0 votes

I have two domains where a subset of users are a mirror of each other. When a deprovision is run in the primary domain I would also like it to perform the deprovisioning tasks on the account in the secondary domain. There are a number of unique identifiers that could be used to find the account across the domains, the primary of which is EA4. So if User A is deprovisioned in the primary domain, I would like the deprovision task to go find if there is a matching EA4 in the secondary domain, and if there is, deprovision that one as well, possibly by calling a separate custom command where I can have different steps.

by (470 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello,

You can do this with the help of a PowerShell script. The following script will do the job:

$secondaryDomainDN = "DC=example,DC=com" # TODO: modify me
$commandID = "{9DB88EC3-1241-4AB1-9612-C7C982BAA49F}" # TODO: modify me

if ([System.String]::IsNullOrEmpty("%extensionAttribute4%"))
{
    $Context.LogMessage("Cannot find the user's account in the secondary domain because Extension Attribute 4 of the user is empty.", "Error")
    return
}

# Find account in the secondary domain
$searcher = $Context.BindToObjectByDN($secondaryDomainDN)
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(extensionAttribute4=%extensionAttribute4%))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one account with the same value of Extension Attribute 4 in the secondary domain.", "Error")
        return
    }
    elseif ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Could not find the user's account in the secondary domain.", "Error")
        return
    }

    # Bind to the account in the secondary domain
    $accountInSecondaryDomain = $Context.BindToObjectEx($searchResults[0].AdsPath, $True)

    # Execute the Custom Command
    $accountInSecondaryDomain.ExecuteCustomCommand($commandID)
}
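finally
{
    # Release the search resources; the iterator is still null if ExecuteSearch() failed
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}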

In the script:

  • $secondaryDomainDN - specifies the Distinguished Name (DN) of the secondary domain;
  • $commandID - specifies the ID of the Custom Command that you want to execute on accounts in the secondary domain. For information on how to get the ID, see Get the ID of a Custom Command.

To add the script to a Custom Command for deprovisioning users, use the Run a program or PowerShell script action.
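The search filter in the script above is built from the user's Extension Attribute 4, so a value containing filter metacharacters changes what the search matches: a bare `*`, for example, turns the clause into a presence test that matches every account with the attribute set. The following is an added example, not part of the original answer or of Adaxes, showing RFC 4515 escaping of the value before it goes into the filter. It assumes the `%extensionAttribute4%` value reference is inserted into the script as plain text; the function names `ConvertTo-LdapFilterLiteral` and `New-MirrorAccountFilter` and the sample values are hypothetical.

```powershell
# Added example: RFC 4515 escaping for a value placed into an LDAP search filter.
# Function names and sample values are constructed for illustration.

function ConvertTo-LdapFilterLiteral {
    param([string]$Value)

    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        # Backslash, asterisk, parentheses and NUL have meaning inside a filter,
        # so each is written as a backslash followed by its two-digit hex code.
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        }
        else {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString()
}

function New-MirrorAccountFilter {
    param([string]$Ea4)

    # Same guard as the answer's script: never search on an empty identifier.
    if ([string]::IsNullOrWhiteSpace($Ea4)) {
        throw "extensionAttribute4 is empty; refusing to search."
    }
    $literal = ConvertTo-LdapFilterLiteral -Value $Ea4
    return "(&(sAMAccountType=805306368)(extensionAttribute4=$literal))"
}

# Constructed sample values: a plain ID, a bare wildcard, and a value that
# contains parentheses and a backslash.
'E10442', '*', 'ACME(EU)\42' | ForEach-Object {
    [pscustomobject]@{
        Value     = $_
        Unescaped = "(&(sAMAccountType=805306368)(extensionAttribute4=$_))"
        Escaped   = New-MirrorAccountFilter -Ea4 $_
    }
} | Format-List
```

In the answer's script, the string returned by `New-MirrorAccountFilter` would be assigned to `$searcher.SearchFilter`; the existing check for more than one result stays in place as a second safeguard.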
