Tina.Lapere Posted June 29, 2016

Hi,

As part of our leavers process we want to make Customers records inactive. Can this be done through Service Manager without going to the Administration side? I don't really want to give everyone admin permission just to perform this task.

Thanks
Tina

gwynne Posted June 30, 2016

Something I would like to know as well: is there any way the LDAP can pick up if an account is set to disabled, and change accordingly?

Ralf Peters Posted July 1, 2016

I do that as part of our leavers process. I use System Center Orchestrator runbooks for our leavers process; I just create a PowerShell task that uses the new LDAP script to set the user as archived. I use the same functionality to add new users to Service Manager.

gwynne Posted July 1, 2016

Hi Ralf,

Is there any part of the PowerShell / LDAP setup you can share? I am not well versed with either but I am interested in automating the archive process.

Regards
Gareth

Guest Posted July 4, 2016

Hi All,

There is now actually a feature in the latest LDAP Import Utility (v2.0.3) that can achieve this functionality. It contains a section where you can set the UserAccountStatus as follows:

    "UserAccountStatus":{
        "Action":"Update",
        "Enabled": false,
        "Status":"active"
    }

So in theory what you could do:

1) Take a copy of your existing LDAP conf.json file (providing you are on the latest version - if not, download and convert your existing mappings to the latest version, test to ensure all is working, and then take a copy of that)
2) Call the copy a different name e.g. archivedUsers.json
3) In this copied file, change the "Enabled" value to true and "Status" (as shown above) to "archived"
4) Set the "Filter" of this file to only return disabled LDAP accounts - this may vary, however a standard filter for this which has been used before is as follows:

    (&(objectCategory=Person)(sAMAccountName=*)(UserAccountControl:1.2.840.113556.1.4.803:=2))

5) Schedule this file to run after any existing LDAP Imports you have set up.

What this should do is update any accounts that exist within Hornbill to an archived status if they have been set to Disabled in LDAP. Please keep in mind we do not currently have the ability to delete or remove anything in the LDAP, nor would we advise deleting users anyway.

Full instructions and download links can be found on the wiki page here.

I hope this helps, let me know if there are any questions.

Regards
Bob

Ralf Peters Posted July 4, 2016

Hi Gareth,

I did it slightly differently: I use a "template" .json file with the details Bob mentioned, but instead of using the filter section I use the DSN section. I wanted to archive only the one user of my leavers process, not every disabled account. I used this in the .json file:

    "Filter": "(objectClass=user)",
    "DSN": "replaceme",

Then in my PowerShell script I set "replaceme" with the distinguished name. Something like this (please test if you are going to use any of this).

PowerShell:

    Import-Module ActiveDirectory

    # Check whether the output file exists and delete it
    $FileName = "C:\LDAP_Import\new_delete.json"
    if (Test-Path $FileName) { Remove-Item $FileName }

    # Get the AD account details
    $a = Get-ADUser "<leavers samaccountname>"
    $b = $a.distinguishedName

    # Use the template delete.json, replace "replaceme" with the AD details and write
    # the result to new_delete.json, then run the batch file to delete.
    # $b is $null when the lookup fails, so test for a non-empty value.
    if ($b) {
        # Backslashes and quotes in a DN (e.g. an escaped comma) must be escaped for JSON
        $dn = $b.Replace('\', '\\').Replace('"', '\"')
        [System.IO.File]::ReadAllText("C:\LDAP_Import\delete.json").Replace('replaceme', $dn) | Set-Content $FileName
        if (Test-Path $FileName) { C:\LDAP_Import\User_delete.bat | Out-Null }
    }

Batch file:

    c:
    cd C:\LDAP_Import\
    C:\LDAP_Import\ldap_user_import.exe -file=new_delete.json

As I said, test in your environment before using this. Hope it gives you some ideas.

Thanks
Ralf

gwynne Posted July 4, 2016

Both, thank you very much for the input. I will test both and see what works for us.

Kind Regards
Gareth

Tina.Lapere Posted August 17, 2016

Hi Guys,

I've finally got round to looking at this and I've created a new conf file, but I'd like to test it before I apply it to everything just in case it's wrong. Can someone please advise what I need to add into the filter area to restrict it down to one user (I'm not good with scripting stuff)? Also, can you see any obvious errors?

Thanks
Tina

archiveusers.docx

Tina.Lapere Posted August 19, 2016

Could anyone just cast their eye over my comment above and provide any help? I'd like to get this sorted asap.

Thanks
Tina

Ralf Peters Posted August 19, 2016

Looks ok to me, but then I don't know anything about your AD structure, so can't be sure. You can run the command with dryrun=True to give it a test run and check the log file to see if it is what you want.

Thanks
Ralf

Tina.Lapere Posted August 19, 2016

@Ralf Peters Thank you, I'll give that a go.

Guest Posted August 25, 2016

Hi Tina,

Sorry for the late reply on this - but if you are still looking to restrict the filter down to one user, you simply need to add an additional set of brackets into your filter along the lines of (samAccountName=TinaL) - or whatever your unique reference is.

I hope this helps

Kind Regards
Bob

samwoo Posted August 30, 2016

Hi all,

Just wanted to mention that I use Softerra LDAP Browser (free) to build these filters. Once I get the results I require, I copy the filter that I built from the software into the Conf file and away it goes.

http://www.ldapadministrator.com/

When building filters they look like this (example from their website):

When you've created the filters they end up looking like the ones we need for the LDAP_Import.

I don't check for disabled accounts as they are moved into the "Archived" OU anyway. If any current user ends up in here they are set to "Archived" in Hornbill; if they are moved into another OU then they will automatically become "Active" if they are not already. It's really cool.

Thanks,
Samuel

Tina.Lapere Posted September 16, 2016

@bob_dickinson I've tried running this with both a dry run and live, as it's only set to one user, and I'm getting this error message:

    [ERROR] Unable to Set User Status 111: The value 'Archived' for element <accountStatus> is not an allowable value at location '/methodCall/params/accountStatus'

Can you shed any light on what it means please?

Many thanks
Tina

TrevorKillick Posted September 16, 2016

@Tina.Lapere

The following statuses are accepted:

active
suspended
archived

So I believe the issue might be case sensitivity.

Kind Regards
Trevor Killick

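The single-user archive configuration discussed in this thread (the disabled-account filter, the samAccountName restriction and the lowercase status values), as an added example that is not from any of the posters or from Hornbill. The function names, the sample account and the placement of the keys in the template are assumptions; it escapes the account name before it goes into the LDAP filter and rejects a status such as 'Archived' before the import runs.

```powershell
# Added example. Function names and the template layout are assumptions.
$AllowedStatus = 'active', 'suspended', 'archived'   # values listed in the thread

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so an account name cannot change the filter's structure
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        } else {
            [void]$sb.Append($ch)
        }
    }
    $sb.ToString()
}

function New-ArchiveConf {
    param([string]$TemplateJson, [string]$SamAccountName, [string]$Status = 'archived')
    # The API rejected 'Archived', so compare case-sensitively before writing anything
    if ($AllowedStatus -cnotcontains $Status) {
        throw "Status '$Status' must be one of: $($AllowedStatus -join ', ') (case-sensitive)"
    }
    if ([string]::IsNullOrWhiteSpace($SamAccountName)) { throw 'samAccountName is empty' }
    $conf = $TemplateJson | ConvertFrom-Json
    $conf.UserAccountStatus.Enabled = $true
    $conf.UserAccountStatus.Status  = $Status
    # Disabled-account filter from the thread, narrowed to one escaped account name
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $conf.Filter = "(&(objectCategory=Person)(sAMAccountName=$name)" +
                   "(UserAccountControl:1.2.840.113556.1.4.803:=2))"
    $conf | ConvertTo-Json -Depth 10
}

# Constructed template: only the keys quoted in the thread, placement assumed
$template = @'
{ "UserAccountStatus": { "Action": "Update", "Enabled": false, "Status": "active" },
  "Filter": "(objectClass=user)", "DSN": "OU=Staff,DC=example,DC=test" }
'@

New-ArchiveConf -TemplateJson $template -SamAccountName 'j.doe*'   # wildcard in the name is escaped
try   { New-ArchiveConf -TemplateJson $template -SamAccountName 'j.doe' -Status 'Archived' }
catch { "Rejected: $_" }
```

Write the returned JSON to the copied configuration file and use the dry run mentioned earlier in the thread before a live import.
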
Tina.Lapere Posted September 16, 2016

@TrevorKillick perfect, that worked. Thank you