
Managed Units don't show deprovisioned users and ARS policies do not apply to deprovisioned users

In the same way as you can change the way dynamic groups can contain non-mail-enabled accounts, why can't we choose if a MU contains deprovisioned accounts?

It can be limiting that ARS effectively ignores deprovisioned accounts. 

I have policies in place to help (prevent) the SD doing something they shouldn't, like enable an account HR have marked as a leaver, but once the account is deprovisioned these policies no longer work, so the SD can enable an account.

Also I have teams whose only access is via the Managed Unit - if they deprovision a user account then it becomes invisible to them as it can no longer be a member of the Managed Unit. If my query for the MU includes a filter to locate deprovisioned users then ideally the MU should display the users.

  • This looks like a scripting error. The $uacvalue value was not being populated.

    I don't know what the "Get-Value" function is doing, but attempting to use a .Get() on an Active Roles constructed attribute will not provide the expected results.

    The script below works just fine (I removed some checks and the logging functionality):

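    function onPreModify($Request) {
        # Only act on user objects
        if ($Request.Class -ne "user") { return }
        $username = $DirObj.Get("sAMAccountName")

        # edsaAccountIsDisabled is an Active Roles constructed attribute, so read it
        # through the Active Roles proxy (-proxy) rather than with .Get()
        $user = Get-QADUser $Request.DN -DontUseDefaultIncludedProperties `
            -IncludedProperties edsaAccountIsDisabled -proxy
        # Get-QADUser returns a user object; take the attribute value from it
        $uacvalue = $user.edsaAccountIsDisabled

        if ($uacvalue -eq $false) {
            # HR status flag is read from primaryTelexNumber
            $HRStatus = $DirObj.Get("primaryTelexNumber")
            if ($HRStatus -eq "Deprovision") {
                throw "HR have marked the account as disabled - you must raise a SN request to have the restriction lifted by HR"
            }
        }
    }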