I have a business rule setup to perform actions after user creation.

The first action is to run a PowerShell script, which works and sets a required AD attribute (extensionAttribute1). The newly created user object in AD has the attribute set (as per below).


Second action of the business rule is to run a custom command (see below)


The business rule is set to run after successful user creation. It runs the PowerShell script but not the OU custom command.


The business rule is running but no actions are executed, and the new user sits in the original OU and does not move.

Am I missing something here?

For troubleshooting purposes, please provide the Pull employeeID from HR script in TXT format.


The script is not the issue, as all it's doing is finding the user in a database and then setting the required attribute.

As per my screenshot above, the extensionAttribute1 is being set on the user and can be seen in the user object in AD.


The script sets the attribute used in the custom command condition. To check the entire workflow, we need the script. Unfortunately, we have no possibility to assist you without having the script.


Hi, please see the script below.

Import-Module Adaxes
Import-Module ActiveDirectory

# SQL Server instance and database that hold the HR records
$databaseHost = "SQL.domain.net"
$databaseName = "Database"

$databaseUsername = "domain\Svc_Adaxes"
$databasePassword = ""

# Employee ID of the user the business rule is running for
$employeeID = $Context.TargetObject.Get("EmployeeID")

$SqlQuery = "SELECT TimGEEmployeeDetails.EmployeeNumber , convert(varchar(10), TimGEEmployeeDetails.JoiningDate, 103) , convert(varchar(10), TimGEEmployeeDetails.LeavingDate, 103), " +
            "TimGEEmployeeDetails.Title , TimGEEmployeeDetails.Forename , TimGEEmployeeDetails.KnownAs , TimGEEmployeeDetails.Initials, " +
            "TimGEEmployeeDetails.Surname , TimGEEmployeeDetails.Reference, vw_domain_Departments.Description , Department, " +
            "vw_domain_JobDesc.Description , JobTitle , TcfGEEmployeeDetails.LMSJobFamily, PrsInductionSchedule.LineManager, " +
            "TimGEEmployeeDetails_1.FullName , TimBEEmployeeDetails.PrimaryLocation , StdBFCodeDescriptions.Description " +
        "FROM TimGEEmployeeDetails " +
        "LEFT JOIN TimBEEmployeeDetails ON TimGEEmployeeDetails.EmployeeNumber = TimBEEmployeeDetails.EmployeeNumber " +
        "LEFT JOIN vw_domain_JobDesc ON TimBEEmployeeDetails.JobTitle = vw_domain_JobDesc.DetailCode " +
        "LEFT JOIN vw_domain_Departments ON TimBEEmployeeDetails.Department = vw_domain_Departments.DetailCode " +
        "LEFT JOIN PrsInductionSchedule ON TimGEEmployeeDetails.EmployeeNumber = PrsInductionSchedule.EmployeeNumber " +
        "LEFT JOIN TcfGEEmployeeDetails ON TimGEEmployeeDetails.EmployeeNumber = TcfGEEmployeeDetails.EmployeeNumber " +
        "LEFT JOIN StdBFCodeDescriptions ON StdBFCodeDescriptions.TableCode = 'LOCD' " +
        "AND TimBEEmployeeDetails.PrimaryLocation = StdBFCodeDescriptions.DetailCode " +
        "LEFT JOIN TimGEEmployeeDetails AS TimGEEmployeeDetails_1 ON PrsInductionSchedule.LineManager = TimGEEmployeeDetails_1.EmployeeNumber "

$connectionString = "Data Source=$databaseHost; Database=$databaseName;"
if ($databaseUsername -eq $NULL)
{
    $connectionString = $connectionString +
        "Integrated Security=true;"
}
else
{
    # With Integrated Security=true, SqlClient ignores User ID and Password
    # and connects as the Windows account that runs the script
    $connectionString = $connectionString +
        "User ID=$databaseUsername;Password=$databasePassword;Integrated Security=true"
}

$SqlConnection = New-Object System.Data.SqlClient.SqlConnection($connectionString)

$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $SqlQuery
$SqlCmd.Connection = $SqlConnection

$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd

# Fill() opens and closes the connection itself
$DataSet = New-Object System.Data.DataSet
$SqlAdapter.Fill($DataSet) | Out-Null

$Array = ForEach ($Row in $DataSet.Tables[0].Rows) {
    # Copy every column of the row into a custom object
    $Record = New-Object PSCustomObject
    ForEach ($Col in $DataSet.Tables[0].Columns.ColumnName) {
        Add-Member -InputObject $Record -NotePropertyName $Col -NotePropertyValue $Row.$Col
    }

    # Process only the HR row whose employee number contains the new user's employee ID
    if ($Record.EmployeeNumber.Contains($employeeID)) {

        $GetADUser = Get-ADUser -Filter {EmployeeID -like $employeeID}
        $UserSAM = $GetADUser.SamAccountName

        # Description1 is the second "Description" column (vw_domain_JobDesc.Description);
        # Fill() numbers duplicate column names
        $TrimJob = $Record.Description1.Replace(' ','')
        $Jobtitle = $TrimJob+$Record.Department

        Set-ADuser -Identity $UserSAM -Replace @{BusinessCategory=$Record.LMSJobFamily; extensionAttribute1=$Jobtitle}
    }
}

1 Answer

Thank you for the provided script. The thing is that the extensionAttribute1 value is set using the Set-ADUser cmdlet. As a result, the update does not involve Adaxes and can be performed on any domain controller (DC) from the AD domain. It can also be done on a DC Adaxes is not connected to. In this case, Adaxes will not know about the attribute being set by the time the condition is checked. To achieve the desired behavior, we recommend replacing this line in the script

Set-ADuser -Identity $UserSAM -Replace @{BusinessCategory=$Record.LMSJobFamily; extensionAttribute1=$Jobtitle}

with the following code:

$Context.TargetObject.Put("extensionAttribute1", $Jobtitle)
$Context.TargetObject.Put("businessCategory", $Record.LMSJobFamily)


Thanks for your help.

So for Adaxes to see anything done by script it requires the $context.TargetObject variable.

Unfortunately that code has not helped. The code works, as it does set the required attributes but the custom command to move OU still does not execute.


So for Adaxes to see anything done by script it requires the $context.TargetObject variable.

That is not correct. You just need to make sure Adaxes is directly able to read the changes made. There are a lot of other options that can be used.

Unfortunately that code has not helped.

As per our check, the code works perfectly fine. The fact that the command does not perform the move in your case means that the condition is not met. It can happen if the value obtained from the SQL database does not equal the one in the condition. For example, there can be leading spaces or spaces at the end of a value.



Can the condition of the custom command be entered manually (as below)


Or does it have to reference a 'value reference' (as below)


If I reference the 'Value reference' the code works and the user is moved to the correct OU. However, this isn't going to work going forward as I need to link different OUs depending on job title.

The value does match the condition as I have the code within the PowerShell script that trims all whitespace from the value (as seen below)



Can the condition of the custom command be entered manually (as below)

The approach will not work as the value reference will resolve into the property value and the condition will always be met for all users.

The value does match the condition as I have the code within the PowerShell script that trims all whitespace from the value (as seen below)

The only way for the workflow to work is to make sure the value (not value reference) specified in the condition fully matches the one set by the script.
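
An added example, not part of the thread and not Adaxes code: a way to check whether the value a script builds really equals the literal typed into the condition, covering the leading/trailing-space case mentioned above. In the posted script only the spaces inside the job description are removed and Department is appended unchanged; the function name `Compare-ConditionValue` and all sample values are constructed for illustration.

```powershell
# Added example: diagnose why a script-built value fails an "equals" condition.
# Compare-ConditionValue and every sample value below are hypothetical.
function Compare-ConditionValue {
    param(
        [string] $Actual,     # value the script wrote to the attribute
        [string] $Expected    # literal typed into the condition
    )
    # Unicode whitespace (tab, non-breaking space, ...) and format characters
    # such as the zero-width space
    $invisible = '[\s\p{Cf}]'

    $status = if ($Actual -ceq $Expected) {
        'ExactMatch'
    } elseif (($Actual -replace $invisible, '') -ceq ($Expected -replace $invisible, '')) {
        'InvisibleCharsOnly'
    } elseif ($Actual -ieq $Expected) {
        'CaseOnly'
    } else {
        'DifferentText'
    }

    [PSCustomObject]@{
        Status     = $status
        Bracketed  = "[$Actual]"      # brackets expose leading/trailing blanks
        Length     = $Actual.Length
        CodePoints = ($Actual.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
    }
}

# Constructed HR values: Department comes back padded, as a CHAR(n) column would be.
$description = 'Service Desk Analyst'
$department  = 'IT '
$expected    = 'ServiceDeskAnalystIT'    # literal in the custom command condition

# Same construction as the thread's script: only spaces inside the description go away.
$asPosted = $description.Replace(' ', '') + $department
Compare-ConditionValue -Actual $asPosted -Expected $expected

# Normalise the whole concatenated value before writing it to the attribute.
$normalised = ($description + $department) -replace '[\s\p{Cf}]', ''
Compare-ConditionValue -Actual $normalised -Expected $expected
```

Inside the business rule script, the returned fields can be written to the execution log with `$Context.LogMessage` so the exact code points appear next to the operation.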

