Syncing only users without "Disabled" in description attribute

Hi!

I'm using quickconnect to sync two active directories.

In the source Active Directory, there are some users with a description that has the word 'Disabled'. I do not want to sync those users.

In the workflow provisioning wizard, if I create a condition "description doesn't contain Disabled", it does not capture ANY users!

I'm trying to use a PowerShell condition instead due to the issue above.

My condition for the source objects is if ($srcObj["description"] -notcontains '*Disabled*'){$srcObj}

This doesn't work either (no users are being provisioned). I've checked that if I take this condition out of the picture, all users are captured and synced.

Any ideas? I'm new to this tool.

Thanks!

  • Hi, arjuna.

    Just throwing an idea out there. Beyond the obvious version difference between what you're doing versus what John & Terrance have discussed is the fact that you're forced to resort to a scripted solution since the version of the product that you're using doesn't offer the "does not contain" operator in the interface.

    Here's what I'm thinking. The Sync Service (QuickConnect) loads the set of attributes for each object into the cache that it thinks are relevant to the mapping operation. Because you're using the scripted condition, I don't think that the description attribute is actually being loaded into the cache, therefore the condition will fail for all users.

    There may be some way to force the tool to load the description into the cache, but without spending a bunch of time investigating, perhaps a solution like this could work:

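    # Bind directly to the source object by GUID instead of relying on the sync cache.
    $srcGuid = $srcObj["objectGuid"]
    $adObject = [ADSI]("EDMS://<GUID="+([GUID]($srcGuid)).Guid+">")
    # Force the description attribute to be loaded for this object.
    $adObject.RefreshCache("description") > $null
    
    # -notcontains tests collection membership, not substrings; -notlike with wildcards does the substring match.
    if (($adObject.Properties.PropertyNames -contains "description") -and ([string]$adObject.Properties["description"].Value -notlike "*disabled*")) {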
      return $true
    }
    else {
      return $false
    }

    This would likely come with a performance penalty, but if it worked, at least it would prove if this is the problem or not, in which case it may be worth spending more time seeing if there is some other way to force description into the cache.

    Good luck!

  • Hello Shawn!

    Thanks for the suggestion! I literally copied/pasted your script in the provisioning criteria. I'm getting the below error when I run the workflow step.

    An exception has occured while executing 'PowerShell script'
    script invocation exception
    The following exception occurred while retrieving member "RefreshCache": "Unknown error (0x80041452)"
    Unknown error (0x80041452)

    Also, to clarify, this version DOES have the "Does not contain" option in the interface for the source provisioning criteria.

    Thanks,

    Arjuna

  • Also, to clarify, this version DOES have the "Does not contain" option in the interface for the source provisioning criteria.

    Ah, in that case I misread your statement above and my theory may be quashed :(

    The error that you're receiving suggests that the object is failing to bind; without inserting debug statements, I wouldn't be able to figure out why. You could start out with something crude like:

    $logFile = 'd:\test.log'
    (get-date) | out-file -filepath $logfile 
    
    # This should output all available attributes to the log file.
    "connection srcObj:`r`n"+($srcobj | fl * | out-string).trim()+"`r`n" | out-file -filepath $logfile -append
    "srcObj type: `'"+$srcObj.GetType()+"`'" | out-file -filepath $logFile -append
    "srcObj basetype: `'"+$srcObj.GetType().basetype.name + "`'" | out-file -filepath $logfile -append
    
    $srcGuid = $srcObj["objectGuid"]
    if (($null -eq $srcGuid) -or ($srcGuid.Length -ne 16)) {
      throw("source object GUID was not returned")
    }
    "source object GUID: `'"+([guid]($srcGuid)).Guid+"`'" | Out-File -FilePath $logFile -Append
    $adObject = [ADSI]("EDMS://<GUID="+([GUID]($srcGuid)).Guid+">")
    if (($null -eq $adObject) -or ($null -eq $adObject.Guid)) {
      throw("failed to bind to the source object")
    }
    "AD object:`r`n"+($adObject | fl * | Out-String).Trim()+"`r`n." | Out-File -FilePath $logFile -Append
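    # Force the description attribute to be loaded for this object.
    $adObject.RefreshCache("description") > $null
    
    # -notcontains tests collection membership, not substrings; -notlike with wildcards does the substring match.
    if (($adObject.Properties.PropertyNames -contains "description") -and ([string]$adObject.Properties["description"].Value -notlike "*disabled*")) {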
      return $true
    }
    else {
      return $false
    }

    Not sure how much it's worth going down that path, though: it could be a wild goose chase.
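
The condition in this thread decides which accounts get provisioned into the target directory, so the operator it uses matters. The following is an added example, not code from the thread or from the product: it runs outside the sync tool on constructed sample descriptions and compares `-notcontains` with a wildcard match. The function name `Test-DescriptionAllowsSync` and the sample users are assumptions made for illustration.

```powershell
# Added example. The users and descriptions below are constructed sample data.
function Test-DescriptionAllowsSync {
    param([AllowNull()][object]$Description)

    # No description at all: nothing marks the account as disabled.
    if ($null -eq $Description) { return $true }

    # Handle a single string and a multi-valued attribute the same way.
    foreach ($value in @($Description)) {
        # -like is a case-insensitive wildcard match, i.e. a substring test here.
        if ([string]$value -like '*disabled*') { return $false }
    }
    return $true
}

$samples = @(
    [pscustomobject]@{ Name = 'alice'; Description = 'Finance analyst' }
    [pscustomobject]@{ Name = 'bob';   Description = 'Disabled 2019-03-01, left company' }
    [pscustomobject]@{ Name = 'carol'; Description = $null }
    [pscustomobject]@{ Name = 'dave';  Description = 'disabled' }
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Name                = $_.Name
        # -notcontains compares whole elements of a collection for equality,
        # so only a description that is exactly 'disabled' is excluded.
        NotContainsWord     = $_.Description -notcontains 'disabled'
        # Wildcards are not expanded by -notcontains; the pattern is a literal.
        NotContainsWildcard = $_.Description -notcontains '*Disabled*'
        # Substring check that also lets accounts with no description through.
        SyncDecision        = Test-DescriptionAllowsSync $_.Description
    }
} | Format-Table -AutoSize
```

Rows where `SyncDecision` differs from the two `-notcontains` columns are accounts that a membership test would pass to the target directory even though their description marks them as disabled.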
