DESCRIPTION
You want to prohibit setting a user password that never expires, so you have applied an Access Template that denies modification of edsaPasswordNeverExpires. It works perfectly for existing user accounts, but fails for newly created ones. Why? Unfortunately, this is a consequence of the Microsoft Active Directory security model, which works as follows: anyone who has the right to create an object can create it with any attribute values, even without having rights to those attributes. So what can you do? Scripting, of course: you can override this behaviour with a script policy.
Note: This code may use functions from the ARS Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Option Explicit
Const strErrorMessage = "Corporate policy prohibits to specify a password that never expires"
'===========================================================================
' onPreCreate
'===========================================================================
Sub onPreCreate(Request)
    Check Request, 1
End Sub
'===========================================================================
' onPreModify
'===========================================================================
Sub onPreModify(Request)
    Check Request, 1
End Sub
'===========================================================================
' onCheckPropertyValues
'===========================================================================
Sub onCheckPropertyValues(Request)
    Check Request, 2
End Sub
'===========================================================================
' Check
'   nCode = 1: create or modify request, rejected by raising an error
'   nCode = 2: check property values request, reported as a compliance error
'===========================================================================
Sub Check(ByRef Request, ByVal nCode)
    '-- skip all classes but user
    If (LCase(Request.Class) <> "user") Then Exit Sub
    Dim boolFlag
    boolFlag = False
    '-- try to get attribute value; if Get fails, boolFlag stays False
    On Error Resume Next
    boolFlag = CBool(Request.Get("edsaPasswordNeverExpires"))
    On Error GoTo 0
    '-- if attribute is specified and is set to True
    If (boolFlag = True) Then
        '-- report an error
        If (nCode = 1) Then
            '-- for create & modify request
            Err.Raise 1, strErrorMessage
        ElseIf (nCode = 2) Then
            '-- for check property values request
            '-- EDS_POLICY_COMPLIANCE_ERROR is not declared in this script, so it has to be
            '-- available from the script host or from the best-practices code referenced above
            Request.SetPolicyComplianceInfo "edsaPasswordNeverExpires", EDS_POLICY_COMPLIANCE_ERROR, strErrorMessage
        End If
    End If
End Sub
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): <Not specified>
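AUDIT EXAMPLE
An added audit example, not part of the original Script Center code: the PowerShell below lists accounts that carry the native Active Directory flag behind "Password never expires" (userAccountControl bit 0x10000, DONT_EXPIRE_PASSWD), which covers accounts that were created with the flag before the script policy was in place. The function name, the PolicyEnabledOn parameter and the sample records are assumptions constructed for illustration.

```powershell
# Added example, not part of the original script policy.
# userAccountControl flag values as documented by Microsoft.
$UF_ACCOUNTDISABLE     = 0x00002
$UF_DONT_EXPIRE_PASSWD = 0x10000

function Find-NeverExpiringPassword {
    param(
        # Objects exposing SamAccountName, userAccountControl and whenCreated.
        [Parameter(Mandatory = $true)] [object[]] $Account,
        # Assumption: the date on which the script policy was put in place.
        [Parameter(Mandatory = $true)] [datetime] $PolicyEnabledOn
    )
    foreach ($a in $Account) {
        $uac = [int]$a.userAccountControl
        # Skip accounts whose password is allowed to expire.
        if (($uac -band $UF_DONT_EXPIRE_PASSWD) -eq 0) { continue }
        [pscustomobject]@{
            SamAccountName     = $a.SamAccountName
            Enabled            = (($uac -band $UF_ACCOUNTDISABLE) -eq 0)
            WhenCreated        = $a.whenCreated
            # True: created on or after the policy date, so check how the flag was set.
            CreatedAfterPolicy = ($a.whenCreated -ge $PolicyEnabledOn)
        }
    }
}

# Constructed sample records (not real accounts) so the function runs offline.
# 512 = normal account, 66048 = 512 + 0x10000, 66050 = 66048 + disabled.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    userAccountControl = 512;   whenCreated = [datetime]'2023-01-10' }
    [pscustomobject]@{ SamAccountName = 'svc-app'; userAccountControl = 66048; whenCreated = [datetime]'2021-06-01' }
    [pscustomobject]@{ SamAccountName = 'temp01';  userAccountControl = 66050; whenCreated = [datetime]'2024-03-15' }
)

Find-NeverExpiringPassword -Account $sample -PolicyEnabledOn ([datetime]'2024-01-01') |
    Sort-Object CreatedAfterPolicy -Descending |
    Format-Table -AutoSize

# Against a live directory (ActiveDirectory module), the LDAP bitwise-AND
# matching rule selects the same flag on the server side:
# $live = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
#             -Properties userAccountControl, whenCreated
# Find-NeverExpiringPassword -Account $live -PolicyEnabledOn ([datetime]'2024-01-01')
```

With the sample records, svc-app and temp01 are reported and jdoe is skipped; only temp01 is marked as created after the policy date.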