString()
$output | Out-File -FilePath c:\output.txt -Append

# Add SharePoint PowerShell SnapIn if not already added
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Add Quest AD PowerShell SnapIn if not already added
if ((Get-PSSnapin "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
}

# Set my site host location.
$site = (Get-SPSite https://mysitestg)
$ServiceContext = [Microsoft.Office.Server.ServerContext]::GetContext($site)

# Get UserProfileManager and get all profiles
$ProfileManager = New-Object "Microsoft.Office.Server.UserProfiles.UserProfileManager" -ArgumentList ($ServiceContext)
#= new-object Microsoft.Office.Server.UserProfiles.UserProfileManager($ServiceContext)
$AllProfiles = $ProfileManager.GetEnumerator()

# Iterate around the profiles
foreach ($profile in $AllProfiles)
{
    # Get the associated AD account
    $ADUser = $profile.MultiloginAccounts | Get-QADUser

    # Check if the account is disabled in AD
    if ($ADUser.AccountIsDisabled)
    {
        # Delete the profile and log the account name
        $ProfileManager.RemoveUserProfile($ADUser.NTAccountName)
        $output = $count.ToString() + ": " + $ADUser.NTAccountName
        $output | Out-File -FilePath c:\output.txt -Append
        Write-Host $output

        # Stop once the requested number of accounts has been removed
        $count++
        if ($count -gt $limit)
        {
            break
        }
    }
}

Write-Host "------------- Finished -------------"
Write-Host ($count -1) accounts removed
$output = Get-Date
$output = $output.ToString()
$output | Out-File -FilePath c:\output.txt -Append

$site.Dispose()

 

Which works, but it also deletes users from other OUs as well, like OU=TerminatedUsers.

 

Anyway, thanks in advance for any help anyone can give me.

Having trouble with Search in Workflow (6.8)


I'm trying to use the Search functionality in a scheduled workflow to generate a list of all Users that aren't members of one of a collection of groups.

 

I've created the workflow, added a Search widget, set the filters, set the notification, then added an Add Report Section widget and set its value. (Pretty much all based on the blog post.) However, when I run the workflow the Notification email isn't sent and the Run History doesn't show the new Report Section. Am I missing any steps?

Execute Script or Policy using different credential


Is there a way to execute a script using a different credential? The environment is single forest/single domain and a service account is used to access the domain (i.e. did not use the override account).

 

This also brings me to another question: is there a way to execute a provisioning policy using a different credential?

Deny Add/Remove members to/from a Group


Hello,

I want to deny the permission to add/remove members to/from a group for specific groups of administrators. Is it possible to apply an Access Template to a group?

Thank you.

Issues Retrieving Task parameters in a scheduled task.


I'm having issues with retrieving task parameters in a scheduled task.

 

I'm running Version: 6.8.0.4269

 

I've tried the following two methods:

 

Method 1:  As per: http://communities.quest.com/message/18927#18927

 

function Get-Param($name)
{
    foreach($v in $task.Dirobj.Parameters)
    {
        if ($v.name -eq $name)
        {
            $v.Value
            break;
        }
    }
}

$OrgUnitToQuery = Get-Param("OrgUnitToQuery")

 

The debug info looks like this:

DEBUG: 123+ foreach($v in >>>> $task.Dirobj.Parameters)
Call '$Task.get_DirObj'
Call '$DirObj.Parameters'
DEBUG: ! SET $foreach = 'System.__ComObject System.__ComObject System.__ComObj...'.
DEBUG: 123+ foreach( >>>> $v in $task.Dirobj.Parameters)
DEBUG: ! SET $foreach = ''.
DEBUG: 131+ >>>> }
DEBUG: ! SET $OrgUnitToQuery = ''.

 

And the $OrgUnitToQuery value is blank.

If I add an eventlog entry in the ForEach block, but before the IF block, the EventLog is never fired (indicating to me that it THINKS that the object is empty).



 

Method 2: from the 6.8 SDK in the section titled: Using Parameters in Scheduled Task Scripts



$TestAuditOnly = $Task.DirObj.Parameters("TestAuditOnly")



And the script fails, and the debug info looks like this:



DEBUG: 164+ >>>> $TestAuditOnly = $Task.Dirobj.Parameters("TestAuditOnly")
 Call '$Task.get_dirobj'
ERROR:
At Line: 164 char:1. Method invocation failed because [Quest.ActiveRolesServer.Service.CorePolicies.PowerShellDirObj] doesn't contain a method named 'Parameters'.



What am I missing?  This is driving me batty.

 

P.S.  The rest of the script functions fine when executing in PowerGUI.


How to create bulk users using ActiveRoles Management Shell based on csv and make use of ARS policies?


Greetings,

 

I am able to create bulk users using a csv file as source. I used the following command.

 

import-csv C:\UserList.csv | ForEach-Object {new-qadUser -ParentContainer 'OU=QME,DC=qmesoftware,DC=com' -name $_.'user name' -SamAccountName $_.'samaccountname' -userprincipalname $_.'userprincipalname' -UserPassword $_.'password' -givenname $_.'FirstName' -sn $_.'LastName'}

 

Users are created successfully.

 

One issue though. The policies set on the OU under which the users are created do not get applied. E.g. I have Display Name and Exchange mailbox creation policy defined. Neither is the Display Name set as per the defined policy nor is the mailbox created.

 

Do I need to add anything else in the command above?

 

Regards,

Sameer

ARS MMC Error - The RPC Server Is Unavailable


I have an ARS 6.7.0 service running on Windows Server 2008 R2. Attempts by client machines to connect to the service from the MMC result in:

Connecting to Administration Service on 'server.fqdn'...
Failed to connect to Administration Service on
'server.fqdn'.
The RPC server is unavailable.

The client records the following event in the system log:

Type:  Error
Source:  DCOM
Category:  None
Event ID:  10006

Description:

DCOM got error "The RPC server is unavailable. " from the computer server.fqdn when attempting to activate the server:  {9DAAF24F-E27B-4943-99FC-38945006C957}

Any suggestions for troubleshooting this issue would be appreciated.

No issues with opening and running the MMC as the same user directly from the console using Remote Desktop.

How to change the Associated Exchange Administrative Group:


Hi All,

 

I have a question that I hope someone can help me with.

 

I want to change the Associated Exchange Administrative Group: that is used when creating things like distribution lists. I can't seem to find where this can be done.

 

Can anyone help?

 

Thanks

 

Bhavin

SelfService Groups


In older versions of ActiveRoles there was a function in Selfservice called "Mygroups" where users could add/remove members to groups that they were managers of.

In ARS 6.8 this isn't available.

Does anyone know if it's possible to add a similar function via managed units and web-interface extension?

Other suggestions?

Visio Stencils

Guys.

Do Quest provide any Visio stencils for the ARS product?

Cheers

Craig

Display Name

Guys.

We are just testing out ARS and so far so good. One thing I would like to set is the Display Name field. Right now ARS will create a user and display the field as First Name LastName but what I would like is LastName, FirstName.

I have looked in the policy but I can't see a way to set this.

Any ideas?

Thanks in advance

Craig

Change and work with edsva-drive


Hey there,

 

I want to change a drive of a user object, e.g. edsva-driveH is the home directory and the path must be changed.

The first problem was to get this attribute edsva-driveH. The second problem was to read and manipulate the attribute.

But I think I've got a good solution for both problems.


To get the attribute use -Proxy

 

Get-QADUser -Proxy Stefan.Rehwald -IncludedProperties edsva-driveH

 

 

So you see the value for edsva-driveH. But if you want to use it, there is a problem, too.

 

$User = Get-QADUser -Proxy Stefan.Rehwald -IncludedProperties edsva-driveH
$User.edsva-driveH

 

This raises an error like unexpected/unknown token. Here is my solution:

 

$User = Get-QADUser -Proxy Stefan.Rehwald -IncludedProperties edsva-driveH
$User."edsva-driveH"

 

So it works. Do you have a better way for me or is that the solution for it?

 

 

List all edsva-drives with the following, but it's very slow:

Get-QADUser -Proxy Stefan.Rehwald -IncludeAllProperties |  Select-Object 'edsva-drive*'

 

 

Kind regards

Stefan


Secondary Owners


I set up Group Management so that managers of the groups can add/remove users.

I also added the secondary owner, and the secondary owner can update the membership list. My problem is I need the secondary owner to be able to see the group in their group management web interface. If the secondary owner goes into their own group management they do not see that group.

 

Using ARS 6.8

 

Hope this makes sense

Remove whitespace when generating email alias


Hi,

 

I have a distribution group policy that works great except for removing the white space when generating the email alias.

 

Is there any way to make sure that all white space is removed?

Cannot validate argument on parameter


Hi all,

 

I try to run a PowerShell script from a policy rule, but get an error in the EDM Server log. Is there anyone who can explain why this happens?

 

 

This is the beginning of the script:

 

function onPostModify($Request) {
    $displayName = [string]$Request.Get('displayName')
    $alias       = [string]$Request.Get('sAMAccountName')
    # Same error > $alias       = $Request.Get('sAMAccountName')

...
}

 

Error:

 

Log Name:      EDM Server
Source:        EDM
Date:          03.08.2011 14:46:58
Event ID:      2000
Task Category: Policy
Level:         Error
Keywords:      Classic
User:         <removed>
Computer:      <removed>
Description:
Post-processing operation on object caused a policy violation.
Policy: Runs the script '<removed>'
Object: CN=Benjamin Test,OU=Users,DC=one,DC=two
Details: The 'Script Execution' policy encountered an error when running the script '<removed>'. Cannot validate argument on parameter 'Alias'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EDM" />
    <EventID Qualifiers="49152">2000</EventID>
    <Level>2</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-03T12:46:58.000Z" />
    <EventRecordID>314508</EventRecordID>
    <Channel>EDM Server</Channel>
    <Computer><removed></Computer>
    <Security UserID="<removed>" />
  </System>
  <EventData>
    <Data>Runs the script '<removed>'</Data>
    <Data>CN=Benjamin Test,OU=Users,DC=one,DC=two</Data>
    <Data>The 'Script Execution' policy encountered an error when running the script '<removed>'. Cannot validate argument on parameter 'Alias'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.</Data>
  </EventData>
</Event>

 

Deny/Allow specific attribute - Access Templates


What is the most effective way to DENY via Access Templates all Authenticated Users the ability to Read a specific attribute in the entire domain, but then ALLOW very specific groups/accounts to Read that same attribute?

In a quick test, the DENY overrides the ALLOW (seems logical), but not the desired outcome.

Any suggestions?

Distribution Groups during Exchange 2003/2010 coexistence


When we upgraded to ARS 6.7 from 6.5, we were just starting to roll out Exchange 2010, so ARS is still set up to create Exchange 2003-style mail-enabled groups. This is fine for the domains that still have at least one Exchange 2003 server running - Recipient Update Services takes care of populating the email address and Display Name attributes for new distribution lists (and other mail-enabled groups) in those domains. However, we only have Exchange 2010 servers running in one of the domains, and there, the mail-enabled groups never get the proper configuration. I figured out that doing Set-DistributionGroup $groupalias -ForceUpdate after the group was created and had long enough to replicate would cause Exchange to then populate mail, proxyAddresses and DisplayName properly. Here's the Script Policy I've written to check for the presence of mailNickname (Exchange alias) and absence of either mail or DisplayName for groups, and if missing, force those objects up to the Exchange 2010 version:

 

function onInit($context)
{
    # include script library
    $context.UseLibraryScript("PS Best Practices")
}

function onPreGet($Request)
{
    if($Request.Class -eq "Group")
    {
        $Request.AddRequestedAttribute("mailNickname")
        $Request.AddRequestedAttribute("mail")
        $Request.AddRequestedAttribute("displayName")
    }
}

function onCheckPropertyValues($Request)
{
    if($Request.Class -eq "Group")
    {
        if ( ($Request.mailNickname -ne $null) -and ( ($Request.mail -eq $null) -or ($Request.DisplayName -eq $null) ) )
        {
            Add-PSSnapin "Microsoft.Exchange.Management.PowerShell.E2010"
            Set-DistributionGroup $Request.mailNickname -ForceUpdate
        }
    }
}

 

 

This isn't working, even when I do a "Check Policy" directly on the distribution list in question, well after the object should have been replicated everywhere. Nothing in the MSExchange log on the AR Server I'm connected to. Any ideas on what I've left out?

 

Is this something I might be better off doing as a workflow whenever a mail-enabled group is created?
