0 votes

I would like to have a business rule check before a new user is created to see if the ExtensionAttribute4 value (we use this like a primary key across our 3 domains) of the new user matches any existing user across the Org (3 domains, not in the same forest, all in Adaxes), including expired/disabled accounts. If it does match an existing ExtensionAttribute4, do not create the user and display an error stating a duplicate user has been found. I'm assuming I can do this with a Business Rule set to before a new user account is created, using the PowerShell Script return true option; I just don't know what to put in the PowerShell script.

by (470 points)
0

Hello,

Please confirm that we've got you right:

"If it does match an existing ExtensionAttribute4 do not create the user and display an error stating a duplicate user has been found."

That is, a user is considered to be a duplicate if a match has been found, is that correct? That is, ExtensionAttribute4 must be non-unique?

0

Correct, a user would be a duplicate if a matching EA4 has been found in any directory, active or expired, and the create user process should not take place. EA4 needs to be a unique value; there should only be 1 EA4 anywhere across the 3 domains for a user. So if any account attempts to be created with an EA4 value that already exists, we want the creation process to stop and an error to be displayed saying the EA4 already exists.

0

OK, got you. That's possible. We've asked our script guys to write a script that will do the job. We'll update this topic as soon as they come up with something.

0

Any update on this? Thank you.

1 Answer

0 votes
by (216k points)
Best answer

Hello,

The necessary script is ready. To create a Business Rule that will cancel creation of a new user if a user account with the same ExtensionAttribute4 already exists:

  1. Create a new Business Rule.

  2. On step 2 of the Create Business Rule wizard, select User and Before Creating a User.

  3. On step 3, add the Cancel this operation action. Specify a reason for canceling, if necessary.

  4. Click OK.

  5. Now, you need to specify when the Business Rule will cancel user creation. Double-click Always.

  6. Select If PowerShell script returns true.

  7. In the Script field, paste the following script that will return True if a user with the same ExtensionAttribute4 already exists:

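     # Value of extensionAttribute4 entered for the user being created
     $value = $Context.GetModifiedPropertyValue("extensionAttribute4")

     # The condition is not met unless a match is found below
     $Context.ConditionIsMet = $False
     if ([System.String]::IsNullOrEmpty($value))
     {
         return
     }

     # Search for user accounts that already have this extensionAttribute4 value
     $searcher = $Context.BindToObject("Adaxes://rootDSE")
     $searcher.SearchFilter = "(&(sAMAccountType=805306368)(extensionAttribute4=$value))"
     $searcher.PageSize = 500
     $searcher.SearchScope = "ADS_SCOPE_ONELEVEL"
     $searcher.SizeLimit = 1
     $searcher.VirtualRoot = $True

     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $objects = $searchResult.FetchAll()

         # True if at least one matching user was found
         $Context.ConditionIsMet = !($objects.Count -eq 0)
     }
     finally
     {
         # $searchResult is empty if ExecuteSearch() failed, so check before disposing
         if ($searchResult) { $searchResult.Dispose() }
     }

  8. Enter a short description for the script and click OK.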

  9. Finish creation of the Business Rule.
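
The script in step 7 places `$value` into the LDAP search filter exactly as it was entered, so characters that are special in filter syntax (RFC 4515: `*`, `(`, `)`, `\` and NUL) change what the duplicate search matches. The following is an added example, not part of the original answer and not Adaxes code: it escapes the value before the filter is built. The function names and the sample values are constructed for illustration; in the Business Rule script the result of `New-DuplicateSearchFilter` would be assigned to `$searcher.SearchFilter`.

```powershell
# Added example (hypothetical helper names, constructed sample values).

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
function ConvertTo-LdapFilterValue
{
    param([string]$Value)

    $builder = New-Object System.Text.StringBuilder
    foreach ($char in $Value.ToCharArray())
    {
        switch ([int]$char)
        {
            0x00 { [void]$builder.Append('\00') }      # NUL
            0x28 { [void]$builder.Append('\28') }      # (
            0x29 { [void]$builder.Append('\29') }      # )
            0x2A { [void]$builder.Append('\2a') }      # *
            0x5C { [void]$builder.Append('\5c') }      # \
            default { [void]$builder.Append($char) }   # everything else is kept
        }
    }
    return $builder.ToString()
}

# Build the same filter as the script in step 7, with the value escaped.
function New-DuplicateSearchFilter
{
    param([string]$Value)

    $escaped = ConvertTo-LdapFilterValue -Value $Value
    return "(&(sAMAccountType=805306368)(extensionAttribute4=$escaped))"
}

# Constructed sample values: a plain ID, one with a wildcard character,
# one with parentheses and one with a backslash.
$samples = @('E100482', 'E10*', 'ACME(EU)-0042', 'DOM\0042')

$samples | ForEach-Object {
    [PSCustomObject]@{
        Input     = $_
        # Filter as built in step 7: 'E10*' matches every value starting with
        # E10, and the parentheses in 'ACME(EU)-0042' unbalance the filter.
        Unescaped = "(&(sAMAccountType=805306368)(extensionAttribute4=$_))"
        # Filter with the value escaped: matches only the literal input.
        Escaped   = New-DuplicateSearchFilter -Value $_
    }
} | Format-List
```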
