0 votes

Hello,

We have several actions that run against an object when it's set to pending approval.

If the approval is denied, is there an easy way to revert these changes on the object?

For example, disabling a user and hiding from the Address Book.

Thank you.

by (130 points)
0

Hello,

And why don't you make the action that requires an approval the first action in the sequence? If an action requires an approval, and approval is not granted, all subsequent actions won't be executed either.

0

Because you may have a scenario where deleting a user requires approval, but you need to take actions before the user is deleted.

For example, an employee is exiting the company. A Help Desk technician gets a ticket to delete the user immediately, but this action has to be approved by management. Meanwhile, the user still needs to be disabled, password reset, moved to another OU, and removed from the Exchange Address Book. When the manager approves, the account itself is deleted. This might be several days after the employee has exited.

We have built some custom actions that do all of these things at the same time. But if there is a need to reverse these actions, it will be a manual process.

That's why I was hoping you could do this automatically in some way... especially if you need to do this for many users. (Obviously I realize that some changes cannot be undone, like password resets.)

I have seen other software like ADModify that creates an XML log of bulk changed attributes to AD objects. It gives you the option to access the log and undo those changes if desired.

Might be nice to have something similar in Adaxes.

1 Answer

0 votes
by (1.6k points)

FYI As we do something similar to this...

1. Our workflows make the final deletion the 'approval required' step - similar I guess to you.

2. We actually use a different tool that is capable of rollback of changes if there is a need to (NetWrix if we can mention a different vendor in the forums).

3. However, previously (and actually still do just in case) we performed an automated data export for the user account that lists groups, OU etc (everything but the password) as the first step so we do have a record of the exact setup of the account before the deprovision started (you have to use the additional exe that Adaxes has for exporting, so just call it as an external command).

4. We generally manually moved the account back to the OU, then had a PowerShell script that parsed the export file and added it back to all the groups (and you could easily tack a few Adaxes steps onto the end to enable in address book etc).

0

FYI This is the external command we call to dump the user data prior to the deprovisioning workflow making changes:-

"C:\Program Files\Softerra\Adaxes 3\Administration Console\admimex.exe" /d HTML /ds /f "D:\Adaxes Exports\Archived Data\Deprovisioned Users\[%name%] [%sAMaccountname:upper%] [%objectGUID%].html" /r "%distinguishedName%"

Rgds

0

This is pretty smart! Thanks for the tip!

0

Would you be willing to show us your PowerShell script that parsed the export file and added it back to all the groups?
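
One way to implement the snapshot-and-restore approach described in the answer above, as an added example that is not the poster's script and not Adaxes code. It swaps the admimex HTML export for a JSON snapshot written with the ActiveDirectory PowerShell module; the snapshot folder, the function names, and the presence of the Exchange attribute msExchHideFromAddressLists in the schema are assumptions of the example.

```powershell
# Added example: not the poster's script and not Adaxes code.
# Assumes the RSAT ActiveDirectory module and an Exchange-extended schema.
Import-Module ActiveDirectory

$SnapshotDir = 'D:\Deprovision Snapshots'   # hypothetical folder; restrict its ACL

function Save-UserSnapshot {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties MemberOf, msExchHideFromAddressLists
    $snapshot = [pscustomobject]@{
        ObjectGuid      = $user.ObjectGUID.ToString()
        SamAccountName  = $user.SamAccountName
        # Parent container = DN minus the leading RDN (split on the first unescaped comma)
        ParentContainer = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
        Enabled         = $user.Enabled
        HiddenFromGal   = [bool]$user.msExchHideFromAddressLists
        Groups          = @($user.MemberOf)   # the primary group is not listed in memberOf
    }
    $path = Join-Path $SnapshotDir "$($snapshot.ObjectGuid).json"
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
    return $path
}

function Restore-UserSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    $snap = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # Bind by GUID so the restore still finds the account after a move or rename
    $user = Get-ADUser -Identity $snap.ObjectGuid -Properties MemberOf

    foreach ($groupDn in $snap.Groups) {
        if ($user.MemberOf -notcontains $groupDn) {
            Add-ADGroupMember -Identity $groupDn -Members $user
        }
    }
    Set-ADUser -Identity $user -Enabled $snap.Enabled `
        -Replace @{ msExchHideFromAddressLists = $snap.HiddenFromGal }

    # Move back only if the account is not already in its original container
    $currentParent = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
    if ($currentParent -ne $snap.ParentContainer) {
        Move-ADObject -Identity $user -TargetPath $snap.ParentContainer
    }
}
```

Save-UserSnapshot is meant to run as the first step, before the deprovisioning actions change anything. The snapshot holds no password, so a password reset is not restored.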
