Adaxes

Schedule Enabling/Disabling AD User

0 votes

Hello,
I was wondering if there is a way to schedule (pick a date & time) when a user is enabled/disabled or any advice on how I could achieve this?

Thanks!
Adrian

by (50 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Adrian,

Yes, that's possible. First of all, you'll need properties to specify when an account should be enabled or disabled. We suggest using Adaxes virtual properties that can store date/time values, for example, CustomAttributeDate1 for the date when an account must be enabled and CustomAttributeDate2 to specify when an account must be disabled. Adaxes virtual properties are not stored in AD, but can be used the same as any other properties of AD objects.

Then, you'll need to perform the following tasks:

  • Create a Scheduled Task that will run daily to enable/disable users on the dates specified
  • Allow users to modify the properties you've chosen via the Web Interface so that they can specify a date when a user account should be enabled or disabled
  • Configure the properties to appear in the Web interface under your own names (optional)

I. Create a Scheduled Task to enable/disable users on the dates specified

For this purpose, you'll need to create a Scheduled Task that will run each day and will enable or disable users if the date specified in the properties you've chosen is the current date. To create Such a Scheduled Task:

  1. Create a new Scheduled Task.

  2. On the 3rd step, select the User object type.

  3. On the 4th step, add the Enable/disable the User account action.

  4. Select the Enable the User account option. This action will be used for scheduled enabling of the objects.

  5. Click OK.

  6. Now, you need to specify when a user will be enabled. A user will be enabled if the user's account is disabled and if the date stored in the property for enabling users is today. To check this, you'll need a PowerShell script. Double-click Always.

  7. Select the If PowerShell script returns true condition type.

  8. Paste the following script in the Script field:

     $enableOn = "adm-CustomAttributeDate1" # TODO: modify me

 $Context.ConditionIsMet = $False

 if (-not($Context.TargetObject.AccountDisabled))
 {
     return # The account is already enabled
 }

 try
 {
     $enableDate = $Context.TargetObject.Get($enableOn).Date
 }
 catch
 {
     return # The property is empty
 }

 $today = [System.DateTime]::Now.Date

 if ($enableDate -eq $today)
 {
     $Context.ConditionIsMet = $True
 }

  9. In the script, $enableOn specifies the name of the property that will be used for the date when an account must be enabled. Modify it, if necessary.

  10. Enter a short description for the script and click OK.

  11. Now, you need to add an action that will disable users. Click the Add action to a new set link.

  12. Select the Enable/disable the User account action.

  13. Select the Disable the User account option.

  14. Click OK.

  15. Now, you need to specify when a user will be disabled. Double-click Always.

  16. Select the If PowerShell script returns true condition type.

  17. Paste the following script in the Script field:

     $disableOn = "adm-CustomAttributeDate2" # TODO: modify me

 $Context.ConditionIsMet = $False

 if ($Context.TargetObject.AccountDisabled)
 {
     return # The account is already disabled
 }

 try
 {
     $disableDate = $Context.TargetObject.Get($disableOn).Date
 }
 catch
 {
     return # The property is empty
 }

 $today = [System.DateTime]::Now.Date

 if ($disableDate -eq $today)
 {
     $Context.ConditionIsMet = $True
 }

  18. In the script, $disableOn specifies the name of the property that will be used for the date when an account must be disabled. Modify it, if necessary.

  19. Enter a short description for the script and click OK.

  20. Finish creation of the Scheduled Task.

II. Allow users to modify the properties via the Web Interface

For information on how to add the properties to the pages for creating and editing users, see step 6 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... tomization.

III. Configure the properties to appear in the Web interface under your own names

Since names like CustomAttributeDate1 won't tell much to your users about the meaning and the function of the fields, you'll probably want to give the properties your own names. For information on how to do this, see Customizing Display Names for AD Properties..

0

Hello,
For the Scheduling Disabling of an account, is it possible to also disable by time, not just by date?
My goal is to have a scheduled task every hour to check the date and time filled in CustomAttributeDate2. If the date is met, but not the time, return false, until the time is also met. This way we can have users accounts disabled on a specific day after hours when no one is on-site.

I see that the CustomAttributeDate2 includes a field for time in the web portal, not just the date. I have attached a screenshot. It is possible to have the time properties written into the power shell script as well?

Something like:

if ($enableDate -eq $today) AND ($enableTime -eq $now)
{
    $Context.ConditionIsMet = $True

by (0 points)
0

Hello,

Yes, it is possible. However, we recommend comparing the hours of the current date with those of the date specified in the custom attribute. The thing is that if you try to compare full dates with time, they will have to match up to nanoseconds. To compare the date hours, use the below script in the If PowerShell script returns true condition. In the script, the $property variable specifies the LDAP name of the property whose value will be compared with the current date

$property = "adm-CustomAttributeDate2" # TODO: modify me

# Get attribute value
try
{
    $compareDate = $Context.TargetObject.Get($property)    
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

# Compare dates
$currentDate = [System.DateTime]::UtcNow
$Context.ConditionIsMet = ($compareDate.Date -eq $currentDate.Date) -and ($compareDate.Hour -eq $currentDate.Hour)
by (289k points)

Related questions

0 votes
1 answer
Security Role - Enabling and Disabling User Accounts

Is it possible to create a security role that would only allow disabling accounts, but not enabling?

asked Feb 21, 2012 by BradG (950 points)
0 votes
1 answer
Can I schedule export of all AD users with all their email address to Excel spreadsheet

Hello, I'm wondering if it's possible to export a list of all users in AD along with their email addresses to an Excel spreadsheet and then schedule that export to append ... address that wasn't previously used. Please let me know if this is possible. Thanks!

asked Apr 11 by sjjb2024 (60 points)
0 votes
1 answer
Schedule manager change in AD

Hello all, We have a situation where HR would like to schedule Title/Dept/Manager changes. I believe I have figured out the title/dept scheduling by using custom date and ... ? I have some powershell knowledge, but not a veteran by any means. Thanks, Brian

asked Mar 5, 2022 by bballinger (50 points)
0 votes
1 answer
Disabling the user account for a specific local time zone of the user object.

On the last working day of a user I should always lock (disable) his account at 5pm local time. Since our company is worldwide, I need a good idea how to easily find out when it is 5pm for this user (always local time). Is there a simple solution in adaxes ?

asked Jun 13, 2023 by Beat Ott (40 points)
0 votes
1 answer
How can we setup a due date field for disabling an user account?

Hello, we're currently having issues to disabling user accounts on a specific date and time. When our HR department wants to start a "Offboarding", we're created a ... can we link it to the *After approval of disabling account field? Thanks in adavantage.

asked Aug 24, 2021 by BeliarsFire (20 points)
3,548 questions
3,238 answers
8,232 comments
547,811 users