Managed Units don't show deprovisioned users and ARS policies do not apply to deprovisioned users

Add the "Retain Deprovisioned" membership rule into your Managed Unit and the default behaviour will be changed.

One down and one to go - I'd somehow missed that rule in the MU configuration. Have I missed something similar with the ARS policies?

Are the policies applied via a Managed Unit?

No these are policies applied directly to the OUs. The polices work fine until the accounts are deprovisioned then they appear to be ignored and the accounts can be enabled.

it's a simple script policy and it just does not trigger when the account is in a deprovisioned state.

function onPreModify($Request) {
# check if the request object is a user object
if ($Request.Class -ne "user") { return }
if ( $(IsAttributeModified -strAttributeName 'edsaAccountIsDisabled' -Request $Request) ) {
# Initialise variables
$debugLevel = [string]$PolicyEntry.Parameter("debugging")
# get the user name to use in any event log entries
$username = Get-Value $DirObj "sAMAccountName"
$uacvalue = Get-Value $request "edsaAccountIsDisabled"
if ( $debugLevel -ge 9 ) { $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,"$($ScriptName)_$($scriptVersion) >>>>>>> in onPreModify User: $username UAC: $uacvalue") }
# check if the account is being enabled
if ( $uacvalue -eq $false ) {
# account is enabled because -band 2 = 0
$HRStatus = Get-Value $DirObj "primaryTelexNumber"
if ( $debugLevel -ge 9 ) { $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,"$($ScriptName)_$($scriptVersion) >>>>>>> <<<<<<< USER ENABLED >>>>>>>>>>> : userAccountControl is modified HRStatus : $HRStatus") }
if ( $HRStatus -eq "Deprovision" ) { throw "HR have marked the account as disabled - you must raise a SN request to have the restriction lifted by HR" }
}
}
}

This looks like a scripting error. The $uacvalue value was not being populated.

I don't know what the "Get-Value" function is doing, but attempting to use a .Get() on an Active Roles constructed attribute will not provide the expected results.

This below script works just fine (I removed some checks and the logging functionality):

function onPreModify($Request) {
# check if the request object is a user object
if ($Request.Class -ne "user") { return }
$username = $DirObj.Get("sAMAccountName")

$uacvalue = get-qaduser $request.dn -DontUseDefaultIncludedProperties `````
-IncludedProperties edsaAccountIsDisabled -proxy

if ( $uacvalue -eq $false ) {

$HRStatus = $DirObj.Get("primaryTelexNumber")
if ( $HRStatus -eq "Deprovision" ) { throw "HR have marked the account as disabled - you must raise a SN request to have the restriction lifted by HR" }
}
}

Wait, I take that back - I thought that I was running the last test against a deprovisioned account, but it was enabled.

After deprovisioning the account, the policy does not fire at all.

A Workflow does fire as expected, even against a deprovisioned target.

The script could be modified to use a Workflow as a trigger.

Okay, I have this figured out.

Add the same script into a Deprovisioning policy as a script module. Then, it will fire against Deprovisioned objects.

You are a star! I never thought of doing that, but it makes sense now you have suggested it and having tested it it works!

My script works fine on all accounts that have not been deprovisioned - This was just the event handler, Get-Value is one of the library best practice functions Quest used to provide ( not included in the snippet I posted ), not sure if teh library functions are still provided or listed in the SDK but these scripts go back 7 years and have been working fine until someone decided to enable a deprovisioned account recently.

Thanks for discovering that Deprovision Policies still fire on deprovisioned accounts - this makes such sense now that I think about it and it opens up a whole new smorgasbord of scripting opportunities - I still love this products flexibility and ease with which it can be customized and cajoled into working Identity Magic :-)