
Using the IDM Scripting Driver to Create Home Directories in an AD Environment

by   in Cybersecurity

In this article I'll describe how we can use the driver to create home directories, set a Terminal Services attribute and grant the correct rights on the newly created directories. This is not a complete or optimal solution: I only cover the VBScript part, and the error handling can be much improved.



This article assumes you already know how to use Designer, iManager, create rules using DirXML-script etc. As a result I won't be going through those steps.



I recommend you read the driver documentation and have it available while implementing it.



Here the scripting driver is used in combination with the AD-driver, with the following flow:




  1. The user is created in the Identity Vault by the HR driver.
  2. The AD-driver creates the user object in the AD domain.
  3. Exchange generates the mail attribute in AD, which is synchronized back to the IDV.
  4. The scripting driver sees that the Internet Email Address attribute has been created and knows that the user now exists in AD.
  5. An add event is generated and sent to the scripting driver shim, where Add.vbs runs and performs the commands entered in the script.
  6. If all goes well, an add-association event is generated and the user object is now associated with the scripting driver. We can use this association with rename and delete events if we want.



Install the scripting driver



The server I installed the driver on was a domain member and was also the file server where all the users' home directories were located.



The OS was Windows Server 2003 SP2.



The installation was done by running the windows_scriptdriver_install.exe from the nt\dirxml\drivers\scripting\bin folder on the IDM 3.5.1 DVD.



Installation is easy: you only need to select the folder where the program files will be installed, and at the end you are prompted to retrieve the SSL certificate from your Identity Vault. Click Yes and a command prompt will open that allows you to specify the hostname and port of your IDV server.



After that you'll be prompted to set the Driver and Remote Loader passwords; click Yes. Another command prompt will open allowing you to set those passwords. At the end of the installation click Finish.



For the driver to work correctly it needs to be able to create EFS-encrypted files on the server, which can be prevented if the EFS certificate has expired or if Group Policy disables EFS.



Patch the scripting driver



Before you begin to use the scripting driver you should install the latest patch. The installation usually consists of copying the three .exe files from the Win folder to the C:\Program Files\Novell\WSDriver\bin folder; the files are usually EventReader.exe, idmevent.exe and wsdriver.exe. Read the instructions before patching.



Starting the service



Use the Services applet on the control panel (Administrative Tools) to start the “Novell IDM Windows Script Driver” service.



Changing the user the service runs as



The service runs logged on as the “Local System” account, which might not have all the rights needed to run your scripts. In the Services control panel applet you can edit the “Log On” tab of the service and make it use another user account that has the necessary rights. Start with an Administrator-equivalent user and then reduce rights until you get it right. Restart the service after you make changes there.



Accessing the built-in HTTP server



The scripting driver has a built-in web server which you can access by browsing to the following addresses; you log in using the driver password.



https://localhost:8091/status

https://localhost:8091/debug

https://localhost:8091/api



wsdrv.conf



The file wsdrv.conf is located in the C:\Program Files\Novell\WSDriver\conf folder. It is a plain text file that can be edited to change the ports the driver listens on, tracelevel, tracefile and the location of the SSL certificate.



Create the driver in the IDV



Use Designer or iManager to create the driver in your driver set.


Some questions you will need to answer:



Driver name: <You decide>
Configure Data Flow: Identity Vault to Application
Scripting Language: Windows VBScript
Polling Interval (Seconds): Since we don't use the publisher channel you can set it to what you want.
Base Container in eDirectory: <You decide>
Auto Associate: No
Strip or Keep old attribute values: Strip
Enable Entitlements: No
Remote Host Name and Port: hostname of the server which runs the driver and the port configured in the wsdrv.conf file.
Use SSL: Yes
Driver Object Password: The password entered during the installation.
Remote Loader Password: The password entered during the installation.



The next step is to configure all the rules to do what you need them to do. The goal in this example is to deliver to the driver shim an add document containing the attribute that will be used to name the directory. This is not covered here.



Creating the VB scripts



Here is an example that does the following:




  1. It uses the built-in make directory command in Windows (md) to create the directory.
  2. It then uses the freeware SetACL command line tool to set the access rights on the newly created directory so that the user may access it.
  3. It sets the TerminalServerProfilePath attribute, which can't be set with the AD-driver, using the freeware tscmd.exe.
  4. If everything works OK it returns the workforceID as the value used for the association.



The script can (and should) be expanded to include, for example:

  • Detecting whether the directory already exists before trying to create it; currently it assumes that the directory name you feed it is unique.
  • Failing gracefully if it can't find the tscmd.exe or setacl.exe file.
  • Anything else you can think of?



Remember to set the homeDrive and homeDirectory AD attributes which can be done using the AD-driver.



Add.vbs


Here is an example script file:




Sub ADD
' *****************************************
' * Add implementation-specific code here *
' * Use the ADD_ASSOCIATION command to    *
' * supply a unique association           *
' *****************************************
Dim CN, workforceID, CreateHomeDir, SetACL, TSPath, ExitCode

' Get the UserID from the current ADD operation; it is used to name the directory
CN = IDMGetEventValue("UserID")

' Get the workforceID from the current ADD operation; it is used to set the association
workforceID = IDMGetEventValue("workforceID")

' Run the md command to create the home directory under d:\users
CreateHomeDir = "cmd.exe /c md d:\users\" & CN
ExitCode = IDMExecute(CreateHomeDir)

' Stop here on failure: the later steps must only run when the directory exists
If ExitCode <> 0 Then
    IDMStatusError "ADD-FAILED: HomeDir Creation Failed for " & CN & " (exit code " & ExitCode & ")"
    Exit Sub
End If

' Run SetACL to set the rights on the home directory. The following rights are granted:
' Change, Delete, Delete subfolders/files.
' Additionally the command makes the user the owner of the home directory.
SetACL = "setacl.exe -on d:\users\" & CN & " -ot file -actn ace -ace n:utb\" & CN & ";p:change,del_child,delete -actn setowner -ownr n:utb\" & CN
ExitCode = IDMExecute(SetACL)

If ExitCode <> 0 Then
    IDMStatusError "ADD-FAILED: Setting rights on the directory failed for " & CN & " (exit code " & ExitCode & ")"
    Exit Sub
End If

' Run tscmd to set the TerminalServerProfilePath for the current user
TSPath = "tscmd.exe DC-1 " & CN & " TerminalServerProfilePath \\filserver-2\tprofile$"
ExitCode = IDMExecute(TSPath)

If ExitCode <> 0 Then
    IDMStatusError "ADD-FAILED: Unable to set the TerminalServerProfilePath for " & CN & " (exit code " & ExitCode & ")"
    Exit Sub
End If

' All steps succeeded: associate the user with this driver using the workforceID
IDMSetCommand "ADD_ASSOCIATION"
IDMWriteValue "ASSOCIATION", workforceID
IDMWriteValue "DEST_DN", IDMGetEventValue("SRC_DN")
IDMStatusSuccess "Add event succeeded"
End Sub
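The improvements listed earlier (detecting an existing directory, failing gracefully when tscmd.exe or setacl.exe is missing) plus a check that the UserID is safe to place on a command line, written as added example helpers for Add.vbs; this is not code from the original article or from the driver. The tool folder, the home root path and the function names are assumptions for this example.

```vbscript
' Assumed locations, adjust to your server (constructed for this example, not from the article)
Const TOOL_DIR = "C:\Program Files\Novell\WSDriver\tools"
Const HOME_ROOT = "d:\users\"

' True only if the name is safe to put on a command line: starts with a letter or
' digit and contains only letters, digits, dot, hyphen and underscore. Spaces, quotes,
' &, |, backslashes and a leading ".." are rejected so that a crafted UserID cannot
' change what md, setacl or tscmd operate on.
Function IsSafeName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$"
    IsSafeName = re.Test(name)
End Function

' Returns the path of the first missing tool, or "" if both tools are present.
Function MissingTool()
    Dim fso, tool, path
    Set fso = CreateObject("Scripting.FileSystemObject")
    MissingTool = ""
    For Each tool In Array("setacl.exe", "tscmd.exe")
        path = fso.BuildPath(TOOL_DIR, tool)
        If Not fso.FileExists(path) Then
            MissingTool = path
            Exit Function
        End If
    Next
End Function

' Runs all checks before any command is executed. Returns "" when it is safe to
' go on, otherwise the message to hand to IDMStatusError.
Function PreflightCheck(CN)
    Dim fso, missing
    Set fso = CreateObject("Scripting.FileSystemObject")
    PreflightCheck = ""
    If Not IsSafeName(CN) Then
        PreflightCheck = "ADD-FAILED: UserID '" & CN & "' is not a safe directory name"
    ElseIf fso.FolderExists(HOME_ROOT & CN) Then
        PreflightCheck = "ADD-FAILED: home directory already exists for " & CN
    Else
        missing = MissingTool()
        If missing <> "" Then PreflightCheck = "ADD-FAILED: required tool not found: " & missing
    End If
End Function

' In Sub ADD, call it after CN has been read and before the first IDMExecute:
'   problem = PreflightCheck(CN)
'   If problem <> "" Then IDMStatusError problem : Exit Sub
```

If you check for the tools in TOOL_DIR, run them from that folder as well (prefix the command strings with the same path) instead of relying on the PATH of the service account.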

