Workflow vs Deprovisioning Policy

Hi there...

I am trying to determine the order of operations between a deprovisioning policy and a workflow with deprovisioning activities.

Here is what I need to do.  I need to set the Home Drive and Home Path so that the Home Folder deprov policy assigns the manager access to the home folder.

If I manually add the home drive and path in the user record first, then deprov user - the manager gets access.  But if I try to set it via either calling (1) a PreDeprovision script in the policy object or (2) add the two attributes with values to 'Properties to be Updated'.... then the manager is not getting access to the home folder.  The results pane says the user doesn't have a home folder.

I can't use a workflow... because it looks like these don't kick off until AFTER a deprov policy object.

Any help would be appreciated!

Thanks

  • Can you elaborate?  Are you still facing the timing issue with your deprovisioning policy?

  • Also, I just noticed your code snippet above - the DirObj.setinfo() is redundant as the Set-QADUser will perform the operation under the covers.

  • can't use a workflow... because it looks like these don't kick off until AFTER a deprov policy object.

    Why does it matter when this happens so long as after all is said and done, the Manager has access to the home folder?

  • Yes - I am still running into the issue.

    Setting the home folder properties (drive letter/path) is NOT being saved/committed prior to the following policy settings to assign the manager read access to the home folder.

    In the provisioning results for the home folder manager settings:  Home folder deprovisioning is skipped because the user does not have a home folder.

  • Throughout the deprov process, be it a Deprov policy object AND/OR Deprov Workflow - the setting of the home folder attributes is NOT being committed and therefore, assigning the manager READ permissions to the home folder does not happen.

    So... after all is said and done - the Manager does not have access to the home folder.

    The deprovisioned user does have the home folder attributes set once the deprov process completes.

  • Do you have any provisioning policy controlling the contents of the home folder property?

    Also, since you are having so much trouble getting that property set within your deprovisioning process, why can't you create a separate workflow to set the property and only then trigger your deprovisioning?  (I suggested this before)

  • Our provisioning policy does set the Home drive/path, but we run a script to clear those since we use GPOs for home folder redirection.  We have never mapped a drive to a home folder rather we just leverage ARS to get the initial home folder created.

    Regarding your recommendation to create a separate workflow to set the property and then trigger the deprovisioning... how exactly would I accomplish that?

    Today, our frontline techs receive a work order to deprovision an employee.  They simply right-click the user and click deprovision.  What you are suggesting sounds like that would change what our techs do.  Which is fine, provided it works.  What would be the trigger to kick off a Workflow to set the home folder property? And then, how would we kick off the Deprovisioning Policy object from there?  Would this have to be two steps for our techs to deprovision a user?

  • What I am thinking of would represent a minor modification of your process.

    1) Add a new virtual attribute (VA) and call it something like edsvaPreDeprovision
    2) Using out-of-the-box customization of the Web UI, add a new right pane command and call it <Deprovision Prep>. This command would stamp the above attribute with "YES" or "TRUE" (this is codeless functionality available through the Web UI customization).
    3) Create a change workflow that watches for the change to edsvaPreDeprovision and when it detects it, stamps the home folder on the selected user.
    4) Create another Change Workflow that (via its start conditions) reacts to a combination of the VA having contents on the user ("property of workflow target object" ) and the home folder property being set ("changed property of workflow target [Requested Changes]"). This workflow will trigger the actual deprovision of the user (by way of a Deprovision Activity) that you drop into it.
    Now, when your techs get a request, they select the user in question and simply click on the new Deprovision Prep command.

  • Can I add this new Deprovision Prep command in the context menu of a user object in the MMC console (right-click user - Deprovision Prep)?

    We do not use the web UI.