Update specific property for a user is not working during deprovision.

I have a deprovision policy which is supposed to update the property msExchHideFromAddressLists to True. This property takes boolean values only. When deprovisioning a user however, the policy fails to update this specific property.

What could be the reason for this?

  • There is a specific Deprovisioning policy option for this. Under User Deprovisioning Policies, select Exchange Mailbox Deprovisioning. The next screen has a bunch of options for handling the mailbox deprovisioning, including "Hide the mailbox from the Global Address List (GAL)".

    However, when performing this manually as you have described, I was able to successfully set the referenced attribute to TRUE and upon deprovisioning the attribute was set accordingly. The upper/lower case of the word true does not seem to matter.

    Does the Deprovisioning Results dialog or the Change History on the user that was deprovisioned show any errors when trying to set a value of True on the msExchHideFromAddressLists attribute?

  • The exchange mailbox deprovisioning policy seems to only work for On Premise Exchange. It updates a different attribute from what I can tell. We are syncing AD to O365 for account management. This attribute when it syncs up will automatically hide the user from the Address book.

    The error I am getting is the following:

    • Failed to change some property values.
       Details <<<
      Administrative Policy returned an error. Object reference not set to an instance of an object.
  • The Exchange Mailbox Deprovisioning Policy sets msExchHideFromAddressLists to TRUE. You should get the same result from using the policy or by setting the boolean manually.

    What version of Active Roles?

  • Currently on 7.4. The exchange mailbox deprovision policy does not set the attribute. Currently this will only function if you have on-premise exchange server.

    I opened a ticket with One Identity Support. The response I received is this is a known issue and will be resolved in version 7.4.3.

  • Sorry, I see this now.

    This does look to be related to Defect ID 125877, which is currently flagged to be resolved in Active Roles 7.4.3.

    I don't have a firm release date on that version at this time.

  • Was this resolved in 7.4.3, as we are seeing the same basic behavior. Trying to modify msExchHideFromAddressLists results in "Object reference not set to an instance of an object.", but we are at 7.4.3.110? Asking before I open a ticket.

     

    FYI, release notes for 7.4.3 say no resolved issues for the release and this issue is also not in the known issues list.

  • I had to use a workaround. I created a script which uses the Set-ADUser cmdlet. The Set-RemoteMailbox cmdlet does not work as we synchronize Active Directory to the cloud.


    The two functions I created are as follows:

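    # Runs on deprovision: hide the user from address lists by writing the attribute directly in AD.
    function onDeprovision($Request)
    {
        # Only act on user objects
        if ($Request.Class -ne "User"){return}
        # Nothing to do if the request already has the attribute set to true
        if ($Request.Get("msExchHideFromAddressLists") -eq $true){return}

        $User = $Request.Get("DistinguishedName")
        # Set-ADUser comes from the ActiveDirectory module and bypasses the failing policy update
        Set-ADUser -Identity $User -Replace @{msExchHideFromAddressLists = $true}
    }


    # Runs on undo deprovision: clear the attribute so the user is listed again.
    function onUnDeprovision($Request)
    {
        # Only act on user objects
        if ($Request.Class -ne "User"){return}
        if ($DirObj.GetInfoEx(@("msExchHideFromAddressLists"),0) -eq $true){return}

        $User = $Request.Get("DistinguishedName")
        # -Clear removes the attribute value entirely rather than writing FALSE
        Set-ADUser -Identity $User -Clear msExchHideFromAddressLists
    }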


    I then set the deprovision policy and undo deprovision policies to run these scripts.
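
An audit check for the workaround above, added as an example and not part of the original thread: it lists accounts that look deprovisioned but would still appear in the address book after sync. It assumes deprovisioned accounts are disabled in AD; the function name `Get-DeprovisionedStillVisible` and the sample accounts are made up for illustration.

```powershell
# Added example, not from the thread. Assumption: deprovisioning disables the account.
function Get-DeprovisionedStillVisible {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName, Enabled and msExchHideFromAddressLists,
        # e.g. the output of Get-ADUser -Properties msExchHideFromAddressLists
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User
    )
    process {
        foreach ($u in $User) {
            # Enabled accounts are out of scope for this check
            if ($u.Enabled) { continue }

            # Both an unset attribute ($null) and FALSE leave the account visible
            if ($u.msExchHideFromAddressLists -ne $true) {
                [pscustomobject]@{
                    SamAccountName       = $u.SamAccountName
                    HideFromAddressLists = if ($null -eq $u.msExchHideFromAddressLists) {
                        '<not set>'
                    } else {
                        $u.msExchHideFromAddressLists
                    }
                }
            }
        }
    }
}

# Constructed sample objects standing in for directory results
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Enabled = $false; msExchHideFromAddressLists = $true  }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false; msExchHideFromAddressLists = $null  }
    [pscustomobject]@{ SamAccountName = 'bwong';  Enabled = $false; msExchHideFromAddressLists = $false }
    [pscustomobject]@{ SamAccountName = 'clee';   Enabled = $true;  msExchHideFromAddressLists = $null  }
)

# Reports asmith (not set) and bwong (False); jdoe is hidden, clee is still active
$sample | Get-DeprovisionedStillVisible

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $false' -Properties msExchHideFromAddressLists |
#     Get-DeprovisionedStillVisible
```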

  • Ken,

    Unfortunately, it appears that this defect was updated since the last time that I checked. The fix for this did not make it into Active Roles 7.4.3. It is now targeted to be resolved in Active Roles 7.5. I don't have a firm release date on that version at this time, but I don't expect that it will be out this year.