Hello,
You can do this with the help of a PowerShell script. The following script will do the job:
```powershell
$secondaryDomainDN = "DC=example,DC=com" # TODO: modify me
$commandID = "{9DB88EC3-1241-4AB1-9612-C7C982BAA49F}" # TODO: modify me

# Extension Attribute 4 links the user to the account in the secondary domain
if ([System.String]::IsNullOrEmpty("%extensionAttribute4%"))
{
    $Context.LogMessage("Cannot find the user's account in the secondary domain because Extension Attribute 4 of the user is empty.", "Error")
    return
}

# Find account in the secondary domain
$searcher = $Context.BindToObjectByDN($secondaryDomainDN)
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(extensionAttribute4=%extensionAttribute4%))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500

$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    # Proceed only if exactly one account matches
    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one account with the same value of Extension Attribute 4 in the secondary domain.", "Error")
        return
    }
    elseif ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Could not find the user's account in the secondary domain.", "Error")
        return
    }

    # Bind to the account in the secondary domain
    $accountInSecondaryDomain = $Context.BindToObjectEx($searchResults[0].AdsPath, $True)

    # Execute the Custom Command
    $accountInSecondaryDomain.ExecuteCustomCommand($commandID)
}
finally
{
    # The iterator is still null if ExecuteSearch failed, so check before disposing
    if ($null -ne $searchResultIterator)
    {
        $searchResultIterator.Dispose()
    }
}
```
In the script:
- $secondaryDomainDN - specifies the Distinguished Name (DN) of the secondary domain;
- $commandID - specifies the ID of the Custom Command that you want to execute on accounts in the secondary domain. For information on how to get the ID, see Get the ID of a Custom Command.
To add the script to a Custom Command for deprovisioning users, use the Run a program or PowerShell script action.
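
An added example, not part of the original post and not Adaxes code: the script places the value of Extension Attribute 4 into the LDAP search filter as-is, so a value containing `*`, `(`, `)` or `\` changes what the filter matches or makes it invalid. The helper below (the name `ConvertTo-LdapFilterValue` is hypothetical) escapes those characters as RFC 4515 requires before the filter is built; the sample values are constructed.

```powershell
# Escape a value for use inside an LDAP search filter (RFC 4515).
# Hypothetical helper, written for this example.
function ConvertTo-LdapFilterValue
{
    param([string]$Value)

    # Code points that must be written as \xx: NUL ( ) * \
    $special = 0x00, 0x28, 0x29, 0x2a, 0x5c

    $builder = New-Object System.Text.StringBuilder
    foreach ($char in $Value.ToCharArray())
    {
        $code = [int]$char
        if ($special -contains $code)
        {
            # Backslash followed by the two-digit hex code of the character
            [void]$builder.AppendFormat('\{0:x2}', $code)
        }
        else
        {
            [void]$builder.Append($char)
        }
    }
    return $builder.ToString()
}

# Constructed sample attribute values, not taken from a real directory
$samples = "EMP-10423", "A*", "Smith (contractor)", "corp\jdoe"

foreach ($sample in $samples)
{
    $escaped = ConvertTo-LdapFilterValue -Value $sample
    $filter = "(&(sAMAccountType=805306368)(extensionAttribute4=$escaped))"
    "{0,-20} -> {1}" -f $sample, $filter
}
```

With the escaping applied, `A*` is searched for as the literal string `A\2a` rather than as a prefix match, and the parentheses in `Smith (contractor)` no longer break the filter syntax.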