
Capture Delete Account events in Active Directory -Terminate User

I want to terminate (LOGIN_DISABLED = TRUE) a user who was DELETED in Active Directory. I am able to make user terminated (LOGIN_DISABLED = TRUE) when an account in AD was disabled. I want to have the same capability on the DELETE event as well. 

Can you please guide me on how to accomplish this?

  • You only get one shot at this... When the Pub channel sends you a delete, you have to catch that event.  (if operation equals delete) then set dest attr Login Disabled to true.

    I cannot recall, but the class name may not be there in a delete of a user, so you have to ignore the class when you do this.

  • Yes, you can.

    I used "custom" logic in one of the AD drivers that 

    1. Capture AD delete operation

    2. "Convert" deleted object name to "human-friendly" format for future use.

    You can use "similar" techniques.

    Geoffrey is absolutely right: the ObjectClass information has already "disappeared" during the delete operation.

    But we still have a number of methods for user identification: the object association (GUID) and the "reconstructed" SAMAccountName.

    Example of the Delete operation event (some business-sensitive information in the trace is masked):

    [08/12/21 09:08:22.821]:AD-XXX2LS :Remote Interface Driver: Received.
    [08/12/21 09:08:22.822]:AD-XXX2LS :
    <nds dtdversion="2.2">
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="">AD</product>
    <contact>NetIQ Corporation</contact>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">

     <nds dtdversion="2.2">
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="">AD</product>
    <contact>NetIQ Corporation</contact>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">
    [08/12/21 09:08:23.073]:AD-XXX2LS PT:Applying policy: %+C%14C15 msDS-PrincipalName%-C.
    [08/12/21 09:08:23.115]:AD-XXX2LS PT: Evaluating selection criteria for rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.120]:AD-XXX2LS PT: (if-operation equal "delete") = TRUE.
    [08/12/21 09:08:23.124]:AD-XXX2LS PT: (if-op-property 'op-msDS-PrincipalName' not-available) = TRUE.
    [08/12/21 09:08:23.127]:AD-XXX2LS PT: (if-src-dn available) = TRUE.
    [08/12/21 09:08:23.133]:AD-XXX2LS PT: Rule selected.
    [08/12/21 09:08:23.135]:AD-XXX2LS PT: Applying rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.140]:AD-XXX2LS PT: Action: do-set-local-variable("lvSrcDN",scope="policy",token-src-dn()).
    [08/12/21 09:08:23.145]:AD-XXX2LS PT: arg-string(token-src-dn())
    [08/12/21 09:08:23.148]:AD-XXX2LS PT: token-src-dn()
    [08/12/21 09:08:23.150]:AD-XXX2LS PT: Token Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.154]:AD-XXX2LS PT: Arg Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.158]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-before($lvSrcDN,'\0ADEL:')")).
    [08/12/21 09:08:23.164]:AD-XXX2LS PT: arg-string(token-xpath("substring-before($lvSrcDN,'\0ADEL:')"))
    [08/12/21 09:08:23.167]:AD-XXX2LS PT: token-xpath("substring-before($lvSrcDN,'\0ADEL:')")
    [08/12/21 09:08:23.170]:AD-XXX2LS PT: Token Value: "CN=skumawa".
    [08/12/21 09:08:23.174]:AD-XXX2LS PT: Arg Value: "CN=skumawa".
    [08/12/21 09:08:23.175]:AD-XXX2LS PT: Action: do-if().
    [08/12/21 09:08:23.177]:AD-XXX2LS PT: Evaluating conditions.
    [08/12/21 09:08:23.180]:AD-XXX2LS PT: (if-xpath true "starts-with($lvmsDS-PrincipalName,"CN=")") = TRUE.
    [08/12/21 09:08:23.185]:AD-XXX2LS PT: Performing if actions.
    [08/12/21 09:08:23.187]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")).
    [08/12/21 09:08:23.194]:AD-XXX2LS PT: arg-string(token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')"))
    [08/12/21 09:08:23.198]:AD-XXX2LS PT: token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")
    [08/12/21 09:08:23.202]:AD-XXX2LS PT: Token Value: "skumawa".
    [08/12/21 09:08:23.204]:AD-XXX2LS PT: Arg Value: "skumawa".
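    The rule whose evaluation the trace above records, written out as DirXML Script. This is an added example, not the poster's own policy XML: the rule name, the variable names lvSrcDN and lvmsDS-PrincipalName, and the operation property op-msDS-PrincipalName are taken from the trace, and the final do-set-op-property action (which stores the result so later policies can read it and the rule does not re-run) is an assumption about what the masked part of the rule does. It reconstructs the object name from the tombstone src-dn on a Publisher delete, which, together with the association, is the only identifying information the event still carries.

```xml
<policy>
  <rule>
    <description>62 itp-generate msDS-PrincipalName during Delete operation</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">delete</if-operation>
        <!-- skip if an earlier pass already stored the name (assumed guard, matches the trace condition) -->
        <if-op-property name="op-msDS-PrincipalName" op="not-available"/>
        <if-src-dn op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- the tombstone DN looks like CN=name\0ADEL:<objectGUID>,CN=Deleted Objects,DC=... -->
      <do-set-local-variable name="lvSrcDN" scope="policy">
        <arg-string>
          <token-src-dn/>
        </arg-string>
      </do-set-local-variable>
      <!-- keep only the RDN: everything before the \0ADEL: marker -->
      <do-set-local-variable name="lvmsDS-PrincipalName" scope="policy">
        <arg-string>
          <token-xpath expression="substring-before($lvSrcDN,'\0ADEL:')"/>
        </arg-string>
      </do-set-local-variable>
      <!-- strip the CN= prefix when it is present -->
      <do-if>
        <arg-conditions>
          <and>
            <if-xpath op="true">starts-with($lvmsDS-PrincipalName,'CN=')</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-local-variable name="lvmsDS-PrincipalName" scope="policy">
            <arg-string>
              <token-xpath expression="substring-after($lvmsDS-PrincipalName,'CN=')"/>
            </arg-string>
          </do-set-local-variable>
        </arg-actions>
      </do-if>
      <!-- assumed: publish the value as an operation property for downstream policies -->
      <do-set-op-property name="op-msDS-PrincipalName">
        <arg-string>
          <token-local-variable name="lvmsDS-PrincipalName"/>
        </arg-string>
      </do-set-op-property>
    </actions>
  </rule>
</policy>
```

    Two caveats when relying on this: the recovered value is the object's CN (its RDN), which usually equals sAMAccountName but is not guaranteed to; and if the delete was not a user, the same rule still fires, since no class-name is present on a delete. The hex string after \0ADEL: is the objectGUID, which is also what the AD driver uses as the association value, so the association remains the more reliable key.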

  • Suggested Answer

    There is a sub-ctp-entitlementImpl policy that does just that with one of its rules in AD. I recommend you just copy that rule (change the conditions of execution); you could even turn on entitlements and use the integrated default policies...

  • Hello, yes I saw the rule and, like you said, I just copied it into my policy. I have put a screenshot containing the log for the policy. Unfortunately, the user's Login Disabled attribute did not turn into TRUE. I have specified the Association like it is done in sub-ctp-entitlementImpl. There was no error in the logs at the same time. I have received a successfully completed operation log. The Login Disabled attribute is also present in the schema mapping.

    <nds dtdversion="2.2">
    <product build="20180125_120000" instance="\OGUZ_TREE\system\driverset1\Active Directory Driver" version="">AD</product>
    <contact>NetIQ Corporation</contact>
    <modify class-name="User" event-id="Active Directory Driver##183f509f401##0">
    <modify-attr attr-name="Login Disabled">
    <value type="string">true</value>
    </modify-attr>
    </modify>
    </nds>


  • Hi Oguz,

    In your trace I can see that the modify operation is going through.

    Could you validate the rest of your trace and publish it here, so we can see how the modify operation was executed on your vault, or whether it was blocked?

  • Verified Answer

    Hello, I have found a solution implementing this requirement. What I did was to create a separate policy under the Publisher - Event Transformation package. In the policy, I have used

    <do-set-dest-attr-value class-name="User" name="Login Disabled" when="after">
    <arg-value type="string">
    <token-text xml:space="preserve">true</token-text>
    </arg-value>
    </do-set-dest-attr-value>

    as the action, and in the condition I have put <if-operation mode="regex" op="equal">modify|delete</if-operation>. The reason I have used modify is that, after I created the policy in the Event Transformation container, I realized that the operation had turned into modify. It was delete before, when my policy was in the Publisher ITP.

  • Hi, if it works, great.

    We asked you for the whole trace so we could see and advise on what is wrong.
    The trace would still be good in order to advise properly, but this policy should be under Command Transformation Policies, as is.

  • Hello, I have created my own policy under Publisher channel -> Command Transformation container. However, I am getting an exception when the user is deleted in Active Directory. I tried to use the same rule defined in sub-ctp-entitlementImpl, only I removed the object class conditions as it does not catch it as User.

    Below is my policy:

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.202209141650\DTD\dirxmlscript4.8.4.dtd"><policy>
    <!-- rule/conditions/actions wrappers and closing tags restored; the post showed only the key lines -->
    <rule>
    <description>Set Login Disabled for Delete Events OGUZ</description>
    <comment xml:space="preserve">Sets Login Disabled to TRUE for Delete Events</comment>
    <conditions>
    <and>
    <if-operation mode="case" op="equal">remove-association</if-operation>
    </and>
    </conditions>
    <actions>
    <do-set-dest-attr-value class-name="User" name="Login Disabled" when="before">
    <arg-association>
    <token-association/>
    </arg-association>
    <arg-value type="string">
    <token-text xml:space="preserve">true</token-text>
    </arg-value>
    </do-set-dest-attr-value>
    </actions>
    </rule>
    </policy>

    The exception I got is:

    [01/15/23 23:56:42.348]:ADTrace PT:Applying policy: %+C%14CNOVLADDCFG-pub-ctp-deleteUserOgz%-C.
    [01/15/23 23:56:42.350]:ADTrace PT: Applying to modify #1.
    [01/15/23 23:56:42.351]:ADTrace PT: Evaluating selection criteria for rule 'Set Login Disabled for Delete Events OGUZ'.
    [01/15/23 23:56:42.354]:ADTrace PT: (if-operation equal "remove-association") = FALSE.
    [01/15/23 23:56:42.354]:ADTrace PT: Rule rejected.
    [01/15/23 23:56:42.355]:ADTrace PT: Applying to remove-association #2.
    [01/15/23 23:56:42.356]:ADTrace PT: Evaluating selection criteria for rule 'Set Login Disabled for Delete Events OGUZ'.
    [01/15/23 23:56:42.359]:ADTrace PT: (if-operation equal "remove-association") = TRUE.
    [01/15/23 23:56:42.361]:ADTrace PT: Rule selected.
    [01/15/23 23:56:42.363]:ADTrace PT: Applying rule 'Set Login Disabled for Delete Events OGUZ'.
    [01/15/23 23:56:42.365]:ADTrace PT: Action: do-set-dest-attr-value("Login Disabled",class-name="User",when="before",arg-association(token-association()),"true").
    [01/15/23 23:56:42.375]:ADTrace PT: arg-association(token-association())
    [01/15/23 23:56:42.376]:ADTrace PT: token-association()
    [01/15/23 23:56:42.377]:ADTrace PT: Token Value: "".
    [01/15/23 23:56:42.378]:ADTrace PT: Arg Value: "".
    [01/15/23 23:56:42.380]:ADTrace PT:
    DirXML Log Event -------------------
    Driver: \OGUZ_TREE\system\driverset1\Active Directory Driver
    Channel: Publisher
    Object: (data\o2more2)
    Status: Error
    Message: Code(-9145) Error in : Unable to determine target object for action 'do-set-dest-attr-value("Login Disabled",

  • Verified Answer

    When posting trace like this, you always start with the input document, then the processing of it, then the error.

    You are trying to use the association of the event. I forget what it looks like, but I bet you do not have it in the doc in the <association> node. You probably need to use the XPATH ./text()

  • I have made another test using the XPATH ./text() and got Code(-9039) Element <modify> does not have a valid association

    I have shared the full trace log for user test107.

    I have moved the Login Disabled part into the NOVLADDCFG-pub-ctp policy, inside "remove managed attributes when object disassociated", because what I realized is that there I can catch the operation when it is equal to remove-association.


  • Looking at the trace you included, I see that what I suggested actually did work.

    [01/16/23 05:11:36.424]:ADTrace PT:
    <nds dtdversion="2.2">
        <product build="20180125_120000" instance="\OGUZ_TREE\system\driverset1\Active Directory Driver" version="">AD</product>
        <contact>NetIQ Corporation</contact>
        <remove-association event-id="Active Directory Driver##185bab4db3e##0">d79e842928610544bfe1cc156f4695d5</remove-association>
    This triggers:
    [01/16/23 05:11:36.452]:ADTrace PT:    Applying rule 'remove managed attributes when object disassociated'.
    [01/16/23 05:11:36.453]:ADTrace PT:      Action: do-set-dest-attr-value("Login Disabled",arg-association("XPath("./text()")"),"true").
    [01/16/23 05:11:36.453]:ADTrace PT:        arg-association("XPath("./text()")")
    [01/16/23 05:11:36.455]:ADTrace PT:          token-text("XPath("./text()")")
    [01/16/23 05:11:36.457]:ADTrace PT:          Arg Value: "XPath("./text()")".
    [01/16/23 05:11:36.458]:ADTrace PT:        arg-string("true")
    [01/16/23 05:11:36.458]:ADTrace PT:          token-text("true")
    [01/16/23 05:11:36.458]:ADTrace PT:          Arg Value: "true".
    [01/16/23 05:11:36.458]:ADTrace PT:      Action: do-clear-dest-attr-value("DirXML-ADAliasName",when="before",arg-association(token-xpath("./text()"))).
    [01/16/23 05:11:36.462]:ADTrace PT:        arg-association(token-xpath("./text()"))
    [01/16/23 05:11:36.464]:ADTrace PT:          token-xpath("./text()")
    [01/16/23 05:11:36.466]:ADTrace PT:            Token Value: "d79e842928610544bfe1cc156f4695d5".
    [01/16/23 05:11:36.468]:ADTrace PT:          Arg Value: "d79e842928610544bfe1cc156f4695d5".
    [01/16/23 05:11:36.471]:ADTrace PT:      Action: do-clear-dest-attr-value("DirXML-ADContext",when="before",arg-association(token-xpath("./text()"))).
    [01/16/23 05:11:36.474]:ADTrace PT:        arg-association(token-xpath("./text()"))
    [01/16/23 05:11:36.476]:ADTrace PT:          token-xpath("./text()")
    [01/16/23 05:11:36.477]:ADTrace PT:            Token Value: "d79e842928610544bfe1cc156f4695d5".
    [01/16/23 05:11:36.480]:ADTrace PT:          Arg Value: "d79e842928610544bfe1cc156f4695d5".

  • Yes, it worked. I made a small mistake by putting the XPATH("./text()") between "", and that is why it did not work. After I reconfigured it, it worked.

    Now I am able to set a TRUE value for the Login Disabled attribute of a user who was deleted in Active Directory.
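    For reference, the working rule from this thread as a stand-alone Publisher Command Transformation policy. This is an added example, not the poster's or the NOVLADDCFG package's own policy XML; it assumes it is ordered after NOVLADDCFG-pub-ctp, which is what turns the AD delete into the modify + remove-association pair seen in the traces above, and that "Login Disabled" is present in the schema mapping.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Disable vault login when the AD object is disassociated</description>
    <comment xml:space="preserve">Must run after NOVLADDCFG-pub-ctp has converted the AD delete into modify + remove-association.</comment>
    <conditions>
      <and>
        <!-- the original delete no longer exists at this point; match the converted event -->
        <if-operation mode="case" op="equal">remove-association</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- the association value is the text content of the <remove-association> element,
           not an <association> child, so token-association() returns "" and the
           target must be selected with XPath ./text() (the expression is NOT quoted) -->
      <do-set-dest-attr-value name="Login Disabled" when="before">
        <arg-association>
          <token-xpath expression="./text()"/>
        </arg-association>
        <arg-value type="string">
          <token-text xml:space="preserve">true</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
```

    when="before" matters: the modify against the vault is issued before the remove-association is applied, while the association can still resolve to the eDirectory object. After disassociation the object can no longer be located by association, which is the Code(-9145) "Unable to determine target object" failure seen earlier in this thread.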
