
Hello -
I'm working on my company's offboarding process and need to run a Custom Command that turns off access to different systems and resources at the time specified. I've been using the code examples on the site to create a scheduled task via PowerShell, but I'm stuck on the part where I need to have the action run a custom command for a specific user.

I'm getting the user that should have the work done and I have the custom command GUID, but I'm not sure how to feed that into the Scheduled Task's actions. Any help would be great!

Thanks!

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the 'Scheduled Tasks' container
$scheduledTasksPath = $admService.Backend.GetConfigurationContainerPath(
    "ScheduledTasks")
$scheduledTasksContainer = $admService.OpenObject($scheduledTasksPath,
     $NULL, $NULL, 0)

# Create a new Scheduled Task
$task = $scheduledTasksContainer.Create("adm-ScheduledTask", "CN=Disable %fullname%")

$task.ObjectType = "user"
$task.Description = "Process Off-boarding for %fullname%"
$task.Disabled = $False
$task.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_BEFORE"
$task.OperationType = "none"

# Specify the schedule for the task
$recurrencePattern = $task.GetRecurrencePattern()
$recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_ONCE"
$recurrencePattern.PatternStartDateTime = %adm-CustomAttributeDate3%
$task.SetRecurrencePattern($recurrencePattern)
$task.DeleteTaskAfterExecution = $True #Delete after run is turned on

#Define actions and conditions for the task
$actionAndConditions = $task.ConditionedActions.Create()
$action = $actionAndConditions.Actions.CreateEx("adm-OffBoarduser")
$action.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
$removeAction = $action.GetAction()
$removeAction

#Getting the user object
$userDN = %distinguishedName%
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

#Getting the Custom Command
$commandID = "{9db88ec3-1241-4ab1-9612-c7c982baa49f}"
$user.ExecuteCustomCommand($commandID)

# Save the Scheduled Task
$task.SetInfo()

1 Answer

Best answer

Hello,

It is possible to use PowerShell to create a Scheduled Task that runs a Custom Command; however, we have a better idea. As far as we understand, you already have the date when the Task should run stored in CustomAttributeDate3. Why not create a Scheduled Task that would run daily and execute the Scheduled Task for any users whose CustomAttributeDate3 is the same date as the current date? The task would look like this:

The script to use with the condition will be as follows:

$Context.ConditionIsMet = $False

try
{
    # Get() takes the property name; a %...% value reference would be replaced
    # with the property value before the script runs
    $decommissionDate = $Context.TargetObject.Get("adm-CustomAttributeDate3").Date
}
catch
{
    return # No decommissioning date specified
}

$currentDate = [System.DateTime]::Now.Date
if ($decommissionDate -eq $currentDate)
{
    $Context.ConditionIsMet = $True
}
0

I thought about this, the issue is that we need to terminate access within 15 minutes of notice, so if someone is going to be terminated at 2PM it needs to run at 2PM, likewise another employee could be terminated at 8AM.

Any ideas how to handle those business rules?

0

Any ideas how to handle those business rules?

It is, of course, possible to create such Scheduled Tasks from Business Rules, but do you imagine what a mess it will be if you have 15-20 employees dismissed at a time? You mentioned that there is a 15 minutes' notice time. Does it mean that if someone is going to be terminated at 2PM, then, say, 2:10PM will also be OK?

0

It can, and I'm guessing you want me to run a scheduled task every 15 minutes or so. I'd really like to be able to create a scheduled task on demand that runs a custom command for a user, if you can give me an example of that I can adjust it to meet our needs.

Thanks!
Jake

0

Jake,

OK, no problem. Here you are:

$commandID = "{9db88ec3-1241-4ab1-9612-c7c982baa49f}"

# Bind to the 'Scheduled Tasks' container
$scheduledTasksPath = $Context.GetWellKnownContainerPath("ScheduledTasks")
$scheduledTasksContainer = $Context.BindToObject($scheduledTasksPath)

# Check whether a Scheduled Task with the same name already exists
$scheduledTasksPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $scheduledTasksPath
$scheduledTaskPath = $scheduledTasksPathObj.CreateChildPath("CN=Disable %fullname%")
try
{
    $Context.BindToObject($scheduledTaskPath)
    $Context.LogMessage("A task to deprovision %name% already exists.", "Error") # TODO: modify me
    return
}
catch
{
    # There is no task with the same name
}

# Create a new Scheduled Task
$task = $scheduledTasksContainer.Create("adm-ScheduledTask", "CN=Disable %fullname%")

$task.ObjectType = "user"
$task.Description = "Process Off-boarding for %fullname%"
$task.Disabled = $False
$task.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_BEFORE"
$task.OperationType = "none"

# Specify the schedule for the task
$recurrencePattern = $task.GetRecurrencePattern()
$recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_ONCE"
$executionDateTime = $Context.TargetObject.Get("adm-CustomAttributeDate3")
$recurrencePattern.PatternStartDateTime = $executionDateTime
$task.SetRecurrencePattern($recurrencePattern)
$task.DeleteTaskAfterExecution = $True #Delete after run is turned on

# Save the task
$task.SetInfo()

# Define actions and conditions for the task
$actionsAndConditions = $task.ConditionedActions.Create()
$actionsAndConditions.ConditionsLogicalOperation =
    "ADM_LOGICALOPERATION_AND"
$actionsAndConditions.SetInfo()
$action = $actionsAndConditions.Actions.CreateEx("adm-CustomCommandAction")
$action.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
$removeAction = $action.GetAction()
$removeAction.CustomCommandId = $commandID
$action.SetAction($removeAction)
$action.SetInfo()
$actionsAndConditions.Actions.Add($action)
$task.ConditionedActions.Add($actionsAndConditions)

# Define the scope for the task
$scopeItem = $task.ActivityScopeItems.Create()
$scopeItem.BaseObject = $Context.TargetObject
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_BASE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$task.ActivityScopeItems.Add($scopeItem)

$Context.LogMessage("%name% will be deprovisioned $executionDateTime", "Information") # TODO: modify me
0

Thanks for your help, this worked perfect! Only adjustment I had to make was that the adm-CustomDate variable stored the DateTime in UTC form, so I added the UTC Offset to ensure the task runs at the same time. Here is what it looks like:

$recurrencePattern.PatternStartDateTime = $executionDateTime.AddHours([TimeZoneInfo]::Local.BaseUtcOffset.ToString().Remove(3,6).Remove(0,1))

I bet there is a better way to go about this but this does do the trick and will remain accurate when Daylight savings changes.

Thanks!
Jake

0

Hello Jake,

Yes, that can be made much easier. You can replace the following 2 lines in the script that we provided:
$executionDateTime = $Context.TargetObject.Get("adm-CustomAttributeDate3")
$recurrencePattern.PatternStartDateTime = $executionDateTime

with the following line:
$recurrencePattern.PatternStartDateTime = [DateTime]"%adm-CustomAttributeDate3%"
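
The UTC-to-local conversion discussed in this thread matters for off-boarding because an offset error delays or advances access revocation by an hour. The following is an added example, not code from the thread or from Softerra: it converts a stored UTC value with `TimeZoneInfo`, so the offset in effect on the execution date is used, and compares the result with a fixed `BaseUtcOffset`. The helper name `Convert-UtcToScheduleTime`, the sample dates and the pinned time zone are assumptions made for the demonstration.

```powershell
# Hypothetical helper (not an Adaxes API): turn a stored UTC date into local wall-clock time.
function Convert-UtcToScheduleTime {
    param(
        [Parameter(Mandatory)] [DateTime] $Value,
        [TimeZoneInfo] $TimeZone = [TimeZoneInfo]::Local
    )
    # ConvertTimeFromUtc rejects Kind=Local, so normalise first.
    # Assumption: an Unspecified value holds UTC, as the thread reports for this attribute.
    if ($Value.Kind -eq [DateTimeKind]::Local) { $Value = $Value.ToUniversalTime() }
    $utc = [DateTime]::SpecifyKind($Value, [DateTimeKind]::Utc)
    # Applies the offset in effect on that date, daylight saving time included.
    [TimeZoneInfo]::ConvertTimeFromUtc($utc, $TimeZone)
}

# Constructed sample data: the same 2 PM local off-boarding time in winter and in summer,
# stored as UTC. "Eastern Standard Time" is an example zone, pinned so the results do not
# depend on the machine running the demo.
$zone = [TimeZoneInfo]::FindSystemTimeZoneById("Eastern Standard Time")
$samples = @(
    [DateTime]::new(2020, 1, 15, 19, 0, 0, [DateTimeKind]::Utc),
    [DateTime]::new(2020, 7, 15, 18, 0, 0, [DateTimeKind]::Utc)
)

foreach ($utc in $samples) {
    $converted   = Convert-UtcToScheduleTime -Value $utc -TimeZone $zone
    # Fixed standard-time offset, for comparison: it ignores daylight saving time.
    $fixedOffset = $utc + $zone.BaseUtcOffset
    [PSCustomObject]@{
        StoredUtc       = $utc.ToString("u")
        ZoneAware       = $converted.ToString("yyyy-MM-dd HH:mm")
        BaseOffsetOnly  = $fixedOffset.ToString("yyyy-MM-dd HH:mm")
        DifferenceHours = ($converted - $fixedOffset).TotalHours
    }
}
```

Called without `-TimeZone`, the helper uses the server's local zone; its result would take the place of `$executionDateTime` when setting `PatternStartDateTime` in the script above.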
