
scripting driver 4.7 powershell scripting

Hi There,

I am trying to configure the scripting driver for my Windows machine. I am new to the scripting driver. I have configured RL and everything else the same as mentioned in the doc and am able to communicate with the Windows machine. I am not able to figure out the following things:

1. Which applications can be used with the scripting driver? In the example it is only written

appadd -n "Bob Smith" -t "818-555-2100"

2. How to define the data definition?

3. Please share a PowerShell script for adding a user to the IDVault for AD/Azure.

4. How to use Microsoft VBScript?

Please guys, I really need help with this for a demonstration.

Thanks 

Accepted Solutions

I didn't have time to make a new example, but here are some older examples from the internet:

IDM Scripting Driver for Windows Domain and Local Accounts

The above link is for a package of VBScript scripts that allow you to sync from eDirectory to Windows accounts. Since it is old, you may need to make some small changes to the scripts.

Identity Manager Exchange 2007 Scripts

The above link is for a package of PowerShell scripts that allow interaction with the IDM AD Driver to provide customization of Exchange mailbox operations. The scripts were updated to support Exchange 2010.

NOTE: the ZIP package links won't work--instead use this link to Google Drive:

IDM Windows Scripting Driver - Script Packages

I hope these are helpful!

-- Sam


The Scripting Driver offers a "blank slate" for targeting applications not supported by other drivers. Let me see if I can answer your questions.

1. On Windows, essentially any application that supports some form of interaction via PowerShell or VBScript. This could be an executable like the example "appadd", or perhaps it has its own API that could be loaded using PowerShell's .NET (object-oriented) capabilities. That said, if NetIQ offers a driver that targets a specific application--you mention Azure/AD--you should use that Driver.

2. Data definition is completely custom. Data types would correspond to attribute types supported by the target application and any needed in eDirectory.

3. As mentioned, I believe there is a driver for Azure/AD. In any case, full solutions are a matter for Consulting, though you may find some examples on the internet.

4. The Driver Documentation has a chapter on VBScript. For both PowerShell and VBScript, you customize files that correspond to Identity Manager events. So for a subscriber (eDir) add, you customize either Add.ps1 or Add.vbs. On the Publisher (application-side) channel, you might customize Poll.ps1/vbs. This is all explained in the documentation.

I can answer specific technical questions, but full solutions would have to be done by Consulting.

-- Sam S.
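As an added illustration of point 4 above (not code from this thread or from NetIQ), here is what a Subscriber Add.ps1 body for the appadd example in the question could look like, with the input checks a practitioner would want before directory data reaches an external executable. It assumes the driver invokes a function named idm_add, uses idm_geteventvalue/idm_statussuccess/idm_statuserror as seen in the posts, and assumes idm_setcommand/idm_writevalue for returning the association (verify the exact names against the PowerShell library shipped with your driver version); the appadd.exe path is hypothetical.

```powershell
# Added example, not from the thread: Subscriber Add.ps1 body for the "appadd" example.
# Assumed: the driver calls idm_add; idm_setcommand / idm_writevalue are assumed names
# for returning the association (check the driver's IDM PowerShell library).
function idm_add
{
    $AppAdd = 'C:\Apps\appadd.exe'   # hypothetical path to the target application

    # Values the Scripting Driver hands over for this Add event
    $cn    = idm_geteventvalue "CN"
    $phone = idm_geteventvalue "telephoneNumber"

    # Defensive checks: never build a command line from unvalidated directory data.
    # Allow-list the characters we are willing to pass to an external executable.
    if ([string]::IsNullOrWhiteSpace($cn)) {
        idm_statuserror "Add event: CN is required"
        return
    }
    if ($cn -notmatch '^[A-Za-z0-9 .\-]{1,64}$') {
        idm_statuserror "Add event: CN '$cn' contains characters not allowed by appadd"
        return
    }
    if ($phone -and $phone -notmatch '^[0-9\-+ ]{3,20}$') {
        idm_statuserror "Add event: telephoneNumber '$phone' is not a valid number"
        return
    }

    # Pass arguments as an array, not an interpolated string, so attribute values
    # are never re-parsed as additional switches by the shell.
    $argList = @('-n', $cn)
    if ($phone) { $argList += @('-t', $phone) }

    & $AppAdd @argList 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        idm_statuserror "appadd failed for '$cn' with exit code $LASTEXITCODE"
        return
    }

    # Tell IDM the account now exists and which key to associate it with
    idm_setcommand "ADD_ASSOCIATION"      # assumed helper name
    idm_writevalue "ASSOCIATION" $cn      # assumed helper name
    idm_statussuccess "Add event: created '$cn' in appadd"
}
```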

Thanks Zygomax,
Can you name any application so I can try doing it on my local machine?
Please, I need some experience with the scripting driver to do a demonstration.
I work in US Eastern Time (UTC-5). In the evening in my time zone I can provide some example scripts.
Thanks @Zygomax,

It will be a great help. Please do so.

Hi,

Here is a PowerShell script example that provisions and deprovisions an AD account according to a specific eDir attribute; hope this will help.

function idm_modify
{
  # ******************************************
  # * Add implementation-specific code here. *
  # ******************************************
  # Modified date :
  # Modifier      :
  # Version       : 1.00

  # Load the registered Windows PowerShell snap-ins (AD and NetApp Data ONTAP cmdlets)
  Get-PSSnapin -Registered | Add-PSSnapin -ErrorAction SilentlyContinue
  # Get the Exchange cmdlets remotely (session import left commented out as posted)
  $exsession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://server.domain.com/Powershell/?SerializationLevel=Full' -Authentication Kerberos
  #Import-PSSession $exsession | Out-Null

  # Return the AD user object for $username, or $null if it does not exist
  function validateADUser($username) {
    try {
      $ADUsername = Get-ADUser $username
      return $ADUsername
    }
    catch {
      return $null
    }
  }

  # Values handed over by the Scripting Driver for this Modify event
  $classname     = idm_geteventvalue "CLASS_NAME"
  $ADaccountname = idm_geteventvalue "ASSOCIATION"
  $idmstatus     = idm_geteventvalue "TESTIDMSTATUS"
  $vfiller       = Connect-NaController "san2"
  $NewUserShare        = "{0}$" -f $ADaccountname
  $NewUserDocSharePath = "/vol/san2_cifs_users/{0}/documents" -f $ADaccountname

  if ($classname -eq "" -or $ADaccountname -eq "" -or $idmstatus -eq "") {
    idm_statuserror "Modify event: missing CLASS_NAME and/or CN and/or testIdmStatus Option"
  }
  elseif ($idmstatus -eq "1") {
    # Status 1: only verify that the account exists in AD
    $ADUser = validateADUser $ADaccountname
    if ($ADUser -ne $null) {
      idm_statussuccess "Modify event succeeded for $ADaccountname testIdmStatus = $idmstatus"
    }
    else {
      idm_statuserror "Modify event failed for $ADaccountname object does not exist in AD - testIdmstatus= 1"
    }
  }
  elseif ($idmstatus -eq "2") {
    # Status 2: provision home storage, CIFS share and ACLs for the account
    $ADUser = validateADUser $ADaccountname
    if ($ADUser -ne $null) {
      $Error.Clear()   # so the $Error.Count check below only reflects this block
      # Create user storage on the network from the template folder
      Copy-Item "\\san2.agv.test.com\users\ZZZ_Template" "\\san2.agv.test.com\users\$ADaccountname" -Recurse
      # Make this folder 'hidden'
      Get-Item "\\san2.agv.test.com\users\$ADaccountname" | Set-ItemProperty -Name Attributes -Value "Hidden"
      # Create CIFS share
      Add-NaCifsShare -Share $NewUserShare -Path $NewUserDocSharePath -ErrorAction Continue
      # Set ACLs: break inheritance (keeping the inherited ACEs) and grant the user Modify plus delete rights
      $NewUserSharePath = "\\san2.agv.test.com\users\{0}" -f $ADaccountname
      $acls = Get-Acl $NewUserSharePath
      $acls.SetAccessRuleProtection($True, $True)
      $ruleModify     = New-Object System.Security.AccessControl.FileSystemAccessRule($ADaccountname, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
      $ruleDeleteSubf = New-Object System.Security.AccessControl.FileSystemAccessRule($ADaccountname, "DeleteSubdirectoriesAndFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
      $acls.AddAccessRule($ruleModify)
      $acls.AddAccessRule($ruleDeleteSubf)
      Set-Acl $NewUserSharePath $acls
      # Set profile path, home drive and home directory (double quotes so $ADaccountname expands)
      #Set-ADUser $ADaccountname -ProfilePath "\\san2.agv.test.com\Users_All$\$ADaccountname\Profile_NT" -HomeDrive 'U:' -HomeDirectory "\\san2.agv.test.com\$ADaccountname$"
      if ($Error.Count -eq 0) {
        idm_statussuccess "Create share success for $ADaccountname on NetApp storage - testIdmStatus = $idmstatus"
      }
      else {
        idm_statuserror "Create share for $ADaccountname failed with error: $($Error[0])"
      }
    }
    else {
      idm_statuserror "Modify event failed for $ADaccountname object does not exist in AD - testIdmstatus= 2"
    }
  }
  elseif ($idmstatus -eq "6") {
    # Status 6: deprovision - archive personal files, drop the share, disable the mailbox, delete the account
    $ADUser = validateADUser $ADaccountname
    if ($ADUser -ne $null) {
      idm_statussuccess "AD User object found and full distinguished name is $($ADUser.DistinguishedName)"
      # Create the left-user archive folder
      $ArchiveDate = Get-Date -Format yyyyMMdd
      $pathToArchiveFolder = "\\agvarchive\usersleft_archiv\{0}_{1}" -f (Get-Culture).TextInfo.ToTitleCase($ADaccountname), $ArchiveDate
      New-Item -Type Directory -Path $pathToArchiveFolder
      idm_statussuccess "New path to archive folder created for $ADaccountname testIdmStatus = $idmstatus"
      # Drop user share on SAN
      $UserShare = "{0}$" -f $ADaccountname
      Remove-NaCifsShare $UserShare
      idm_statussuccess "NACifs user share removed for $ADaccountname testIdmStatus = $idmstatus"
      # Move personal files to the left-user archive folder
      $pathToUserFolder = "\\san2\users\{0}" -f $ADaccountname
      robocopy $pathToUserFolder $pathToArchiveFolder /MOVE /E /ZB /R:2 /W:10
      # Remaining items after robocopy?
      if (Test-Path $pathToUserFolder) {
        # Take ownership first...
        $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
        $blankdirAcl.SetAccessRuleProtection($False, $True)
        $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'agv.test.com\domain admins')
        # Apply the ACL to the folder object itself (not to the path string)
        (Get-Item $pathToUserFolder).SetAccessControl($blankdirAcl)
        idm_statussuccess "Path to user folder is $pathToUserFolder"
        # ...and drop it
        Remove-Item $pathToUserFolder -Force -Recurse
        idm_statussuccess "User AD account $ADaccountname profile folder deleted"
      }
      # Finally disable the mailbox and delete the AD account
      Disable-Mailbox $ADaccountname -Confirm:$false
      idm_statussuccess "AD User $ADaccountname Exchange Mailbox disabled"
      #idm_statuserror "Error Disable-Mailbox AD User $ADaccountname with error: $($Error[0])"
      Remove-ADObject $ADUser.DistinguishedName -Recursive -Confirm:$false
      idm_statussuccess "AD User $ADaccountname deleted in AD"
      #idm_statuserror "Error Remove-ADObject for AD User $ADaccountname with error: $($Error[0])"
    }
    else {
      idm_statuserror "Modify event failed for $ADaccountname object does not exist in AD - testIdmstatus= 6"
    }
  }
}
