undo previous action?

Question

Hello,

We have several actions that run against an object when it's set to pending approval.

If the approval is denied, is there an easy way to revert these changes on the object?

For example, disabling a user and hiding from the Address Book.

Thank you.

Comments

Hello,

And why don't you make the action that requires an approval the first action in the sequence? If an action requires an approval, and approval is not granted, all subsequent actions won't be executed either.

---

Because you may have a scenario where deleting a user requires approval, but you need to take actions before the user is deleted.

For example, an employee is exiting the company. A Help Desk technician gets a ticket to delete the user immediately, but this action has to be approved by management. Meanwhile, the user still needs to be disabled, password reset, moved to another OU, and removed from the Exchange Address Book. When the manager approves, the account itself is deleted. This might be several days after the employee has exited.

We have built some custom actions that do all of these things at the same time. But if there is a need to reverse these actions, it will be a manual process.

That's why I was hoping you could do this automatically in some way.. especially if you need to do this for many users. (Obviously I realize that some changes cannot be undone like password resets.)

I have seen other software like ADModify that creates an XML log of bulk changed attributes to AD objects. It gives you the option to access the log and undo those changes if desired.

Might be nice to have something similar in Adaxes.

Answer 1

FYI As we do something similar to this...

1. Our workflows make the final deletion the 'approval required' step - similar I guess to you.

2. We actually use a different tool that is capable of rollback of changes if there is a need to (NetWrix if we can mention a different vendor in the forums).

3. However, previously (and actually still do just in case) we performed an automated data export for the user account that lists groups, OU etc (everything but the password) as the first step so we do have a record of the exact setup of the account before the deprovision started (you have to use the additional exe that Adaxes has for exporting, so just call it as an external command).

4. We generally manually moved the account back to the OU, then had a PowerShell script that parsed the export file and added it back to all the groups (and you could easily tack a few Adaxes steps onto the end to enabled in address book etc).

Comments

FYI This is the external command we call to dump the user data prior to the deprovisioning workflow making changes:-

"C:\Program Files\Softerra\Adaxes 3\Administration Console\admimex.exe" /d HTML /ds /f "D:\Adaxes Exports\Archived Data\Deprovisioned Users\[%name%] [%sAMaccountname:upper%] [%objectGUID%].html" /r "%distinguishedName%"

Rgds

---

This is pretty smart! Thanks for the tip!

---

Would you be willing to show us your PowerShell script that parsed the export file and added it back to all the groups?