Limit user creation to max 2 per day

Question

We currently allow users to create users with constraints and some types of accounts need approval.

However is there a way to stop using creating more than 1 or 2 users per day si they do not abuse this capability.

Or even report on the what new user accounts have been created on a daily basis and not to report if empty.

Answer 1

Hello Mike,

However is there a way to stop using creating more than 1 or 2 users per day si they do not abuse this capability.

It can be done using a business rule triggering Before creating a user. The rule will execute a script that will check for accounts created during the day and cancel the new user creation if the limit is exceeded.

Or even report on the what new user accounts have been created on a daily basis and not to report if empty.

You can schedule the Recently created users built-in report (out of the box located in container Reports\All Reports\Users). For details on how to schedule reports, see https://www.adaxes.com/help/ScheduleReports.

Comments

With the business rule, can this be a limit of 2 per person or is it global?

Also is there already a script for this kind of thing?

---

Hello Mike,

With the business rule, can this be a limit of 2 per person or is it global?

The rule will allow you to prohibit creating more then 2 user accounts per day in all the domains managed by Adaxes.

Also is there already a script for this kind of thing?

Unfortunately, there is no such script.

---

Thanks for your support as always, I have created the following script to do this, but I get the error:

# Get the current value of UserCreationCount for the initiator
$initiatorDN = $Context.Initiator.DN

try {
    # Bind to the initiator's user object
    $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$initiatorDN")

    if ($null -eq $user) {
        throw "Failed to bind to user object for $initiatorDN."
    }

    # Retrieve the UserCreationCount attribute
    $currentCount = $user.Properties["adm-CustomAttributeInt1"]

    if ($null -eq $currentCount) {
        # The attribute doesn't exist, set an initial value
        $currentCount = 0
    }

    # Increment the count by 1
    $newCount = $currentCount + 1

    # Update the UserCreationCount attribute on the initiator's user object
    $user.Properties["adm-CustomAttributeInt1"].Value = $newCount
    $user.CommitChanges()

    # Log success or additional information
    $Context.LogMessage("UserCreationCount attribute updated successfully.", "Information")

} catch {
    # Log the error message
    $errorMessage = $_.Exception.Message
    $Context.LogMessage("Error: $errorMessage", "Error")
}

---

Hello Mike,

Sorry for the confusion, but we are not sure what exactly you are trying to do in the script. If it is about the initial request, the script will never work. You need to have a script condition that will return true only if there were created two or more users. The script should perform a general search for users based on the When Created property. The following article should be helpful: https://adaxes.com/sdk/ServerSideScripting. Finally, the business rule will look like the following:

---

Hi,

I did not want to limit to 2 user account per day globally but rather limit each user to 2 user creations per day.

My thinking was that we used a custom attribute i.e. adm-customattributeint1 (UserCreationCount) which was incrementall updated each time a user was created so this would be performed 'After creating a user' as a last action.

Then as you suggest a check 'before creating a user' to check if the initiator has a count at 2 in the UserCreationCount attribute already then it would cancel the operation.

My next step after this would then need to look at resetting this every 24 hours on when the attribute was last modified potentially.

---

Hello Mike,

Thank you for clarifying. In this case, the approach will be totally different. You will need the following:

Business rule triggering Before creating a user

The rule will check the value of the custom integer attribute of the operation initiator. If the number equals two, the operation will be cancelled. In the rule condition, use the below script. In the script, the $propertyName variable specifies the schema name of the attribute to check.

$propertyName = "adm-CustomAttributeInt1" # TODO: modify me

# Bind to operation initiator
$initiator = $Context.BindToObjectByDN("%adm-InitiatorDN%")

# Get integer attribute value
try
{
    $value = $initiator.Get($propertyName)
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

$Context.ConditionIsMet = $value -eq 2

Business rule triggering After creating a user

We recommend you to have a separate business rule that will trigger for all user creations and increment the integer attribute for all initiators. The rule will look like the following. In the rule, use the below script. In the script, the $propertyName variable specifies the schema name of the attribute to update.

$propertyName = "adm-CustomAttributeInt1" # TODO: modify me

# Bind to operation initiator
$initiator = $Context.BindToObjectByDN("%adm-InitiatorDN%")

# Get integer attribute value
try
{
    $value = $initiator.Get($propertyName)
}
catch
{
    $value = 0
}

# Update initiator
$valueToSet = $value + 1
$initiator.Put($propertyName, $valueToSet)
$initiator.SetInfo()

Scheduled task

The scheduled task should be executed after hours (e.g. at midnight) and clear the integer attribute used in the workflow for all users.

---

fantastic thank you