Workflow and using value generated by rule expression with script

Hi,

I am currently attempting to write a workflow that would dynamically update the AD attribute "accountExpires" for all users provisioned via our HRIS system.

My idea was to use a workflow to search for any user with an expiring account within 15 days or less. For all found accounts, I would update the "accountExpires" attribute with a date 1-year in the future of whatever the current date is of the accountExpires attribute.

So, if the current date of the "accountExpires" attribute is 05/07/2023, then we would update the value to 05/07/2024.

Within the workflow, I am using a "Search for objects" followed by a "Change object properties" > "Target Properties" > Property: "accountExpires" > "Value generated by rule expression".

The problem I am running into is I don't know how to reference the found object. I have tried the following method:

    $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

This generated the following error:

    DEBUG:     ! CALL function 'GenerateAccountExpiration'
    DEBUG:    5+      >>>> $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

      Call '$Workflow.FoundObject'
    ERROR:
    At line: 5 char:5. You cannot call a method on a null-valued expression.

Here is the code within the script I am running:

    function GenerateAccountExpiration ()
    {

        $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

        $Integer8 = ((Get-ADUser -Filter { userPrincipalName -eq $user } -Properties accountExpires).accountExpires)
        $newExpiryDate = ([datetime]::FromFileTimeUTC($Integer8)).AddDays(365)

        $newExpiryDate

    }
 

I know this script can probably be more efficient; I am just trying to work on a POC at the moment :)

Is it not possible to reference the $workflow.FoundObject values from within a "Change object properties" script?

Thank you!

P.S. Does anyone know how to post screenshots? I saw someone else ask this and they said you can just paste the screenshot in. When I try that the space I am pasting into just gets deleted. Do you have to post screenshots on an external source first?
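The date arithmetic from the question, as an added example that is not part of the original post and is not One Identity code. It uses only .NET date calls; the function name `Get-RenewedAccountExpires`, its parameters and the sample values are hypothetical, and skipping already-expired accounts is an assumption. It shows two edge cases the posted function does not cover: the "never expires" sentinel values of accountExpires, and `AddDays(365)` landing a day short when a leap day falls inside the year (05/07/2023 becomes 05/06/2024), which `AddYears(1)` avoids.

```powershell
# Added example: hypothetical helper, constructed sample data, .NET date APIs only.
# accountExpires is an Integer8 FILETIME: 100-ns intervals since 1601-01-01 UTC.
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"; the latter cannot be
# represented as a [datetime], so it must be filtered before conversion.
$NeverExpires = @([int64]0, [int64]::MaxValue)

function Get-RenewedAccountExpires {
    param(
        [Parameter(Mandatory)][int64]$AccountExpires,
        [int]$WindowDays = 15,
        [datetime]$Now = [datetime]::UtcNow
    )
    if ($NeverExpires -contains $AccountExpires) { return $null }

    $current = [datetime]::FromFileTimeUtc($AccountExpires)

    # Assumption: accounts that have already expired are left alone, so a
    # disabled-by-expiry account is never silently re-enabled by the renewal.
    if ($current -lt $Now) { return $null }
    # Only renew when the expiry falls inside the look-ahead window.
    if ($current -gt $Now.AddDays($WindowDays)) { return $null }

    $renewed = $current.AddYears(1)   # calendar year, leap-day safe
    [pscustomobject]@{
        Current  = $current
        Renewed  = $renewed
        Integer8 = $renewed.ToFileTimeUtc()
    }
}

# Constructed sample values, evaluated against a fixed "now" of 2023-04-25 UTC.
$now = [datetime]::new(2023, 4, 25, 0, 0, 0, [DateTimeKind]::Utc)
$samples = [ordered]@{
    'expires 2023-05-07' = [datetime]::new(2023, 5, 7, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'expires 2023-09-01' = [datetime]::new(2023, 9, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'expired 2023-04-01' = [datetime]::new(2023, 4, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'never (0)'          = [int64]0
    'never (max)'        = [int64]::MaxValue
}

foreach ($name in $samples.Keys) {
    $result = Get-RenewedAccountExpires -AccountExpires $samples[$name] -Now $now
    if ($null -eq $result) {
        '{0,-20} -> no change' -f $name
    } else {
        '{0,-20} -> {1:yyyy-MM-dd} ({2})' -f $name, $result.Renewed, $result.Integer8
    }
}
```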

  • At first glance, the code looks ok for accessing the found item in the workflow. In the Run History of the Workflow, you can see the LDAP query Active Roles is generating to search for users. Use this query in the MMC, in a Custom Search, to verify that the query is actually finding the desired users. I also find it a little easier to use Out-File in the script to output variables to a text file for debugging.

  • Thank you Richard.

    I was able to verify that my search is returning my desired test user by the error message that is generated. It actually shows me the user that is attempting to get changed, so I know at least I have a target user.

    I didn't think about using the MMC to test out queries though; that is a fantastic tip, thank you!

    And I too love Out-File! I use it like crazy since I am sort of horrible at scripting and it is usually a lot of trial and error. The only downside right now is that because the script is completely erroring out, I can't get much info.

  • Out-files are great, sure, but this is also useful:

    Solution Title: How to Enable Debug Logging on Script Modules
    Solution Number: 4334332
    Solution URL: https://support.oneidentity.com/kb/4334332
