0 votes

Hello!

I am creating a scheduled task, which in pseudocode does the following:

1st action:

If account is locked AND
if extensionattribute6 is empty
 send email to the locked account
 set extensionattribute6 to %datetime,+20m%

2nd action:

If account is locked AND
My custom PS script checks that the datetime from extensionattribute6 has passed
Clear the info in extensionattribute6

This works pretty well. I set this script to run every 2 minutes, and with the extensionattribute set after the first mail has been sent, it stops the script from spamming a locked-out user with mail every 2 minutes until the account gets unlocked.

HOWEVER:
"If account is locked" seems to not check both our domain controllers - only one of them?
I purposely lock my account, then browse to my user in the OU list in Adaxes, refresh it, and see that the "Bad Password Time" attribute is not up to date. If I check with PowerShell straight to one of my DCs, the value is correct.

How do I work around this?

Thanks!

by (160 points)

1 Answer

0 votes
by (215k points)

Hello,

The Bad-Password-Time attribute is indeed not replicated in AD, however Adaxes doesn't use it to determine whether an account is locked out. The UF_LOCKOUT flag in the ms-DS-User-Account-Control-Computed attribute is used instead. If an account is locked out, the UF_LOCKOUT flag is set in the ms-DS-User-Account-Control-Computed attribute, and this is immediately replicated among Domain Controllers.

0

Thanks for your reply.

I am still experiencing some problems, but I have narrowed it down to my custom PowerShell script. However, I am finding it hard to debug what is going on in the PowerShell script. $Context.LogMessage("blah","Information") does nothing (because the workflow fails at some point, so there is no execution log), and I will post my script to get some experienced eyes on it. :)

The actual workflow:
#This script runs every 2 minutes, so I need some anti-spam logic so the user doesn't end up with 10-15 emails while his account is locked
IF Account is Locked Out AND
script "Anti Spam" returns true, then
Send Email-notification (Your account has been locked)
Set ExtensionAttribute6 to %datetime,10m%

#Anti Spam script
Import-Module Adaxes
$user = Get-AdmUser -Identity "%username%" -Properties ExtensionAttribute6
$now = Get-Date

#If the user doesn't have the ext-att set, it's probably the first time the account has been locked
If (!($user.ExtensionAttribute6))
    {
        $Context.ConditionIsMet = $true
        #The workflow should carry on and send notification email and set the ext-att to %datetime,+10m%
    }
else
    {
        #ExtensionAttribute does exist - let's check if the value is older than Get-Date
        #Parse only in this branch: ParseExact throws on an empty value, which aborts the script before ConditionIsMet is set
        $mailtime = [datetime]::ParseExact($user.ExtensionAttribute6, "dd.MM.yyyy H:mm:ss", [System.Globalization.CultureInfo]::InvariantCulture)
        if ($now -gt $mailtime)
        {
            $Context.ConditionIsMet = $true
            #It's older than Get-Date, so the workflow should send a new email and set the ext-att to an updated value
        }
        else
        {
            $Context.ConditionIsMet = $false
            #Get-Date is LESS THAN the value of extensionattribute6, so the user should NOT be sent yet another mail - he has already been notified.
        }
    }

Now for some reason, this does not work, or seems to work randomly. How do I see what is going on in the PS engine when the script is triggered? Some debug mode would help me out a lot :)

And if anyone else is interested, I have another scheduled task as well that does some cleanup of the ExtensionAttribute6 for all users. In short, if the value is in the past, just remove it.

If Ext-Att6 property is not empty AND
Script "Ext-Att6 value is in the past" returns true then
Modify the user: Clear Ext-Att6

#"Ext-Att6 value is in the past" script
Import-Module Adaxes
$user = Get-AdmUser -Identity "%username%" -Properties ExtensionAttribute6
$now = Get-Date
#The workflow condition already guarantees the attribute is not empty, so parsing here is safe
$mailtime = [datetime]::ParseExact($user.ExtensionAttribute6, "dd.MM.yyyy H:mm:ss", [System.Globalization.CultureInfo]::InvariantCulture)

if ($now -gt $mailtime)
{
    #ExtAtt6 value is in the past, carry on with the workflow
    $Context.ConditionIsMet = $true
}
else
{
    #ExtAtt6 value is in the future, do nothing
    $Context.ConditionIsMet = $false
}

Any help would be appreciated :)
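The script above fails whenever ExtensionAttribute6 is empty or does not match the format string, because ParseExact throws and the workflow stops with no execution log. Below is an added example, not code from the original post or from Adaxes, that isolates the "Anti Spam" decision in one function (Test-AntiSpamCondition, a hypothetical helper name) using TryParseExact, so it never throws and can be exercised offline with constructed attribute values:

```powershell
# Added example, not code from the original post or from Adaxes. Test-AntiSpamCondition
# is a hypothetical helper that holds the "Anti Spam" decision in one function so it
# can be run outside Adaxes with constructed attribute values.
function Test-AntiSpamCondition {
    param(
        [string]$ExtensionAttribute6,    # raw attribute value; $null or "" when never set
        [datetime]$Now = (Get-Date)
    )

    # No timestamp stored yet: first lockout notification, let the workflow continue.
    if ([string]::IsNullOrWhiteSpace($ExtensionAttribute6)) {
        return $true
    }

    # TryParseExact never throws. ParseExact on an empty or mis-formatted value throws
    # instead, which aborts the whole workflow and leaves no execution log.
    $format   = "dd.MM.yyyy H:mm:ss"
    $culture  = [System.Globalization.CultureInfo]::InvariantCulture
    $mailTime = [datetime]::MinValue
    $parsed   = [datetime]::TryParseExact($ExtensionAttribute6, $format, $culture,
                                          [System.Globalization.DateTimeStyles]::None,
                                          [ref]$mailTime)
    if (-not $parsed) {
        # Unreadable timestamp (e.g. written in a different regional format): treat it
        # as expired so the user is notified and the value is overwritten with a fresh one.
        return $true
    }

    # Stored time has passed: notify again. Otherwise the user was notified recently.
    return ($Now -gt $mailTime)
}

# Constructed sample values for an offline run; none of this is real directory data.
$now   = [datetime]::new(2020, 3, 12, 10, 0, 0)
$cases = @(
    @{ Value = $null;                 Expected = $true  }   # attribute never set
    @{ Value = "12.03.2020 9:50:00";  Expected = $true  }   # 10-minute window expired
    @{ Value = "12.03.2020 10:10:00"; Expected = $false }   # still inside the window
    @{ Value = "2020-03-12 10:10";    Expected = $true  }   # wrong format, handled without throwing
)
foreach ($c in $cases) {
    $result = Test-AntiSpamCondition -ExtensionAttribute6 $c.Value -Now $now
    $label  = if ($c.Value) { $c.Value } else { "<empty>" }
    "{0,-20} -> ConditionIsMet={1} (expected {2})" -f $label, $result, $c.Expected
}
```

Inside Adaxes the function's result would be assigned to $Context.ConditionIsMet. The last case matters in practice: if the text written by %datetime,+10m% does not match "dd.MM.yyyy H:mm:ss" (for example because of the regional settings on the server), the original script throws on every run, while this version keeps the workflow alive.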

0

Hello,

Actually, you can do this with a single Scheduled Task instead of 2. Also, we recommend using Adaxes virtual attributes because, unlike Exchange Custom Attributes, they can store date/time values, which will make the script faster to complete and much simpler. Adaxes virtual attributes are not stored in AD, but can be used the same as any other attributes of AD objects. Date/time values are stored in the following attributes: CustomAttributeDate1 ... CustomAttributeDate5.

Thus, the Scheduled Task will look something like this:

The 'Anti Spam' script used in the Scheduled Task is as follows:

$Context.ConditionIsMet = $True

try
{
    $mailTime = $Context.TargetObject.Get("adm-CustomAttributeDate1")
}
catch
{
    return
}

# Check if the $mailTime is older than the current time
if ($mailTime -lt [System.DateTime]::Now)
{
    # Clear the custom attribute
    $Context.TargetObject.Put("adm-CustomAttributeDate1", $NULL)
    $Context.TargetObject.SetInfo()

    # Exit from script
    return
}

$Context.ConditionIsMet = $False
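To step through the three branches of that condition script without a live Adaxes installation, here is an added example that is not part of the answer above and is not the Adaxes API: New-FakeContext (a hypothetical helper) builds a stand-in for $Context whose TargetObject only mimics the three calls the script makes (Get, Put, SetInfo), and the script's logic is then run against constructed attribute values:

```powershell
# Added example, not part of the answer above and not the Adaxes API. New-FakeContext
# builds a minimal stand-in for $Context whose TargetObject only mimics the three calls
# the condition script makes (Get, Put, SetInfo).
function New-FakeContext {
    param([hashtable]$Attributes)
    $target = [pscustomobject]@{ Attributes = $Attributes; Saved = $false }
    # The real Get() throws when the attribute is empty (the answer's try/catch relies on that);
    # the fake does the same.
    $target | Add-Member -MemberType ScriptMethod -Name Get -Value {
        param([string]$Name)
        if (-not $this.Attributes.ContainsKey($Name)) { throw "Attribute '$Name' is not set" }
        return $this.Attributes[$Name]
    }
    $target | Add-Member -MemberType ScriptMethod -Name Put -Value {
        param([string]$Name, $Value)
        if ($null -eq $Value) { $this.Attributes.Remove($Name) } else { $this.Attributes[$Name] = $Value }
    }
    # Remember whether the script committed its change, as SetInfo() would
    $target | Add-Member -MemberType ScriptMethod -Name SetInfo -Value { $this.Saved = $true }
    return [pscustomobject]@{ TargetObject = $target; ConditionIsMet = $false }
}

# The condition logic from the answer, unchanged, held in a script block. When invoked
# below, $Context resolves from the calling scope just as it does inside Adaxes.
$antiSpam = {
    $Context.ConditionIsMet = $True
    try { $mailTime = $Context.TargetObject.Get("adm-CustomAttributeDate1") }
    catch { return }
    if ($mailTime -lt [System.DateTime]::Now) {
        $Context.TargetObject.Put("adm-CustomAttributeDate1", $NULL)
        $Context.TargetObject.SetInfo()
        return
    }
    $Context.ConditionIsMet = $False
}

# Constructed cases (not real directory data): one per branch of the script
$cases = @(
    @{ Label = "never notified";    Attributes = @{} }
    @{ Label = "window expired";    Attributes = @{ "adm-CustomAttributeDate1" = (Get-Date).AddMinutes(-10) } }
    @{ Label = "notified recently"; Attributes = @{ "adm-CustomAttributeDate1" = (Get-Date).AddMinutes(10) } }
)
foreach ($case in $cases) {
    $Context = New-FakeContext -Attributes $case.Attributes
    & $antiSpam
    $cleared = -not $Context.TargetObject.Attributes.ContainsKey("adm-CustomAttributeDate1")
    $line = "{0,-18} ConditionIsMet={1} attributeCleared={2} saved={3}"
    $line -f $case.Label, $Context.ConditionIsMet, $cleared, $Context.TargetObject.Saved
}
```

Running it shows the intended behaviour of each branch: with no stored date the condition is met and nothing is written; with an expired date the condition is met and the attribute is cleared and saved; with a date still in the future the condition is not met, so no second mail goes out. The same harness can be pointed at any modified version of the script before it is deployed as a Scheduled Task.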
