0 votes

Hello,

I use a script to place user accounts in a Adaxes unmanaged state. Recently we need some of those user accounts to be reverted back to a managed state. Is there a way I can enable them again through Adaxes?

by (50 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Yes, there is. To do this:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click the service node for your Adaxes service.
  3. Click Properties.
  4. Click Restrict.
  5. Select the users you want to manage with Adaxes.
  6. Click Remove.
  7. Click Yes, and then click OK 2 times.
0

Thanks, that is handy to know
Is there a way this could be done through the Adaxes web interface instead? I do not want my service desk to have access to the configuration interface.
I was think maybe some kind of custom command might do the trick.

0

Hello,

Yes, there is. What do you think about the following scenario:

  1. A user clicks a link on Adaxes Home Page. They are presented with a form where they can see a drop-down list of all users who are currently in the unmanaged state. The list will be a simple list of full names and/or usernames.
  2. The user picks the necessary unmanaged account from the list and click Save.
  3. A Business Rule remove the user from Unmanaged Accounts.

If such a solution is OK with you, we will provide you with detailed instructions.

0

That solution sounds good to me, please provide the details!
Thanks

0

Hello,

OK, that will need a couple of PowerShell scripts to accomplish. We'll update you as soon as our script guys come up with something.

0

Sounds good

0

Hello,

To achieve what you want, you'll need to create a Home Page Action. The Home Page Action will modify a certain attribute of an initiator's account and will set it to the name of the user who needs to be put back to managed. For this purpose, you can use an Adaxes virtual property that can store string (text) values, for example, CustomAttributeText1. Such properties are not stored in Active Directory, but can be used the same as any other properties of AD objects. A Business Rule triggered when the attribute is modified will find the necessary unmanaged account and remove it from the unmanaged list.

Also, in order to show a list of all unmanaged accounts, you'll need a script that will create a Property Pattern item for the property that you want to use (e.g. Custom AttributeText1) and will impose the 'must be one of the following values only' type of constraint on the property, where the allowed values will be the names of the unmanaged accounts. Thus, when editing the selected property, users will see a drop-down list of all currently unmanaged accounts.

To use the script with Adaxes, you'll need to create a Scheduled Task. The task will use the script to update the list of unmanaged accounts in the Property Pattern on a periodical basis. Also, you've mentioned that you have a script that updates the Unmanaged Accounts in your environment. If the script is also run by a Scheduled Task, Instead of creating a separate Scheduled Task, you can simply add the below script to your existing Scheduled Task, placing it after the script that updates Unmanaged Accounts so that the Property Pattern would be updated right after your current script updates the Unmanaged Accounts.

The Script:

$propertyForUserList = "adm-CustomAttributeText1" # TODO: modify me

$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Get all unmanaged accounts
$currentUnmanagedAccounts = $admConfigurationSetSettings.GetUnmanagedAccounts(@("cn", "userPrincipalName"))

$values = @()
foreach ($userInfo in $currentUnmanagedAccounts)
{
    $searchResult = $userInfo.Value
    if ($searchResult -eq $NULL)
    {
        continue
    }

    $userPrincipalName = $searchResult.Properties["userPrincipalName"].Value
    $fullName = $searchResult.Properties["cn"].Value
    $values += "$fullName ($userPrincipalName)"
}

# Update 'User Pattern'

# Bind to 'User Pattern'
$propertyPatternsPath = $Context.GetWellKnownContainerPath("PropertyPatterns")
$propertyPatternsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $propertyPatternsPath
$builtinPathObj = $propertyPatternsPathObj.CreateChildPath("CN=Builtin")
$userPatternPath = $builtinPathObj.CreateChildPath("CN=User Pattern")
$pattern = $Context.BindToObject($userPatternPath)

# Delete the item for the specified property
foreach ($item in $pattern.Items)
{
    if ($item.PropertyName -ieq $propertyForUserList)
    {
        $pattern.Items.Remove($item)
        break
    }
}

# Add unmanaged accounts to the Property Pattern
$item = $pattern.Items.Create()
$item.PropertyName = $propertyForUserList

$constraints = $item.GetConstraints()
$constraint = $constraints.Create(
    "ADM_PROPERTYCONSTRAINTTYPE_VALUERANGE")
$constraint.AreValuesDenied = $False
$constraint.Values = $values
$constraints.Add($constraint)
$item.SetConstraints($constraints)

$item.SetInfo()
$pattern.Items.Add($item)

The script updates the built-in User Pattern that is applied to all users by default. In the script, $propertyForUserList specifies the property that will be used for the name of the user removed from Unmanaged Accounts.

To create a separate Scheduled Task:

  1. Create a new Scheduled Task.
  2. On the 3rd step of the Create Scheduled Task wizard, select Show all object types and select the Domain-DNS object type. Running a task on a domain allows you to run the script only once per a task run.
  3. On the 4th step, add the Run a program or PowerShell script action and paste the above script in the Script field.
  4. On the 5th step, include any of your AD domains in the Activity Scope of the task.

For information on how to create a Home Page Action that will allow users to specify an account in Adaxes Web interface, see section Modify Object in the Configure Home Page Actions Tutorial. Use it as a guide.

  1. Since initiators will modify their own accounts to specify a user to be removed from Unmanaged Accoutns, on Step 3 of the section, you need to configure the Home Page Action to always modufy the initiator's account. For this purpose, select the Always perform for the current user option.
  2. On Step 4, you wll find instructions on how to modify the form used by the action. Modify the form so that it would show only the property that will be used to specify the Unmanaged Account, e.g. CustomAttributeText1.

To create a Business Rule that will remove a user specified from unmanaged accounts:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and After Updating a User.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $propertyForUserList = "adm-CustomAttributeText1" # TODO: modify me
    
     # Search selected user in unmanaged accounts
     $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
     $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
    
     # Get all unmanaged accounts
     $currentUnmanagedAccounts = $admConfigurationSetSettings.GetUnmanagedAccounts(@("cn", "userPrincipalName"))
    
     $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
     $userIndentity = $Context.TargetObject.Get($propertyForUserList)
     $userFullName = $userIndentity.SubString(0, $userIndentity.IndexOf("(") - 1)
     $userPrincipalName = $userIndentity.SubString($userIndentity.IndexOf("(") + 1, $userIndentity.IndexOf(")") - $userIndentity.IndexOf("(") - 1)
     $updateUnmanagedAccounts = $False
     foreach ($userInfo in $currentUnmanagedAccounts)
     {
         $searchResult = $userInfo.Value
         if ($searchResult -eq $NULL)
         {
             continue
         }
    
         $principalName = $searchResult.Properties["userPrincipalName"].Value
         $fullName = $searchResult.Properties["cn"].Value
         if (($principalName -ieq $userPrincipalName) -and ($fullName -ieq $userFullName))
         {
             $updateUnmanagedAccounts = $True
             continue
         }
    
         $allUnmanagedSids.Add($userInfo.Key) | Out-Null
     }
    
     if ($updateUnmanagedAccounts)
     {
         # Update unmanaged accounts
         $admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
    
         # Clear custom attribute
         $Context.TargetObject.Put($propertyForUserList, $NULL)
         $Context.TargetObject.SetInfo()
     }
     else
     {
         $Context.LogMessage("User with indentity '$userIndentity' was not found in the Unmanaged Accounts", "Warning")
     }
    
  4. In the script, $propertyForUserList specifies the property that will be used for the name of the user removed from Unmanaged Accounts. Modify it, if necessary.

  5. Enter a short description for the script and click OK.

  6. Now, you need to add a condition when the script will be executed. Right-click the action that you've just added and select Add Condition.

  7. Select the If <property> <changed> condition type.

  8. In the <property> drop-down list, select Show all properties and select the virtual attribute that you chose, e.g. CustomAttributeText1.

  9. Select has changed.

  10. Click OK.

  11. Also, the script to must be launched only when an account is specified, that is, when the virtual attribute is not empty. Right-click the action that you've added and select Add Condition again.

  12. Select the If <property> <relation> <value> condition type.

  13. In the <property> drop-down list, select Show all properties and select the virtual property that you chose, e.g. CustomAttributeText1.

  14. Select is not empty.

  15. Click OK.

  16. Finish creation of the Business Rule.

Since a name like CustomAttributeText1 will not tell much to your users about the function of the property, you can also configure Adaxes to specify a different display name for the property.

Related questions

0 votes
1 answer

I used the script below to try and accomplish this but I get an error. I did try to leave a comment but it would not let me. I tried running ... .adaxes.com/script-repository/add-users-located-in-particular-organizational-units-to-unmanaged-accounts-s178.htm

asked Nov 14, 2022 by raul.ramirez (210 points)
0 votes
1 answer

Hello, A year ago, in a previous ticket, I inquired about the possibility of mandating that Adaxes users enter a ticket number before adding a member to a ... automatic business rules that facilitate the addition/removal of members from groups. Regards, Fabian

asked Jul 16 by fabian.p (380 points)
0 votes
1 answer

I was doing some testing and opened up another Adaxes Service in "Other". How do I remove this from the tree or disconnect from it?

asked Apr 21, 2023 by Homelander90 (350 points)
0 votes
1 answer

When I create a user from adaxes I also want it to be added to MS Teams groups. At this moment i create the account in adaxes after that i need to add this user in all groups that we have in MS Teams so i what to automate this when i create a new usuer.

asked Mar 29, 2022 by abisaigomezm (40 points)
0 votes
1 answer

I have setup a form to allow HR to edit some details on AD accounts. Currently the scope is limted to only AD object under one pre-chosen OU. The other option is an ldap filter. How can I allow this action to display user accounts from two seperate OU

asked Nov 18, 2019 by ice-dog (170 points)
3,589 questions
3,278 answers
8,303 comments
548,116 users