Workflow vs Deprovisioning Policy

Hi there...

I am trying to determine the order of operations between a deprovisioning policy and a workflow with deprovisioning activities.

Here is what I need to do.  I need to set the Home Drive and Home Path so that the Home Folder deprov policy assigns the manager access to the home folder.

If I manually add the home drive and path in the user record first, then deprov user - the manager gets access.  But if I try to set it via either calling (1) a PreDeprovision script in the policy object or (2) add the two attributes with values to 'Properties to be Updated'.... then the manager is not getting access to the home folder.  The results pane says the user doesn't have a home folder.

I can't use a workflow... because it looks like these don't kick off until AFTER a deprov policy object.

Any help would be appreciated!

Thanks

  • Hello,

    This is configurable:

    Solution Title: Resolving a race condition between an Active Roles Policy and an Active Roles Approval Workflow
    Solution Number: 4338998
    Solution URL: https://support.oneidentity.com/kb/4338998 

    Setting the edsvaPrecedeWorkflowActivities boolean on the Workflow will change it so it runs first.

  • I shouldn't need to use a workflow at all.  The Deprovisioning Policy Object offers the ability to set the values of attributes or call a script in the policy object to do so.
    Either way, I can get the home drive and home folder path set for the user object, but when it gets to the Home Folder policy rule (that is configured to give the manager read access)... the error states "User doesn't have a home folder".

    It's almost as if, when the policy sets the drive/path, it needs to be saved/applied before it processes the Home Folder policy rule.  UGH!

  • I did create a workflow to run a script (onPreProvision) to set the Home Folder attributes.  I want this workflow to run first.  The Deprov Policy object has edsvaPrecedeWorkflowActivities=False. That was the default setting.  If False, then the Workflow should run first.

    But it is not.  When I look at the Deprov results, it is clearly showing timestamps that the policy object's settings are running first, then the workflow.

  • Rather than triggering on Deprovisioning per se, why don't you trigger based on the setting of a virtual attribute - for example, edsvaTriggerPreDeprovisionAction and have this be the start condition for your Change Workflow that handles the home folder stuff?

  • I'm hoping to not have to use a workflow to achieve this.  It really seems like it should be straightforward but I am getting inconsistent results.

    In my Deprov Policy Object, in this order:

    1. Run script to set home folder.  I assume by using $dirobj.setinfo() that the home folder settings are actually being saved ... so that #4 below will see that a home folder exists and give manager READ access.  

    function onPreDeprovision($Request)
    {
        Set-QADUser $request.dn -HomeDrive "H:" -HomeDirectory "\\lethbridge\users\cityhome\%username%"
        $dirobj.setinfo()
    }

    2. Make account ineligible for login (disable account)

    3. Delete account after 30 days

    4. Prevent user from accessing home folder (assign read access to manager)

    5. Move the user to a different OU.

    After deprovisioning a user, all is good EXCEPT for the Home Folder settings.  It says it is skipped because there is no home folder for the user.  UGH!

    If I add the home folder on the user's AD Profile tab first... and then deprovision... all works as it should.

    I will also say that I have had the Deprov policy work twice out of 50 times trying.  Which makes it even more difficult to troubleshoot.

    Any help would be super appreciated.

  • It seems like the Home Folder attributes need to be committed before the Deprovisioning Policy checks them. You might try ensuring that the attributes are saved and applied correctly before the policy rule runs, possibly by revisiting your script or policy configuration.

  • Yes... I agree.  I thought that by adding $dirobj.setinfo() that the home folder settings would be committed.  But it is not working.

    Any ideas on how I can get the home folder settings committed prior to the Policy Object Home Folder settings being checked?

  • Rather than using $dirobj.setinfo(), try using Set-QADUser -proxy to populate the contents of the property.