0 votes

We currently allow users to create users with constraints and some types of accounts need approval.

However is there a way to stop using creating more than 1 or 2 users per day si they do not abuse this capability.

Or even report on the what new user accounts have been created on a daily basis and not to report if empty.

by (110 points)

1 Answer

0 votes
by (294k points)

Hello Mike,

However is there a way to stop using creating more than 1 or 2 users per day si they do not abuse this capability.

It can be done using a business rule triggering Before creating a user. The rule will execute a script that will check for accounts created during the day and cancel the new user creation if the limit is exceeded.

Or even report on the what new user accounts have been created on a daily basis and not to report if empty.

You can schedule the Recently created users built-in report (out of the box located in container Reports\All Reports\Users). For details on how to schedule reports, see https://www.adaxes.com/help/ScheduleReports.

0

With the business rule, can this be a limit of 2 per person or is it global?

Also is there already a script for this kind of thing?

0

Hello Mike,

With the business rule, can this be a limit of 2 per person or is it global?

The rule will allow you to prohibit creating more then 2 user accounts per day in all the domains managed by Adaxes.

Also is there already a script for this kind of thing?

Unfortunately, there is no such script.

0

Thanks for your support as always, I have created the following script to do this, but I get the error:

image.png

# Get the current value of UserCreationCount for the initiator
$initiatorDN = $Context.Initiator.DN

try {
    # Bind to the initiator's user object
    $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$initiatorDN")

    if ($null -eq $user) {
        throw "Failed to bind to user object for $initiatorDN."
    }

    # Retrieve the UserCreationCount attribute
    $currentCount = $user.Properties["adm-CustomAttributeInt1"]

    if ($null -eq $currentCount) {
        # The attribute doesn't exist, set an initial value
        $currentCount = 0
    }

    # Increment the count by 1
    $newCount = $currentCount + 1

    # Update the UserCreationCount attribute on the initiator's user object
    $user.Properties["adm-CustomAttributeInt1"].Value = $newCount
    $user.CommitChanges()

    # Log success or additional information
    $Context.LogMessage("UserCreationCount attribute updated successfully.", "Information")

} catch {
    # Log the error message
    $errorMessage = $_.Exception.Message
    $Context.LogMessage("Error: $errorMessage", "Error")
}
0

Hello Mike,

Sorry for the confusion, but we are not sure what exactly you are trying to do in the script. If it is about the initial request, the script will never work. You need to have a script condition that will return true only if there were created two or more users. The script should perform a general search for users based on the When Created property. The following article should be helpful: https://adaxes.com/sdk/ServerSideScripting. Finally, the business rule will look like the following: image.png

0

Hi,

I did not want to limit to 2 user account per day globally but rather limit each user to 2 user creations per day.

My thinking was that we used a custom attribute i.e. adm-customattributeint1 (UserCreationCount) which was incrementall updated each time a user was created so this would be performed 'After creating a user' as a last action.

Then as you suggest a check 'before creating a user' to check if the initiator has a count at 2 in the UserCreationCount attribute already then it would cancel the operation.

My next step after this would then need to look at resetting this every 24 hours on when the attribute was last modified potentially.

+1

Hello Mike,

Thank you for clarifying. In this case, the approach will be totally different. You will need the following:

Business rule triggering Before creating a user

The rule will check the value of the custom integer attribute of the operation initiator. If the number equals two, the operation will be cancelled. image.png In the rule condition, use the below script. In the script, the $propertyName variable specifies the schema name of the attribute to check.

$propertyName = "adm-CustomAttributeInt1" # TODO: modify me

# Bind to operation initiator
$initiator = $Context.BindToObjectByDN("%adm-InitiatorDN%")

# Get integer attribute value
try
{
    $value = $initiator.Get($propertyName)
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

$Context.ConditionIsMet = $value -eq 2

Business rule triggering After creating a user

We recommend you to have a separate business rule that will trigger for all user creations and increment the integer attribute for all initiators. The rule will look like the following. image.png In the rule, use the below script. In the script, the $propertyName variable specifies the schema name of the attribute to update.

$propertyName = "adm-CustomAttributeInt1" # TODO: modify me

# Bind to operation initiator
$initiator = $Context.BindToObjectByDN("%adm-InitiatorDN%")

# Get integer attribute value
try
{
    $value = $initiator.Get($propertyName)
}
catch
{
    $value = 0
}

# Update initiator
$valueToSet = $value + 1
$initiator.Put($propertyName, $valueToSet)
$initiator.SetInfo()

Scheduled task

The scheduled task should be executed after hours (e.g. at midnight) and clear the integer attribute used in the workflow for all users. image.png

0

fantastic thank you

Related questions

0 votes
1 answer

we are establishing a sync with our legacy intranet database and appear to have hit a limit with the API for adaxes...is this a soft threshold that we can adjust ... ; Last access: 2/12/2014 11:09:59 AM; Client: AdmReferralCallback.QueryForConnection Direct

asked Feb 12, 2014 by kf4ape (490 points)
0 votes
1 answer

Hi team, I am trying to limit the list of possible countries during user creation by this Property Pattern How ever during the creation the list is still full of other ... checked possibility to modify the form it self for Country - but no options available.

asked Jan 31 by wintec01 (1.5k points)
0 votes
1 answer

When setting user accounts to disable we use a business rule which executes whenever a user account is modified. So for example a member from our Service Desk team will go onto ... behind for some reason, and doesn't reflect the server date/time it lives on.

asked Nov 16, 2022 by Homelander90 (350 points)
0 votes
1 answer

Is there a way for Adaxes to use a user's Microsoft 365 profile pictures instead of having to select a file on a per user basis?

asked Feb 1 by keneth.figueroa (20 points)
0 votes
0 answers

I have followed the tutorial on how to set an addresses based on the Office field. http://www.adaxes.com/tutorials_Simplif ... Office.htm The scenario is that for employees I ... g only let them be edited if there if a values such as "Contractor" is selected?

asked Aug 11, 2016 by jscovill (110 points)
3,589 questions
3,278 answers
8,303 comments
548,146 users