finding an attribute from within a scheduled workflow with powershell - msds-userpasswordexpirytimecomputed

Hi, 

I'm working on a password expiry notification, using ARS 7.0 workflow interface.

First, I use a find activity to scope certain users.

Then, I'd like to use an if-then branch, to evaluate the msds-userpasswordexpirytimecomputed property.

From what I've read, this value is a number that can't be evaluated by the "workflow computed" date and time.

I found this in the community that does essentially what I'm looking for in an event-driven workflow:

function onpremodify($Request)
{
    $integerDate = $Request.Get('expires')
    $convertedDate = [datetime]::fromfiletime($integerDate)
    return $convertedDate
}

Except I'm trying to convert the msds-userpasswordexpirytimecomputed value.

That would (if it worked) convert the property to a text value, that can be evaluated by the workflow computed date.

However, I can't seem to find logic that actually returns meaningful data to the workflow. This code just returns an error: "Object reference not set to an instance of an object"

Though I've tried several iterations of function name, $Reference and $Dirobj, can't seem to return a usable value to the workflow.

Is this do-able?

Thanks so much for any thoughts.

 

  • Not sure if this is helpful or not but if you do:

    $ExpirationDate = Get-QADUser -identity jsmith | select passwordexpires

    ...you get back a usable date which you then do whatever math you want on - e.g. AddDays etc.
  • Let me elaborate a bit on this.

    You can use a script activity to get your list of users based on whatever expiration criteria you like.

    You can then pass the list of users to another activity - an Update, or Deprovision etc.

    All you have to do is return the user list as the last line of your script - for example:

    $ReturnedUsers

    ...much like you would do for a function. The next activity in the workflow can then "pick this up" and act on the list.
  • Understood. My goal here was to do as much of the work inside the AR workflow as possible, without writing a script to do everything.
    Like:
    1. use a Find activity in a workflow to find users in AD.
    2. Use an if-then branch, to evaluate each user.
    3. Return the password expiry date for the user being evaluated, in the right format.
    This is where the PowerShell comes in, I believe. Here, I think I can call a PowerShell function that gets the password expires value for the current user, and converts it [FromFileTime] to a format that the workflow can evaluate. Then returns it to the if-then evaluation.
    4. Evaluate the converted password expires value, against a workflow date and time format.

    If it can be done.
  • Was just looking at including that expiry time attribute you cited in a workflow If-Else. The If-Else understands that this is a date-time and for the "Value to compare to" it offers "Fixed date and time", "Workflow date and time" etc. If you look at the option "Value generated by rule expression", there's an option in there to obtain a value from a script. So for example, you could calculate $((Get-Date).AddDays(30)) to compare your expiration with 30 days from today and have the workflow If-Else compare to that.
  • That worked!

    The if-then activity pulls the value of the current user property 'msds-userpasswordexpirytimecomputed'.
    Then checks if that number is less than or equal to the value returned from the script below.

    function onExecute {
        $futuredate = (Get-Date).AddDays(+8).ToFileTime()
        return $futuredate
    }

    Thank you.

    Would still like to know how to work with the other side of the equation using $Response or $Dirobj to pull a property from the current user, for future use.
  • I'm not 100% sure what you mean but if you are talking about working with the results of a search activity, here's a trivial example.

    Suppose you made a search that finds users with physicaldeliveryofficename = "Chicago".

    You called the search "Find Chicago Users"

    Now you want to do something with the found users.

    Let's say you want to get their account expiration date and shove it in a file:

    In PoSh, you would implement something like this:

    Function GetFoundAccountExpires ($Request)
    {
        Add-Content "Expiration_Info.txt" -Value $($workflow.FoundObject("Find Chicago Users").get("accountexpires"))
    }

    That script containing the function would get called for each user found.

  • When I try to revise this in the context of my workflow, I get an error:

    function GetPasswordExpires($Request)
    {
    $Intgerdate = $workflow.FoundObject("found -a object").get('msds-userpasswordexpirytimecomputed')
    $convertedDate = [datetime]::fromfiletime($Intgerdate)
    return $convertedDate
    }
  • Activity name: ifElseActivity1
    Details:
    At line: 3 char:1. You cannot call a method on a null-valued expression.

    The find activity is searching for 1 user. I know the find works, because I've been using it for other testing.
  • Couple of things:

    1) Make sure you have spelled the name of the Find Activity correctly in your FoundObject parameter.
    2) Suggest double quotes around the attribute name.
    3) If it still doesn't work, change the attribute to something common like distinguishedname. I have a feeling that the search is not going to return your attribute as part of a found user object. You will probably have to make a subsequent Get-QADUser call using the returned found object's distinguishedname as the identity in order to get the actual attribute you want.
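
Added example, not part of the original thread and not Active Roles code: a stand-alone PowerShell function that turns a raw msds-userpasswordexpirytimecomputed value into something a notification rule can act on, covering the cases where [datetime]::FromFileTime fails or misleads (attribute not returned, 0, and the "never expires" sentinel). The function name Convert-PasswordExpiry, its parameters and the sample values are assumptions made for illustration.

```powershell
# Added example. Input is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
function Convert-PasswordExpiry {
    param(
        [AllowNull()] $RawValue,      # value as read from the directory; may be $null
        [int] $WarnDays = 8,          # same window as the thread's AddDays(8)
        [datetime] $Now = (Get-Date)
    )

    # Attribute not returned by the search: report it instead of
    # calling a method or conversion on $null.
    if ($null -eq $RawValue -or "$RawValue" -eq '') {
        return [pscustomobject]@{ State = 'Missing'; Expires = $null; Notify = $false }
    }

    $ticks = [int64]$RawValue

    # 0 is returned when pwdLastSet is 0 (user must change password at next logon).
    if ($ticks -eq 0) {
        return [pscustomobject]@{ State = 'MustChange'; Expires = $null; Notify = $false }
    }

    # Int64.MaxValue (0x7FFFFFFFFFFFFFFF) means the password never expires;
    # FromFileTime throws ArgumentOutOfRangeException on it.
    if ($ticks -eq [int64]::MaxValue) {
        return [pscustomobject]@{ State = 'NeverExpires'; Expires = $null; Notify = $false }
    }

    $expires = [datetime]::FromFileTime($ticks)   # converted to local time
    $state   = if ($expires -le $Now) { 'Expired' } else { 'Active' }
    $notify  = ($expires -gt $Now) -and ($expires -le $Now.AddDays($WarnDays))
    [pscustomobject]@{ State = $state; Expires = $expires; Notify = $notify }
}

# Constructed sample values, not taken from a real directory.
$now = Get-Date
$samples = [ordered]@{
    'expires in 3 days'  = $now.AddDays(3).ToFileTime()
    'expires in 30 days' = $now.AddDays(30).ToFileTime()
    'already expired'    = $now.AddDays(-2).ToFileTime()
    'never expires'      = [int64]::MaxValue
    'must change'        = 0
    'attribute missing'  = $null
}
foreach ($name in $samples.Keys) {
    $r = Convert-PasswordExpiry -RawValue $samples[$name] -Now $now
    '{0,-20} {1,-13} notify={2}' -f $name, $r.State, $r.Notify
}
```

A plain "less than or equal to (Get-Date).AddDays(8).ToFileTime()" comparison on the raw number also matches 0 and already-expired values, so those accounts land in the same branch as accounts that are about to expire.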