
Managed Units don't show deprovisioned users and ARS policies do not apply to deprovisioned users

In the same way as you can change whether dynamic groups can contain non-mail-enabled accounts, why can't we choose whether an MU contains deprovisioned accounts?

It can be limiting that ARS effectively ignores deprovisioned accounts. 

I have policies in place to help (prevent) the SD doing something they shouldn't, like enabling an account HR have marked as a leaver, but once the account is deprovisioned these policies no longer work, so the SD can enable the account.

Also, I have teams whose only access is via the Managed Unit. If they deprovision a user account, it becomes invisible to them, as it can no longer be a member of the Managed Unit. If my query for the MU includes a filter to locate deprovisioned users, then ideally the MU should display those users.

  • No, these are policies applied directly to the OUs. The policies work fine until the accounts are deprovisioned; then they appear to be ignored and the accounts can be enabled.

    It's a simple script policy, and it just does not trigger when the account is in a deprovisioned state.

    # $ScriptName and $scriptVersion are assumed to be set elsewhere in the script module;
    # $Request, $DirObj, $PolicyEntry, $EventLog and $Constants are supplied by Active Roles.
    function onPreModify($Request) {
        # check if the request object is a user object
        if ($Request.Class -ne "user") { return }
        if ( $(IsAttributeModified -strAttributeName 'edsaAccountIsDisabled' -Request $Request) ) {
            # Initialise variables. Cast to [int] so that "-ge 9" below is a numeric comparison;
            # with a [string] cast, a value such as "10" would compare as text and fail the test.
            $debugLevel = [int]$PolicyEntry.Parameter("debugging")
            # get the user name to use in any event log entries
            $username = Get-Value $DirObj "sAMAccountName"
            # the new value of the virtual attribute carried by the request ($false = account is being enabled)
            $uacvalue = Get-Value $Request "edsaAccountIsDisabled"
            if ( $debugLevel -ge 9 ) { $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,"$($ScriptName)_$($scriptVersion) >>>>>>> in onPreModify User: $username UAC: $uacvalue") }
            # check if the account is being enabled
            if ( $uacvalue -eq $false ) {
                # edsaAccountIsDisabled = $false means the request clears the disabled flag, i.e. enables the account
                $HRStatus = Get-Value $DirObj "primaryTelexNumber"
                if ( $debugLevel -ge 9 ) { $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,"$($ScriptName)_$($scriptVersion) >>>>>>> <<<<<<< USER ENABLED >>>>>>>>>>> : edsaAccountIsDisabled is modified HRStatus : $HRStatus") }
                # HR marks leavers by setting primaryTelexNumber to "Deprovision"; refuse the enable in that case
                if ( $HRStatus -eq "Deprovision" ) { throw "HR have marked the account as disabled - you must raise a SN request to have the restriction lifted by HR" }
            }
        }
    }
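The gap described in the original post and in the reply above is that the pre-modify policy is never evaluated once an account is deprovisioned, so an enable that HR has forbidden goes through silently. The following PowerShell is an added example, not code from the poster or from Active Roles: it is a compensating detective control that reads the domain controller Security log for event 4722 ("A user account was enabled") and reports any enabled account whose HR marker (primaryTelexNumber set to "Deprovision", the same convention the policy above relies on) says it should have stayed disabled. The decision logic is separated from the event collection and the AD lookup so it can be exercised offline against constructed sample data; the function and variable names, the sample account names and the DC name 'DC01' are all assumptions of this example. It requires the ActiveDirectory module and rights to read the Security log for live use.

```powershell
# Added example: detect enables of HR-marked leavers after the fact, since the
# ARS script policy does not fire for deprovisioned accounts.

function Get-EnabledAccountEvents {
    # Collect 4722 events ("A user account was enabled") from a DC's Security log.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4722; StartTime = $Since
    } | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Target      = $data['TargetUserName']   # account that was enabled
            EnabledBy   = $data['SubjectUserName']  # who enabled it
        }
    }
}

function Test-EnableViolation {
    # Pure decision logic: emit a finding when an enabled account carries the HR
    # "Deprovision" marker. $GetHRStatus resolves sAMAccountName -> primaryTelexNumber,
    # so the same function works against AD or against constructed test data.
    param(
        [Parameter(Mandatory)][pscustomobject]$Event,
        [Parameter(Mandatory)][scriptblock]$GetHRStatus
    )
    $status = & $GetHRStatus $Event.Target
    if ($status -eq 'Deprovision') {
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Account     = $Event.Target
            EnabledBy   = $Event.EnabledBy
            Finding     = 'Account enabled although HR marked it Deprovision'
        }
    }
}

# Live lookup against AD (assumes the ActiveDirectory module is installed).
$adLookup = {
    param($sam)
    (Get-ADUser -Identity $sam -Properties primaryTelexNumber -ErrorAction SilentlyContinue).primaryTelexNumber
}

# Constructed sample data (not real accounts) so the logic can be checked without a domain.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Target = 'jsmith'; EnabledBy = 'sd-operator1' },
    [pscustomobject]@{ TimeCreated = Get-Date; Target = 'ajones'; EnabledBy = 'sd-operator1' }
)
$sampleLookup = { param($sam) @{ jsmith = 'Deprovision'; ajones = 'Active' }[$sam] }

$findings = $sampleEvents | ForEach-Object { Test-EnableViolation -Event $_ -GetHRStatus $sampleLookup }
$findings | Format-Table -AutoSize

# Live use against a DC (name is a placeholder):
# Get-EnabledAccountEvents -ComputerName 'DC01' |
#     ForEach-Object { Test-EnableViolation -Event $_ -GetHRStatus $adLookup }
```

Running the constructed sample yields one finding, for jsmith, because only that account carries the "Deprovision" marker. In production the output would feed an alert or a scheduled report to HR, which closes the loop the preventive policy cannot close for deprovisioned accounts: the enable still happens, but it no longer happens unnoticed.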