Using a managed Unit for highlighting incorrectly set up accounts

I’ve been using a script I got from the Quest (now Dell) support site for dynamically building the query of a Managed Unit that shows inactive accounts. It occurred to me that the same approach could be used to highlight accounts that have not been set up properly.

Yes, I know ARS should enforce this when the service desk creates the users, but if someone creates an account manually using ADU&C or a script, the integrity rules enforced by ARS are not always adhered to.

It’s also nice to have a quick way of seeing these anomalies.

Anyway, whatever your reason for using this idea, the point here is to explain how to update a Managed Unit dynamically.

A Managed Unit is an Active Roles dynamic OU: an object can be in only one OU in AD, but it can be in multiple Managed Units in ARS. It’s a brilliant idea! You can then apply permission templates or ARS policies to control how the objects are managed and set up.

Why would I want to dynamically manage the “filter” used to build the Managed Unit? The two examples already alluded to above are cases where one of the filter variables is based on a date, e.g. accounts not used for 30 days, or accounts created in the last 30 days.

Here’s how to do it, using PowerShell 🙂

Create a Managed Unit and set the filter, e.g.
(&(sAMAccountType=805306368)(!(|(employeeID=*)(employeeNumber=*)(sAMAccountName=svc*)(title=*_*)(secretary=*)(userAccountControl:1.2.840.113556.1.4.803:=2)))(whenCreated>=19990224103016.0Z))

or

(&(employeeID=*)(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp<=130749192000000000))

The interesting bit in both these examples is the date. These numbers represent a time. lastLogonTimestamp is stored as a large integer (a Windows FILETIME: 100-nanosecond intervals since 1 January 1601, UTC); you get one from a date with this formula: $objLargeInteger90 = $(Get-Date).Date.AddDays(-90).ToFileTime()

The whenCreated attribute uses a simpler, human-readable string of the form YYYYMMDDHHMMSS.0Z (the trailing Z means the time is in UTC).
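The two encodings side by side, as an added example that is not part of the original post: functions that turn a date into each filter value, decode a FILETIME back into a date (so you can check what a literal such as the one in the second filter above actually encodes), and assemble the two kinds of filter from a day count. The function names are my own; the attribute names, OIDs and constants are the ones used in the filters above.

```powershell
# Added example, not from the original post. Converts dates to and from the
# two formats used in Managed Unit LDAP filters.

function ConvertTo-LdapGeneralizedTime {
    # whenCreated compares against a generalized-time string. The trailing "Z"
    # declares UTC, so convert before formatting or the threshold is off by the
    # local UTC offset.
    param([Parameter(Mandatory)][datetime]$Date)
    return $Date.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
}

function ConvertTo-LdapFileTime {
    # lastLogonTimestamp is a large integer: 100-ns intervals since 1601-01-01 UTC.
    param([Parameter(Mandatory)][datetime]$Date)
    return $Date.ToFileTimeUtc()
}

function ConvertFrom-LdapFileTime {
    # Reverse conversion, useful for reading a filter someone else wrote.
    param([Parameter(Mandatory)][long]$FileTime)
    return [datetime]::FromFileTimeUtc($FileTime)
}

function New-AccountAuditFilters {
    # Builds the "created recently" and "not logged on recently" filters used
    # by the Managed Units described in the post.
    param([int]$NewDays = 30, [int]$StaleDays = 90)
    $now = Get-Date
    $createdSince    = ConvertTo-LdapGeneralizedTime -Date $now.AddDays(-$NewDays)
    $lastLogonBefore = ConvertTo-LdapFileTime        -Date $now.AddDays(-$StaleDays)

    # sAMAccountType=805306368 is SAM_NORMAL_USER_ACCOUNT (plain user objects).
    # userAccountControl:1.2.840.113556.1.4.803:=2 is a bitwise AND on the
    # ACCOUNTDISABLE bit, so "!" of it keeps enabled accounts only.
    [pscustomobject]@{
        NewUntaggedAccounts = "(&(sAMAccountType=805306368)(!(|(employeeID=*)(employeeNumber=*)))(whenCreated>=$createdSince))"
        StaleAccounts       = "(&(employeeID=*)(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp<=$lastLogonBefore))"
    }
}

# Decode the FILETIME literal from the second example filter in the post.
ConvertFrom-LdapFileTime -FileTime 130749192000000000

# Build both filters for a 30-day "new" window and a 90-day "stale" window.
New-AccountAuditFilters -NewDays 30 -StaleDays 90 | Format-List
```

One caveat when reading a “stale” Managed Unit: lastLogonTimestamp is replicated, but only updated when the stored value is more than about 14 days old, so it tells you an account has not been used for at least N days, not the exact day of the last logon. For the 30- or 90-day windows used here that granularity is fine; for anything tighter you need the non-replicated lastLogon attribute from every domain controller.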

So what we need is a script that dynamically builds these queries once a day and then updates the Managed Unit filter. Hopefully the script below needs little explanation and you can easily modify it for your environment.

$Rule.Base can be used to narrow down the search; I search all of my managed domains in this example.

How did I figure out the rule type? Well, I didn’t really: I examined the existing setting and reused it, by looking at the value in $RuleCollection while debugging my script.

# DN of the Managed Unit to update (configuration path, not an AD DN)
$ManagedUnitDN = "CN=New Accounts Incorrectly Tagged Created in the Last 30 Days,CN=Admin Action Required,CN=User Management,CN=Managed Units,CN=Configuration"
# Bind through the Active Roles EDMS provider
$ManagedUnit = [ADSI]"EDMS://$ManagedUnitDN"
$RuleCollection = $ManagedUnit.MembershipRuleCollection
$daysAgo = 30
# whenCreated is generalized time in UTC, hence the ToUniversalTime() and the trailing Z
$dateThreshold = Get-Date( $(Get-Date).ToUniversalTime().AddDays(-$daysAgo) ) -UFormat %Y%m%d%H%M%S.0Z
# Remove the existing rules (a while loop, so an empty collection does not throw on RemoveAt)
while ($RuleCollection.Count -gt 0) {
    $RuleCollection.RemoveAt(0)
}
# Build a new "include by query" rule covering all managed domains
$Rule = New-Object -ComObject "EDSIManagedUnitCondition"
$Rule.Base = "EDMS://CN=Active Directory"
$Rule.Filter = "(&(sAMAccountType=805306368)(!(|(employeeID=*)(employeeNumber=*)(sAMAccountName=svc*)(sAMAccountName=saPLON*)(sAMAccountName=saBLON*)(title=*_*)(secretary=*)(userAccountControl:1.2.840.113556.1.4.803:=2)))(whenCreated>=$dateThreshold))"
$Rule.Type = 1
$RuleCollection.Add($Rule)
# Commit the change back to Active Roles
$ManagedUnit.SetInfo()

You can add multiple rules by repeating the lines of code that set the $Rule attributes and then add the rule to the collection.
I did a little research to discover the possible rule collection types and came up with this:

The Base defines the scope of the search in all of the rule types where one is needed. The path uses the EDMS:// prefix.

Type 1 is include by query and requires an LDAP query to define the objects to include
Type 2 is exclude by query and requires an LDAP query to define the objects to exclude
Type 3 is include explicitly and does not require a filter. The Base is the DN of the object to include
Type 4 is exclude explicitly and does not require a filter. The Base is the DN of the object to exclude
Type 5 is include group members and does not require a filter. The Base is the DN of the group to include
Type 6 is exclude group members and does not require a filter. The Base is the DN of the group to exclude
Type 7 is used to keep deprovisioned users in the Managed Unit. The filter is set to (edsvaDeprovisionStatus=*)
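The rule types above, wrapped into reusable helpers, as an added example that is not from the original post: a function to dump a Managed Unit’s current rules with their type names (the “examine the existing value” approach the post describes), a constructor that enforces which types need a filter, and a function that replaces the whole collection in one go. It assumes the EDMS:// provider, the EDSIManagedUnitCondition COM object and its Base/Filter/Type properties exactly as used in the script above; the function names, the type-name table and the DNs in the usage section are my own, and the DNs are placeholders.

```powershell
# Added example, not from the original post. Helpers around the rule types
# listed above; assumes the EDMS provider and EDSIManagedUnitCondition COM object.

# Type numbers as discovered in the post; names are mine.
$RuleTypeNames = @{
    1 = 'IncludeByQuery';      2 = 'ExcludeByQuery'
    3 = 'IncludeExplicit';     4 = 'ExcludeExplicit'
    5 = 'IncludeGroupMembers'; 6 = 'ExcludeGroupMembers'
    7 = 'RetainDeprovisioned'
}

function Get-ManagedUnitRule {
    # List the rules currently on a Managed Unit, one object per rule.
    param([Parameter(Mandatory)][string]$ManagedUnitDN)
    $mu = [ADSI]"EDMS://$ManagedUnitDN"
    foreach ($r in $mu.MembershipRuleCollection) {
        [pscustomobject]@{
            Type   = $r.Type
            Name   = $RuleTypeNames[[int]$r.Type]
            Base   = $r.Base
            Filter = $r.Filter
        }
    }
}

function New-ManagedUnitRule {
    # Build one rule. Types 1 and 2 need a filter; 3 to 6 are defined by Base
    # alone; 7 always uses the deprovision-status filter from the post.
    param(
        [Parameter(Mandatory)][ValidateRange(1, 7)][int]$Type,
        [Parameter(Mandatory)][string]$Base,
        [string]$Filter = ''
    )
    if (($Type -in @(1, 2)) -and [string]::IsNullOrEmpty($Filter)) {
        throw "Rule type $Type ($($RuleTypeNames[$Type])) requires an LDAP filter"
    }
    if ($Type -eq 7) { $Filter = '(edsvaDeprovisionStatus=*)' }
    $rule = New-Object -ComObject 'EDSIManagedUnitCondition'
    $rule.Base   = "EDMS://$Base"
    $rule.Filter = $Filter
    $rule.Type   = $Type
    return $rule
}

function Set-ManagedUnitRules {
    # Replace every rule on the Managed Unit with the given set and commit.
    param(
        [Parameter(Mandatory)][string]$ManagedUnitDN,
        [Parameter(Mandatory)][object[]]$Rules
    )
    $mu   = [ADSI]"EDMS://$ManagedUnitDN"
    $coll = $mu.MembershipRuleCollection
    # Clear with a while loop: RemoveAt(0) on an empty collection would throw.
    while ($coll.Count -gt 0) { $coll.RemoveAt(0) }
    foreach ($r in $Rules) { [void]$coll.Add($r) }
    $mu.SetInfo()
}

# Usage with placeholder DNs: include enabled users created in the last 30 days
# across all managed domains (type 1), but leave out members of a group whose
# accounts are known exceptions (type 6).
$muDN  = 'CN=Example MU,CN=Managed Units,CN=Configuration'   # placeholder
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyyMMddHHmmss') + '.0Z'
$rules = @(
    (New-ManagedUnitRule -Type 1 -Base 'CN=Active Directory' `
        -Filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(whenCreated>=$since))")
    (New-ManagedUnitRule -Type 6 -Base 'CN=Known Exceptions,OU=Groups,DC=example,DC=com')   # placeholder
)
Set-ManagedUnitRules -ManagedUnitDN $muDN -Rules $rules
Get-ManagedUnitRule  -ManagedUnitDN $muDN | Format-Table -AutoSize
```

Running Get-ManagedUnitRule before you change anything is the cheap way to confirm the Type numbers in your own ARS version match the table above: whatever the console created when you built the Managed Unit by hand is the value to reuse.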
