0 votes

Hi,

I have a business rule set up to perform actions after user creation.

The first action is to run a PowerShell script, which works and sets a required AD attribute (extensionAttribute1). The newly created user object in AD has the attribute set (as per below).

attribute.png

Second action of the business rule is to run a custom command (see below)

custom.png

The business rule is set to run after successful user creation. It runs the PowerShell script but not the OU custom command.

rule.png

The business rule is running, but no actions are executed and the new user sits in the original OU and does not move.

no exe.png

Am I missing something here?

by (40 points)
0

Hello Lewis,

For troubleshooting purposes, please provide the Pull employeeID from HR script in TXT format.

0

The script is not the issue, as all it's doing is finding the user in a database and then setting the required attribute.

As per my screenshot above, the extensionAttribute1 is being set on the user and can be seen in the user object in AD.

0

Hello Lewis,

The script sets the attribute used in the custom command condition. To check the entire workflow, we need the script. Unfortunately, we have no possibility to assist you without having the script.

0

Hi, please see the script below.

Import-Module Adaxes
Import-Module ActiveDirectory

# SQL Server connection settings
$databaseHost = "SQL.domain.net"
$databaseName = "Database"
$databaseUsername = "domain\Svc_Adaxes"
$databasePassword = ""

# Employee ID of the user the business rule is running for
$employeeID = $Context.TargetObject.Get("EmployeeID")

$SqlQuery = "SELECT TimGEEmployeeDetails.EmployeeNumber , convert(varchar(10), TimGEEmployeeDetails.JoiningDate, 103) , convert(varchar(10), TimGEEmployeeDetails.LeavingDate, 103), " +
            "TimGEEmployeeDetails.Title , TimGEEmployeeDetails.Forename , TimGEEmployeeDetails.KnownAs , TimGEEmployeeDetails.Initials, " +
            "TimGEEmployeeDetails.Surname , TimGEEmployeeDetails.Reference, vw_domain_Departments.Description , Department, " +
            "vw_domain_JobDesc.Description , JobTitle , TcfGEEmployeeDetails.LMSJobFamily, PrsInductionSchedule.LineManager, " +
            "TimGEEmployeeDetails_1.FullName , TimBEEmployeeDetails.PrimaryLocation , StdBFCodeDescriptions.Description " +
        "FROM TimGEEmployeeDetails " +
        "LEFT JOIN TimBEEmployeeDetails ON TimGEEmployeeDetails.EmployeeNumber = TimBEEmployeeDetails.EmployeeNumber " +
        "LEFT JOIN vw_domain_JobDesc ON TimBEEmployeeDetails.JobTitle = vw_domain_JobDesc.DetailCode " +
        "LEFT JOIN vw_domain_Departments ON TimBEEmployeeDetails.Department = vw_domain_Departments.DetailCode " +
        "LEFT JOIN PrsInductionSchedule ON TimGEEmployeeDetails.EmployeeNumber = PrsInductionSchedule.EmployeeNumber " +
        "LEFT JOIN TcfGEEmployeeDetails ON TimGEEmployeeDetails.EmployeeNumber = TcfGEEmployeeDetails.EmployeeNumber " +
        "LEFT JOIN StdBFCodeDescriptions ON StdBFCodeDescriptions.TableCode = 'LOCD' " +
        "AND TimBEEmployeeDetails.PrimaryLocation = StdBFCodeDescriptions.DetailCode " +
        "LEFT JOIN TimGEEmployeeDetails AS TimGEEmployeeDetails_1 ON PrsInductionSchedule.LineManager = TimGEEmployeeDetails_1.EmployeeNumber "

# Build the connection string
$connectionString = "Data Source=$databaseHost; Database=$databaseName;"
if ($databaseUsername -eq $NULL)
{
    $connectionString = $connectionString +
        "Integrated Security=true;"
}
else
{
    # With Integrated Security=true, SqlClient ignores User ID and Password and
    # connects with the Windows identity the script runs under
    $connectionString = $connectionString +
        "User ID=$databaseUsername;Password=$databasePassword;Integrated Security=true"
}

# Run the query and load the result into a DataSet
$Sqlconnection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
$Sqlconnection.open()

$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $SqlQuery
$SqlCmd.Connection = $SqlConnection

$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd

$DataSet = New-Object System.Data.DataSet
$SqlAdapter.Fill($DataSet) | Out-Null

#$SqlCmd.Dispose()
$SqlConnection.Close()

# Convert rows to objects; stop at the row for this employee, leaving it in $Record
$Array = ForEach($Row in $Dataset.Tables[0].Rows){
    $Record = New-Object PSCustomObject
    ForEach($Col in $Dataset.Tables[0].Columns.ColumnName){
        Add-Member -InputObject $Record -NotePropertyName $Col -NotePropertyValue $Row.$Col
    }
    $Record
    #pause
    if ($Record.EmployeeNumber.Contains($employeeID)){
        break
    }
}

# Find the AD account with the same employee ID
$GetADUser = get-aduser -filter {EmployeeID -like $employeeID}
$UserSAM = $GetADUser.SamAccountName

# Job description with spaces removed, followed by the department value as returned
$TrimJob = $Record.Description1.Replace(' ','')
$Jobtitle = $Trimjob+$Record.Department

Set-ADuser -Identity $UserSAM -Replace @{BusinessCategory=$Record.LMSJobFamily; extensionAttribute1=$Jobtitle}

1 Answer

0 votes
by (267k points)

Hello Lewis,

Thank you for the provided script. The thing is that the extensionAttribute1 value is set using the Set-ADUser cmdlet. As a result, the update does not involve Adaxes and can be performed on any domain controller (DC) from the AD domain. It can also be done on a DC Adaxes is not connected to. In this case, Adaxes will not know about the attribute being set by the time the condition is checked. To achieve the desired result, we recommend that you replace this line in the script

Set-ADuser -Identity $UserSAM -Replace @{BusinessCategory=$Record.LMSJobFamily; extensionAttribute1=$Jobtitle}

with the following code:

$Context.TargetObject.Put("extensionAttribute1", $Jobtitle)
$Context.TargetObject.Put("businessCategory", $Record.LMSJobFamily)
$Context.TargetObject.SetInfo()
0

Hi,

Thanks for your help.

So for Adaxes to see anything done by script it requires the $context.TargetObject variable.

Unfortunately that code has not helped. The code works, as it does set the required attributes but the custom command to move OU still does not execute.

0

Hello Lewis,

> So for Adaxes to see anything done by script it requires the $context.TargetObject variable.

That is not correct. You just need to make sure Adaxes is directly able to read the changes made. There are a lot of other options that can be used.

> Unfortunately that code has not helped.

As per our check, the code works perfectly fine. The fact that the command does not perform the move in your case means that the condition is not met. It can happen if the value obtained from the SQL database does not equal the one in the condition. For example, there can be leading or trailing spaces in a value.

0

Hi,

Can the condition of the custom command be entered manually (as below)?

conditionparam1.png

Or does it have to reference a 'value reference' (as below)?

conditionparam2.png

If I reference the 'Value reference' the code works and the user is moved to the correct OU. However, this isn't going to work going forward as I need to link different OUs depending on jobtitle.

The value does match the condition as I have the code within the PowerShell script that trims all whitespace from the value (as seen below)

code1.png

0

Hello Lewis,

> Can the condition of the custom command be entered manually (as below)?

The approach will not work as the value reference will resolve into the property value and the condition will always be met for all users.

> The value does match the condition as I have the code within the PowerShell script that trims all whitespace from the value (as seen below)

The only way for the workflow to work is to make sure the value (not value reference) specified in the condition fully matches the one set by the script.
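
A diagnostic for the value mismatch discussed in the last replies, added here as an example and not taken from the thread or from Adaxes: the posted script applies `.Replace(' ','')` only to `Description1`, which removes U+0020 alone, and appends `Department` untouched. The function names, the sample values and the ordinal comparison are assumptions.

```powershell
# Added example: function names and sample values are hypothetical/constructed.

function Get-HiddenCharacter {
    # Emit position and code point of every whitespace, control or format
    # character, so padding that renders as nothing becomes visible.
    param([string]$Value)
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c   = $Value[$i]
        $cat = [char]::GetUnicodeCategory($c)
        if ([char]::IsWhiteSpace($c) -or [char]::IsControl($c) -or
            $cat -eq [System.Globalization.UnicodeCategory]::Format) {
            [pscustomobject]@{ Index = $i; CodePoint = 'U+{0:X4}' -f [int]$c; Category = $cat }
        }
    }
}

function Test-ConditionValue {
    # Compare the value a script wrote with the literal typed into the condition.
    param([string]$Actual, [string]$Expected)
    # Strip all Unicode whitespace, control and format characters from both sides.
    $pattern = '[\s\p{Cc}\p{Cf}]'
    $hidden  = Get-HiddenCharacter $Actual | ForEach-Object { '{0}:{1}' -f $_.Index, $_.CodePoint }
    [pscustomobject]@{
        # Ordinal comparison is an assumption; the thread does not say how
        # the condition compares strings.
        ExactMatch        = [string]::Equals($Actual, $Expected, [System.StringComparison]::Ordinal)
        MatchAfterCleanup = [string]::Equals(($Actual -replace $pattern, ''),
                                             ($Expected -replace $pattern, ''),
                                             [System.StringComparison]::Ordinal)
        ActualLength      = $Actual.Length
        ExpectedLength    = $Expected.Length
        HiddenInActual    = $hidden -join ' '
    }
}

# Constructed input: a description containing a non-breaking space and a
# department value padded with trailing spaces, as a fixed-width column returns.
$description = "Service$([char]0x00A0)Desk Analyst"
$department  = 'IT   '
$jobTitle    = $description.Replace(' ', '') + $department   # built the same way as in the script

Test-ConditionValue -Actual $jobTitle -Expected 'ServiceDeskAnalystIT' | Format-List
```

When `ExactMatch` is false and `MatchAfterCleanup` is true, the positions in `HiddenInActual` show which characters the script still has to remove before writing the attribute.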
