Pull a value out of policy or enforce a policy on one user.

My goal is to look at the policy applied to an object and pull a value the policy would set.

Specifically, I'd like to pull homePath and homeDirectory out of the Home Folder and AutoProvisioning Policy applied to a user object.


This looks close to what I'm trying to do. I'm not sure what $PolicyRule is supposed to be in this situation; is it the name of the policy?

#===========================================================================
# ExecutePolicyRule
#===========================================================================
# This function generates a value in accordance with a PVG generation rule
#
# Parameters
# $PolicyRule - string with PVG generation rule (e.g. "\\server\home\%<sAMAccountName>")
# $Request - the Request object. Please see ARS SDK for details about this
# object
# Return value
# String with generated value
# Remarks
# This function is applicable to onPreCreate, onPostCreate, onPreModify,
# onPostModify, and onCheckPropertyValues event handlers.
# It relies on GetActualAttribute (a helper from the same library, not shown
# here) to resolve each %<attribute> token against the request or directory.
#
function ExecutePolicyRule ([string]$PolicyRule , $Request)
{
    $value = $PolicyRule
    # Collect every %<attributeName> token used in the rule
    $rex = [regex]'(?:%<(?<name>.+?)>)'
    $neededAttributes = $rex.Matches($PolicyRule) | %{ $_.Groups['name'].Value }
    # Substitute each token with the attribute's actual value
    $neededAttributes | %{ $value = $value -replace [regex]::Escape('%<' + $_ + '>'), (GetActualAttribute $_ $Request) }
    return $value
} #-- ExecutePolicyRule

I would also be OK with an enforce policy option.

  • Perhaps you can share a bit more about your use case?

    Also, how well do you understand the concept of the Active Roles event handlers mentioned above:

    onPreCreate, onPostCreate, onPreModify, onPostModify, and onCheckPropertyValues

    The names are pretty self-explanatory except for the last one - that event is fired both when you click Save/Finish and also Next when moving pages in a wizard (example:  user creation).

    To answer your question about the Policy Rule - that would be the name of the individual rule residing within a Provisioning Policy object.

  • This looks like only a part of a custom solution. The ExecutePolicyRule function is not one of the built-in Active Roles triggering event functions and would not work in a Policy script.

    From what you are describing, I think that you need to implement a Policy Script which is triggered by an onGetEffectivePolicy event. This is an expensive call and would need to be narrowly scoped to ensure that complex computations are only performed when applicable. I suggest using the IsAttributeModified method from the Best Practices Library to confirm that your attributes are in the request.

  • I have worked with policy scripts using the event handlers. For this one I'd planned to use onPostUnDeprovision.

    I have ~60 agencies each with its own provisioning policy. I want to populate homePath and homeDirectory on an undeprovision if homeDirectory is $null. 

    I'm doing this with a hard-coded path for one of these agencies now, but I'd rather if the script could pull the value out of policy. This way there aren't multiple places that need to be updated when things change.

    function onPostUnDeprovision($Request)
    {
        # Connect to the local Active Roles Administration Service
        Connect-QADService -proxy localhost

        # Read the user being undeprovisioned, including homeDirectory
        $user = get-qaduser $Request.GUID -IncludedProperties homeDirectory

        # Hard-coded share for one agency; the goal is to pull this from policy instead
        $homeDirectory = "\\servername\path\" + $user.SamAccountName

        # Only set the home folder when the user does not already have one
        if ($null -eq $user.homeDirectory) {
            set-qaduser $Request.GUID -HomeDrive H: -HomeDirectory $homeDirectory
        }
    }

  • Ah so you want to find out what the home directory property should be for the un-deprovisioned users who don't have one set at un-deprovision time.

    So what you could do is trigger from onPreUnDeprovision handler to see if the homedirectory is being set.  You can trap this using the IsAttributeModified function as Terrance suggested and then you would need to find out what the value should be and inject this into your in-process $Request.  That's where the reading of the homedirectory policy object for the object OU comes into play.

    I think you might be able to do something like this:

    # '3' is the integer representation of EDS_EPI_UI_POSSIBLE_VALUES, which reads back
    # the possible values for the attribute per the effective policy rule
    $PossibleHomeDirs = $Request.GetEffectivePolicyInfo('homedirectory', 3)

    What's not clear to me is whether you can call the GetEffectivePolicyInfo just like this in your onPreUnDeprovision or if you have to do it within an OnGetEffectivePolicy handler.

  • Thank you both.  This gets me where I need to go. I should be able to figure it out with this help.

    I figured out how to pull the value out of the policy if I know the DN of the policy. I have been pretty good about how I name policies so I might be able to cheat and use this in a pinch. 

    $DN = "CN=User Provisioning,CN=Administration,CN=Policies,CN=Configuration"

    # Bind to the Policy Object through the Active Roles ADSI provider
    $obj = [ADSI] "EDMS://$DN"

    $PVGName = "Provisions users with home folders and home shares"

    # Select the individual PVG rule by name, then its settings by SettingID
    $PVGPolicy = $obj._NewEnum | where {$_.Name -eq $PVGName}
    $PVGsetting10 = $PVGPolicy | where {$_.SettingID -eq 10}
    $PVGsetting22 = $PVGPolicy | where {$_.SettingID -eq 22}

    $PVGsetting22.Value
    $PVGsetting10.Value

    Output:

    H:
    \\server\path\%username%
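The following is an added example, not code from any participant in this thread or from Active Roles itself. It ties the two threads of the discussion together: the onPreUnDeprovision approach suggested in the earlier reply (check whether homeDirectory is already being set, otherwise work out the value and inject it into the in-process $Request) and the policy-reading trick from the last post (bind to the PVG rule through EDMS:// and read its settings). Everything environment specific is an assumption: the policy DN and rule name, the mapping of SettingID 22 to the drive letter and SettingID 10 to the path template (taken from the order of the output above), the `%username%` token being the only macro in the template, `$Request.Put` being available in this handler as in other Active Roles request handlers, and `IsAttributeModified` being loaded from the Best Practices Library.

```powershell
# Added example (not from the thread). Assumes the Active Roles Best Practices
# Library function IsAttributeModified is available and that $Request supports
# Put() in the onPreUnDeprovision handler.

function Get-PvgHomeFolderSettings {
    param(
        # Both defaults are the values shown in the thread; treat them as environment specific.
        [string]$PolicyDN = 'CN=User Provisioning,CN=Administration,CN=Policies,CN=Configuration',
        [string]$RuleName = 'Provisions users with home folders and home shares'
    )
    # Bind to the Policy Object through the Active Roles ADSI provider
    $policyObject = [ADSI]"EDMS://$PolicyDN"
    $rule = $policyObject._NewEnum | Where-Object { $_.Name -eq $RuleName }
    if ($null -eq $rule) { throw "PVG rule '$RuleName' not found under $PolicyDN" }

    # Assumed from the output in the thread: SettingID 22 = home drive letter (H:),
    # SettingID 10 = home folder path template (\\server\path\%username%).
    $drive = ($rule | Where-Object { $_.SettingID -eq 22 }).Value
    $path  = ($rule | Where-Object { $_.SettingID -eq 10 }).Value
    if ([string]::IsNullOrEmpty($path)) { throw "Home folder template (SettingID 10) is empty" }

    return [pscustomobject]@{ HomeDrive = $drive; PathTemplate = $path }
}

function Expand-HomeFolderTemplate {
    param([string]$Template, [string]$SamAccountName)
    # The template comes from policy and is trusted; the account name is data.
    # A valid sAMAccountName never contains path separators, so refuse anything
    # that would let the expanded path leave the share's directory.
    if ($SamAccountName -match '[\\/]|\.\.') {
        throw "Refusing to expand home folder template for account name '$SamAccountName'"
    }
    return $Template -replace '%username%', $SamAccountName
}

function onPreUnDeprovision($Request)
{
    # Nothing to do if the request already carries a homeDirectory value
    if (IsAttributeModified 'homeDirectory' $Request) { return }

    Connect-QADService -proxy localhost | Out-Null
    $user = Get-QADUser $Request.GUID -IncludedProperties homeDirectory
    if (-not [string]::IsNullOrEmpty($user.homeDirectory)) { return }

    # Resolve the values from the policy object instead of a hard-coded path,
    # so there is a single place to update when the share moves.
    $settings      = Get-PvgHomeFolderSettings
    $homeDirectory = Expand-HomeFolderTemplate -Template $settings.PathTemplate -SamAccountName $user.SamAccountName

    # Inject into the in-process request so the undeprovision operation itself writes them
    $Request.Put('homeDrive', $settings.HomeDrive)
    $Request.Put('homeDirectory', $homeDirectory)
}
```

Get-PvgHomeFolderSettings can be called on its own from a console (after importing the Active Roles snap-in) to confirm the SettingID mapping for a given agency before wiring it into the handler; because ~60 agencies each have their own policy, the DN and rule name would in practice be derived from the user's OU rather than defaulted as above.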