0 votes

I created a new interface... on the Home Page Action, it only has New User.
After the fields are filled out, I get "name is not specified for the new object".

Please advise.

by (1.7k points)

1 Answer

0 votes
by (216k points)

A user cannot be created without the Name property specified. For users, the value of the Name property always equals Full Name. If you removed the Full Name property from the user creation form together with the properties it consists of (by default, First Name and Last Name), you will not be able to create users.

As a workaround, you can add the property to your Home Page Action as a predefined field.

For instructions on how to do this, see Step 4 under Create New Object in Configure Home Page Actions.

0

thanks. I did remove it.
I put it back and all is well.

Another error when adding a user to a group; I get the below. FYI: the user account is not a part of the HR manager-copy rule, and I am using the Member Of field within the form, which I think is the reason why... but I'd like you to confirm.

Just to clarify, when I create a user, I want to be able to add them to a group manually.

"Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: newscorp.com)

Details

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: newscorp.com)

Business Rules: Command Processor 'Business Rules' threw an exception when processing the command. A list of actions to be triggered by Business Rules couldn't be generated. Failed to check the following condition of the 'User Provision' business rule: If the initiator is assigned to the 'Builtin\HR Manager - copy' role. The 'distinguishedName' property cannot be found in the cache"

0

Also, within the admin console, for user objects, under View, it has the option for group membership and the ability to allow add/update membership.
How can I include that under the Create tab for a user object?

0

can someone please advise?

0

Hello,

Yes, sure. The thing is that when you add a user to a group, you don't modify the user, you modify the group. You add the user's Distinguished Name (DN) to the Member property of the group. The Member Of property of the user is updated automatically by Active Directory, and Active Directory does not allow anyone to update the property.

Also, you cannot add the user to a group before a user is created. When a user is not yet created, he/she does not yet have a Distinguished Name. That is, there is yet nothing to store in the Member property of the group.

In the Web Interface forms that are used for viewing/editing users, the Member Of section (not property) is used to update the user's membership in groups. That section was especially designed to allow adding/removing users from groups directly from the pages for viewing/editing users. That section updates the Member property of the group that you add the user to. But as we've already mentioned above, this approach cannot be used as the new user does not yet have a DN that can be added to the Member property of the group.

To work around this, you can add newly created users to groups automatically with a Business Rule triggered after creating a user. For example, take a look at the following tutorial that describes how to accomplish the task: http://www.adaxes.com/tutorials_Automat ... rtment.htm .

Alternatively, we can suggest the following approach: you can add one more text field to the form for creating users. For this purpose you can use one of Adaxes virtual properties, for example, CustomAttributeText1. In that field you can specify the name(s) of the group(s) the newly created user should be added to. Then, you can create a Business Rule triggered after creating a user that will use a PowerShell script to read the group name(s) stored in the virtual property and add the user to the specified groups. The only drawback of the method is that you will have to type in the groups manually, there won't be a window to select/browse for groups. If you are interested in such a solution, we will provide more details.
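The second workaround just described, as an added example that is not code from this thread or from Adaxes: a PowerShell script for a Business Rule triggered after creating a user, which reads the group names HR typed into the CustomAttributeText1 virtual property (referenced by its adm-CustomAttributeText1 name) and adds the new user's DN to the 'member' attribute of each group. It assumes the names are separated by ';' and are the groups' sAMAccountNames (or DNs), and that Get-AdmGroup and Add-AdmGroupMember take -Identity, -Members and -AdaxesService the way the Adaxes documentation shows them. The user has a DN by the time the rule runs, which is exactly why it must be an after-creation rule.

```powershell
# Added example for an Adaxes Business Rule triggered "After creating a user"; it is not
# code from this thread or from Adaxes. Assumptions: HR types the group name(s) into the
# virtual property CustomAttributeText1 (adm-CustomAttributeText1), names are separated
# by ';' and are the groups' sAMAccountNames (or DNs), and Get-AdmGroup / Add-AdmGroupMember
# accept -Identity / -Members / -AdaxesService as shown in the Adaxes documentation.
Import-Module Adaxes

$separator = ";"
$requested = "%adm-CustomAttributeText1%"   # value reference, filled in by Adaxes before the script runs
$userDN    = "%distinguishedName%"          # the new user's DN; it exists because the rule runs after creation

if ([string]::IsNullOrWhiteSpace($requested))
{
    $Context.LogMessage("No groups were requested for this user.", "Information")
    return
}

# Split, trim and drop empty entries so a trailing ';' or stray spaces never become lookups.
$groupNames = @($requested.Split($separator) | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })

foreach ($groupName in $groupNames)
{
    # Resolve the typed name to one group object; an unknown name is reported, not guessed.
    $group = Get-AdmGroup -Identity $groupName -AdaxesService localhost -ErrorAction SilentlyContinue
    if ($null -eq $group)
    {
        $Context.LogMessage("Group '$groupName' was not found; the user was not added to it.", "Warning")
        continue
    }

    # Membership lives on the group ('member'); the user's memberOf is derived by AD.
    Add-AdmGroupMember -Identity $group.DistinguishedName -Members $userDN -AdaxesService localhost
    $Context.LogMessage("Added the user to group '$($group.Name)'.", "Information")
}
```

A name that resolves to no group is written to the Business Rule's log as a warning rather than silently skipped, so a typo on the form is visible in the operation's log instead of leaving the account without the intended membership.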

0

thanks.

The alternative option will not work b/c there are various groups that various users may be added to.

How can I add the Member Of section back to the View tab in the forms customization?

0

Take a look at section AD object group membership in the Customize Forms for User Creation and Editing Tutorial.

0

I'm still getting the below:
The user is not a part of the Builtin\HR Manager security role.

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: newscorp.com)

Business Rules:

Command Processor 'Business Rules' threw an exception when processing the command. A list of actions to be triggered by Business Rules couldn't be generated. Failed to check the following condition of the 'User Provision' business rule: If the initiator is assigned to the 'Builtin\HR Manager - copy' role. The 'distinguishedName' property cannot be found in the cache.

0

Did you remove the Member Of property from the form for creating users?

0

yes

0

OK, can you send us screenshots of the complete form to our support e-mail (support[at]adaxes.com)? Also, can you send a screenshot of the error?

0

email sent.

0

hello-

Are there any checks and balances in place for account creation when similar users have the same initial/last name?

I attempted to create a user w/ the same initials and same last name and realized I didn't get a notification for the new hire. When I checked the log, it says the account already exists. Would checking the logs be the only place to know when an acct isn't created and why?

0

Hello,

How did you create the user? Did you do it manually or was it some sort of import? If manually, was it made in the Adaxes Administration Console or the Web interface?

0

I created via the web interface.

0

Hello,

And did you see the Operation Succeeded message? The thing is that a similar error is returned by the Adaxes service when a new user is created and another user with the same username already exists, but such an error is always displayed by the Adaxes Web interface.

Can you try reproducing the issue by attempting to create a user with a username that already exists in your AD? Does Adaxes Web interface show you the error?

0

I ran another test. We have an approval process in place before the user account is created. When I went in to approve (different account), I received the message that the approval request is approved and received the approval email.
The account wasn't created and no message was received.
Checked the logs and it says the account was already created.

I am trying to mimic how our HR dept will use it. So if there is a manager approving, HR gets the email that it was approved and assumes the acct is created, when in actuality it's not being created.

FYI, on one of our other interfaces, where an approval process is not in place, it does display a message that the account already exists.

0

Hello,

To take such a situation into account, you can automatically send an email notification to the user who sent the operation for approval if the operation fails. To do this, you need to create a Business Rule as follows:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
  3. On the 3rd step, add the Send e-mail notification action.
  4. In the Action parameters section, specify the %adm-InitiatorEmail% value reference in the To field. When the action is triggered, the value reference will be replaced with the email address of the user who sent the operation for approval.
  5. Modify the message template and click OK.
  6. Double-click the If the operation succeeded condition.
  7. In the Condition parameters section, select If the main operation failed.
  8. Click OK and finish creation of the Business Rule.

Also, we would advise completely eliminating situations in which user creation could fail. For example, if user creation failed because the users have identical usernames specified, you can create a Business Rule that will automatically add a digit to the username if the username is not unique. For information on how to accomplish the task, take a look at the following tutorial: http://www.adaxes.com/tutorials_Simplif ... Script.htm (Example 2 in step 5).

0

Ok, if I go w/ the first option, then HR would have to recreate the account and have the manager re-approve.

If I go w/ the second option, within the example, it doesn't update the email address.
What would be the best way to implement it if it still has to go through the approval process?
Would I create a B.R. that runs the PowerShell script and, if it's true, then it will update the logon name etc., then have it sent to the hiring manager for approval?
Having the PowerShell do its thing, will that also update the fields within the notification email?

Once it's approved, will the updated info be in the Request Approved form that the initiator receives?

0

If I go w/ the second option, within the example, it doesn't update the email address.

The script can be modified to update all the properties you need. How is the email address generated?

Would I create a B.R. that runs the PowerShell script and, if it's true, then it will update the logon name etc., then have it sent to the hiring manager for approval?
Having the PowerShell do its thing, will that also update the fields within the notification email?
Once it's approved, will the updated info be in the Request Approved form that the initiator receives?

If you do it as described in the tutorial, then everything will be automatically updated in the Approval Request, notifications sent to the initiator and approver etc. You only need to keep in mind that the PowerShell script should be triggered before sending for approval. That is, the script that generates a unique username and the Send operation for approval action should be in the same Business Rule, and the script should precede the Send operation for approval action.

0

The email address is generated as FNInitialLastName@domain.com.
Can you tell me how to update the email address? I'd like to try option 2.

Thank You!

0

Hello,

Actually, there is one option. The only option is to update the script. We only wanted to say that if the script is executed in your Business Rule before sending the operation for approval, then the Approval Request will be updated with the new values set by the script.

We've asked our script guys to modify the script for you. We'll update you as soon as the script is available.

0

ok, thanks.

0

Hello,

The following script also updates the user's e-mail address. Use it instead of the script that you currently have.

Import-Module Adaxes
$emailLocalPart = "%firstname,1%%lastname%" # TODO: modify me

function IsUserNameUnique($username)
{
   $user = Get-AdmUser $username -erroraction silentlycontinue
   return $user -eq $Null
}
# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")
# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}
# If the username is not unique, generate a unique one
$uniqueUsername = $Null
for ($i = 1; $True; $i++)
{
    $uniqueUsername = $username + $i;
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$userLogonName = $uniqueUsername + "@" + $domainName
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
  + ".", "Information")

# Update email address; $i still holds the number that made the username unique
$mailAddress = "$emailLocalPart$i@$domainName"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")
0

ok thanks. I will test this out.

0

disregard.

Helpdesk gave me incorrect information.

0

So if they do receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make that field = the user logon name w/o affecting the integrity of the form itself?

FYI, on the current form, user logon name = %firstname:lower,1%%lastname:lower%
user logon name (pre-Windows 2000) = %firstname:lower,1%%lastname:lower%

0

I tested the script w/o an approval, which worked beautifully. However, because we have a different UPN suffix and have hardcoded it within the forms, when the account is created it is using the former UPN suffix.
Can the script be updated for the new UPN suffix? Or, if it's as simple as updating the fields in the script (which I didn't see), I can modify it.

Thank you.

0

Sorry, we forgot about the requirement to have a custom UPN suffix in your environment. Here's a script that meets your requirements. The custom UPN suffix is specified by $upnSuffix.

Import-Module Adaxes
$emailLocalPart = "%firstname,1%%lastname%" # TODO: modify me
$upnSuffix = "example.com" # TODO: Modify me

function IsUserNameUnique($username)
{
   $user = Get-AdmUser $username -erroraction silentlycontinue
   return $user -eq $Null
}
# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")
# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}
# If the username is not unique, generate a unique one
$uniqueUsername = $Null
for ($i = 1; $True; $i++)
{
    $uniqueUsername = $username + $i;
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
  + ".", "Information")

# Update email address; $i still holds the number that made the username unique.
# The e-mail domain is the custom UPN suffix ($domainName is not defined in this version of the script).
$mailAddress = "$emailLocalPart$i@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")
0

Thanks! I'll test this out.

Also, can you reply to this:

Once they receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make user logon name = user logon name (pre-Windows 2000) w/o affecting the integrity of the form itself?

FYI, on the current form, user logon name = %firstname:lower,1%%lastname:lower%
user logon name (pre-Windows 2000) = %firstname:lower,1%%lastname:lower%

0

Thanks for the updated script.
Instead of using a number to make the username unique,
we'd like to make the username firstName.lastName if it's not unique. Can I have an updated script for this?

0

Hello,

Instead of using a number to make the username unique,
we'd like to make the username firstName.lastName if it's not unique. Can I have an updated script for this?

And what should the script do if firstName.lastName is also not unique?

Once they receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make user logon name = user logon name (pre-Windows 2000) w/o affecting the integrity of the form itself?

Maybe we are not getting something, but since you have a script that always generates a unique username, users are not supposed to see such a message if the username is non-unique. With the script in place, they can see such a message only if a user with the same full name exists in the same OU.

0

Hello,

And what should the script do if firstName.lastName is also not unique?

I guess at that point the number can be added. Listings in the GAL with numbers at the end of usernames/email addresses wouldn't be a first choice. Also, in the past when numbers were added, it was b/c of either corrupted accounts or different resources, for example, which eventually got really messy.

Once they receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make user logon name = user logon name (pre-Windows 2000) w/o affecting the integrity of the form itself?

Maybe we are not getting something, but since you have a script that always generates a unique username, users are not supposed to see such a message if the username is non-unique. With the script in place, they can see such a message only if a user with the same full name exists in the same OU.

The script will be used only when HR is creating accounts. Trying to make the process as seamless as possible since it's a bit challenging to have them use the new system.

I didn't apply this script with our helpdesk b/c there is no approval process in place since it's just service/resource accounts.

0

Hello,

I guess at that point the number can be added. Listings in the GAL with numbers at the end of usernames/email addresses wouldn't be a first choice. Also, in the past when numbers were added, it was b/c of either corrupted accounts or different resources, for example, which eventually got really messy.

OK. Here's a version of the script that first attempts to switch to the firstName.lastName format for the username and e-mail. If such a user also exists, it will start adding a number to the end of the username in the format firstName.lastName.

Import-Module Adaxes
$upnSuffix = "example.com" # TODO: Modify me

function IsUserNameUnique($username)
{
   $user = Get-AdmUser $username -erroraction silentlycontinue
   return $user -eq $Null
}
# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")
# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}
# If the username is not unique, generate a unique one in the firstName.lastName format
$username = "%firstname%.%lastname%"
$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }

    $uniqueUsername = $username + $i;
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
  + ".", "Information")

# Update email address
$mailAddress = "$uniqueUsername@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")

Once they receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make user logon name = user logon name (pre-Windows 2000) w/o affecting the integrity of the form itself?

I didn't apply this script with our helpdesk b/c there is no approval process in place since it's just service/resource accounts.

OK. So, as far as we understand, for these service accounts the user logon name should be equal to the user logon name (pre-Windows 2000), and your custom UPN suffix should be ignored. Is that correct?

Where (and how) do your helpdesk people create the accounts? Maybe they are created in a special OU or there's a separate Home Page Action for service accounts?

0

Thanks for the updated script. I will test today.

The accounts are being created via the home page action for a new user. The pattern is assigned to a couple of OUs.
The custom UPN is ignored as it's already in the user logon field.

0

2nd question -

We have existing users that have the former domain in the UPN field.
When I attempt to edit, it doesn't allow me to. No message is displayed; it just goes to the previous screen when I hit backspace.

FYI, for the property pattern it relates to, that field is selected on creating and modifying.

EDIT --
RESOLVED - FYI, I added the new @ UPN suffix next to the user logon name and the box that had the former domain disappeared. This allows us to edit.

0

Once they receive a message that the account already exists and need to modify the user logon name (pre-Windows 2000) to make it unique, how can I make user logon name = user logon name (pre-Windows 2000) w/o affecting the integrity of the form itself?

The accounts are being created via the home page action for a new user. The pattern is assigned to a couple of OUs.
The custom UPN is ignored as it's already in the user logon field.

Hello,

Can you send us / post here a screenshot of the Property Pattern that adds the custom UPN? It seems to me that the Property Pattern should do what you need automatically.

0

hello-

I sent a screenshot yesterday.

0

Hello,

To generate User Logon Name based on User Logon Name (pre-Windows 2000), do the following:

  1. Launch Adaxes Administration Console.
  2. Expand the service node that represents your service.
  3. Expand Configuration \ Property Patterns.
  4. Select the Property Pattern that sets the custom UPN suffix (the one that you sent us).
  5. Double-click the User Logon Name property.
  6. In the Generate default value field, type %samAccountName%@domain.com, where domain.com is your custom UPN suffix.
  7. Click OK and save the Property Pattern.

%samAccountName% is a value reference that will be replaced with the value of the User Logon Name (pre-Windows 2000) property. Since you specified an identical template for generating both the properties (save the custom UPN suffix), this will not break anything.

Also, can you clarify if there is a difference with regards to group membership between ‘Write All Properties’ and ‘Write member property’ ?

The Write All Properties permission allows a user to modify all properties of an object. With regards to groups, this allows modifying not only group membership, but also all other properties, such as, for example, Group Name, Description or Managed By. The Write 'member' Property permission allows only adding/removing members from the group, and nothing else.

0

Thank You!
Worked like a charm.

0

hello-

Can you help me with a script for unique names for consultants?
Currently, our naming convention for consultants is consultant.firstnameInitialLastNameInitial, e.g. John Doe = consultant.jd@domain.com.
If that account exists, we'd like consultant.jdoe@domain.com.

Would it be possible to add the code to the current script, or would it be best if I add a condition/action for consultants within the 'before user creation' business rule? FYI, there is a designated OU that these accounts will go in.

Thanks in advance.

0

Hello,

Yes, sure. We've already assigned our script guys to work on the script. We'll update you as soon as they come up with something.

0

Hello,

Here's a modified version of the script that meets your requirements. In the script, $consultantsOUDN specifies the Distinguished Name (DN) of the OU with accounts of consultants.

Import-Module Adaxes
$upnSuffix = "example.com" # TODO: Modify me
$consultantsOUDN = "OU=consultants,DC=domain,DC=com" # TODO: Modify me

function IsUserNameUnique($username)
{
   $user = Get-AdmUser $username -erroraction silentlycontinue
   return $user -eq $Null
}

# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")
# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}

# If the username is not unique, generate a unique one
$userDN = $Context.TargetObject.ObjectInfo.DN
if ($userDN.IsDescendantOf($consultantsOUDN))
{
    $username = "consultant.%firstname,1%%lastname%"
}
else
{
    # Permanent employees fall back to the firstName.lastName format
    $username = "%firstname%.%lastname%"
}

$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }

    $uniqueUsername = $username + $i;
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
  + ".", "Information")

# Update email address
$mailAddress = "$uniqueUsername@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")
0

thanks.
There are 3 different OUs for the temps (NY/LA/DC) - sorry about that, I should've mentioned that. Would I put all three in the variable used or would more variables be needed?
Temp_consultants_Intern_Accounts (domain.com/NY)
" (domain.com/LA)
" (domain.com/DC)

Also,
the current B.R. that requests an approval before creating an account checks if the initiator is in the HR group, then runs the script you previously provided, and then sends the approval.

What would be the best way to check that it's a consultant account if there are 3 OUs and the initiator is in the HR group?

Thank You

0

Hello,

Here's the script that you can use with multiple OUs for consultants. Specify the OUs where consultants are located in $consultantsOUDNs.

Import-Module Adaxes
$upnSuffix = "example.com" # TODO: Modify me
$consultantsOUDNs = @("OU=Temp_consultants_Intern_Accounts,OU=NY,DC=domain,DC=com", "OU=Temp_consultants_Intern_Accounts,OU=LA,DC=domain,DC=com", "OU=Temp_consultants_Intern_Accounts,OU=DC,DC=domain,DC=com") # TODO modify me

function IsUserNameUnique($username)
{
    $user = Get-AdmUser $username -erroraction silentlycontinue
    return $user -eq $Null
}

function IsConsultant ($userDN, $consultantsOUDNs)
{
    foreach ($ouDN in $consultantsOUDNs)
    {
        if ($userDN.IsDescendantOf($ouDN))
        {
            return $True
        }
    }
    return $False
}

# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")
# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}

# If the username is not unique, generate a unique one
$userDN = $Context.TargetObject.ObjectInfo.DN
if (IsConsultant $userDN $consultantsOUDNs)
{
    $username = "consultant.%firstname,1%%lastname%"
}
else
{
    # Permanent employees fall back to the firstName.lastName format
    $username = "%firstname%.%lastname%"
}

$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
    $uniqueUsername = $username + $i;
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
    + ".", "Information")

# Update email address
$mailAddress = "$uniqueUsername@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")

What would be the best way to check that it's a consultant account if there are 3 OUs and the initiator is in the HR group?

If it is for the purpose of setting the correct username, then the check whether it is a consultant is already done in the script, and you do not need to make any additional modifications to your Business Rule besides applying the new version of the script provided above. If it should be done for other purposes, could you explain your task in more detail?

0

thanks.
Currently I have 1 B.R. before an acct is created that will check if the initiator is a member of the HR group, run PowerShell to check if the username is unique (for our full-time employees), and send approval.

Based on what you provided for the consultants, I wasn't sure where I should put the script. Should I create another action within the current B.R. with perhaps an AND statement distinguishing it from full-time employees, or just add it and Adaxes will know which one to run?

0

Hi Eugene,

Can you reply to my last comment? Thanks.

0

Hello,

You don't need to create any extra actions. Just use the last version of the script instead of the script that you currently have. The proper handling of consultants vs permanent employees is done by the script itself.

Don't forget to update $consultantsOUDNs with DNs of the OUs where consultants are located.

0

2 things -

  1. Will the script only check for a unique username within the OUs or will it check across the entire domain?
    I attempted to add temp and intern code (my 2nd request below) and it actually created 2 accounts with the same username. Was it because I changed $consultantsOUDNs to point to a test OU or did I totally screw up the code :oops: ?
    I'd like to know where I went wrong and confirm that it will check across the domain.

  2. Can this script be updated to include temp and intern?
    Temp, intern, and consultants will be located in the same OUs; however, the naming convention is different for each, with it being temp.firstNameInitialLastNameInitial and intern.firstNameInitialLastNameInitial... and if those are already taken, the user account should be temp.firstNameInitialLastName... intern.firstNameInitialLastName etc.

Temporarily, I am telling HR to ensure the user logon name (pre-Windows 2000) is set to what you'd like the email address to be, but I'd like a better solution.

Essentially, we'd like to be able to select an employee type and, based on that, have the user logon name (pre-Windows 2000), user logon name, and email match while the user is filling out the form.
Not sure if that's possible in real time (I changed the option to generate the value on creating and editing the object, but that didn't work for me, or I'm misunderstanding it), or if it's better created as a Business Rule?

My attempt at adding to the script:

Import-Module Adaxes
$upnSuffix = "domain.com" # TODO: Modify me
$consultantsOUDNs = @("OU=Operation Team,DC=domain,DC=com") # TODO modify me

function IsUserNameUnique($username)
{
    $user = Get-AdmUser $username -erroraction silentlycontinue
    return $user -eq $Null
}

function IsConsultant ($userDN, $consultantsOUDNs)
{
    foreach ($ouDN in $consultantsOUDNs)
    {
        if ($userDN.IsDescendantOf($ouDN))
        {
            return $True
        }
    }
    return $False
}

function IsTemp ($userDN, $consultantsOUDNs)
{
    foreach ($ouDN in $consultantsOUDNs)
    {
        if ($userDN.IsDescendantOf($ouDN))
        {
            return $True
        }
    }
    return $False
}

function IsIntern ($userDN, $consultantsOUDNs)
{
    foreach ($ouDN in $consultantsOUDNs)
    {
        if ($userDN.IsDescendantOf($ouDN))
        {
            return $True
        }
    }
    return $False
}

# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")

# Check if the username is unique
if (IsUserNameUnique($username))
{
    return
}

# If the username is not unique, generate a unique one
$userDN = $Context.TargetObject.ObjectInfo.DN
if (IsConsultant $userDN $consultantsOUDNs)
{
    $username = "consultant.%firstname,1%%lastname%"
}
else
{
    $username = "consultant.%firstname%%lastname%"
}

if (IsTemp $userDN $consultantsOUDNs)
{
    $username = "temp.%firstname,1%%lastname%"
}
else
{
    $username = "temp.%firstname%%lastname%"
}

if (IsIntern $userDN $consultantsOUDNs)
{
    $username = "intern.%firstname,1%%lastname%"
}
else
{
    $username = "intern.%firstname%%lastname%"
}

$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
    $uniqueUsername = $username + $i;
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
    + ".", "Information")

# Update email address
$mailAddress = "$uniqueUsername@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")

0

Hello,

1. Will the script only check for unique username within the OUs or will it check across the entire domain?

The script checks within the entire domain.

  1. can this script be updated to include temp and intern?
    temp, intern, and consultants will be located in the same OUs

Yes, this can be done, however the logic of the script needs to be changed, because currently it distinguishes between a consultant and a non-consultant based only on the OU where the user is created. If temp, intern, and consultants are located in the same OUs, there will be no way to distinguish whether it is a temp, an intern, or a consultant. Further:

Essentially, we'd like to be able to select an employee type and, based on that, have the user logon name (pre-Windows 2000), user logon name, and email match while the user is filling out the form.
Not sure if that's possible in real time (I changed the option to generate the value on creating and editing the object, but that didn't work for me, or I'm misunderstanding it), or if it's better created as a Business Rule?

This can be done, but currently not in real time. You can create a Business Rule executed after creating a user. Depending on the employee type, the script will assign a proper username and e-mail for the user. For us to be able to change the script for you, can you tell us which property you are going to use to specify the employee type (will it be the Employee Type property or something else?) and what the exact possible options for the property are?

By the way, since the script will rely on the exact wording of a specific employee type, we recommend providing the list of possible employee types as a drop-down list, where an HR can pick an appropriate employee type. For information on how to specify a list of possible values for a property, see Specify List of Departments to Avoid Repetitive Typing.

0

We are using the Employee Type property.
Current options are Consultant, Temp, Intern.

When this is done via Business Rule, what do you suggest the filler be in those fields (user logon and email address) on the form?

0

Current options are Consultant, Temp, Intern.

What option is/will be set for regular employees?

When this is done via Business Rule, what do you suggest the filler be in those fields (user logon and email address) on the form?

So, you want the user logon name and e-mail address to be generated completely automatically regardless of what the user enters? Are we getting you right?

0

What option is/will be set for regular employees?

Currently for regular employees, we have Inter-Company Transfer, Permanent, Rehired Employee.

So, you want the user logon name and e-mail address to be generated completely automatically regardless of what the user enters? Are we getting you right?

No. I'd prefer what they choose as employee type for Consultants, Temps, and Interns to be reflected in the logon name and email, i.e. intern.xx etc. For regular employees, it would be what we have now, firstInitialLastname and, if that isn't unique, firstname.lastname.
Based on your previous response, I thought this couldn't be done b/c it can't happen in real time? So my concern/question is what the user sees when filling out the form in real time, if this is taking place within a Business Rule before the account is created.

0

Based on your previous response, I thought this couldn't be done b/c it can't happen in real time? So my concern/question is what the user sees when filling out the form in real time, if this is taking place within a Business Rule before the account is created.

No, this can't be done in real time while the user fills in the form. The Business Rule will be triggered once the user presses the Create button, prior to creation of the new user account.

Before pressing the button, the field for the username will contain the value generated by the Property Pattern applied to the new user or, if the value generated by the Property Pattern is modified, the modified value.

0

1. Is there a way to have a notification about a new hire (new account) go to the assistant of the hiring manager?

0

Hello,

Yes, it is possible with a PowerShell script. You can create a PowerShell script that sends an e-mail message to the new user's manager's assistant and use a Business Rule to run it automatically after creating each new user.

For information on how to send email messages with a PowerShell script, see Sending Emails and SMS. Also, see Run PowerShell Script after Creating a User.

If you need assistance with the script, we can help you.

0

thanks. a script will be helpful.

0

Hello,

Try this one:

$subject = "Account for %fullname% created"
$text = @"
New account created for user %fullname%.

Account details:
Username: %sAMAccountName%
Manager: %manager%
Department: %department%
Office: %physicalDeliveryOfficeName%

Please do not reply to this e-mail, it has been sent to you for notification purposes only.
"@

# Get the new user's manager
try
{
    $managerDN = $Context.TargetObject.Get("manager")
}
catch
{
    $Context.LogMessage("Cannot notify the manager's assistant because the user does not have a manager", "Warning")
    return
}
$manager = $Context.BindToObjectByDN($managerDN)

# Get the manager's assistant
try
{
    $assistantDN = $manager.Get("assistant")
}
catch
{
    $Context.LogMessage("Cannot notify the manager's assistant because the manager does not have an assistant", "Warning")
    return
}
$assistant = $Context.BindToObjectByDN($assistantDN)

# Get the assistant's e-mail
try
{
    $mail = $assistant.Get("mail")
}
catch
{
    $Context.LogMessage("Cannot notify the manager's assistant because the assistant does not have an e-mail address", "Warning")
    return
}

$Context.SendMail($mail, $subject, $text, $NULL)

In the script, $subject and $text specify the subject and the text of the email message. To insert information about the new user in the message, use value references (e.g. %username%).

0

Thanks a lot. I will test.

I see it has a warning condition, who will get that message?

0

Hello,

The warning message will be shown to the user who creates a new user. Also, it will be stored in the Execution Log of the operation and will be shown when viewing the operation in Logging.

0

hi, it seems the email is going to the manager and not the manager's asst.
Please advise.

FYI - I resolved...the $assistant was passing the $managerDN instead of the $assistantDN.

0

When using the default Bus Rule to create an Exchange MB, I see in the logs an error message that the account must be logon-enabled for a user's MB.
Why am I getting this and what would cause the account to not be logon-enabled if it's new?

I also noticed that the account is being created as a disabled object. Please advise.

0

Hello,

FYI - I resolved...the $assistant was passing the $managerDN instead of the $assistantDN.

Thanks, a good catch. We've modified the script in the original post.

Why am I getting this and what would cause the account to not be logon enabled if its new?

The Create an Exchange mailbox action that is used in the built-in Create Exchange Mailbox Business Rule always creates user mailboxes, and Exchange does not allow creating user mailboxes for users who cannot log in to your domain (for example, disabled users). You can create an Exchange mailbox for a disabled user if you are creating an equipment or room mailbox, for example.

As you mentioned:

I also noticed that the account is being created as a disabled object

That's the main cause for the issue.

When a user is created as a disabled user, does an Execution Log appear with a list of Business Rules triggered by the operation and the actions performed by them? Can you send the Execution Log to our support e-mail (support[at]adaxes.com)?

Also, can you send us a copy of the log record for this operation? To do this:

  1. Open the properties of the log record that represents the operation of creating a disabled user per step 7 of the following help article: http://www.adaxes.com/help/Logging.ViewServiceLogl.html.
  2. At the top of the Properties dialog, right-click the description of the operation that is displayed next to an icon.
  3. Click Select All.
  4. Right-click again.
  5. Click Copy.
  6. Send the copied text to us.
0

hi-

Are the script guys still working on the other script regarding temps, intern, consultants?

0

Hello,

Actually, it's ready. Here you are.

Import-Module Adaxes
$upnSuffix = "example.com" # TODO: Modify me

function IsUserNameUnique($username)
{
    $user = Get-AdmUser $username -erroraction silentlycontinue
    return $user -eq $Null
}

# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")

# Get employee type
$employeeType = $Context.GetModifiedPropertyValue("employeeType")
$usernameNotChanged = $True
if (-not([System.String]::IsNullOrEmpty($employeeType)))
{
    # Check whether the username already starts with the Employee Type; if not, add it as a prefix
    if (-not($username.StartsWith($employeeType , "CurrentCultureIgnoreCase")))
    {
        $username = "$employeeType.$username"
        $usernameNotChanged = $False
    }
}

# If the username is not unique, generate a unique one
$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
    $uniqueUsername = $username + $i;
    $usernameNotChanged = $False
}

# if the user name has not changed, exit
if ($usernameNotChanged)
{
    return
}

# Update User Logon Name (pre-Windows 2000)
$Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

# Update User Logon Name
$userLogonName = $uniqueUsername + "@" + $upnSuffix
$Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
$Context.LogMessage("The username has been changed to " + $userLogonName `
    + ".", "Information")

# Update email address
$mailAddress = "$uniqueUsername@$upnSuffix"
$Context.SetModifiedPropertyValue("mail", $mailAddress)
$Context.LogMessage("The email address has been changed to $mailAddress", "Information")
0

hello--

A couple questions about the script--

1. The variable used, $employeeType, relates to my drop-down menu on the new hire form. However, does it matter that my label has a space?

2. On the action page, there are 2 sections. One is for Permanent/Full-time employees, for which I have specific OUs. The employee type drop-down consists of Inter-company, Permanent, Re Hire.
For permanent accounts, you've supplied me with a script that will check if the username is unique and, if not, update it to be firstname.Lastname@domain.com, which is executed in a Business Rule before the account is created, and before the approval.

The 2nd section on the action page is for consultants/interns/temps, with OUs specifically for those as well. The employee type drop-down has Consultants, Interns, Temps.
To make this affect only the consultants/temps/interns, will I have to make another Bus Rule before account creation and have it check in which OU the account will reside, then add this script before the approval? Or just add it as a condition?

Also, in the script, when it checks to see if it is unique, will it be adding a #1 to the unique name?
We'd prefer it to be employeeType.firstInitialLastName if it isn't unique. Can you update it to reflect that?

Thanks!

0

Hello,

1. In PowerShell scripts, you should use LDAP names of properties instead of the display names that are used in the Web Interface / Administration Console. employeeType is the LDAP name for the property that is displayed as Employee Type in the Web Interface / Administration Console. As for $employeeType, it is a PowerShell variable. Actually, you can call it whatever you like ($myValue, for example). We called it the same as the LDAP name for simplicity's sake.

2. We think it would be better to launch the necessary script based on the value of the Employee Type property, for example:

For this purpose, you can use the If <property> <relation> <value> condition type.

Also, in the script, when it checks to see if it is unique, will it be adding a #1 to the unique name?

No, if the username is already unique, the script will simply check whether the necessary prefix (for example, intern.) is present at the beginning of the username and add it, if necessary. If the username is unique and already contains the prefix, the script will leave it as it is.

0

Ok, but what if an account already has the proper prefix?

On the current form, I hard-coded consultant.%firstname:lower,1%%lastname:lower,1% for the user Logon name.
I just changed it to %employeeType%.%firstname:lower,1%%lastname:lower,1% and it is reflected in the user Logon name! YAY! :D So that totally takes care of HR having to enter that. The script could now check to see that the samAccount is unique, and if not, add the user's last name.

Thanks for the suggestion. Currently, I have the business rule set up to check if the user is a part of HR and then execute the proceeding actions. This is kind of like my insurance in the event an issue comes up.
The activity scope is currently on all objects, which I will change to match the same OUs the current user property pattern uses.
If I do the above, I think this just may satisfy the request.

0

Hello,

Ok, but what if an account already has the proper prefix?

The script checks that and will not add a prefix.

The script could now check to see that the samAccount is unique, and if not, add the user's last name.

What script are you talking about (which of them)? What will be the final procedure of selecting a unique username for the user? Is it like this:

  1. Try what was entered for the username.
  2. If not unique, generate username in the form %employeeType%.%firstname:lower,1%%lastname:lower%.
  3. If not unique, start adding a digit.

Correct?

0

the original script you provided for permanent users.
yes, what you listed below is correct.

Thank You!

0

OK, we've asked our script guys to modify the script for you. We'll update you as soon as they come up with something.

0

Hello,

Here you are:

Import-Module Adaxes
$upnSuffix = "example.com" # TODO: Modify me

function IsUserNameUnique($username)
{
    $user = Get-AdmUser $username -erroraction silentlycontinue
    return $user -eq $Null
}

function SaveChanges($uniqueUsername, $upnSuffix)
{
    # Update User Logon Name (pre-Windows 2000)
    $Context.SetModifiedPropertyValue("samAccountName", $uniqueUsername)

    # Update User Logon Name
    $userLogonName = $uniqueUsername + "@" + $upnSuffix
    $Context.SetModifiedPropertyValue("userPrincipalName", $userLogonName)
    $Context.LogMessage("The username has been changed to $userLogonName.", "Information")

    # Update email address
    $mailAddress = "$uniqueUsername@$upnSuffix"
    $Context.SetModifiedPropertyValue("mail", $mailAddress)
    $Context.LogMessage("The email address has been changed to $mailAddress", "Information")
}

# Get the username
$username = $Context.GetModifiedPropertyValue("samAccountName")

# Get employee type
$employeeType = $Context.GetModifiedPropertyValue("employeeType")
$usernameChanged = $False
if (-not([System.String]::IsNullOrEmpty($employeeType)))
{
    # Check whether the username contains Employee Type
    if (-not($username.StartsWith($employeeType , "CurrentCultureIgnoreCase")))
    {
        $username = "$employeeType.$username"
        $usernameChanged = $True
    }
}

# Check if the username is unique
$uniqueUsername = $username
if (IsUserNameUnique($uniqueUsername))
{
    # Username unique, but Employee Type was added. Save the changes
    if ($usernameChanged)
    {
        SaveChanges $uniqueUsername $upnSuffix
    }
    return
}

# If the username is not unique, generate a unique one
$uniqueUsername = $NULL
$username = $NULL
if (-not([System.String]::IsNullOrEmpty($employeeType)))
{
    $username = "$employeeType."
}
$username += "%firstname:lower,1%%lastname:lower%"
$uniqueUsername = $username
for ($i = 1; $True; $i++)
{
    if (IsUserNameUnique($uniqueUsername))
    {
        break
    }
    $uniqueUsername = $username + $i;
}

# Save the changes
SaveChanges $uniqueUsername $upnSuffix
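As an added example (not the support team's script), the username derivation from the script above reworked as a pure function that can be exercised offline: it follows the same three-step procedure (entered name, then <type>.<first initial><last name>, then a counter) but also enforces the 20-character sAMAccountName limit and strips characters AD rejects, prefixes only the contractor types, and compares against "<type>." so that a type such as Temp cannot match a surname such as "temple". The $IsTaken script block, the $PrefixedTypes list and the sample directory are assumptions; in a Business Rule $IsTaken would wrap Get-AdmUser.

```powershell
function Get-UniqueSamAccountName
{
    param(
        [string]$Entered,
        [string]$EmployeeType,
        [string]$FirstName,
        [string]$LastName,
        [scriptblock]$IsTaken,                                   # returns $true if the name exists
        [string[]]$PrefixedTypes = @('Consultant', 'Temp', 'Intern')  # assumed list of types that get a prefix
    )

    # sAMAccountName constraints: at most 20 characters and none of
    # " / \ [ ] : ; | = , + * ? < > @ (whitespace is dropped as well).
    $invalidChars = '["/\\\[\]:;|=,+*?<>@\s]'
    $maxLength    = 20

    # Only contractor types get a prefix; regular employees are left alone.
    # The prefix is lower-cased and carries its own trailing dot.
    $prefix = ''
    if ($PrefixedTypes -contains $EmployeeType) {
        $prefix = ($EmployeeType.ToLowerInvariant() -replace $invalidChars, '') + '.'
    }

    $candidates = @()

    # 1. What HR typed, cleaned and lower-cased; the prefix is added only when
    #    the name does not already start with "<type>.".
    $entered = ($Entered -replace $invalidChars, '').ToLowerInvariant()
    if ($entered.Length -gt 0) {
        if ($prefix -and -not $entered.StartsWith($prefix)) { $entered = $prefix + $entered }
        $candidates += $entered
    }

    # 2. Fallback: <prefix><first initial><last name>.
    $first = ($FirstName -replace $invalidChars, '').ToLowerInvariant()
    $last  = ($LastName  -replace $invalidChars, '').ToLowerInvariant()
    if ($first.Length -gt 0 -and $last.Length -gt 0) {
        $candidates += $prefix + $first.Substring(0, 1) + $last
    }
    if ($candidates.Count -eq 0) { throw 'Cannot derive a sAMAccountName: no usable input.' }

    # Try each candidate, truncated to the length limit.
    foreach ($candidate in $candidates) {
        if ($candidate.Length -gt $maxLength) { $candidate = $candidate.Substring(0, $maxLength) }
        if (-not (& $IsTaken $candidate)) { return $candidate }
    }

    # 3. Append a counter to the fallback, shortening the stem so the whole
    #    value still fits in 20 characters.
    $stem = $candidates[-1]
    for ($i = 1; $i -lt 1000; $i++) {
        $suffix = [string]$i
        $room   = $maxLength - $suffix.Length
        $head   = if ($stem.Length -gt $room) { $stem.Substring(0, $room) } else { $stem }
        $name   = $head + $suffix
        if (-not (& $IsTaken $name)) { return $name }
    }
    throw 'Cannot derive a unique sAMAccountName after 999 attempts.'
}

# Constructed sample of names already in the directory (offline stand-in for Get-AdmUser).
$existing = @('jsmith', 'intern.jsmith', 'intern.jsmith1', 'consultant.mvandenbe')
$isTaken  = { param($name) $existing -contains $name }

Get-UniqueSamAccountName -Entered 'jsmith' -EmployeeType 'Intern' -FirstName 'John' -LastName 'Smith' -IsTaken $isTaken
Get-UniqueSamAccountName -Entered 'mvandenberg' -EmployeeType 'Consultant' -FirstName 'Maria' -LastName 'Van den Berg' -IsTaken $isTaken
Get-UniqueSamAccountName -Entered 'Jane Smith' -EmployeeType 'Permanent' -FirstName 'Jane' -LastName 'Smith' -IsTaken $isTaken
```

The second call shows why the length check matters: "consultant." plus a long surname already exceeds 20 characters, so the counter has to replace the tail of the stem rather than be appended to it.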
0

hi-

I'm testing the newly created script and it doesn't seem to be behaving as expected.
I located an account that already exists and created an account similar to it. It is sent to the approver, but within the approval form, the fields aren't being updated with a unique name.

I looked at the execution log and all the conditions are being checked:
For this particular test B.R. -'Create unique username-TEST', I took your advice and have it checking the employee type, but that seems to satisfy both conditions...

execution log:
Business Rules: 1 rule encountered while processing your request
'Create unique username-TEST': Run PowerShell script 'Enforce Pwd Policy' for the user
'Create unique username-TEST': Run PowerShell script 'Generate unique username and update respective fields for Regular Employees' for the user
'Create unique username-TEST': Send this operation for an approval.
Your request has been submitted for approval.
'Create unique username-TEST': Run PowerShell script 'Enforce Pwd Policy' for the user
'Create unique username-TEST': Run PowerShell script 'Generate Unique username for Consultans/Interns/Temps' for the user
'Create unique username-TEST': Send this operation for an approval.

I figured it was the order that I screwed up so I changed it. That too didn't help--
Business Rules: 1 rule encountered while processing your request
'Create unique username-TEST': Run PowerShell script 'Enforce Pwd Policy' for the user
'Create unique username-TEST': Run PowerShell script 'Generate Unique username for Consultans/Interns/Temps' for the user
'Create unique username-TEST': Send this operation for an approval.
Your request has been submitted for approval.
'Create unique username-TEST': Run PowerShell script 'Enforce Pwd Policy' for the user
'Create unique username-TEST': Run PowerShell script 'Generate unique username and update respective fields for Regular Employees' for the user
'Create unique username-TEST': Send this operation for an approval.

I also noticed that in the approval form, it's showing the adm-customattributes instead of the friendly name, even though I restarted IIS a few times after adding them.

EDIT - I now see why the script is running for the employee type not being equal to whatever is selected. Logically, it does satisfy the other 2 conditions. So how can I distinguish between the 2?

0

Hello,

Business Rule issue:

Can you send us or post here a screenshot of the actions and conditions of your Business Rule?

Friendly names issue:

Have you restarted your Adaxes Service?

Are your Adaxes service and Web Interface installed on different computers? If so, you need to make the changes described in this article both on the computer where Adaxes service is installed and on the computer where the Web Interface is installed.

0

Hi-

Adaxes web interface and Service are on the same machine.
I have not restarted the Adaxes service yet, but will do so. Thanks! I don't remember having to do that in the past when this initially came up, nor does the article say so.

Screenshot sent.

0

Can you also send us the file that you modified per the instructions in the article?

0

Business Rule issue:

Sorry, our mistake. The 2nd set of actions/conditions must be joined with an AND, not OR.

0

Thanks.

file sent.

0

The file looks OK. Try restarting Adaxes service.

However, keep in mind restarting Adaxes service will not affect the Approval Requests that have been created before restarting the service. The new friendly names will apply only to Requests generated after restarting the service. The thing is that the operation description is generated by Adaxes service (that's why you also need to restart the service) at the time when the Request is created. After that, the Web interface simply shows the description that was generated at that time.

0

Good to go.
The script works and, after restarting the service, the friendly names show up as expected.

thanks again.
