Who can tell me how the AD/Exchange Shim actually works.


L.S.

Here's our issue :
All users need a mailbox, which is fully automated. All mailbox
preferences besides quota are managed by the driver or via
groups/policies at the exchange back-end.
Besides user mailboxes, we need "Shared" mailboxes. These
(group)mailboxes are requested via workflows and may have very different
preferences (quota, retention etc)

MS Exchange and the O365 counterpart have a web management interface but
this is insufficient, so we need to use this wonderful management
"tool" called powershell ;-o. (so much for the "click" generation).

So we create a mailbox and we need to make it shared, create a group,
give the group Full Access and Send As, Set Quota, change retention
times timezone etc etc.

My first attempt was to add a few attributes PSExecute with all cmdlets.
Some were executed some not and there was no telling why or when things
were not executed.
The second attempt was to add the same few attributes PSExecute with the
difference that all cmdlets are grouped and separated by ";". (This is
NOT supported by MS). The grouping was based on all quota cmdlets in a
single group, all access action grouped together etc.
But to no avail, we had the same issues. Some cmdlets were carried out,
some not, and no telling which or why. The only thing we found out is
that Exchange takes its time to create and we need to wait for that
before sending new cmdlets.
We cannot use "scripts" at the Exchange side nor can we use groups and
policies for this, because it is too dynamic.

The only way we got it to work is fire 2 cmdlets on creation, write back
the other 4 in an eDirectory, and with a trigger job fire one cmdlet at
a time. So any shared mailbox creation needs 4 triggers in order to
finalize the creation.

My question, referring to the title :

Does the NetIQ AD/Exchange shim concatenate all Attributes called
PSExecute to one single command or does it fire them one by one ?
If it is one command, then I understand my findings. If it is not I do
not (besides the timing).

I am starting on building an O365 driver (the new one) and wonder if I
will run into the same issues

Thanks very much in advance


--
dvandermaas
------------------------------------------------------------------------
dvandermaas's Profile: https://forums.netiq.com/member.php?userid=1956
View this thread: https://forums.netiq.com/showthread.php?t=53951


  • Hi dvandermaas,
    Officially, the AD driver supports only Active Directory and Exchange
    cmdlets.

    > Does the NetIQ AD/Exchange shim concatenate all Attributes called
    > PSExecute to one single command or does it fire them one by one ?

    I believe that you are supposed to "generate" the command line for PowerShell.
    PSExecute will inject your generated line into PS.

    <rule>
      <description>Adding PSExecute to Disable New User Account</description>
      <conditions>
        <and>
          <if-operation mode="regex" op="not-equal">query|status</if-operation>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="identityname" scope="policy">
          <arg-string>
            <token-xpath expression='./add-attr[@attr-name="sAMAccountName"]/value/text()'/>
          </arg-string>
        </do-set-local-variable>
        <do-set-dest-attr-value name="PSExecute">
          <arg-value type="string">
            <token-text xml:space="preserve">Disable-ADAccount -Identity </token-text>
            <token-local-variable name="identityname"/>
          </arg-value>
        </do-set-dest-attr-value>
      </actions>
    </rule>



    --
    al_b
    ------------------------------------------------------------------------
    al_b's Profile: https://forums.netiq.com/member.php?userid=209


  • Yes, that's what it does but .............
    If you were to use this code :

    Does the shim concatenate these 2 lines or does it fire them one by one
    ?


    <!-- First PSExecute value: convert the mailbox to a shared mailbox -->
    <do-set-dest-attr-value name="PSExecute">
      <arg-value type="string">
        <token-text xml:space="preserve">Set-Mailbox -type Shared -Identity </token-text>
        <token-local-variable name="identityname"/>
      </arg-value>
    </do-set-dest-attr-value>
    <!-- Second PSExecute value: set the warning quota (note the leading space
         before -IssueWarningQuota so it does not run into the identity) -->
    <do-set-dest-attr-value name="PSExecute">
      <arg-value type="string">
        <token-text xml:space="preserve">Set-Mailbox -Identity </token-text>
        <token-local-variable name="identityname"/>
        <token-text xml:space="preserve"> -IssueWarningQuota 255252</token-text>
      </arg-value>
    </do-set-dest-attr-value>


    --
    dvandermaas

  • On 7/30/15 3:28 PM, dvandermaas wrote:
    >
    > Yes, that's what it does but .............
    > If you were to use this code :
    >
    > Does the shim concatenate these 2 lines or does it fire them one by one
    > ?


    It will execute them one by one.

    Please remember that PSExecute was never intended to be used for
    anything but simple scripting. If you need something advanced then it is
    recommended to use the Scripting Driver.

    Casper

  • Casper Pedersen wrote:

    >
    > It will execute them one by one.


    Doesn't it execute them in a remote runspace/session also?

    > Please remember that PSExecute was never intended to be used for anything but simple scripting. If you need something advanced then it is recommended to use the Scripting Driver.
    >


    This is exactly why I use the Scripting Driver for these types of use-cases.
  • On 7/30/15 5:14 PM, Alex McHugh wrote:
    > Casper Pedersen wrote:
    >
    >>
    >> It will execute them one by one.

    >
    > Doesn't it execute them in a remote runspace/session also?


    Alex,

    I think TID7012362 should cover some of it, but just to recap; with
    PowerShell service it will execute as remote runspace, and with Exchange
    2010 it will execute in local runspace.

    Now the "fun" part, AD cmdlets are executed in local runspace - so with
    the powershell service (requirement with Exchange 2013) you will no
    longer be able to mix Exchange and AD cmdlets. I.e. scripting driver....

    That is the very short story.

    Casper
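
The sequencing discussed in this thread, as an added example (not written by any poster and not NetIQ code): a PowerShell function of the kind a Scripting Driver script could call, which waits until the mailbox exists, then runs one cmdlet at a time and reports which step failed. The function name, parameter names, timeout values and the use of `Add-MailboxPermission` / `Add-ADPermission` for Full Access and Send As are assumptions, as is an on-premises Exchange Management Shell session.

```powershell
# Added example: hypothetical helper, assumes the Exchange cmdlets are already
# loaded (on-premises Exchange Management Shell).
function Complete-SharedMailbox {
    param(
        [Parameter(Mandatory)] [string] $Identity,     # mailbox alias / sAMAccountName
        [Parameter(Mandatory)] [string] $AccessGroup,  # group that receives the rights
        [string] $IssueWarningQuota = '255252',        # value used in the thread
        [int] $TimeoutSeconds = 300,                   # assumed upper bound for the wait
        [int] $PollSeconds = 10                        # assumed polling interval
    )

    # Exchange needs time to finish creating the mailbox: poll until it resolves.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (-not (Get-Mailbox -Identity $Identity -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) {
            throw "Mailbox '$Identity' not available after $TimeoutSeconds seconds"
        }
        Start-Sleep -Seconds $PollSeconds
    }

    # One cmdlet per step, in a fixed order. Values are bound as parameters
    # rather than concatenated into a command string.
    $steps = [ordered]@{
        'ConvertToShared' = { Set-Mailbox -Identity $Identity -Type Shared -ErrorAction Stop }
        'SetQuota'        = { Set-Mailbox -Identity $Identity -IssueWarningQuota $IssueWarningQuota -ErrorAction Stop }
        'GrantFullAccess' = { Add-MailboxPermission -Identity $Identity -User $AccessGroup -AccessRights FullAccess -InheritanceType All -ErrorAction Stop }
        'GrantSendAs'     = { Add-ADPermission -Identity $Identity -User $AccessGroup -ExtendedRights 'Send As' -ErrorAction Stop }
    }

    foreach ($name in $steps.Keys) {
        try {
            & $steps[$name] | Out-Null
            [pscustomobject]@{ Step = $name; Succeeded = $true; Error = $null }
        }
        catch {
            # Emit the failing step with its error text and stop, so the caller
            # can see which cmdlet failed and why, and retry from that step.
            [pscustomobject]@{ Step = $name; Succeeded = $false; Error = $_.Exception.Message }
            break
        }
    }
}
```

The function returns one object per executed step, so a calling script can write the per-step result back to the directory instead of relying on repeated trigger jobs.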

  • On 7/30/15 5:54 PM, dvandermaas wrote:
    >
    > Thx Al_b, Casper