Hey,
Is it at all possible for Active Roles to trigger off of a change made in the underlying Active Directory as opposed to within Active Roles itself?
Scenario:
I suspect this is not possible because when I check the Change Log in AR, there is no mention of keys being added to the computer object. I understand why this happens and didn't expect to see that in the AR logs, but I am just curious if there are any other methods for detecting something like this.
Regards,
Todd
You are too quick for me, sir.
This can be done. You just need to enable the detection of changes from the Dirsync control. There is a school of thought that this type of detection can be impactful on the Active Roles Service's performance, but it's worth a try, as if you are doing this on only a limited basis it's not likely to be a big issue.
You have to enable "Handle changes from DirSync control" option on the policy script that will detect the change.
Here's a discussion of the concept:
www.oneidentity.com/.../setting-a-virtual-attribute-triggered-from-dirsync-change
I appreciate both you guys answering!
Based on the KB and the linked forum post I think I understand how it would work.
It appears to basically work the same way it would if you were dealing with ARS directly.
A few additional questions:
I will see if I can create just a short dummy script to just test the triggering, I am curious to see how it will.
Thank you for your help guys!
Regards,
Todd
There is no log for the DirSync event, as such, but there is a log for the script module. You can examine the $Request and other Workflow objects by writing them to a file or by reviewing the Debugging log.
Enable the logging by right-clicking on the script module in the Active Roles Console and go to Properties | Debugging
todd harrison - I implement my own log function in all of my scripts as I find the built-in debug logging very "unfriendly". Here's an example:
function Logit ($Text) # Simple function for creating timestamped log entries
{
    $LogPath = "\\ARServer\LogsShare\MyCurrentScriptName\MyCurrentScriptName_log.txt"
    # "HH" is a 24-hour clock; "hh" would stamp 01:00 for both 1 AM and 1 PM
    $Timestamp = Get-Date -Format "MM/dd/yyyy HH:mm:ss"   # -Format already returns a string
    $Text = $Timestamp + " " + $Text
    Add-Content -Path $LogPath -Value $Text
} # End of Logit function declaration

# Here's some sample code
Function MyPolicyScriptFunction ($Request)
{
    $RequestUser = $Request.DN    # DN of the object this request acts on
    Logit "In-process user is [$RequestUser]"
}
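Putting the two replies together (Johnny's "Handle changes from DirSync control" option and Richard's own-log-function pattern), here is an added example of what a complete policy script module for this job could look like. It is my code, not from the thread and not from the Active Roles SDK samples. Assumptions: the policy the module is attached to has "Handle changes from DirSync control" enabled; $Request and $DirObj are the standard objects Active Roles passes to handlers; $Request.IsAttributeModified is used as the SDK documents it; the watched attribute name, the share path and the mutex name are placeholders to replace with your own.

```powershell
# Added example of an Active Roles policy script module (my code, not from the
# thread or the Active Roles SDK). Assumes the policy it is attached to has
# "Handle changes from DirSync control" enabled, so the onPost* handlers below
# also run for changes made natively in AD once the Service's DirSync search
# sees them. $Request and $DirObj are the objects Active Roles hands to every
# handler; the attribute name, log path and mutex name are placeholders.

$script:WatchedAttribute = "description"                                   # placeholder
$script:LogPath = "\\ARServer\LogsShare\DirSyncWatch\DirSyncWatch_log.txt"  # placeholder

function Write-WatchLog {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Every handler invocation on the Service appends to the same file, so
    # serialise writers with a named mutex rather than hoping Add-Content wins.
    $line  = "{0} [{1}] {2}" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $PID, $Message
    $mutex = New-Object System.Threading.Mutex($false, "Global\DirSyncWatchLog")
    $held  = $false
    try {
        $held = $mutex.WaitOne(5000)   # on timeout we still write, just unserialised
        Add-Content -Path $script:LogPath -Value $line -ErrorAction Stop
    } catch {
        # A logging failure must never fail the directory request itself.
    } finally {
        if ($held) { [void]$mutex.ReleaseMutex() }
        $mutex.Dispose()
    }
}

function Get-AttributeText {
    # Reads the attribute as it now is in the directory. $DirObj.Get throws
    # when the attribute is not set, so report that instead of erroring.
    param($Object, [string]$Attribute)
    try   { (@($Object.Get($Attribute)) | ForEach-Object { "$_" }) -join ";" }
    catch { "<not set>" }
}

function onPostModify($Request)
{
    if ($Request.Class -ne "computer") { return }                               # only computer objects
    if (-not $Request.IsAttributeModified($script:WatchedAttribute)) { return }  # only the attribute we watch

    $value = Get-AttributeText -Object $DirObj -Attribute $script:WatchedAttribute
    Write-WatchLog ("MODIFY {0}: {1} is now [{2}]" -f $Request.DN, $script:WatchedAttribute, $value)
}

function onPostCreate($Request)
{
    # Catches the case where what you are watching for arrives as a new
    # object (for example a child of the computer) rather than as an attribute.
    Write-WatchLog ("CREATE {0} (class {1})" -f $Request.DN, $Request.Class)
}
```

Two things worth knowing before relying on it. Because a native change has already happened in AD by the time the DirSync search reports it, only the post-event handlers are useful here; a pre-event handler cannot block such a change. And the module cannot tell a DirSync-detected change from one made through an Active Roles client, so it logs both; per Johnny's performance note, keep the policy scoped to the containers you actually need to watch.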
This ask can be done in Active Roles in two ways:
1) Via a custom policy script.
2) Via a scheduled Automation Workflow.
A custom policy script can be triggered by native changes if the associated policy is set to "Handle changes from DirSync control".
For more information, see this solution:
Title: Active Roles Provisioning Policies are only triggered by Active Roles clients
Solution: 311680
URL: https://support.oneidentity.com/kb/311680
Although an Automation Workflow is not a "triggered change", the end result may be just about the same due to delays resulting from Active Directory replication.
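Richard's second option, a scheduled Automation Workflow, needs something to run on the schedule. The script below is an added example of what such a workflow (or a plain scheduled task) could run; it is my code, not from the thread and not One Identity's. Instead of relying on the Active Roles Service, it asks a domain controller directly for "what changed since last time" using the same LDAP DirSync control that the "Handle changes from DirSync control" option is built on, and it keeps the DirSync cookie on disk between runs. The server name, base DN, cookie path and watched attribute are placeholders.

```powershell
# Added example (my code, not from the thread or from One Identity) of a script a
# scheduled Automation Workflow or plain scheduled task could run: it asks one DC
# for "what changed since last time" with the LDAP DirSync control and keeps the
# cookie on disk between runs. Placeholders: $Server, $BaseDN, $CookiePath,
# $WatchedAttributes.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server            = "dc01.example.com"                        # placeholder; cookies are DC-specific, so always use the same DC
$BaseDN            = "DC=example,DC=com"                       # placeholder; DirSync must be rooted at a naming context head
$CookiePath        = "C:\ProgramData\DirSyncWatch\cookie.bin"  # placeholder; this is sync state, restrict who can write it
$WatchedAttributes = @("description")                          # placeholder list of attributes to report on

function Read-DirSyncCookie([string]$Path) {
    if (Test-Path -Path $Path) { return ,[System.IO.File]::ReadAllBytes($Path) }
    return ,(New-Object byte[] 0)                              # empty cookie = full initial sync
}

function Save-DirSyncCookie([string]$Path, [byte[]]$Cookie) {
    [void](New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path))
    [System.IO.File]::WriteAllBytes($Path, $Cookie)
}

function Get-DirSyncChanges {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$BaseDN,
        [string]$Filter = "(objectClass=computer)",
        [string[]]$Attributes = @("description"),
        [byte[]]$Cookie = (New-Object byte[] 0)
    )
    $ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true                        # Kerberos sign + seal: no cleartext LDAP on the wire
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                                                # as the account running the task

    # ObjectSecurity makes the DC return only what the caller may read, so the account
    # needs no "Replicating Directory Changes" right: least privilege for a watcher.
    $options = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity
    $control = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl($Cookie, $options)
    $scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDN, $Filter, $scope, ($Attributes + "isDeleted"))
    [void]$request.Controls.Add($control)

    $changes = New-Object System.Collections.Generic.List[object]
    do {
        $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
        $dirSync  = $response.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        foreach ($entry in $response.Entries) {
            $attrs = @{}                                        # DirSync returns only the attributes that changed
            foreach ($name in $entry.Attributes.AttributeNames) {
                $attrs[$name] = @($entry.Attributes[$name].GetValues([string])) -join ";"
            }
            $changes.Add([pscustomobject]@{
                DN        = $entry.DistinguishedName
                IsDeleted = ($attrs.ContainsKey("isDeleted") -and $attrs["isDeleted"] -eq "TRUE")
                Changed   = $attrs
            })
        }
        $control.Cookie = $dirSync.Cookie                       # page through; the final cookie is the new watermark
    } while ($dirSync.MoreData)
    $conn.Dispose()

    [pscustomobject]@{ Changes = $changes.ToArray(); Cookie = $dirSync.Cookie }
}

$cookie = Read-DirSyncCookie -Path $CookiePath
$result = Get-DirSyncChanges -Server $Server -BaseDN $BaseDN -Attributes $WatchedAttributes -Cookie $cookie
if ($cookie.Length -eq 0) {
    # No cookie yet: this run enumerates every matching object. Treat it as the baseline, not as changes.
    Write-Output ("Baseline established over {0} objects" -f $result.Changes.Count)
} else {
    foreach ($change in $result.Changes) {
        $what = "DELETED"
        if (-not $change.IsDeleted) {
            $what = ($change.Changed.Keys | Where-Object { $_ -in $WatchedAttributes }) -join ","
        }
        if ($what) { Write-Output ("{0} {1}: {2}" -f (Get-Date -Format s), $change.DN, $what) }
    }
}
Save-DirSyncCookie -Path $CookiePath -Cookie $result.Cookie
```

Caveats a practitioner should know: the first run with no cookie returns every matching object and is a baseline, not a change set; the cookie is tied to the DC that issued it, so point the script at one DC (or handle a cookie rejection by re-baselining); with ObjectSecurity the account only sees what it can read, so deletions appear only if it can read the Deleted Objects container; and, as Richard notes, you are still seeing a change only once it has replicated to the DC you are querying.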