Channel: Software Communities : Popular Discussions - ActiveRoles

User Logon Name generation and validation against multiple source

Greetings,

 

My requirement is as follows;

I need to create user accounts using WI.  I have customized user form accordingly.

I created a logon name policy which states that if a user exists in AD another combination should be used.

My logon name convention is
"QA+Initial of FirstName+Initial of LastName+x" where x is a numeric suffix which starts from 1

e.g. for user John Spart it will be QAJS1.

If QAJS1 is present it will create QAJS2

and so on.

 

This works properly.

 

But, what I need is,

I need to validate logon name against a database before a user account is created and not against Active Directory.  If an account is not present in database then surely it will not be present in AD.

 

This is an oracle database.  In database there is a table which has a field called logonname.  This table contains logon names of existing and ex-employees of the company.

 

I have ARS and QC both.

 

How can I best achieve this?

 

Thanks in advance.


Access Template for a specific user Object !

Hello,

I want to know if there's a possibility to create an Access Template that can limit the access rights for a specific type of user.

This type of user is a service account. In conclusion I must define in the Access template a strategy to distinguish between two objects that have the same type, User and Service Account (is a specific user) ?

Thanks for your help;

Specify/Schedule an account to be deprovisioned ahead of time?

Hi Folks,

 

Does anyone know if you can schedule or set a date ahead of time for an account to be deprovisioned on a specific date/time?

 

I am trying to find a solution to deal with the requests that come in which are something such as:  On December 1st this person's account should be deprovisioned. Right now the tickets aren't processed correctly as someone has to remember to go back to do it, but if there was a setting that was available they could be processed instantly and ARS could go deprovision the account on the date specified.

 

I was thinking of using the option to have an account expire on a specific date, but I thought there might be something easier than that?

Controlled Property

Is there a way to control a property by query?

My goal is to allow users to modify their office field in the Self Service portal, but only give them a listing of valid office numbers. These valid office numbers could be queried from each organizational unit in our domain.

EmployeeID query returns no results

Hi All, this does work correctly but I cannot figure out why, when I run the script, I get all the information I requested except for the "employeeID"; the column is blank. Do I need a filter or something?

 

get-qaduser -proxy -LdapFilter '(&(objectclass=user)(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!userAccountControl=2080))' | select samAccountname,employeeID,department,status,mail,title | Export-Csv c:\activeusers.csv

Powershell Script Quest One Snap-in Slow When Not Logged Into Domain

I have a powershell script that uses the Quest One ActiveRoles Management Shell for Active Directory snap-in. 

Scenario 1

When I'm in the office, the script runs very quickly (1 min).  No errors.

Scenario 2

When I take my laptop home, and log into the laptop using the same account (although I'm not connected to the domain), the script takes 20 minutes to complete.  No errors.

I have Internet access both at work and at home.

Script Code:

Function TestImport($a)
{
     Get-Date
     Write-Host "Importing CRL"
     $Q_CRL = Import-QADCertificateRevocationList -FileName $a
     Write-Host "Import Complete"
     $CRL_ThisUpdate = $Q_CRL.EffectiveDate
     $CRL_NextPublish = $Q_CRL.NextPublish
     $CRL_NextUpdate = $Q_CRL.NextUpdate
     Write-Host "CRL Effective Date/Time: $CRL_ThisUpdate"
     Write-Host "CRL Next Publish Date/Time: $CRL_NextPublish"
     Write-Host "CRL Next UPdate Date/Time: $CRL_NextUpdate"
     Get-Date
}

TestImport "C:\TEMP\My.CRL"

 

The slowness occurs when the script starts the import using the snap-in.

 

Get-PSSnapin returns the following:

Name        : Microsoft.PowerShell.Core

PSVersion   : 3.0

Description : This Windows PowerShell snap-in contains cmdlets used to manage components of Windows PowerShell.


Name        : Quest.ActiveRoles.ADManagement

PSVersion   : 1.0

Description : This Windows PowerShell snap-in contains cmdlets to manage Active Directory and Quest One ActiveRoles.

Get-ExecutionPolicy shows: RemoteSigned

Does anyone have any ideas as to why the snap-in would be running so slowly?  All the other parts of the script seem to run just fine; no slowness.  Any help would be greatly appreciated.

Workflow - Report Section

Hi,

 

I have a workflow that deprovisions users en masse.

I looked at the report section but this does not seem to be ideal in terms of displaying information that is in a good readable format.

 

Could someone advise the best way to provide a report based on the previous search results?

Would it be best to add a script and if so how are the results stored so that I could get at them and write all information to a CSV file?

 

Many Thanks

Regards

Andy

Replace Umlaute(ä,ü,ö)

Hi,

 

Is there a way to replace Umlaute (ä, ü, ö) in a request directly? I have tested something but nothing works.

 

e.g.

function onGetEffectivePolicy($Request)
{
    $string = "%<sn>%<givenname>"
    $string.replace("ü","ue")
    $Request.SetEffectivePolicyInfo("cn", $Constants.EDS_EPI_UI_POLICY_VALUE, $string)
}

 

It would be nice to see the result directly.

 

Thanks!!


Extracting setting in ARS

Maybe someone can help me

I am trying to script using PowerShell all the ARS defined Access templates or all the defined security templates in my ARS environment. We are trying to look at the big picture from an access.

I found a script on the web but seems to not work for me in my site

The script is


 

cls
connect-QADService -Proxy
get-QARSAccessTemplateLink -AccessTemplate 'AR Server Security - Active Directory Container' | format-List DirectoryObject

or

connect-QADService -Proxy
get-QARSAccessTemplate -Proxy -SearchRoot 'Configuration/Access Templates/Builtin' -Predefined $true | format-List Name, ParentContainerDN


receiving the same error for both

Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX))
At :line:2 char:18
+ connect-QADService <<<<  -Proxy


Can someone help me out or tell me what I am doing wrong..

Thanks

Script to clear comment attribute

Does anyone know of a quick script that clears the user's "comment" Attribute in Active Directory.  This would be helpful in resetting a user's Profile in the Password Manager Application.

 

Thanks,

 

Kevin C.

Approval rules missing in MMC?

I'm trying to test out the web console approval feature but the approval rules are missing in the MMC console?  Do these need to be enabled somehow?

How do I restructure and strip out extra characters in phone numbers for mass changes in AD

I'm looking to clean up our active directory by making all of the phone numbers the same format. Currently we have phone numbers in the following formats:

 

Phone Number                IP Phone
(123) 456-789 EXT 6789      blank
(123)456-789 ext 6789       blank
(123) 456-7889 EXT 6789     blank
+123456789                  blank
123-456-789                 blank
(123) 456-789               6789

 

What I'd like to do is find a way to use the quest add on for powershell (this is a 2003 environment) to strip out all the superfluous characters, be it -(s), or ((s)/)(s) or +(s) or whatnot and then change the number to a format I wish.  Preferably:

 

Phone Number        IP Phone    Cell Phone
(123) 456-789       1234        (123) 456-8593

 

I need something that will look and see if there are 10 or 14 digits. If there are 10, I want this to strip all characters from them and reformat them as indicated above. If there are 14, I want the first 10 stripped and reformatted and the last 4 moved to the IP phone field. I also need all other phone fields to follow the stripping and reformatting of all 10 digits.  I've looked into this and while I can seem to find ways to replace individual phone numbers, I can't seem to find the coding advice to strip and replace digits in a format I want.  Any help would be deeply appreciated!

Compliance Reporting and Umlauts

Hi seems I can't post a blog so a discussion will have to do ....

 

I'm writing some compliance reports and scheduling them with ARS - the reports are basically group memberships and they are text files with .csv extensions.  The problem I had was that the umlauts were being mangled by Excel when the auditors open the files.

 

The fix......

 

It appears that streamwriter defaults to UTF8 which preserves the umlauts (opening in notepad correctly identified the file as UTF8) but it appears the BOM was not being written to the file so Excel was not correctly formatting the file.

 

 

To fix this I had to explicitly force the streamwriter to write the BOM.

Create a system.text.UTF8Encoding object

 

$utf8 = New-Object System.Text.UTF8Encoding($true)

 

Using $false would stop the BOM being written – you might want that option but it seems streamwriter does that by default anyway

 

Then when you open the file use the object as follows to force the BOM being written to the file

 

$reportFile = new-object system.IO.StreamWriter($filename,$true,$utf8)

 

you write to the file using $reportfile.writeline("Text you want added - or the ad object.attribute for example")

 

Why do I use the streamwriter instead of export-csv ?

1. it's quicker (http://blogs.technet.com/b/gbordier/archive/2009/05/05/powershell-and-writing-files-how-fast-can-you-write-to-a-file.aspx)

2. export-csv does not format the file correctly as there are commas in the user names

3. export-csv has the same problem writing to the file and if you use the -encoding switch then you get a single line in quotes so no good for an excel spreadsheet

4. we're getting away from the point of the post which is just to tell you how to do it using streamwriter - if that's what you wanted to do

 

Lee Andrews
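
The StreamWriter approach from the post above, as an added PowerShell example that is not the poster's script: it writes a membership report with a UTF-8 BOM, quotes fields that contain commas, and reads the first bytes back. The function names, output path and sample rows are hypothetical and constructed for illustration; the leading-character prefix is an added hardening step for files that are opened in Excel.

```powershell
# Added example. ConvertTo-CsvField, Write-MembershipReport and the rows are hypothetical.
function ConvertTo-CsvField {
    param([string]$Value)
    # Added hardening: a value starting with = + - @ is treated by Excel as a formula,
    # so prefix it with an apostrophe to keep it as text.
    if ($Value -match '^[=+\-@]') { $Value = "'" + $Value }
    # RFC 4180 quoting: wrap fields containing comma, quote, CR or LF; double the quotes.
    if ($Value -match '[,"\r\n]') { return '"' + $Value.Replace('"', '""') + '"' }
    return $Value
}

function Write-MembershipReport {
    param([string]$Path, [object[]]$Rows)
    $utf8Bom = New-Object System.Text.UTF8Encoding($true)   # $true = emit the BOM
    # Second argument $false overwrites the file. With $true (append) the BOM is only
    # written when the file is new or empty, because it is emitted at stream position 0.
    $writer = New-Object System.IO.StreamWriter($Path, $false, $utf8Bom)
    try {
        $writer.WriteLine('Group,Member,Department')
        foreach ($row in $Rows) {
            $fields = @($row.Group, $row.Member, $row.Department) |
                ForEach-Object { ConvertTo-CsvField $_ }
            $writer.WriteLine($fields -join ',')
        }
    }
    finally { $writer.Dispose() }
}

# Constructed sample data. Umlauts are built from code points so the script file's
# own encoding does not matter.
$ue = [char]0x00FC; $oe = [char]0x00F6
$rows = @(
    [pscustomobject]@{ Group = 'Finance-RW'; Member = "M${ue}ller, J${oe}rg"; Department = 'Buchhaltung' },
    [pscustomobject]@{ Group = 'Finance-RW'; Member = '@ServiceDesk';          Department = 'IT' }
)

$path = Join-Path $env:TEMP 'membership-report.csv'
Write-MembershipReport -Path $path -Rows $rows

# Read the first three bytes back to check for the UTF-8 BOM.
$head = [System.IO.File]::ReadAllBytes($path)[0..2]
'{0:X2} {1:X2} {2:X2}' -f $head[0], $head[1], $head[2]
```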

How To Add Reason to add-QADGroupMember when Approval Required

We recently switched to require approvals from the specified group manager for additions to groups.  Interactively this works fine and prompts you for a reason for the request.  This reason is included in the e-mail to the manager.

 

How can we specify a reason when adding a user to a group with add-QADGroupMember in a script so that the manager gets the reason in the e-mail?

 

We are currently on ARS 6.7.

 

Thanks. 

C# EDSM ADSI Provider ARS Search based on edsva-MsExch-ActiveMailboxServerName

Can we use EDSM ADSI provider to search based on the built-in custom Exchange attribute "edsva-MsExch-ActiveMailboxServerName" ?

 

The code below returns 0 results even though there are a lot of users that have a value for the attribute "edsva-MsExch-ActiveMailboxServerName"

 

If we change the search filter to another attribute "sn", it will work

 

filter.Append("(&(sn=" + sSN + "))"); 

          

==============================================================================

 

            const AuthenticationTypes ADS_EDMSERVER_BIND = (AuthenticationTypes)32678;
            DirectoryEntry strDefaultNamingContext = new DirectoryEntry("EDMS://servername/DC=test,DC=com");
            strDefaultNamingContext.AuthenticationType = ADS_EDMSERVER_BIND;
            strDefaultNamingContext.Username = @"NIH\" + userID;
            strDefaultNamingContext.Password = userPW;

            // DirectorySearcher
            DirectorySearcher ConfigSearcher = new DirectorySearcher(strDefaultNamingContext);
            ConfigSearcher.SearchRoot = strDefaultNamingContext;

            StringBuilder filter = new StringBuilder();
            filter.Append("(&(edsva-MsExch-ActiveMailboxServerName=" + sExServer + "))");
            ConfigSearcher.Filter = filter.ToString();
            ConfigSearcher.PropertiesToLoad.Add("edsva-msexch-activemailboxservername");
            ConfigSearcher.PropertiesToLoad.Add("sn");
            ConfigSearcher.SearchScope = SearchScope.Subtree;
            SearchResultCollection results = ConfigSearcher.FindAll();

            foreach (SearchResult result in results)
            {
                s = result.Properties["sn"][0].ToString();
                Response.Write(s);
            }

            //cleanUp
            strDefaultNamingContext.Close();
            strDefaultNamingContext.Dispose();
            ConfigSearcher.Dispose();
            results.Dispose();

Deny Add/Remove members to/from a Group

Hello,

I want to deny the permission to add / remove members to/from a group for specific groups of administrators. Is it possible to apply an Access Template to a group?

Thank you.

Custom Password Generation Policy

Hi all,

We are looking for some help with a policy script that we plan to use for generating passwords with configurable length and complexity.  We basically took the built-in password generation policy script, converted it to PowerShell, set it to return a static password value, and applied it to a single OU.  So far the custom password generation policy only works when we either disable the built-in password generation policy or if we enable script debugging.

 

I assume that our attempt to override the built-in policy is failing which explains why the custom policy does work when we disable the built-in policy.  I'd appreciate any feedback that would help override the built-in policy so our implementation is a little more straightforward.

 

I can't explain why this policy magically starts working when we enable script debugging.  What changes in the scripting environment which would allow the new policy to work as expected?

 

Below is a copy of a watered down version of the script.  We've removed our password generation code and anything that was specific to our environment.  To test the script, we basically applied it as a provisioning policy to a single OU.  We then test password resets (using the generate password button) to see what password value is displayed.  We also test using the new account wizard (also leveraging the generate password button).

 

Any feedback would be helpful.  We didn't have any luck finding examples of others doing the same thing so I hope the eventual solution will benefit others.  Thanks!

 

 

 

function onGetEffectivePolicy($Request)
{
    $errcount = $Error.count

 

# Include script library
    $context.UseLibraryScript("PowerShell Best Practices")

    if (($Request.Class -ne "inetOrgPerson") -AND ($Request.Class -ne "user") ) {$Request.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE, "CustomPasswordPolicy-Wrong object type-exit"); return }

 

# Mark password as server-side generated.
    $Request.SetEffectivePolicyInfo("edsaPassword",$Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
   
# Determine whether server-side generation is requested (button pressed).
    $controlFullPolicyInfo = $Request.GetInControl($constants.EDS_CONTROL_FULL_EFFECTIVE_POLICY_INFO)
    if ($Error.count -ne $errcount)
    {
       $controlFullPolicyInfo = ""
    }

    if ($controlFullPolicyInfo -ne "edsaPassword") { return }

 

# Return static password value
    $Request.SetEffectivePolicyInfo("edsaPassword",$Constants.EDS_EPI_UI_GENERATED_VALUE, "123456789")
}

 

function onGetPolicyMarker()
{

# Override built-in Generate User Password Policy
    return "Generate User Password"
}

New User Creation Policy

Hi I am trying to create a new policy, with following requirements.

 

UPN = prefix_firstname.lastname

samaccountname = UPN

Name (CN) = UPN

 

 

however, on creation of the user it errors . . .

 

  • Corporate policy violation. The 'name' property value does not conform to corporate policy. The specified value 'TemporaryCN{9BDAA21D3A5D4e5297F6CFA5E15D7F75}' does not conform to policy requirements.

 

Thanks in advance.

 

M
