
Remove AD Group Memberships when Login is Disabled


Hi, I need to remove AD group memberships when an account is disabled in
the ID Vault.

My current rule looks like this but doesn't seem to work.

<rule>
<description>NOT-WORKING Remove Users from their default Exchange
Distribution List PTA</description>
<comment xml:space="preserve">Remove PTA users to default groups based
on their placement context in AD.</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
<if-op-attr mode="nocase" name="Login Disabled"
op="equal">true</if-op-attr>
</and>
</conditions>
<actions>
<do-remove-dest-attr-value class-name="Group" name="Member"
when="after">
<arg-value type="string">
<token-text xml:space="preserve">CN=</token-text>
<token-src-attr name="Full Name"/>
<token-text xml:space="preserve">,OU=User,OU=</token-text>
<token-src-attr name="OU"/>
<token-text xml:space="preserve">,OU=</token-text>
<token-src-attr name="city"/>
<token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
</arg-value>
</do-remove-dest-attr-value>
<do-break disabled="true"/>
</actions>
</rule>

I have also tested this rule, but it also doesn't work.

<rule disabled="false">
<description>TEST Remove Users to their default Exchange Distribution
List PTA</description>
<comment xml:space="preserve">Remove PTA users to default groups based
on their placement context in AD.</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
<if-src-attr mode="nocase" name="OU"
op="not-equal">FMDP</if-src-attr>
<if-src-attr mode="nocase" name="OU"
op="not-equal">CSD</if-src-attr>
<if-src-attr mode="nocase" name="OU"
op="not-equal">LSD</if-src-attr>
<if-src-attr mode="nocase" name="OU"
op="not-equal">HRD</if-src-attr>
<if-op-attr mode="nocase" name="Login Disabled"
op="equal">true</if-op-attr>
</and>
</conditions>
<actions>
<do-set-op-dest-dn disabled="true">
<arg-dn>
<token-text xml:space="preserve">"CN="+"All-"+Source
Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
</arg-dn>
</do-set-op-dest-dn>
<do-remove-dest-attr-value class-name="Group" name="Member"
when="after">
<arg-dn>
<token-text xml:space="preserve">"CN="+"All-"+Source
Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
</arg-dn>
<arg-value type="string">
<token-text xml:space="preserve">CN=</token-text>
<token-src-attr name="Full Name"/>
<token-text xml:space="preserve">,OU=User,OU=</token-text>
<token-src-attr name="OU"/>
<token-text xml:space="preserve">,OU=</token-text>
<token-src-attr name="city"/>
<token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
</arg-value>
</do-remove-dest-attr-value>
<do-break disabled="true"/>
</actions>
</rule>
<rule>


Thanks in advance


--
Hendrik
------------------------------------------------------------------------
Hendrik's Profile: https://forums.netiq.com/member.php?userid=2773
View this thread: https://forums.netiq.com/showthread.php?t=49261


Re: Remove AD Group Memberships when Login is Disabled

On 11/19/2013 5:14 AM, Hendrik wrote:
>
> Hi I need to remove AD group memberships when an account is disabled in
> the ID Vault.
>
> My current rule looks like this but doesn't seem to work.
>
> <rule>
> <description>NOT-WORKING Remove Users from their default Exchange
> Distribution List PTA</description>
> <comment xml:space="preserve">Remove PTA users to default groups based
> on their placement context in AD.</comment>
> <conditions>
> <and>
> <if-class-name mode="nocase" op="equal">User</if-class-name>
> <if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
> <if-op-attr mode="nocase" name="Login Disabled"
> op="equal">true</if-op-attr>
> </and>
> </conditions>
> <actions>
> <do-remove-dest-attr-value class-name="Group" name="Member"
> when="after">
> <arg-value type="string">
> <token-text xml:space="preserve">CN=</token-text>
> <token-src-attr name="Full Name"/>
> <token-text xml:space="preserve">,OU=User,OU=</token-text>
> <token-src-attr name="OU"/>
> <token-text xml:space="preserve">,OU=</token-text>
> <token-src-attr name="city"/>
> <token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
> </arg-value>
> </do-remove-dest-attr-value>
> <do-break disabled="true"/>
> </actions>
> </rule>
>
> I have also tested this rule, but it also doesn't work.
>
> <rule disabled="false">
> <description>TEST Remove Users to their default Exchange Distribution
> List PTA</description>
> <comment xml:space="preserve">Remove PTA users to default groups based
> on their placement context in AD.</comment>
> <conditions>
> <and>
> <if-class-name mode="nocase" op="equal">User</if-class-name>
> <if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
> <if-src-attr mode="nocase" name="OU"
> op="not-equal">FMDP</if-src-attr>
> <if-src-attr mode="nocase" name="OU"
> op="not-equal">CSD</if-src-attr>
> <if-src-attr mode="nocase" name="OU"
> op="not-equal">LSD</if-src-attr>
> <if-src-attr mode="nocase" name="OU"
> op="not-equal">HRD</if-src-attr>
> <if-op-attr mode="nocase" name="Login Disabled"
> op="equal">true</if-op-attr>
> </and>
> </conditions>
> <actions>
> <do-set-op-dest-dn disabled="true">
> <arg-dn>
> <token-text xml:space="preserve">"CN="+"All-"+Source
> Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
> </arg-dn>
> </do-set-op-dest-dn>
> <do-remove-dest-attr-value class-name="Group" name="Member"
> when="after">
> <arg-dn>
> <token-text xml:space="preserve">"CN="+"All-"+Source
> Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
> </arg-dn>
> <arg-value type="string">
> <token-text xml:space="preserve">CN=</token-text>
> <token-src-attr name="Full Name"/>
> <token-text xml:space="preserve">,OU=User,OU=</token-text>
> <token-src-attr name="OU"/>
> <token-text xml:space="preserve">,OU=</token-text>
> <token-src-attr name="city"/>
> <token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
> </arg-value>
> </do-remove-dest-attr-value>
> <do-break disabled="true"/>
> </actions>
> </rule>
> <rule>
>
>
> Thanks in advance
>
>

The latter rule is closer. The first doesn't specify which group to remove from. Post a trace of
the latter rule failing and we will see what is up. What error are you getting?

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Associate http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: Remove AD Group Memberships when Login is Disabled

On Tue, 19 Nov 2013 11:14:01 +0000, Hendrik wrote:

> Hi I need to remove AD group memberships when an account is disabled in
> the ID Vault.


All groups? Or only specified groups?

You can't remove all groups; the user must (by definition) be a member of
at least one group. Usually this is "Domain Users", which is also set as
their "primary group".


> My current rule looks like this but doesn't seem to work.


Level 3 trace?


> <actions>
> <do-remove-dest-attr-value class-name="Group" name="Member"
> when="after">


This needs to specify what group to remove them from, but isn't.


> <arg-value type="string">
> <token-text xml:space="preserve">CN=</token-text>
> <token-src-attr name="Full Name"/>
> <token-text xml:space="preserve">,OU=User,OU=</token-text>
> <token-src-attr name="OU"/>
> <token-text xml:space="preserve">,OU=</token-text>
> <token-src-attr name="city"/>
> <token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
> </arg-value>


This can most likely be replaced with "current object", letting IDM do
the work of building the correct dest-dn.


> I have also tested this rule, but it also doesn't work.


Level 3 trace?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Remove AD Group Memberships when Login is Disabled

Hendrik wrote:

>
> Hi I need to remove AD group memberships when an account is disabled
> in the ID Vault.
>
> My current rule looks like this but doesn't seem to work.



Try something like the following:

(note this code won't work if your ou attribute is multi-valued)

<rule>
<description>TEST Remove Users to their default Exchange Distribution
List PTA</description>
<comment xml:space="preserve">Remove PTA users to default groups based
on their placement context in AD.</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-attr mode="nocase" name="city" op="equal">PTA</if-attr>
<if-attr mode="regex" name="OU" op="equal">.+</if-attr>
<if-attr mode="regex" name="OU"
op="not-equal">FMDP|CSD|LSD|HRD</if-attr>
<if-op-attr mode="nocase" name="Login Disabled"
op="equal">true</if-op-attr>
</and>
</conditions>
<actions>
<do-set-local-variable name="destGroup" scope="policy">
<arg-string>
<token-text xml:space="preserve">CN=All-</token-text>
<token-escape-for-dest-dn>
<token-attr name="OU"/>
</token-escape-for-dest-dn>
<token-text xml:space="preserve">,OU=Dist List,DC=ORG,DC=co,DC=za</token-text>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="grpAssoc" scope="policy">
<arg-string>
<token-resolve datastore="dest" notrace="true">
<arg-dn>
<token-local-variable name="destGroup"/>
</arg-dn>
</token-resolve>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="regex" name="grpAssoc"
op="equal">.+</if-local-variable>
<if-dest-attr mode="nocase" name="Group Membership" notrace="true"
op="equal">$destGroup$</if-dest-attr>
</and>
</arg-conditions>
<arg-actions>
<do-remove-dest-attr-value class-name="Group" name="Member">
<arg-association>
<token-local-variable name="grpAssoc"/>
</arg-association>
<arg-value type="dn">
<token-src-dn/>
</arg-value>
</do-remove-dest-attr-value>
<!-- tag the member value with the user's association so the AD driver can resolve the DN -->
<do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
<arg-string>
<token-xpath expression="./association/text()"/>
</arg-string>
</do-set-xml-attr>
</arg-actions>
<arg-actions>
<!-- current-node is only set inside a for-each; the group DN built above is in destGroup -->
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">Group : </token-text>
<token-local-variable name="destGroup"/>
<token-text xml:space="preserve"> does not exist, or user is not currently a member. Cannot revoke membership for user: </token-text>
<token-src-name/>
</arg-string>
</do-trace-message>
</arg-actions>
</do-if>
</actions>
</rule>



--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
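The rule in the reply above is stated to break when OU is multi-valued. As an added example (not code from the original thread or the IDM product), here is the same resolve-then-remove technique wrapped in a do-for-each so that a disabled user is removed from the All-<OU> distribution list for every OU value; the group naming, domain and association-ref handling are taken from the rule above, and the OU values are assumed to be plain strings that escape to valid RDNs.

```xml
<rule>
<description>Remove disabled PTA user from the All-OU list for each OU value</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-attr mode="nocase" name="city" op="equal">PTA</if-attr>
<if-op-attr mode="nocase" name="Login Disabled" op="equal">true</if-op-attr>
</and>
</conditions>
<actions>
<!-- one iteration per OU value; current-node holds the value being processed -->
<do-for-each>
<arg-node-set><token-src-attr name="OU"/></arg-node-set>
<arg-actions>
<do-set-local-variable name="destGroup" scope="policy">
<arg-string>
<token-text xml:space="preserve">CN=All-</token-text>
<token-escape-for-dest-dn><token-local-variable name="current-node"/></token-escape-for-dest-dn>
<token-text xml:space="preserve">,OU=Dist List,DC=ORG,DC=co,DC=za</token-text>
</arg-string>
</do-set-local-variable>
<!-- resolve the DN to its association; empty when the group does not exist in AD -->
<do-set-local-variable name="grpAssoc" scope="policy">
<arg-string>
<token-resolve datastore="dest" notrace="true"><arg-dn><token-local-variable name="destGroup"/></arg-dn></token-resolve>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="regex" name="grpAssoc" op="equal">.+</if-local-variable>
<if-dest-attr mode="nocase" name="Group Membership" op="equal">$destGroup$</if-dest-attr>
</and>
</arg-conditions>
<arg-actions>
<!-- remove the user from this group; association-ref lets the driver resolve the member DN -->
<do-remove-dest-attr-value class-name="Group" name="Member">
<arg-association><token-local-variable name="grpAssoc"/></arg-association>
<arg-value type="dn"><token-src-dn/></arg-value>
</do-remove-dest-attr-value>
<do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
<arg-string><token-xpath expression="./association/text()"/></arg-string>
</do-set-xml-attr>
</arg-actions>
</do-if>
</arg-actions>
</do-for-each>
</actions>
</rule>
```

A level 3 trace of the modify event should show one remove-value per OU value whose group exists and currently lists the user; groups that fail either check are skipped silently.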