Channel: Software Communities : Popular Discussions - ActiveRoles
Viewing all 1277 articles
Browse latest View live

Workflow - Report Section


Hi,

 

I have a workflow that deprovisions users en masse.

I looked at the report section but this does not seem to be ideal in terms of displaying information that is in a good readable format.

 

Could someone advise the best way to provide a report based on the previous search results?

Would it be best to add a script, and if so, how are the results stored so that I could get at them and write all information to a CSV file?

 

Many Thanks

Regards

Andy


Dynamic Groups created by a script


Hi,

 

I grabbed a script to create dynamic groups using PowerShell from this forum and tweaked it to get the names of the groups from a file. The script works fine. I can see that it creates the dynamic group and adds the desired objects as its members. However, when I try to preview it (by going into Membership Rules in the GUI), it errors out on the filter. On looking further I saw that the filter is missing a parenthesis at the end like this:

 

(extensionattribute1=247   <--- Note the missing parenthesis.

 

Any thoughts on why the paren is missing? The dynamic group however works... it seems like there is an issue while ARS reads the filter into the GUI.

 

Thanks

Dipti

 

 

Script:

 

 

if ( (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null )
{
    Add-PsSnapin Quest.ActiveRoles.ADManagement
}

Connect-QADService -Proxy

$GroupNameArray=Get-Content -path "D:\Scripts\CreateDynamicGroup\GroupName.txt"


$GroupsOU = 'OU=Sites,OU=Groups,OU=Admin,DC=mydomain,DC=com'

Foreach ($groupNameobj in $GroupNameArray) {

$splitinput = $groupNameobj.Split(";")
$groupname = $splitinput[0]
$ea1 = $splitinput[1]

$DN=(New-QADGroup -Name $groupName -SamAccountName $groupname -ParentContainer $GroupsOU).DN


$objGroup = [ADSI] "EDMS://$DN"

$objRuleCollection = $objGroup.MembershipRuleCollection

$rule1 = New-Object -ComObject "EDSIManagedUnitCondition"

$rule1.Base = "EDMS://DC=mydomain,DC=com"

$rule1.Filter = "(&(objectCategory=computer)(objectClass=computer)" + "(extensionattribute1="+$ea1+"))"

write-host $rule1.Filter

$rule1.Type=1

$objRuleCollection.Add($rule1)

$objGroup.SetInfo()

}
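
The script above concatenates a value read from a file directly into the rule's LDAP filter. As an added example (not part of the original post or of the script it was adapted from), the sketch below trims and escapes that value per RFC 4515 and checks parenthesis balance before the string would be assigned to $rule1.Filter. The helper names and the sample input lines are constructed for illustration.

```powershell
# Added example, not the poster's script. Function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([AllowEmptyString()][string] $Value)
    # Trim stray whitespace (including a trailing CR from the input file),
    # then escape \ * ( ) and NUL as \XX hex pairs as RFC 4515 requires.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    return [regex]::Replace($Value.Trim(), '[\\*()\x00]', $evaluator)
}

function Test-LdapFilterBalanced {
    param([string] $Filter)
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') {
            $depth--
            if ($depth -lt 0) { return $false }   # closed more than opened
        }
    }
    return ($depth -eq 0)
}

function New-ComputerRuleFilter {
    param([AllowEmptyString()][string] $ExtensionAttribute1)
    $value = ConvertTo-LdapFilterValue $ExtensionAttribute1
    if ($value.Length -eq 0) { throw 'extensionAttribute1 value is empty' }
    $filter = "(&(objectCategory=computer)(objectClass=computer)(extensionattribute1=$value))"
    if (-not (Test-LdapFilterBalanced $filter)) { throw "Unbalanced filter: $filter" }
    return $filter
}

# Constructed input lines in the post's "groupname;value" format.
$sampleLines = 'Site-247;247', 'Site-Odd;24)(objectClass=*', "Site-CR;301`r"
foreach ($line in $sampleLines) {
    $name, $ea1 = $line.Split(';', 2)
    '{0} -> {1}' -f $name, (New-ComputerRuleFilter $ea1)
}
```

Writing the returned string to the log before calling SetInfo() gives a record of exactly what was stored, which can then be compared with what the console displays.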

How To Add Reason to add-QADGroupMember when Approval Required


We recently switched to require approvals from the specified group manager for additions to groups.  Interactively this works fine and prompts you for a reason for the request.  This reason is included in the e-mail to the manager.

 

How can we specify a reason when adding a user to a group with add-QADGroupMember in a script so that the manager gets the reason in the e-mail?

 

We are currently on ARS 6.7.

 

Thanks. 

Updating City, State, Country based on SQL lookup of Location


I am new to ARS, so please forgive my ignorance.

I have created several Cascading Drop Down Lists in the ARS Web Interface, and they are working fine.

One of the Drop Down Lists is assigned to the "physicalDeliveryOfficeName" attribute. (See Complete Script Below)

 

What I am trying to do, is after the user record is modified, use an SQL query to lookup the corresponding City, State, Country and Country Code for the selected Location.

 

I have set up one other policy to combine the Division and " - " and Department and assign that value to the o "Organization" attribute. It works fine, but I am not using any scripting.

 

I think I have set up the policy correctly and assigned it to my "Manged Users" OU. I selected script for modify and it gave me the beginning and ending lines:

Sub onPostModify(Request)

End Sub

 

I have gleaned the rest of my code from other VBS I have written along with examples from the ARS Community.

The following Script does not have any compilation errors when I save it to the Server, it just doesn't work.

 

I stripped out the Active Directory part and hard coded the "Where Location = '"& ULoc & "' "

part of the code and commented out the

 

ULoc = Request.Get("physicalDeliveryOfficeName")

and the

Request.SetEffectivePolicyInfo "l", EDS_EPI_UI_GENERATED_VALUE, GetCity

Request.SetEffectivePolicyInfo "st", EDS_EPI_UI_GENERATED_VALUE, GetState

Request.SetEffectivePolicyInfo "co", EDS_EPI_UI_GENERATED_VALUE, GetCountry

Request.SetEffectivePolicyInfo "c", EDS_EPI_UI_GENERATED_VALUE, GetCountryCode

Statements.

 

I then ran the script in Windows and had it display the GetCity, GetState, GetCountry, GetCountryCode variables.

It worked fine, so I know that the SQL part of the Script is OK.

 

So either I am not assigning the variable ULoc correctly or my statements to set the attributes are wrong.

 

If that is all good, then I guess I have not applied the script correctly.

When I use the WI to open and modify a User Object and change the Location Drop Down, it saves fine, but it does not update the City, State and Country as it is supposed to.

 

Any help would be greatly appreciated.

 

Thanks,

 

AD

 

Sub onPostModify(Request)

If Request.Class <> "user" Then Exit Sub

 

' connection and recordset variables

   Dim Cnxn

   Dim strCnxn

   Dim rs

   Dim strSQL

   Dim ULoc

   Dim GetCity, GetState, GetCountry, GetCountryCode

'*******************************************************************************************************

    ULoc = Request.Get("physicalDeliveryOfficeName")

    ' open connection

    Set Cnxn = CreateObject ("ADODB.Connection")

    strCnxn = "Provider=sqloledb;Data Source=MyServer;Initial Catalog=ADLookup;User Id=MyUser;Password=MyPwd;"

    Cnxn.Open strCnxn

 

    ' create and open Recordset using object refs

      Set rs = CreateObject("ADODB.Recordset")  

      strSQL = "SELECT Location, City, State, Country, CountryCode, CountryAbriviation "

      strSQL = strSQL & "FROM ADLookup.dbo.vw_Locations "

      strSQL = strSQL & "Where Location = '"& ULoc & "' "     

      rs.ActiveConnection = Cnxn

      rs.Source = strSQL

      rs.Open

      '*******************************************************************************************************

      If Not (rs.BOF And rs.EOF) Then

        rs.MoveFirst

        GetCity = rs.FIELDs(1).value

        GetState = rs.FIELDs(2).value

        GetCountry = rs.FIELDs(3).value

        GetCountryCode = rs.FIELDs(4).value

 

        Request.SetEffectivePolicyInfo "l", EDS_EPI_UI_GENERATED_VALUE, GetCity

        Request.SetEffectivePolicyInfo "st", EDS_EPI_UI_GENERATED_VALUE, GetState

        Request.SetEffectivePolicyInfo "co", EDS_EPI_UI_GENERATED_VALUE, GetCountry

        Request.SetEffectivePolicyInfo "c", EDS_EPI_UI_GENERATED_VALUE, GetCountryCode       

      End If

    rs.close               

    Cnxn.close             

End Sub
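
The script above builds its WHERE clause by concatenating the physicalDeliveryOfficeName value into the SQL text and keeps a SQL login in the connection string. As an added example (not the poster's code and not an ARS sample), the PowerShell sketch below performs the same lookup with a bound parameter. Server, database, view and column names are taken from the post; the function names, the 128-character column size and the use of integrated authentication are assumptions.

```powershell
# Added example, not the poster's code. Function names, the NVarChar(128) size
# and Integrated Security are assumptions; object names come from the post.
function New-LocationLookupCommand {
    param(
        [Parameter(Mandatory = $true)]
        [System.Data.SqlClient.SqlConnection] $Connection,
        [Parameter(Mandatory = $true)] [AllowEmptyString()]
        [string] $Location
    )
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = 'SELECT City, State, Country, CountryCode ' +
                       'FROM ADLookup.dbo.vw_Locations WHERE Location = @Location'
    # The attribute value travels as data, never as part of the SQL text.
    $param = $cmd.Parameters.Add('@Location', [System.Data.SqlDbType]::NVarChar, 128)
    $param.Value = $Location
    return $cmd
}

function Get-LocationDetails {
    param([string] $ConnectionString, [string] $Location)
    $cnxn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $cnxn.Open()
        $cmd = New-LocationLookupCommand -Connection $cnxn -Location $Location
        $reader = $cmd.ExecuteReader()
        try {
            if (-not $reader.Read()) { return $null }   # unknown location: set nothing
            # Keys are the directory attributes the post wants to populate.
            return @{
                l  = $reader['City'];    st = $reader['State']
                co = $reader['Country']; c  = $reader['CountryCode']
            }
        }
        finally { $reader.Dispose() }
    }
    finally { $cnxn.Dispose() }
}

# Offline check with a constructed location name containing an apostrophe.
# No connection is opened; the SQL text stays constant and the value is bound.
$offline = New-Object System.Data.SqlClient.SqlConnection
$cmd = New-LocationLookupCommand -Connection $offline -Location "O'Hare Field Office"
$cmd.CommandText
$cmd.Parameters['@Location'].Value

# Against a live server (assumed connection string, service account reads the view):
# Get-LocationDetails 'Server=MyServer;Database=ADLookup;Integrated Security=SSPI' 'Chicago'
```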

ARS 6.8 - make "Reason" required


Trying to find the best possible solution for making "Reason" required for all types of requests in ARS 6.8.

 

Any ideas would be greatly appreciated.

ARS Workflow Notifications: HTML/PlainText


Is there any way to convert the HTML workflow notifications into PlainText before they reach the destination?

 

Currently, we have two workflows setup for when a user object is deleted. The workflow runs a script which sends an email to the Remedy system to create a ticket for the actions. The ticket is automatically closed and yay, some bean counter somewhere is happy.

 

We have been tasked with creating more of these workflows but we would much rather use the builtin notifications instead of having to constantly put together these scripts. And there's the addition that the email contains all this stuff specific to Remedy like the following:

 

Impact !10000084848!: Minor/Localized

Urgency !20003933!: 4-Low

Company !!3939303!: Company

Timing !203039393!: Latent

Category !122029292!: Networks

Type !20202020202!: Accounts (1)

 

 

They match up to fields you would find if you went into the Remedy application to fill out a ticket and there's obviously a lot more that goes into the email, I'm just not typing it all but I think the problem with the HTML is that when it gets to Remedy, some of the necessary characters get lost. So, our thinking is if we could get the HTML notifications to go out PlainText for these particular ones, feeding in the extra information (name of object, change being made, etc..) would be so much easier to manage.

Script to delete mailbox 30 days after being deprovisioned


Hello everyone,

I am looking for a deprovisioning script that would flag a mailbox for deletion 30 days after the AD account has been deprovisioned. Any suggestions anyone?

 

Thanks in advance.

LT

ARS 6.8 - notify when Scheduled Task failed to start


I would like to be able to send email notification (or some other type of alert), when a specific ARS Scheduled Task failed to start.

Is there a way to accomplish this?


Update Virtual Attribute with the list in "UPN Suffix"


Hi, I am trying to update a virtual attribute that must contain the list of the UPN suffixes...

Now, I don't want to always put them in manually, but have them updated when there is a new UPN suffix from the Exchange or AD team.

I would put that in the policy as a script, before the virtual attribute is shown on the web front end when the admins enter a new email alias for the user, so the list is always up to date.

Does someone have a script or an idea?

 

kind regards

Pablo

Home folder Deprovisioning after number of days User account deprovisioned


Hello,

For some reasons I have to keep all terminated users in my Active Directory, but what I would like to accomplish is to remove the home folder 45 days after the user account is deprovisioned in Active Roles. I'm currently using Active Roles 6.7. The only option I see is to remove the home folder when Active Roles deletes the user account after X number of days. But we want to keep user accounts as deprovisioned and remove home folders after 45 days. I'm not sure how to move forward. Please help.

Visibility by domain


Hi,

 

We are using two separate domains. The tabs and commands shown in ActiveRoles should differ between those two domains.

As there is only one default form for an object within Active Roles, I think the only way is to hide some tabs and commands based on the domain in which the targeted object resides.

Is there any way to perform this easily?

 

ARS version is 6.8.0

 

Cheers,

 

Trumpeteer

Compliance Reporting and Umlauts


Hi seems I can't post a blog so a discussion will have to do ....

 

I'm writing some compliance reports and scheduling them with ARS - the reports are basically group memberships and they are text files with .csv extensions. The problem I had was that the umlauts were being mangled by Excel when the auditors open the files.

 

The fix......

 

It appears that streamwriter defaults to UTF8 which preserves the umlauts (opening in notepad correctly identified the file as UTF8) but it appears the BOM was not being written to the file so Excel was not correctly formatting the file.

 

 

To fix this I had to explicitly force the StreamWriter to write the BOM.

Create a System.Text.UTF8Encoding object

 

$utf8 = New-Object System.Text.UTF8Encoding($true)

 

Using $false would stop the BOM being written – you might want that option but it seems StreamWriter does that by default anyway

 

Then when you open the file use the object as follows to force the BOM being written to the file

 

$reportFile = new-object system.IO.StreamWriter($filename,$true,$utf8)

 

You write to the file using $reportfile.writeline("Text you want added - or the ad object.attribute for example")

Why do I use the StreamWriter instead of Export-Csv?

1. It's quicker (http://blogs.technet.com/b/gbordier/archive/2009/05/05/powershell-and-writing-files-how-fast-can-you-write-to-a-file.aspx)

2. Export-Csv does not format the file correctly as there are commas in the user names

3. Export-Csv has the same problem writing to the file and if you use the -Encoding switch then you get a single line in quotes so no good for an Excel spreadsheet

4. We're getting away from the point of the post, which is just to tell you how to do it using StreamWriter - if that's what you wanted to do

 

Lee Andrews
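
The approach described in the post above, put together as an added example that is not part of the original post: it writes a report with the BOM-emitting encoding, quotes fields that contain commas, and then checks the file's first bytes. It also confirms that reopening the file in append mode does not write a second BOM. Helper names, the temp file and the sample rows are constructed.

```powershell
# Added example; helper names, temp path and sample rows are constructed.
function ConvertTo-CsvField {
    param([AllowEmptyString()][string] $Value)
    # Quote fields holding a comma, quote or line break; double embedded quotes.
    if ($Value -match '[",\r\n]') {
        return '"' + $Value.Replace('"', '""') + '"'
    }
    return $Value
}

function Add-ReportRow {
    param([string] $Path, [string[]] $Fields)
    $utf8   = New-Object System.Text.UTF8Encoding($true)              # $true = emit BOM
    $writer = New-Object System.IO.StreamWriter($Path, $true, $utf8)  # $true = append
    try {
        $writer.WriteLine((($Fields | ForEach-Object { ConvertTo-CsvField $_ }) -join ','))
    }
    finally { $writer.Dispose() }
}

function Test-SingleUtf8Bom {
    param([string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $startsWithBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and
                     $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    # ReadAllText consumes the leading BOM; any later one would surface as U+FEFF.
    $text = [System.IO.File]::ReadAllText($Path)
    return ($startsWithBom -and $text.IndexOf([char]0xFEFF) -lt 0)
}

$file = Join-Path ([System.IO.Path]::GetTempPath()) 'group-members-sample.csv'
if (Test-Path $file) { Remove-Item $file }

# Umlauts are built from code points so the demo does not depend on how this
# script file itself is encoded.
$member = 'M' + [char]0xFC + 'ller, J' + [char]0xF6 + 'rg'
Add-ReportRow -Path $file -Fields 'Group', 'Member'
Add-ReportRow -Path $file -Fields 'Vertrieb', $member   # second open appends

Test-SingleUtf8Bom -Path $file
Get-Content -Path $file -Encoding UTF8
```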

Activeroles Password Change History


Hi All

 

I need to obtain a report from ARS based on the last time a password was set/changed and by whom. Any ideas?

I've been looking at Quest Knowledge Portal but cannot customise the standard reports, and seeing as I've never used Report Builder, this is a bit of an issue.

Does Active Roles/O365 + QCOS + MSOL Connector work with native Exch mailbox move?


Hi all,

 

[Ivan or Wally - you guys out there?  You Patrons Saints of Migrations....]

 

I reviewed lots of docs, and posts trying to get answers.   I'm not finding info about how "mailbox move" is detected by AR/O365 as opposed to how it works  with AZ DirSync.

My customer wants AR/O365 to replace DirSync (working now pre-migration) and I need more info than what's in the AR/O365 prod docs.

 

I have a 26,000 object Hybrid environment almost deployed with all native tools.  ADFS + Azure DirSync + E2013 Hybrid Servers.  We're idling due to potential switch of dirsync methods.

 

We've let DirSync create the objects and we've played around with 5 MSOL portal-created mailboxes and see the GAL synched via Dirsync.

 

I just don't see what happens with native mailbox moves in an MSOL Hybrid... all talk is of provisioning only "new objects in O365". Nothing about mailbox move and the "changes the object goes through in the move" using native move tools anyway...

 

If we switch to Active Roles, I take it we need to:

1) Disable Dirsync, turn that off in the tenant for O365. (Objects stamped owned by AZ Dirsync left in situ?  Are the rights on the objects adjusted to allow MSOL to manage?)

2) Install AR 6.7 or 6.8, add the O365 add-on.  Configure Quick Sync Engine/Quick Connect Cloud Services/Microsoft Office365 Connector.

3) QUESTION:   Should we open a shell and delete all the objects AZ Dirsync made?   Or leave in place?

4) Configure AR/O365 to re-sync all the objects 

5) Wait for AR/O365 QCSyncEngine to synch to rebuild the GAL.   (Now these are MSOL manageable objects / also manageable by AR/O365)

 

QUESTION:  What mailbox move tools between the environments are supported at this point with AR/O365 as the synch engine?  What's supported?  Any detailed info on synch work to do at move time?

- with Native mailbox move tools

- with QMM / Exchange

 

 

Thanks for the help

 

Tal

Here is how ARS 6.0 creates user mailboxes on Exchange 2003/2007

The following attributes are specified by ARS client (MMC Console, Web Interface) on user mailbox creation:

- edsaCreateMsExchMailbox - virtual non-stored attribute that isn't present in Active Directory;
- mailNickName - Email alias
- homeMDB - distinguished name (DN) of selected mailbox store

None of these three attributes is mandatory. Values for these attributes can be generated by ARS policies such as the Email alias generation policy and the Exchange autoprovision policy.

Next, the behavior of ARS differs according to the version of the target Exchange server:

For Exchange 2003:

The following attributes are generated by ARS service if a mailbox should be created on Exchange 2003 server:

- legacyExchangeDN - distinguished name of mailbox in legacy format. Its value should be unique in Exchange organization
- msExchHomeServerName  -
- homeMTA -
- mDBUseDefaults -
- msExchMailboxGuid -
- msExchMailboxSecurityDescriptor -
- msExchUserAccountControl -

Next, the Exchange 2003 service called the Recipient Update Service (RUS) receives a notification from Active Directory about mailbox creation and applies a corresponding E-mail Address Policy defined in Recipient Policy, according to policy filter and policy priority. The RUS populates all other necessary Exchange attributes, for example:

- proxyAddresses -
- mail -
- etc

For Exchange 2007:

The ARS service calls the following Exchange 2007 cmdlet with parameters:

Enable-Mailbox -Identity userdn -Database storedb -Alias alias -Confirm false -DomainController dcfqdn

..., where userdn is the distinguished name of the user object for whom a mailbox is being created, storedb is the value of the homeMDB attribute, alias is the value of the mailNickname attribute, and dcfqdn is the fully qualified domain name of the domain controller selected by ARS.

This cmdlet applies E-mail Address policies defined in Exchange 2007 server, according to policy filter and policy priority.
 
For both versions of Exchange:
 
If a user meets the filter conditions of more than one E-mail Address Policy, the E-mail Address Policy that has the lowest number is set as the primary address. The E-mail Address Policy that has the lowest number is highest in the priority list. Any other E-mail Address Policies that also apply are set as secondary addresses.


How to create a Bulk Dynamic Groups in ARS?


I have ARS 6.7 with Exchange 2007; I have a requirement to create groups in bulk in Active Directory, about 500 groups.

The requirement is to create (Mail enabled Dynamic Security Group); I have an LDAP query for each group. I can create them using the GUI but it will take very long to create each group separately.

Can someone help / guide me on how to create them using the command line / a script within ARS?

 

Any help would be appreciated.

 

Thanks.

Group members controlled by temporal setting and PowerShell


Using PowerShell, how do you get the pending members in a group with temporal settings? I would like to retrieve all members with associated temporal settings. Once I have that I am pretty sure I can manipulate it.

 

Thanks

Replace Umlaute(ä,ü,ö)


Hi,

 

Is there a way to replace Umlaute (ä, ü, ö) in a request directly? I have tested something but nothing works.

 

e.g.

function onGetEffectivePolicy($Request)
{
    $string = "%<sn>%<givenname>"
    $string.replace("ü","ue")
    $Request.SetEffectivePolicyInfo("cn", $Constants.EDS_EPI_UI_POLICY_VALUE, $string)
}

 

It would be nice to see the result directly.

 

Thanks!!

User attribute web reporting

Hello,
I have read the ARS Reporting FAQ and would be interested if someone out there has a template or example project available to report on a bunch of user attributes.

I am having slight problems in creating the correct views and report models that allow me the reporting of simple user information with several user attributes but I am quite sure that I will manage with the help of an example...

Thanks in advance.

Markus

QARSManagedUnit, Anyone?


QADMS 1.6, the version that goes with ARS 6.8, has added several cmdlets, but still doesn't include cmdlets specifically designed for working with Managed Units. Am I the only one interested in *-QARSManagedUnit cmdlets, to parallel the other ARS-specific types (QARSAccessTemplateLink, etc.)? I've got a couple of messy snippets hanging about, and am trying to decide how tidy I want to make them. So far, the main thing I've done is re-write query-based membership rules into explicitly-defined memberships, meant for MUs with really static memberships.

 

Examples for a potential module include:

 

- Get-QARSManagedUnit: pulls those objects, based on either a distinguished name or the common name and optional search root, making sure to include the most relevant properties

 

- Set-QARSManagedUnit: would allow adding or removing an object from a ManagedUnit's membership list, or what really drove me to start this, converting a query-based inclusion/exclusion rule to a list of explicitly-defined inclusions and/or exclusions.

 

- New-QARSManagedUnit: would create a new edsManagedUnit in a specific location and take criteria for membership

 

I've posted my work so far on my blog, but if there's enough interest, I'll clean it up and make it a little module you can load after the QADMS PS Snap-In starts. I will target 1.5 (ARS 6.7).

 

Please let me know - even if your answer is, "why in the world would you want to do that?"

 

ARS Spring Cleaning: Converting Query-Based Managed Unit Memberships to Explicitly-Defined Ones
