Capture Delete Account events in Active Directory -Terminate User

Capture Delete Account events in Active Directory -Terminate User

I want to terminate (LOGIN_DISABLED = TRUE) a user who was DELETED in Active Directory. I am able to make user terminated (LOGIN_DISABLED = TRUE) when an account in AD was disabled. I want to have the same capability on the DELETE event as well. 

Can you please guide me on how to accomplish this?

Parents
  • You only get one shot at this... When the Pub channel sends you a delete, you have to catch that event.  (if operation equals delete) then set dest attr Login Disabled to true.

    I cannot recall, but the class name may not be there in a delete of a user, so you have to ignore the class when you do this.

  • Yes, you can.

    I used "custom" logic in one of the AD drivers that 

    1. Capture AD delete operation

    2. "Convert" deleted object name to "human-friendly" format for future use.

    You can use "similar" techniques.

    Geoffrey absolutely right: ObjectClass information already "disappear" during delete operation.

    But we still have a number of methods for users identifications: object association (GUID) and "reconstructed" SAMAccountname.

    Example of the Delete operation event (some business sensitive information in the trace masked) 

    [08/12/21 09:08:22.821]:AD-XXX2LS :Remote Interface Driver: Received.
    [08/12/21 09:08:22.822]:AD-XXX2LS :
    <nds dtdversion="2.2">
    <source>
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="4.0.0.4">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">
    <association>2ab868b193aef64cb134bf3989aa8d8a</association>
    </delete>
    </input>
    </nds> 

     <nds dtdversion="2.2">
    <source>
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="4.0.0.4">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">
    <association>2ab868b193aef64cb134bf3989aa8d8a</association>
    </delete>
    </input>
    </nds>
    [08/12/21 09:08:23.073]:AD-XXX2LS PT:Applying policy: %+C%14C15 msDS-PrincipalName%-C.
    [08/12/21 09:08:23.115]:AD-XXX2LS PT: Evaluating selection criteria for rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.120]:AD-XXX2LS PT: (if-operation equal "delete") = TRUE.
    [08/12/21 09:08:23.124]:AD-XXX2LS PT: (if-op-property 'op-msDS-PrincipalName' not-available) = TRUE.
    [08/12/21 09:08:23.127]:AD-XXX2LS PT: (if-src-dn available) = TRUE.
    [08/12/21 09:08:23.133]:AD-XXX2LS PT: Rule selected.
    [08/12/21 09:08:23.135]:AD-XXX2LS PT: Applying rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.140]:AD-XXX2LS PT: Action: do-set-local-variable("lvSrcDN",scope="policy",token-src-dn()).
    [08/12/21 09:08:23.145]:AD-XXX2LS PT: arg-string(token-src-dn())
    [08/12/21 09:08:23.148]:AD-XXX2LS PT: token-src-dn()
    [08/12/21 09:08:23.150]:AD-XXX2LS PT: Token Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.154]:AD-XXX2LS PT: Arg Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.158]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-before($lvSrcDN,'\0ADEL:')")).
    [08/12/21 09:08:23.164]:AD-XXX2LS PT: arg-string(token-xpath("substring-before($lvSrcDN,'\0ADEL:')"))
    [08/12/21 09:08:23.167]:AD-XXX2LS PT: token-xpath("substring-before($lvSrcDN,'\0ADEL:')")
    [08/12/21 09:08:23.170]:AD-XXX2LS PT: Token Value: "CN=skumawa".
    [08/12/21 09:08:23.174]:AD-XXX2LS PT: Arg Value: "CN=skumawa".
    [08/12/21 09:08:23.175]:AD-XXX2LS PT: Action: do-if().
    [08/12/21 09:08:23.177]:AD-XXX2LS PT: Evaluating conditions.
    [08/12/21 09:08:23.180]:AD-XXX2LS PT: (if-xpath true "starts-with($lvmsDS-PrincipalName,"CN=")") = TRUE.
    [08/12/21 09:08:23.185]:AD-XXX2LS PT: Performing if actions.
    [08/12/21 09:08:23.187]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")).
    [08/12/21 09:08:23.194]:AD-XXX2LS PT: arg-string(token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')"))
    [08/12/21 09:08:23.198]:AD-XXX2LS PT: token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")
    [08/12/21 09:08:23.202]:AD-XXX2LS PT: Token Value: "skumawa".
    [08/12/21 09:08:23.204]:AD-XXX2LS PT: Arg Value: "skumawa".

  • Thank you for your replies. One question about the place that the policy place to be put. Should I add the newly defined policy in Input Transformation Policy tab?

  • I usually add my own "new policy", that includes custom logic.

    I'm trying to separate my policies from "default" NetIQ drivers' policies.

Reply Children
No Data