Populating a field on the Web UI using a script.

I am trying to set up a field on the Web UI to be populated when a computer object is viewed using a script. For example: Users look at the properties of an AD computer -> script is executed, and the result is shown in a read-only field.

Thanks!

  • One way this could be accomplished is the use of the onPostGet event handler. Review this in the Active Roles SDK as well as the following support article. As this KB article indicates, if not coded properly, this event handler should be used with the knowledge that it can be very taxing on the Administration Service and could cause slowness/unresponsiveness as objects are viewed.

    How To Populate a Virtual Attribute that is NOT Stored in the Database (4256736) (oneidentity.com)

  • Maybe I can give you more context on what I am trying to do. I am working on a script to try and get the Windows LAPS password from AD. Since the attribute is encrypted, I have to run PowerShell to get the value I am looking for. This is my first script for ARS so no idea if I am even close to being correct.

    $machineName = $this
    
    function LAPSPassword($Request)
    {
    $customValue = Get-LapsADPassword -Identity "$machineName" -AsPlainText | Select-Object Password
    $machineName.VirtualAttributes["edsvaLAPS"] = $customValue
    }

  • function onGetEffectivePolicy($Request){

    if($Request.Class -eq "user"){
    $customValue = Get-LapsADPassword -Identity "$machineName" -AsPlainText | Select-Object Password

    $strAttrname = "edsvaLAPS"
    $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_GENERATED_VALUE, $customValue)
    $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_AUTO_GENERATED, $strAttrname)

    }#end request class

    }#end on get effective policy

    something like that

    Look in the SDK if you need more. You can go crazy doing different things using SetEffectivePolicy

  • Thank you. I will try this out. For my understanding, how does the script get the $machinename variable?

  • How are you calling this script? From a workflow or something?

    If the machine name is in another attribute on the page you can use $Request.Get("attributeName")

    Then you'd have to add a line where it's a RELOAD:

        $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_RELOAD_EPI_BY_RULE, 'FirstattributeName')

  • I was hoping to have a field on the web UI that was populated from the script's result. I am not 100% sure how to do this completely, so just taking it one step at a time.

  • Here is the script I have so far.  I have added the virtual attribute to the web UI but still not getting any results.  I have set the Workflow to run on demand and linked it to the script below.

    function onPostGet($Request){
    
    if($Request.Class -eq "computer"){
    $machineName = $Request.Get("cn")
    
    $customValue = Get-LapsADPassword -Identity "$machineName" -AsPlainText | Select-Object Password
    
    $strAttrname = "edsvaLAPS"
    
    $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_GENERATED_VALUE, $customValue)
    $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_AUTO_GENERATED, $strAttrname)
    $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_RELOAD_EPI_BY_RULE, $machineName)
    
    }#end request class
    
    }#end on get effective policy

  • Try changing the event handler from onPostGet to onGetEffectivePolicy. Also, remove the RELOAD_EPI_BY_RULE line and have those three lines resemble the following. This should result in the attribute being marked read-only and having a lightning bolt button next to it. The LAPS password will then be displayed once that button is clicked.

    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $customValue)
    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)
    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $customValue)


    Also, in order for this to work, the script should be added to a Provisioning Policy and not a Workflow. The Policy should then be linked to the OU where the Computer objects reside.

    If you are looking for the customValue to be displayed without needing to click a button, then use the onPostGet handler as you have above and have these lines at the top of the function:

    if ($Request.class -ne "computer") {return}
    if ($Request.IsAttributeRequested("edsvaLAPS") -eq $false) {return}

    Then remove the three SetEffectivePolicyInfo lines and replace them with this single line:

    $Request.Put($strAttrname, $customValue)

  • Thank you. That makes a lot more sense. I have made the suggested updates but am now getting this error when I click on the lightning bolt:

    Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 500

  • Thank you.  I was able to get past that error but get a new one after I click on the lightning bolt:  Cannot generate unique edsvaLAPS (edsvaLAPS) using configured rules. Enter this value manually.  How do I troubleshoot next steps?

    function onGetEffectivePolicy($Request){
    
    if($Request.Class -eq "computer"){
    
    $machineName = $Request.Get("cn")
    
    $customValue = Get-LapsADPassword -Identity "$machineName" -AsPlainText | Select-Object Password
    
    $strAttrname = "edsvaLAPS"
    
    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $customValue)
    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)
    $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $customValue)
    
    }#end request class
    
    }#end on get effective policy
    

  • I take it the line that is populating $customValue works outside of Active Roles and returns a value? You will need to account for Computer objects that may not have a LAPS password in AD, or an error occurs with the running of the Get-LapsADPassword cmdlet and $customValue is getting set to $null. Wrap the Get-LapsADPassword in a Try/Catch and after that add something like below, so that $customValue will always get set to a non-null value.

          if ($customValue -eq $null)
          {
             # An error occurred
             $customValue = "An error occurred, verify that this computer is registered with LAPS"
          }

    Also, to continue looking into this a little further, within the properties of the Script Module itself, you can enable logging under the Debugging tab. Enable the bottom, most verbose selection in the list, reproduce the issue and then come back to the Debugging tab. Search the resulting log file for "SET $customValue". A few lines above the SET line, you will see Active Roles running the PowerShell cmdlet and what it is setting this variable to. This could further help determine if data is getting returned from the running of Get-LapsADPassword.
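
The null and error handling suggested in the replies above, combined with the onPostGet variant into one handler, as an added example that is not part of any post in this thread and is not One Identity's code. `Resolve-LapsDisplayValue` and its `-Lookup` parameter are hypothetical names; `edsvaLAPS`, `cn` and the `$Request` calls are the ones used in the thread, and `-ErrorAction Stop` is added here because try/catch only sees terminating errors.

```powershell
# Added example; hypothetical helper, not taken from the thread or the SDK.
# Turns the result of a LAPS lookup into a plain string that is never $null.
# $Lookup is injectable so the logic can be exercised without AD or Active Roles.
function Resolve-LapsDisplayValue {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [scriptblock] $Lookup = {
            param($Name)
            # Without -ErrorAction Stop a non-terminating error skips the catch block.
            Get-LapsADPassword -Identity $Name -AsPlainText -ErrorAction Stop
        }
    )
    $fallback = "An error occurred, verify that this computer is registered with LAPS"
    try {
        $result = & $Lookup $ComputerName
    }
    catch {
        return $fallback
    }
    # "Select-Object Password" yields an object that still wraps the value;
    # read the Password property itself so the attribute receives a string.
    $password = $null
    if ($null -ne $result) { $password = @($result)[0].Password }
    if ([string]::IsNullOrEmpty($password)) { return $fallback }
    return [string] $password
}

# Handler shape from the thread: fill the attribute only for computer objects
# and only when the caller actually requested edsvaLAPS.
function onPostGet($Request) {
    if ($Request.Class -ne "computer") { return }
    if ($Request.IsAttributeRequested("edsvaLAPS") -eq $false) { return }
    # The value is plaintext: whoever can read edsvaLAPS sees the password.
    $Request.Put("edsvaLAPS", (Resolve-LapsDisplayValue -ComputerName $Request.Get("cn")))
}

# Constructed checks with stub lookups (no AD needed); omit these lines when
# pasting the functions into a Script Module.
$found   = Resolve-LapsDisplayValue -ComputerName "PC01" -Lookup { [pscustomobject]@{ Password = "constructed-sample" } }
$missing = Resolve-LapsDisplayValue -ComputerName "PC02" -Lookup { $null }
$failed  = Resolve-LapsDisplayValue -ComputerName "PC03" -Lookup { throw "constructed lookup failure" }
"found:   $found"
"missing: $missing"
"failed:  $failed"
```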

  • Thank you for the information.  Did some more testing.

    1) Doesn't look like the lightning bolt icon is triggering the script.  Click and the debug log is empty.

    2) I created a workflow to run the script just for testing and the output is below.

    WARNING: The names of some imported commands from the module 'ActiveRolesManagementShell' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.
    <-------------------------------------------------------------->
    <----  New Debug Session  6/9/2023 10:19:38 AM ---->
    <-------------------------------------------------------------->
    <------------------- $Request  XML ------------------------>
     <RunScheduledWorkflowRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" dn="CN=Workflow,CN=Policies,CN=Configuration" isStartedBySchedule="false" xmlns="urn:schemas-quest-com:ActiveRolesServer" /> 
     <------------------- $Request  XML ------------------------>
    Call:  Set-PSDebug -trace 2
    DEBUG:    1+  >>>> s8a4c23af-b8e7-42b6-adeb-fc2cd3ef4a40 'onGetEffectivePolicy' $Request
    DEBUG:     ! CALL function '<ScriptBlock>'
    DEBUG:   29+   >>>> &$args[0] $args[1]
    
    DEBUG:     ! CALL function '<ScriptBlock>'
    DEBUG:    1+ function onGetEffectivePolicy($Request) >>>> {
    
    DEBUG:     ! CALL function 'onGetEffectivePolicy'
    DEBUG:    3+     if( >>>> $Request.Class -eq "computer"){
    
    DEBUG:   23+  >>>> } #end on get effective policy
    
    <------------------- $Request  XML ------------------------>
     <RunScheduledWorkflowRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" dn="CN=Workflow,CN=Policies,CN=Configuration" isStartedBySchedule="false" xmlns="urn:schemas-quest-com:ActiveRolesServer" /> 
     <------------------- $Request  XML ------------------------>

    Updated script:

    function onGetEffectivePolicy($Request){
    
        if($Request.Class -eq "computer"){
        
            $machineName = $Request.Get("cn")
    
            try {
                $customValue = Get-LapsADPassword -Identity "$machineName" -AsPlainText | Select-Object Password
            }
            catch {
                # An error occurred
                $customValue = "An error occurred, verify that this computer is registered with LAPS"
            }
    
            $strAttrname = "edsvaLAPS"
        
            $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $customValue)
            $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)
            $Request.SetEffectivePolicyInfo($strAttrName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $customValue)
        
        } #end request class
        
    } #end on get effective policy