How to add a reason to the ActiveRoles Change History

One thing I’d recommend you do is add a “reason” to the ARS change history whenever a policy applies automated changes. Otherwise, when you look at the Change History in ARS for an automated update that was applied by a script policy, how will you know “why” the attribute was changed?

It’s such a simple thing to do, too. Most of the ARS AD cmdlets, like Set-QADUser, have a -Control parameter that can be used to add a reason for the change. To add a reason, all you need to do is add this command-line switch.

    -Control @{OperationReason="SeparationOfDuties_v$Global:scriptVersion"}

Note how I also included a variable in there – this allows me to see not only the script that was run but the version number of the script.  Now the History will show you the reason why an update was made.  Nice don’t you think?


2 thoughts on “How to add a reason to the ActiveRoles Change History”

  1. Nice – I’ve implemented this now for our domain maintenance script – which takes different actions on accounts based on inactive periods of 30, 90, or 120 days … Now my follow-up question has to be, Once you have this data showing up in change history – how do you include the operation reason in the values returned from get-qarsoperation? I followed that rabbit trail and fell off the cliff.

  2. One of my rabbit trails led me to – this – meandering way to extract that information from the command line – though, I sure hope you have a prettier way to do this.

    get-qarsoperation -operationid "3-4009856" | %{ ($_.controls).where({$_.id -eq "OperationReason"})}
    * of course, replace your own operation ID number with the one I quoted above in my convoluted command line
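
The two halves of this page put together, as an added example that is not from the original post or its comments: one function stamps a change with the reason from the post, and another reads recent operations back and flags those that carry no reason. The function names, the `EXAMPLE\jdoe` identity, the description text and the version value are constructed; the `-TargetObject` and `-CompletedRecently` parameters and the shape of the `Controls` collection are assumptions, the latter taken from the second comment.

```powershell
# Added example; assumes the ActiveRoles Management Shell cmdlets are loaded.
$Global:scriptVersion = '1.4'   # constructed version value
$reasonControl = @{ OperationReason = "SeparationOfDuties_v$Global:scriptVersion" }

# -Control is handed to the ActiveRoles Administration Service, so connect with -Proxy.
Connect-QADService -Proxy | Out-Null

# Hypothetical helper: every change made through it carries the same reason.
function Set-UserWithReason {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Description
    )
    Set-QADUser -Identity $Identity -Description $Description -Control $reasonControl
}

# Hypothetical helper: list recent operations on an object with their reason, if any.
function Get-UserChangeReason {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $Days = 30
    )
    # Assumption: -TargetObject and -CompletedRecently exist in this shell version.
    $ops = Get-QARSOperation -TargetObject $Identity `
        -CompletedRecently ([TimeSpan]::FromDays($Days))
    foreach ($op in $ops) {
        # Assumption (from the comment above): each operation exposes a Controls
        # collection whose entries have an id property.
        $reason = $op.Controls | Where-Object { $_.id -eq 'OperationReason' }
        [pscustomobject]@{
            Operation   = $op
            HasReason   = [bool]$reason
            ReasonEntry = $reason
        }
    }
}

# Constructed identity. Rows with HasReason = $false are changes made without a reason.
Set-UserWithReason -Identity 'EXAMPLE\jdoe' -Description 'Reviewed by SoD policy' | Out-Null
Get-UserChangeReason -Identity 'EXAMPLE\jdoe' | Where-Object { -not $_.HasReason }
```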
