Is it possible to apply a VA value to multiple users in one pass?

I have a few thousand users to apply a VA value to - in order for a DynamicGroup to pull them in as members.

Other than my normal practice, of looping through the list - is there an array way to feed set-qaduser an attributeValue append that would take the 3K and do it at once, rather than through a loop?

AD has a way with 'group' membership - and exchange has a way with Update-DistributionGroupMember  - using a list of users "," - or ";" separated, and making that one-call, that's-all ...

can ARS do this too?  say yes. and show me how.

  • So - maybe nothing in the box ...

    maybe out of the box?

    My working assumption in this task - is,
    that the VA value lives completely inside ARS config. 
    And ARS config is stored in SQL.
    SQL has tables that can be updated.


    can, a SQL query be structured to update a table that contains the VA's tied to an AD user object

    - and push the VA via SQL command in one pass.
    and on ARS restart, the aradminsvc will associate the VA values with the live user.

  • You definitely don't want to get into doing any manipulations of the AR SQL tables as this would put you off-side from a Support perspective.

    I was going to suggest a programmatic trigger of a policy check.

    So initially, you set a provisioning policy PVG rule that says that myVA "MUST BE" value "X"  and then programmatically trigger AR to check objects for compliance with this policy and correct those that are not.

  • Am curious, how exactly are you writing to the VAs?

    Are you using the Quest PoSh cmdlets or ADSI-style calls?

  • I do as much up front external to ARS - so I am doing an adsi search for the AD user object to be updated

    $strRoleType = 'IMASPECIALROLE'
    $objUser = ([adsisearcher]::new([ADSI]"LDAP://$strContainerDN","(&(objectcategory=person)(objectclass=user)(name=$username))",('name','canonicalname','dn','memberof'),"subtree")).findone()

    I validate the user isn't sitting in an off-limits subOU of the parent search path, and is not yet a member of the dynamic group - among other pre-checks.

    - If the user is still a target of the VA change - I then run the following QAD command

    Set-QADUser -Identity $objUser.properties.canonicalname[0] -ObjectAttributes @{'edsvaRoleBean'=@{Append=@("$strRoleType")}} -connection $ARSession  | out-null

  • Hmmm .. <peeks over glasses>  that is worth a real shot, Terrance.  

  • Try this instead of your Set-QADUser

    $ADObj = [ADSI]("EDMS://" + $objUser.distinguishedname)

    # 2 indicates append

    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType"))

    $ADObj.setinfo()

  • Encountered an error with the putex as written.

    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType")) 

    I removed the double quotes - and left the singles on the rolebean - ran without error, but replaced the existing roles under that VA name with just the one.
    whoops.  I can roll that back - but, here's the error that was returned as written above -
    $ADObj.putex(2,"'edsvaRoleBean'",@("$strRoleType"))
    Exception calling "putex" with "3" argument(s): "The directory datatype cannot be converted to/from a native DS datatype

  • $ADObj.putex(2,'edsvaRoleBean',@($strRoleType)) 


  • $ADObj.putex(2,'edsvaRoleBean',@("$strRoleType"))

    Exactly as I ran it - and it didn't error .. Try catch let it run in peace for a small test collection.

    and checking the change history - shows the before and after values in edsvaRoleBean to be just the one 'new' value rather than the 'list' showing the new one appended.     2 means 2 ... until it doesn't  : )  I had a math teacher tell me that once.

    well - on second look - I left the double quotes on the $strRoleType ... I'll remove it on my end and re-test.

  • My bad... I believe the '2' should be a 3 for an Append.

  • see - my math teacher was right.   I'll re-test. Thanks Johnny
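
The append fix arrived at above, as an added example that is not code from the thread or from Quest: it binds each user through the EDMS provider, records the existing values, and calls PutEx with control code 3 only when the value is missing. The function name, its parameters and the sample DNs are hypothetical, and it assumes the provider returns the VA through GetEx; it still makes one write per user.

```powershell
# ADSI PutEx control codes (ADS_PROPERTY_OPERATION_ENUM)
$ADS_PROPERTY_CLEAR  = 1   # remove all values
$ADS_PROPERTY_UPDATE = 2   # replace all values with the supplied ones (the overwrite seen above)
$ADS_PROPERTY_APPEND = 3   # add the supplied values to the existing ones
$ADS_PROPERTY_DELETE = 4   # remove only the supplied values

function Add-RoleBeanValue {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$DistinguishedName,
        [Parameter(Mandatory)][string]$Value,
        [string]$Attribute = 'edsvaRoleBean'
    )
    process {
        foreach ($dn in $DistinguishedName) {
            $result = [pscustomobject]@{ DN = $dn; Before = $null; Action = $null; Error = $null }
            try {
                $obj = [ADSI]("EDMS://$dn")   # Active Roles ADSI provider, as used in the thread
                # GetEx throws when the attribute has no value yet; treat that as an empty list.
                try   { $before = @($obj.GetEx($Attribute)) }
                catch { $before = @() }
                $result.Before = $before -join ';'   # prior values, kept for rollback and audit

                if ($before -contains $Value) {
                    $result.Action = 'AlreadyPresent'
                }
                elseif ($PSCmdlet.ShouldProcess($dn, "Append '$Value' to $Attribute")) {
                    $obj.PutEx($ADS_PROPERTY_APPEND, $Attribute, @($Value))
                    $obj.SetInfo()
                    $result.Action = 'Appended'
                }
                else { $result.Action = 'Skipped' }
            }
            catch {
                $result.Action = 'Failed'
                $result.Error  = $_.Exception.Message
            }
            $result   # one record per user on the pipeline
        }
    }
}

# Constructed sample input; run with -WhatIf first and keep the CSV as the "before" record.
# 'CN=Test User1,OU=Staff,DC=example,DC=com','CN=Test User2,OU=Staff,DC=example,DC=com' |
#     Add-RoleBeanValue -Value 'IMASPECIALROLE' -WhatIf |
#     Export-Csv .\rolebean-before.csv -NoTypeInformation
```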

  • there had been a post by one of the Nova Scotia support peeps - on how to query SQL to return the before and after values of an attribute changed via active roles...   I can't find it now here- or in my own notes.    That knowledge would come in handy now.    Quest/OI change history commandlets only show the after value - but the sql query nugget buried somewhere in the forum  / KA's here has that query spelled out.    Can you share that here?
