
We are using a rolling number for Contract Resource accounts, contract0001, contract0002 and so on. We would like a script that parses the Contractor OU and assigns the next available number to the account being created. This will allow us to turn this action forward facing and allow Directors to create the accounts by themselves with just an approval from the IT dept.


1 Answer

Best answer

Hello,

Have a look at the following script from our repository: http://www.adaxes.com/script-repository ... s-s494.htm.

0

Thank you, this works great, except that the User Logon Name is in the following format: ADMI\$BRT100-DAAMNOUFRK2G

Please advise.

We also would like to trigger an email after the creation to the manager on file and user but we cannot get the generated password to be in the email.

Please advise.

0

Hello,

Thank you, this works great, except that the User Logon Name is in the following format: ADMI\$BRT100-DAAMNOUFRK2G

Could you specify, what exactly you need to achieve?

We also would like to trigger an email after the creation to the manager on file and user but we cannot get the generated password to be in the email.

Use the %unicodePwd% value reference.

0

We will try again but previously we did use that attribute in the email and the email showed nothing.

0

This is what we are getting when sending the email. The username should read contract0131 and the password is noticeably missing. Please advise.

Hello The Beaver

A new contract resource account has been created for you,
• Username = $ERT100-0J750ERBAKJ0
• Password =
If you have any issues logging in please email the Technical Service Desk at it-help@aspendental.com and we will assist you.

Thank you
The Employee Computer Accounts team

Here is the code we are using

Hello %fullname%

A new contract resource account has been created for you, 

Username = %sAMAccountName% 
Password = %unicodePwd%
If you have any issues logging in please email the Technical Service Desk at it-help@aspendental.com and we will assist you.

Thank you

The Employee Computer Accounts team 
0

Hello,

The user logon name appears to be protected and it should say contract0130.

What do you mean? Could you specify how the username and password are entered? Is it done manually or using a PowerShell script?

Here is the code we are using

Your code is correct. Could you send us a screenshot of the Business Rule that sends the notification? We need something like the following:

0

The user logon name is being created from a property pattern that uses the employeeID. For the automation piece to work properly, this is the desired way of assigning user name and employeeID.


Here is the email screenshot.

0

Hello,

Issues with Welcome Email

The value of %sAMAccountName% is not resolved correctly because of how value references work in Adaxes. The thing is that when an operation triggers any Business Rules with value references, those are resolved at once and not re-resolved in the course of Business Rule execution. Thus, in your case, the %sAMAccountName% reference is resolved at the very beginning of the Create User action, before a proper username is set by the script / Property Pattern.

The value of %unicodePwd% is not resolved for the same reason. The value reference is resolved at the very beginning of the action, before the Reset password for the User action sets a password.

To resolve both the issues, we suggest creating a Business Rule triggered after resetting a password for the user. Since resetting a password is a completely different operation than creating a user, the value references will be resolved again and correctly.

Also, in your Business Rule triggered after creating a user, we suggest adding a flag indicating that a new user has been created, and that the user needs a welcome email. Thus, in the Business Rule triggered after resetting a password, you can use the flag to understand whether you need to send the welcome email or not.

As a flag, we suggest using one of Adaxes custom attributes, e.g. CustomAttributeBoolean1. Such attributes are not stored in AD, but can be used the same as any other attributes of AD objects.

To do so:

i. Change the Business Rule triggered after creating a user
First, you need to change the Business Rule triggered after creating a user. You need to add a flag indicating that the user needs a welcome email and remove the action that sends an email message. To do so:

  1. In the Console Tree of the Administration Console, navigate to and select the Business Rule triggered after creating a user.
  2. Right-click the Reset password action and select Add New Action.
  3. Select Update the User and click Add.
  4. In the Property to modify list, select the property you want to use as a flag (e.g. CustomAttributeBoolean1).
  5. In the New value field, specify True.
  6. Click OK 2 times.
  7. Use the arrow buttons at the bottom to make the action the 1st in the Business Rule.
  8. Remove the whole set with the Send e-mail notification action.
  9. Save the changes. You should receive something like this:

ii. Create a Business Rule triggered after resetting a password
To create a Business Rule that sends welcome emails:

  1. Create a new Business Rule.
  2. On step 2 of the Create Business Rule Wizard, select User and After Resetting a password for a User.
  3. On step 3, add the Send e-mail notification action.
  4. Specify the action parameters.
  5. Click OK.
  6. Now, we need to add an action that removes the flag in order to avoid sending a welcome message to the user again. To do this, right-click the action you've just added and select Add New Action.
  7. Select Update the User and click Add.
  8. In the Property to modify list, select the property you want to use as the flag for new user (e.g. CustomAttributeBoolean1).
  9. Select Remove the property.
  10. Click OK 2 times.
  11. Now, you need to add a condition to send the email only when the flag is set. To do this, right-click the action again and select Add Condition.
  12. Select If <property> <relation> <value>.
  13. Specify If CustomAttributeBoolean1 equals True, where CustomAttributeBoolean1 is the property you want to use as the flag for new user.
  14. Click OK. You should receive something like the following:

Changes to the Repository Script

In order for the script to update not only Employee ID, but also User Logon Name and User Logon Name (pre-Windows 2000), add the following lines to the very end of the script:

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("sAMAccountName", $uniqueValue)

# Update User Logon Name
$domain = $Context.GetObjectDomain("%distinguishedName%")
$Context.SetModifiedPropertyValue("userPrincipalName", "$uniqueValue@$domain")
0

Thank you that works perfectly.
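
The numbering step asked for in the question, which produces the value the answer's snippet writes to sAMAccountName and userPrincipalName, shown as an added example (not the repository script and not Adaxes code). The function name Get-NextContractName, its parameters, the sample list and the example.com domain are assumptions made for illustration.

```powershell
# Added example: pure PowerShell, no Adaxes or Active Directory calls.
# Get-NextContractName and its parameters are hypothetical names.
function Get-NextContractName {
    param(
        [string[]]$ExistingNames,      # logon names already present in the OU
        [string]$Prefix = 'contract',
        [int]$Digits = 4
    )

    # Only names of the exact form <prefix><fixed number of digits> count.
    $pattern = '^' + [regex]::Escape($Prefix) + '(\d{' + $Digits + '})$'
    $highest = 0
    foreach ($name in $ExistingNames) {
        # -match is case-insensitive, so CONTRACT0130 counts as taken.
        if ($name -match $pattern) {
            $number = [int]$Matches[1]
            if ($number -gt $highest) { $highest = $number }
        }
    }

    # Highest + 1 rather than the lowest gap: a number freed by a deleted
    # account is not handed to a different person while a higher one exists.
    $next = $highest + 1
    if ($next -ge [math]::Pow(10, $Digits)) {
        throw "No $Digits-digit number left for prefix '$Prefix'."
    }
    return $Prefix + $next.ToString('D' + $Digits)
}

# Constructed sample data: a gap at 0002, an upper-case entry, a short
# number, the temporary name seen in the thread, and an unrelated account.
$sample = @(
    'contract0001',
    'contract0003',
    'CONTRACT0130',
    'contract13',
    '$ERT100-0J750ERBAKJ0',
    'jsmith'
)

$uniqueValue = Get-NextContractName -ExistingNames $sample
$domain = 'example.com'   # placeholder; the thread's snippet asks Adaxes for it
[pscustomobject]@{
    sAMAccountName    = $uniqueValue
    userPrincipalName = "$uniqueValue@$domain"
}
```

If two requests compute the same number at the same time, Active Directory rejects the second account because sAMAccountName must be unique in the domain, so the workflow should surface that failure rather than retry silently.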
