Aegis Automation Workflows in 5 Minutes - Report on Disabled User Accounts

The "Aegis Automation Workflows in 5 Minutes" cool-tool blog series shows examples of Aegis workflows which deliver value in as little as 5 minutes of development time - all using out-of-the-box activities! Aegis workflows can be forever evolving, and while these workflows fulfill a purpose, you may for example want to extend a workflow from being a simple notification workflow to one which goes further and remediates the problem.

There are many ways to detect disabled user accounts; in this 5 minute workflow I will use the Directory Resource Administrator (DRA) Adapter for Aegis to interact with Active Directory. Accounts can be disabled for many reasons, from being disabled manually by an administrator to being disabled automatically when the account expires. Managing disabled accounts is an important task in the smooth management of Active Directory. This workflow will first search for disabled users, remove any 'known' disabled accounts from the list and report the remaining list to an administrator.

This is what the workflow looks like...

[Figure: workflow1 - the workflow layout]

I use the DRA adapter activity 'Find Active Directory Objects' to run an LDAP query to find disabled user accounts with this filter (the 1.2.840.113556.1.4.803 matching rule performs a bitwise AND against userAccountControl, and 2 is the ACCOUNTDISABLE flag):

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Not all the results will need to be reported to the administrator - there may already be a list of known accounts which are meant to be disabled and that we want to ignore. The next step in the workflow, 'Compare Arrays', is used to remove the 'known' disabled accounts from the list. The remaining accounts are added to an Aegis Table for display in an Input Form. The Send Mail activity sends the administrator a link to the input form, which contains the disabled account list.
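As an added example (not part of the original post, and not Aegis or DRA adapter code), here is the same two-step logic run in Python over a constructed set of directory records: the bitwise userAccountControl test that the LDAP filter performs, followed by the 'Compare Arrays' exclusion step. The attribute names are standard Active Directory attributes; the sample accounts and the exclusion list are made up.

```python
ACCOUNTDISABLE = 0x2      # userAccountControl flag tested by the LDAP filter
NORMAL_ACCOUNT = 0x200    # ordinary user account flag
DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample of what 'Find Active Directory Objects' could return.
# userAccountControl is the raw integer attribute value.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "svc-backup", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE},
    {"sAMAccountName": "alee", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "krbtgt", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    # computer objects also carry objectClass=user, which is why the filter
    # adds objectCategory=person; this one is disabled but must not be reported
    {"sAMAccountName": "PRINTER01$", "objectCategory": "computer",
     "userAccountControl": 0x1000 | ACCOUNTDISABLE},
]

# Constructed exclusionList: accounts that are meant to stay disabled.
EXCLUSION_LIST = ["krbtgt", "Guest"]


def is_disabled_user(entry):
    """Emulates the filter: a person object whose userAccountControl has the
    ACCOUNTDISABLE bit set. The 1.2.840.113556.1.4.803 rule is a bitwise AND,
    so a match does not require the value to equal 2 exactly."""
    return (entry["objectCategory"] == "person"
            and (entry["userAccountControl"] & ACCOUNTDISABLE) != 0)

def find_disabled_users(entries):
    """Step 1 of the workflow: the names the DRA search would return."""
    return [e["sAMAccountName"] for e in entries if is_disabled_user(e)]

def compare_arrays(found, exclusions):
    """Step 2, 'Compare Arrays': drop known accounts. sAMAccountName is
    case-insensitive in AD, so compare in lower case to avoid misses."""
    known = {name.lower() for name in exclusions}
    return [name for name in found if name.lower() not in known]

def build_report(entries, exclusions):
    """Rows that would be placed in the Aegis Table for the input form."""
    return compare_arrays(find_disabled_users(entries), exclusions)

if __name__ == "__main__":
    for account in build_report(SAMPLE_ENTRIES, EXCLUSION_LIST):
        print(account)
```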

[Figure: form - the input form listing the disabled accounts]

And you are done ... hopefully in 5 minutes!

The workflow is attached if you want to compare results. Some workitem attributes need updating to work in your environment: email_FromAddress and email_ToAddress, which are used by the Send Mail activity; domainController, domainControllerPort and baseDN, which are used in the DRA search; and exclusionList, which is the list of accounts to ignore. Everything else is generic. The workflow requires Aegis 3.2 and the DRA 2.0 Adapter for Aegis.

Next Steps - yes you've guessed it, there are loads of possibilities to extend this workflow! Here are some examples...


  1. A must - add some error handling and notification! If there are any failures (for example if DRA is unreachable) the workflow will fail silently, apart from an error in the console.

  2. Add a scheduled trigger, so the workflow runs automatically on a schedule of your choosing.

  3. Add some checkboxes to the input form - any user account the user selects can be removed, moved or re-enabled later in the workflow.

  4. This workflow could be used to perform lots of similar queries by modifying the filter, only returning expired accounts for example.

  5. The workflow is specific to Active Directory with the DRA adapter, but the same approach could be used with command-line tools, scripts, the LDAP Adapter etc. against other directory types.

Think about how you'd extend the workflow!

Last update: 2014-08-27 23:10