0 votes

I have a scheduled task that runs the following PowerShell script.

$user = New-AdmUser -Server $domain -AdaxesService localhost -Path $workdayDn -ChangePasswordAtLogon $true -PassThru -GivenName $firstName -Surname $lastName -Department $department -Manager $managerDn -OtherAttributes $otherAttributes

The script runs under the context of domain\account.

There is an existing business process rule that triggers before a user is created and runs the following script to verify that the username and email are unique within our environment. Note that this script does work appropriately when manually creating a user. This script also runs under the context of domain\account.

# Build search filter
$filter = "(&(sAMAccountType=805306368)(|(sAMAccountName=%username%)(mail=%username%@domain.gov)(proxyaddresses=smtp:%username%@domain.gov)))"

# Search for users with the username or email address specified
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = $filter
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -ne 0)
    {
        $Context.Cancel("A user with the same username or email address already exists. Please choose a different username.")
        return
    }
}
finally
{
    # Release resources
    $searchResultIterator.Dispose()
}

When the scheduled task runs to create the user via PowerShell, the user business process rule keeps throwing the following error:

Exception calling "FetchAll" with "0" argument(s): "Object 'domain.onmicrosoft.com' does not exist." Stack trace: at <ScriptBlock>, <No file>: line 26

I understand that the business process rule searches all domains in Adaxes because the virtual root is set to true. The domain it is complaining about is our M365 tenant. I am thinking it's a permissions issue, but I have already verified that the account that runs both PowerShell scripts (BP and scheduled task) has full control (Super Manager role) over all objects.

I'm stumped! Any help would be super appreciated.

by (80 points)

1 Answer

0 votes
by (13.1k points)

Hello,

First of all, the script executed in the business rule triggering Before creating a user must be updated to use criteria instead of an LDAP filter. Additionally, since the VirtualRoot property is set to $True, you can set the searcher to the target object. Please find the updated script below. Should you still face errors executing the script, please provide a screenshot of the Create user operation execution log. You can post the screenshot here or send it to us at support@adaxes.com.

# Build criteria
$criteria = New-AdmCriteria -Type "user" -Expression {sAMAccountName -eq "%username%" -or mail -eq "%username%@domain.gov" -or proxyaddresses -eq "smtp:%username%@domain.gov"}

# Search for users with the username or email address specified
$searcher = $Context.TargetObject
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -ne 0)
    {
        $Context.Cancel("A user with the same username or email address already exists. Please choose a different username.")
        return
    }
}
finally
{
    # Release resources
    $searchResultIterator.Dispose()
}
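Two details worth tightening in both the LDAP-filter script from the question and the criteria-based script in the answer above: the %username% value is interpolated into the filter unescaped, so a legitimate name containing `(`, `)`, `*` or `\` would produce a malformed or differently scoped filter, and `$searchResultIterator.Dispose()` in the `finally` block throws a second error whenever `ExecuteSearch()` itself fails and the iterator is `$null`. The following is an added example, not code from the question, the Adaxes answer or the Adaxes product. The function names `ConvertTo-LdapFilterValue`, `New-UniqueUserFilter` and `Find-ExistingUsers` are my own; the only Adaxes-specific pieces it relies on are the `ExecuteSearch()`/`FetchAll()`/`Dispose()` calls already shown on this page, and those are replaced by a constructed mock so the script runs offline.

```powershell
# Added example; not code from the question or from the Adaxes answer.
# Shows (1) escaping the %username% value before interpolating it into an
# LDAP filter (RFC 4515) and (2) a null-safe dispose pattern for the search
# iterator. Runs offline; the Adaxes searcher is replaced by a constructed mock.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 treats as special inside an assertion value.
    # Backslash is escaped first so the escape sequences added afterwards are not doubled.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

function New-UniqueUserFilter {
    # Same shape as the business rule's filter, with the user-supplied parts escaped.
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$MailDomain
    )
    $u = ConvertTo-LdapFilterValue $Username
    $d = ConvertTo-LdapFilterValue $MailDomain
    # 805306368 = SAM_NORMAL_USER_ACCOUNT, the same constant the rule uses.
    "(&(sAMAccountType=805306368)(|(sAMAccountName=${u})(mail=${u}@${d})(proxyaddresses=smtp:${u}@${d})))"
}

function Find-ExistingUsers {
    # Runs the search and always releases the iterator. Unlike a bare
    # $searchResultIterator.Dispose() in finally, this does not raise a second
    # error when ExecuteSearch() failed and no iterator was ever created.
    param([Parameter(Mandatory)]$Searcher)
    $iterator = $null
    try {
        $iterator = $Searcher.ExecuteSearch()
        return $iterator.FetchAll()
    }
    finally {
        if ($null -ne $iterator) { $iterator.Dispose() }
    }
}

# --- Demo with constructed input; no directory is contacted ----------------
# A legitimate account name that happens to contain parentheses.
$filter = New-UniqueUserFilter -Username 'a.user(contractor)' -MailDomain 'domain.gov'
Write-Output "Filter: $filter"

# Constructed stand-in for the Adaxes searcher/iterator pair: FetchAll() returns one hit.
$mockIterator = [pscustomobject]@{ Disposed = $false }
$mockIterator | Add-Member ScriptMethod FetchAll { @('CN=Existing User,OU=Users,DC=domain,DC=gov') }
$mockIterator | Add-Member ScriptMethod Dispose  { $this.Disposed = $true }
$mockSearcher = [pscustomobject]@{ SearchFilter = $filter }
$mockSearcher | Add-Member ScriptMethod ExecuteSearch { $mockIterator }.GetNewClosure()

$results = @(Find-ExistingUsers -Searcher $mockSearcher)
Write-Output "Matches: $($results.Count); iterator disposed: $($mockIterator.Disposed)"
```

With the escaping in place the parentheses in the sample name become `\28` and `\29`, so the filter still matches that account literally instead of being parsed as extra filter terms; the same `ConvertTo-LdapFilterValue` call can wrap `%username%` in the business rule before the filter string is built. The mock only stands in for the `ExecuteSearch()`/`FetchAll()`/`Dispose()` calls; in the rule itself `$Searcher` would be the object returned by `$Context.BindToObject(...)` or `$Context.TargetObject` as on the page.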

Thanks for the script. I updated the business rule with the script you provided and received the same error as before. Here is the execution log of the business rule with the updated script.

[Screenshot: 2024-09-05 12_47_45-Log Record Properties.png]

Here is the execution log of the create user (note that the creation was successful because the line it's throwing the exception on is prior to the search results length check).

[Screenshot: 2024-09-05 12_52_59-Log Record Properties.png]


Hello,

Thank you for the provided details. For further troubleshooting, please do the following:

  • Provide us with a screenshot of the Multi-server environment dialog. The dialog displays how many Adaxes services you have and what their versions are. For information on how to view it, see https://www.adaxes.com/help/MultiServerEnvironment.
  • Clarify whether the Microsoft Entra domain mentioned in the error is managed by Adaxes.
  • Specify where the user is created, in an on-premises domain or in a Microsoft Entra domain.
