Hello,
To achieve what you want, you'll need to create a Home Page Action. The Home Page Action will modify a certain attribute of an initiator's account and will set it to the name of the user who needs to be put back to managed. For this purpose, you can use an Adaxes virtual property that can store string (text) values, for example, CustomAttributeText1. Such properties are not stored in Active Directory, but can be used the same as any other properties of AD objects. A Business Rule triggered when the attribute is modified will find the necessary unmanaged account and remove it from the unmanaged list.
Also, in order to show a list of all unmanaged accounts, you'll need a script that will create a Property Pattern item for the property that you want to use (e.g. CustomAttributeText1) and will impose the 'must be one of the following values only' type of constraint on the property, where the allowed values will be the names of the unmanaged accounts. Thus, when editing the selected property, users will see a drop-down list of all currently unmanaged accounts.
To use the script with Adaxes, you'll need to create a Scheduled Task. The task will use the script to update the list of unmanaged accounts in the Property Pattern on a periodical basis. Also, you've mentioned that you have a script that updates the Unmanaged Accounts in your environment. If the script is also run by a Scheduled Task, instead of creating a separate Scheduled Task, you can simply add the below script to your existing Scheduled Task, placing it after the script that updates Unmanaged Accounts so that the Property Pattern would be updated right after your current script updates the Unmanaged Accounts.
The Script:
    $propertyForUserList = "adm-CustomAttributeText1" # TODO: modify me

    # Bind to the configuration set settings, which hold the Unmanaged Accounts list
    $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
    $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

    # Get all unmanaged accounts (SID -> search result with the requested properties)
    $currentUnmanagedAccounts = $admConfigurationSetSettings.GetUnmanagedAccounts(@("cn", "userPrincipalName"))

    # Build the list of allowed values in the form "<cn> (<userPrincipalName>)"
    $values = @()
    foreach ($userInfo in $currentUnmanagedAccounts)
    {
        $searchResult = $userInfo.Value
        if ($searchResult -eq $NULL)
        {
            continue # the account could not be found in AD
        }

        $userPrincipalName = $searchResult.Properties["userPrincipalName"].Value
        $fullName = $searchResult.Properties["cn"].Value
        $values += "$fullName ($userPrincipalName)"
    }

    # Bind to the built-in 'User Pattern'
    $propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
    $propertyPatternsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $propertyPatternsPath
    $builtinPathObj = $propertyPatternsPathObj.CreateChildPath("CN=Builtin")
    $userPatternPath = $builtinPathObj.CreateChildPath("CN=User Pattern")
    $pattern = $Context.BindToObject($userPatternPath)

    # Delete the existing item for the specified property, if any
    foreach ($item in $pattern.Items)
    {
        if ($item.PropertyName -ieq $propertyForUserList)
        {
            $pattern.Items.Remove($item)
            break
        }
    }

    # Add a new item whose 'must be one of the following values only' constraint
    # lists the unmanaged accounts
    $item = $pattern.Items.Create()
    $item.PropertyName = $propertyForUserList
    $constraints = $item.GetConstraints()
    $constraint = $constraints.Create("ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
    $constraint.AreValuesDenied = $False
    $constraint.Values = $values
    $constraints.Add($constraint)
    $item.SetConstraints($constraints)
    $item.SetInfo()
    $pattern.Items.Add($item)
The script updates the built-in User Pattern that is applied to all users by default. In the script, $propertyForUserList specifies the property that will be used for the name of the user removed from Unmanaged Accounts.
To create a separate Scheduled Task:
- Create a new Scheduled Task.
- On the 3rd step of the Create Scheduled Task wizard, select Show all object types and select the Domain-DNS object type. Running a task on a domain allows you to run the script only once per task run.
- On the 4th step, add the Run a program or PowerShell script action and paste the above script in the Script field.
- On the 5th step, include any of your AD domains in the Activity Scope of the task.
For information on how to create a Home Page Action that will allow users to specify an account in the Adaxes Web interface, see section Modify Object in the Configure Home Page Actions Tutorial. Use it as a guide.
- Since initiators will modify their own accounts to specify a user to be removed from Unmanaged Accounts, on Step 3 of the section, you need to configure the Home Page Action to always modify the initiator's account. For this purpose, select the Always perform for the current user option.
- On Step 4, you will find instructions on how to modify the form used by the action. Modify the form so that it would show only the property that will be used to specify the Unmanaged Account, e.g. CustomAttributeText1.
To create a Business Rule that will remove a user specified from unmanaged accounts:
- Create a new Business Rule.
- On the 2nd step of the Create Business Rule wizard, select User and After Updating a User.
- On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field.
    $propertyForUserList = "adm-CustomAttributeText1" # TODO: modify me

    # Read the value written by the Home Page Action: "<cn> (<userPrincipalName>)"
    $userIdentity = $Context.TargetObject.Get($propertyForUserList)

    # Split the value at its last parenthesized group so that a cn which itself
    # contains parentheses is handled, and stop if the value is not in the expected format
    if ($userIdentity -notmatch '^(?<cn>.+) \((?<upn>[^()\s]+)\)$')
    {
        $Context.LogMessage("Value '$userIdentity' is not in the '<name> (<userPrincipalName>)' format", "Warning")
        return
    }
    $userFullName = $Matches["cn"]
    $userPrincipalName = $Matches["upn"]

    # Search for the selected user among unmanaged accounts
    $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
    $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

    # Get all unmanaged accounts (SID -> search result with the requested properties)
    $currentUnmanagedAccounts = $admConfigurationSetSettings.GetUnmanagedAccounts(@("cn", "userPrincipalName"))

    # Collect the SIDs of all accounts that must stay unmanaged
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
    $updateUnmanagedAccounts = $False
    foreach ($userInfo in $currentUnmanagedAccounts)
    {
        $searchResult = $userInfo.Value
        if ($searchResult -eq $NULL)
        {
            continue # the account could not be found in AD
        }

        $principalName = $searchResult.Properties["userPrincipalName"].Value
        $fullName = $searchResult.Properties["cn"].Value
        if (($principalName -ieq $userPrincipalName) -and ($fullName -ieq $userFullName))
        {
            # This is the selected user: leave it out of the new list
            $updateUnmanagedAccounts = $True
            continue
        }
        $allUnmanagedSids.Add($userInfo.Key) | Out-Null
    }

    if ($updateUnmanagedAccounts)
    {
        # Replace the Unmanaged Accounts list with the one without the selected user
        $admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))

        # Clear the custom attribute so that the rule does not fire again for this value
        $Context.TargetObject.Put($propertyForUserList, $NULL)
        $Context.TargetObject.SetInfo()
    }
    else
    {
        $Context.LogMessage("User with identity '$userIdentity' was not found in the Unmanaged Accounts", "Warning")
    }
- In the script, $propertyForUserList specifies the property that will be used for the name of the user removed from Unmanaged Accounts. Modify it, if necessary.
- Enter a short description for the script and click OK.
- Now, you need to add a condition when the script will be executed. Right-click the action that you've just added and select Add Condition.
- Select the If <property> <changed> condition type.
- In the <property> drop-down list, select Show all properties and select the virtual attribute that you chose, e.g. CustomAttributeText1.
- Select has changed.
- Click OK.
- Also, the script must be launched only when an account is specified, that is, when the virtual attribute is not empty. Right-click the action that you've added and select Add Condition again.
- Select the If <property> <relation> <value> condition type.
- In the <property> drop-down list, select Show all properties and select the virtual property that you chose, e.g. CustomAttributeText1.
- Select is not empty.
- Click OK.
- Finish creation of the Business Rule.
Since a name like CustomAttributeText1 will not tell much to your users about the function of the property, you can also configure Adaxes to specify a different display name for the property.
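As an added example that is not part of the original post or of Adaxes, the following plain PowerShell (it runs without Adaxes) builds the "<cn> (<userPrincipalName>)" labels that the Property Pattern offers in the drop-down list and parses them back the way the Business Rule must, covering a cn that itself contains parentheses and a value typed by hand. The function names, account names and domain are constructed for the example.

```powershell
# Added example (not from the original post or from Adaxes). Builds the
# "<cn> (<userPrincipalName>)" labels that the Property Pattern offers in the
# drop-down list and parses them back the way the Business Rule must.
# Plain PowerShell, no Adaxes needed; the accounts below are constructed.

function New-UnmanagedAccountLabel {
    param([string]$Cn, [string]$UserPrincipalName)
    # Same format as the Scheduled Task script: "$fullName ($userPrincipalName)"
    return "$Cn ($UserPrincipalName)"
}

function ConvertFrom-UnmanagedAccountLabel {
    param([string]$Label)
    # Anchor on the LAST parenthesized group so a cn that itself contains
    # parentheses, e.g. "Jane Roe (Contractor)", is split correctly. A UPN
    # cannot contain parentheses or spaces, so [^()\s]+ is safe for that part.
    if ($Label -notmatch '^(?<cn>.+) \((?<upn>[^()\s]+)\)$') {
        return $null   # malformed or free-typed value: caller should log and stop
    }
    return [pscustomobject]@{ Cn = $Matches['cn']; UserPrincipalName = $Matches['upn'] }
}

# Constructed sample accounts (placeholder domain)
$sampleAccounts = @(
    @{ Cn = 'John Smith';            Upn = 'john.smith@example.com' },
    @{ Cn = 'Jane Roe (Contractor)'; Upn = 'jane.roe@example.com' }
)

foreach ($acct in $sampleAccounts) {
    $label  = New-UnmanagedAccountLabel -Cn $acct.Cn -UserPrincipalName $acct.Upn
    $parsed = ConvertFrom-UnmanagedAccountLabel -Label $label

    # Splitting at the FIRST "(" instead, shown for comparison: it truncates the
    # contractor's cn to "Jane Roe", so a rule comparing cn values would never match
    $firstParenCn = $label.Substring(0, $label.IndexOf('(') - 1)

    $fields = @($label, $parsed.Cn, $parsed.UserPrincipalName, $firstParenCn, ($firstParenCn -eq $acct.Cn))
    "{0,-46} anchored cn='{1}' upn='{2}' | first-paren cn='{3}' correct={4}" -f $fields
}

# A value typed by hand without the "(upn)" suffix parses to $null instead of throwing
$null -eq (ConvertFrom-UnmanagedAccountLabel -Label 'John Smith')
```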