Tina.Lapere Posted June 29, 2016

Hi, As part of our leavers process we want to make customer records inactive. Can this be done through Service Manager without going to the Administration side? I don't really want to give everyone admin permission just to perform this task. Thanks Tina
gwynne Posted June 30, 2016

Something I would like to know as well: is there any way the LDAP import can pick up if an account is set to disabled, and change accordingly?
Ralf Peters Posted July 1, 2016

I do that as part of our leavers process. I use System Center Orchestrator runbooks for our leavers process; I just create a PowerShell task that uses the new LDAP script to set the user as archived. I use the same functionality to add new users to Service Manager.
gwynne Posted July 1, 2016

Hi Ralf, Is there any part of the PowerShell / LDAP setup you can share? I am not well versed with either, but I am interested in automating the archive process. Regards Gareth
Guest Posted July 4, 2016

Hi All, There is now actually a feature in the latest LDAP Import Utility (v2.0.3) that can achieve this functionality. It contains a section where you can set the UserAccountStatus as follows:

    "UserAccountStatus": {
        "Action": "Update",
        "Enabled": false,
        "Status": "active"
    }

So in theory what you could do:

1) Take a copy of your existing LDAP conf.json file (providing you are on the latest version; if not, download and convert your existing mappings to the latest version, test to ensure all is working, and then take a copy of that).
2) Call the copy a different name, e.g. archivedUsers.json.
3) In this copied file, change the "Enabled" value to true and "Status" (as shown above) to "archived".
4) Set the "Filter" of this file to only return disabled LDAP accounts. This may vary; however, a standard filter for this which has been used before is as follows:

    (&(objectCategory=Person)(sAMAccountName=*)(UserAccountControl:1.2.840.113556.1.4.803:=2))

5) Schedule this file to run after any existing LDAP Imports you have set up.

What this should do is update any accounts that exist within Hornbill to an archived status if they have been set to Disabled in LDAP. Please keep in mind we do not currently have the ability to delete or remove anything in the LDAP, nor would we advise deleting users anyway. Full instructions and download links can be found on the wiki page here. I hope this helps; let me know if there are any questions. Regards Bob
Ralf Peters Posted July 4, 2016

Hi Gareth, I did it slightly differently: I use a "template" .json file with the details Bob mentioned, but instead of using the Filter section I use the DSN section. I wanted to only archive the one user of my leavers process, not every disabled account. I used this in the .json file:

    "Filter": "(objectClass=user)",
    "DSN": "replaceme",

Then in my PowerShell script I set "replaceme" to the distinguished name. Something like this (please test if you're going to use any of this).

PowerShell:

    Import-Module ActiveDirectory

    # Checks if the generated file exists and deletes it
    $FileName = "C:\LDAP_Import\new_delete.json"
    if (Test-Path $FileName) { Remove-Item $FileName }

    # Get the AD account details
    $a = Get-ADUser <leavers samaccountname>
    $b = $a.DistinguishedName

    # Use template delete.json, replace "replaceme" with the AD details and write to
    # the new_delete.json file, then run the batch file to delete
    if ($b -ne "") {
        [System.IO.File]::ReadAllText("C:\LDAP_Import\delete.json").Replace('replaceme', $b) |
            Set-Content C:\LDAP_Import\new_delete.json
        if (Test-Path $FileName) { C:\LDAP_Import\User_delete.bat | Out-Null }
    }

End of PowerShell.

Batch file:

    c:
    cd C:\LDAP_Import\
    C:\LDAP_Import\ldap_user_import.exe -file=new_delete.json

As I said, test in your environment before using this. Hope it gives you some ideas. Thanks Ralf
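The two approaches above (Bob's filter for every disabled account, Ralf's DSN for one leaver) can be produced from the same template without a text replace on the file. The script below is an added example, not Bob's, Ralf's or Hornbill's code. It assumes the conf.json is plain JSON with top-level "Filter", "DSN" and "UserAccountStatus" keys as quoted in the thread, that the utility takes -file=<name> (shown in Ralf's batch file) and that the dry-run switch is spelled -dryrun=true (an assumption; check the wiki page for the exact flag). The status value is checked against the list of accepted values, in lower case, before anything is written.

```powershell
# Added example (not code from the thread): build a one-off "archive" config from an
# existing Hornbill LDAP Import conf.json, then run the utility in dry-run mode first.
# Assumed: JSON config with top-level Filter / DSN / UserAccountStatus keys, and the
# -dryrun=true flag spelling. Paths are the C:\LDAP_Import ones used in the thread.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# The only account statuses the import accepts, in the exact case it expects.
$AllowedStatuses = @('active', 'suspended', 'archived')

function New-ArchiveConfig {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,   # e.g. C:\LDAP_Import\conf.json
        [Parameter(Mandatory)] [string] $OutputPath,     # e.g. C:\LDAP_Import\archivedUsers.json
        [string] $Filter,                                # Bob's approach: an LDAP filter
        [string] $DistinguishedName,                     # Ralf's approach: one leaver's DN
        [string] $Status = 'archived'
    )
    if ($AllowedStatuses -notcontains $Status) {
        throw "Status '$Status' is not one of: $($AllowedStatuses -join ', ') (values are case sensitive)"
    }
    if (-not $Filter -and -not $DistinguishedName) {
        throw 'Supply -Filter (all disabled accounts) or -DistinguishedName (one leaver)'
    }

    # Parse the template as JSON rather than replacing a marker string, so a DN that
    # contains quotes or backslashes is serialised correctly instead of breaking the file.
    $conf = Get-Content -LiteralPath $TemplatePath -Raw | ConvertFrom-Json

    # Make sure the UserAccountStatus section exists, then set it to archive matches.
    if ($conf.PSObject.Properties.Name -notcontains 'UserAccountStatus') {
        $conf | Add-Member -NotePropertyName 'UserAccountStatus' -NotePropertyValue ([pscustomobject]@{})
    }
    $conf.UserAccountStatus | Add-Member -NotePropertyName Action  -NotePropertyValue 'Update' -Force
    $conf.UserAccountStatus | Add-Member -NotePropertyName Enabled -NotePropertyValue $true    -Force
    $conf.UserAccountStatus | Add-Member -NotePropertyName Status  -NotePropertyValue $Status  -Force

    if ($DistinguishedName) {
        # Single leaver: scope the search base to that object and match any user under it.
        $conf | Add-Member -NotePropertyName DSN    -NotePropertyValue $DistinguishedName  -Force
        $conf | Add-Member -NotePropertyName Filter -NotePropertyValue '(objectClass=user)' -Force
    } else {
        $conf | Add-Member -NotePropertyName Filter -NotePropertyValue $Filter -Force
    }

    # -Depth: ConvertTo-Json's default of 2 would flatten nested mapping sections to strings.
    $conf | ConvertTo-Json -Depth 20 | Set-Content -LiteralPath $OutputPath -Encoding UTF8
    return $OutputPath
}

# Bob's approach: every disabled AD account (the filter quoted in his post).
$disabledFilter = '(&(objectCategory=Person)(sAMAccountName=*)(UserAccountControl:1.2.840.113556.1.4.803:=2))'
$cfg = New-ArchiveConfig -TemplatePath 'C:\LDAP_Import\conf.json' `
                         -OutputPath   'C:\LDAP_Import\archivedUsers.json' `
                         -Filter       $disabledFilter

# Ralf's approach: one leaver, looked up by sAMAccountName with the AD module.
# Import-Module ActiveDirectory
# $dn  = (Get-ADUser -Identity 'jsmith').DistinguishedName
# $cfg = New-ArchiveConfig -TemplatePath 'C:\LDAP_Import\conf.json' `
#                          -OutputPath 'C:\LDAP_Import\new_delete.json' -DistinguishedName $dn

# Dry run first and read the utility's log before running the import for real.
Push-Location 'C:\LDAP_Import'
try {
    & .\ldap_user_import.exe "-file=$(Split-Path $cfg -Leaf)" '-dryrun=true'
} finally {
    Pop-Location
}
```

Because the status check runs before the file is written, a value such as "Archived" fails fast here instead of being rejected by the import with the "not an allowable value" error reported later in this thread.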
gwynne Posted July 4, 2016

Thank you both very much for the input; I will test both and see what works for us. Kind Regards Gareth
Tina.Lapere (Author) Posted August 17, 2016

Hi Guys, I've finally got round to looking at this and I've created a new conf file, but I'd like to test it before I apply it to everything, just in case it's wrong. Can someone please advise what I need to add into the filter area to restrict it down to one user (I'm not good with scripting stuff)? Also, can you see any obvious errors? Thanks Tina

Attachment: archiveusers.docx
Tina.Lapere (Author) Posted August 19, 2016

Could anyone just cast their eye over my comment above and provide any help? I'd like to get this sorted asap. Thanks Tina
Ralf Peters Posted August 19, 2016

Looks OK to me, but then I don't know anything about your AD structure, so I can't be sure. You can run the command with dryrun=True to give it a test run and check the log file to see if it's what you want. Thanks Ralf
Tina.Lapere (Author) Posted August 19, 2016

@Ralf Peters Thank you, I'll give that a go.
Guest Posted August 25, 2016

Hi Tina, Sorry for the late reply on this, but if you are still looking to restrict the filter down to one user, you simply need to add an additional bracketed clause into your filter, along the lines of (samAccountName=TinaL), or whatever your unique reference is. I hope this helps. Kind Regards Bob
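The single-user filter Bob describes is the disabled-account filter from earlier in the thread with the sAMAccountName wildcard replaced by one account name. The function below is an added example, not part of Bob's reply or of the import utility; it goes a step further than the post by escaping the account name per RFC 4515, so a value that happens to contain "(", ")", "*" or "\" (for instance one pasted from a spreadsheet) cannot change the meaning of the filter. Omitting the name gives back the full disabled-account filter from step 4 above.

```powershell
# Added example (not from the thread): build the test filter for one user, or the full
# disabled-account filter, with the value escaped so it cannot alter the filter logic.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP search filter.
    param([Parameter(Mandatory)] [string] $Value)
    # Backslash first, so the escape sequences added below are not escaped again.
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    return $Value
}

function New-DisabledUserFilter {
    # With -SamAccountName: match only that account, as Bob suggests for a test run.
    # Without it: match every disabled account, as in the filter quoted earlier.
    param([string] $SamAccountName)
    $name = if ($SamAccountName) { ConvertTo-LdapFilterValue $SamAccountName } else { '*' }
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 of
    # userAccountControl is ACCOUNTDISABLE, so this clause selects disabled accounts.
    return "(&(objectCategory=Person)(sAMAccountName=$name)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
}

# Every disabled account (Bob's step 4), then one account for the dry run.
New-DisabledUserFilter
New-DisabledUserFilter -SamAccountName 'TinaL'

# A constructed awkward value: the parentheses come out as \28 and \29 and stay
# inside the sAMAccountName clause instead of closing it early.
New-DisabledUserFilter -SamAccountName 'odd(name)'
```

Paste the returned string into the "Filter" value of the copied conf.json; the escaped form is what the directory expects, so nothing further needs to be done to it on the Hornbill side.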
samwoo Posted August 30, 2016

Hi all, Just wanted to mention that I use Softerra LDAP Browser (free) to build these filters. Once I get the results I require, I copy the filter that I built from the software into the conf file and away it goes. http://www.ldapadministrator.com/ When building filters they look like this (example from their website): When you've created the filters they end up looking like the ones we need for the LDAP_Import. I don't check for disabled accounts as they are moved into the "Archived" OU anyway; if any current user ends up in here they are set to "Archived" in Hornbill, and if they are moved into another OU they will automatically become "Active" if they are not already. It's really cool. Thanks, Samuel
Tina.Lapere (Author) Posted September 16, 2016

@bob_dickinson I've tried running this with both a dry run and live, as it's only set for one user, and I'm getting this error message:

    [ERROR] Unable to Set User Status 111: The value 'Archived' for element <accountStatus> is not an allowable value at location '/methodCall/params/accountStatus'

Can you shed any light on what it means please? Many thanks Tina
TrevorKillick Posted September 16, 2016

@Tina.Lapere The following statuses are accepted:

    active
    suspended
    archived

So I believe the issue might be case sensitivity. Kind Regards Trevor Killick
Tina.Lapere (Author) Posted September 16, 2016

@TrevorKillick Perfect, that worked. Thank you