I’ve been using a script that I got from the Quest (now Dell) support site for dynamically building a query for a Managed Unit to show inactive accounts. It occurred to me that I could use the same idea to highlight accounts that have not been set up properly.
Yes, I know ARS should do this when the service desk creates the users – but if someone manually creates an account using ADU&C or a script, the integrity rules enforced by ARS are not always adhered to.
It’s also nice to have a quick way of seeing these anomalies.
Anyway, whatever reason you use this idea for, the point is to explain how to update a Managed Unit dynamically.
A Managed Unit is an Active Roles dynamic OU: an object can only be in one OU in AD, but it can be in multiple Managed Units in ARS. It’s a brilliant idea! You can then apply permission templates or ARS policies to control how the objects are managed and set up.
Why would I want to dynamically manage the “filter” used to build the Managed Unit? Well, two examples already alluded to above are where one of the filter variables is based on a date, e.g. accounts not used for 30 days, or accounts created in the last 30 days.
Here’s how to do it – using PowerShell 🙂
Create a Managed Unit and set the filter. e.g.
The interesting bit in both these examples is the date. These numbers represent a time. lastLogon uses a large integer – you convert to it using this formula: $objLargeInteger90 = $(Get-Date).Date.AddDays(-90).ToFileTime().
The whenCreated attribute uses a simpler string which is human readable: YYYYMMDDHHMMSS.0Z (the trailing Z means the time is UTC).
So what we need is a script that dynamically builds these queries once a day and then updates the Managed Unit filter. Hopefully the script below needs little explanation and you can easily modify it for your environment.
$Rule.Base can be used to narrow down the search – I search all of my managed domains in this example.
How did I figure out the rule type? Well, I didn’t really: what I did was examine the existing setting and then reuse it, by looking at the value in $RuleCollection when debugging my script.
$ManagedUnitDN = "CN=New Accounts Incorrectly Tagged Created in the Last 30 Days,CN=Admin Action Required,CN=User Management,CN=Managed Units,CN=Configuration"
$ManagedUnit = [ADSI]"EDMS://$ManagedUnitDN"
$RuleCollection = $ManagedUnit.MembershipRuleCollection
$daysAgo = 30
# whenCreated is GeneralizedTime (YYYYMMDDHHMMSS.0Z); the Z means UTC, so convert before formatting
$dateThreshold = Get-Date -Date (Get-Date).ToUniversalTime().AddDays(-$daysAgo) -UFormat "%Y%m%d%H%M%S.0Z"
# Clear the existing rules so the rebuilt query replaces them rather than being appended
# (the loop body was missing from the post; Item(0)/Remove are assumed from the Active Roles SDK collection interface)
while ($RuleCollection.Count -gt 0) {
    $RuleCollection.Remove($RuleCollection.Item(0))
}
$Rule = New-Object -ComObject "EDSIManagedUnitCondition"
$Rule.Base = "EDMS://CN=Active Directory"
$Rule.Filter = "(&(sAMAccountType=805306368)(!(|(employeeID=*)(employeeNumber=*)(sAMAccountName=svc*)(sAMAccountName=saPLON*)(sAMAccountName=saBLON*)(title=*_*)(secretary=*)(userAccountControl:1.2.840.113518.104.22.1683:=2)))(whenCreated>=$dateThreshold))"
$Rule.Type = 1
$RuleCollection.Add($Rule)
# Write the updated collection back to the Managed Unit (standard ADSI Put/SetInfo)
$ManagedUnit.Put("MembershipRuleCollection", $RuleCollection)
$ManagedUnit.SetInfo()
You can add multiple rules by repeating the lines of code that set the $Rule attributes and then adding each rule to the collection.
I did a little research to discover the possible rule collection types and came up with this:
The Base defines the scope of the search in all of the rule types where one is needed. The path uses EDMS://
Type 1 is include by query and requires an LDAP query to define the objects to include
Type 2 is exclude by query and requires an LDAP query to define the objects to exclude
Type 3 is include explicitly and does not require a filter. The Base is the DN of the object to include
Type 4 is exclude explicitly and does not require a filter. The Base is the DN of the object to exclude
Type 5 is include group members and does not require a filter. The Base is the DN of the group to include
Type 6 is exclude group members and does not require a filter. The Base is the DN of the group to exclude
Type 7 is used to keep deprovisioned users in the Managed Unit. The filter is set to (edsvaDeprovisionStatus=*)
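As an added example (my code, not the post’s or Quest’s), here is a PowerShell version of the two date conversions from the lastLogon/whenCreated section above, plus a helper that applies the rule-type table just listed. The EDMS:// paths and the EDSIManagedUnitCondition object come from the post; the collection’s Add method, and the function names Get-InactiveUserFilter, Get-RecentlyCreatedFilter and Add-MURule, are my assumptions.

```powershell
# Added example, not from the original post. Builds the two date-based filters
# described above (lastLogon large integer, whenCreated GeneralizedTime) and adds
# rules of any type from the table. Assumes the Active Roles EDMS:// provider and
# the EDSIManagedUnitCondition COM object; the collection's Add method is assumed.

function Get-InactiveUserFilter {
    # FILETIME is 100-ns ticks since 1601 UTC; ToFileTime() converts a local
    # DateTime to it. Accounts with no stamp at all are also treated as inactive.
    # lastLogonTimestamp is used because, unlike lastLogon, it replicates.
    param([int]$Days = 90)
    $threshold = (Get-Date).Date.AddDays(-$Days).ToFileTime()
    "(&(sAMAccountType=805306368)(|(!(lastLogonTimestamp=*))(lastLogonTimestamp<=$threshold)))"
}

function Get-RecentlyCreatedFilter {
    # GeneralizedTime YYYYMMDDHHMMSS.0Z: the Z means UTC, so convert first.
    param([int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $stamp = Get-Date -Date $since -UFormat "%Y%m%d%H%M%S.0Z"
    "(&(sAMAccountType=805306368)(whenCreated>=$stamp))"
}

function Add-MURule {
    # Types 1/2 need Base + LDAP filter, 3-6 need only a Base DN (EDMS:// path),
    # 7 carries the fixed deprovisioned-users filter. Incomplete rules are
    # rejected here rather than letting ARS store an empty query.
    param(
        [Parameter(Mandatory)] $Collection,
        [Parameter(Mandatory)] [ValidateRange(1, 7)] [int]$Type,
        [string]$Base,
        [string]$Filter
    )
    if ($Type -in 1, 2 -and -not $Filter) { throw "Type $Type requires an LDAP filter" }
    if ($Type -le 6 -and -not $Base)      { throw "Type $Type requires a Base path" }
    $rule = New-Object -ComObject "EDSIManagedUnitCondition"
    $rule.Type = $Type
    if ($Base) { $rule.Base = $Base }
    if ($Type -eq 7) { $rule.Filter = "(edsvaDeprovisionStatus=*)" }
    elseif ($Filter) { $rule.Filter = $Filter }
    $Collection.Add($rule)
}

# Usage (constructed; substitute your own Managed Unit and group DNs):
# $mu    = [ADSI]"EDMS://CN=Inactive 90 Days,CN=Managed Units,CN=Configuration"
# $rules = $mu.MembershipRuleCollection
# Add-MURule -Collection $rules -Type 1 -Base "EDMS://CN=Active Directory" -Filter (Get-InactiveUserFilter -Days 90)
# Add-MURule -Collection $rules -Type 6 -Base "EDMS://CN=Service Accounts,OU=Groups,DC=example,DC=com"
# $mu.Put("MembershipRuleCollection", $rules); $mu.SetInfo()
```

Run this in the same scheduled task as the script above, after clearing the old rules, so the thresholds move forward each day.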