Workflow and get attributes other than the changed attribute

Hello, 

I have this script in a workflow where the trigger is a change to the attribute extensionattribute1 OR physicaldeliveryoffice. The thing is that when one of these attributes changes, the workflow is launched but the script can only get the changed attribute.

In the same way, when one of these attributes is changed I cannot get any other attributes like DN or samaccountname.

How can I get any other attribute in addition to the changed attribute that launches the workflow?

 

    function GetValue
    {
        param
        (
            $Request,
            $Attribute
        )

        try
        {
            $Value = $Request.Get($Attribute)

            if(-not $value)
            {
                $Value = $DirObj.Get($Attribute)
            }
        }
        catch
        {
            $value = $null
        }

        return $value
    }

    function CalculOUdestination($Request){

        $oupath = ",OU=Colisee,OU=Usuarios,DC=local,DC=colisee,DC=es"
        $OU = ""

        $code_eta = GetValue $Request "physicalDeliveryOfficeName"
        $code_eta2 = $Request.get("physicalDeliveryOfficeName")

        $dep_title = GetValue $Request "extensionAttribute1"
        $dep_title2 = $Request.get("extensionAttribute1")
        $code_user = GetValue $Request "sAMAccountName"
        $code_user2 = $Request.get("sAMAccountName")

        $OU = "OU="+$dep_title2+",OU="+$code_eta2+",OU=Colisee,OU=Usuarios,DC=local,DC=domain,DC=local"

        return $OU

    }

Top Replies

  • Hello, is the use case here to move the user to a new OU based on the values set in 'physicalDeliveryOfficeName' and 'extensionAttribute1'? If so, then there might be a solution to this that won't involve any code.

    Leave the Change workflow as is, which is to execute based on a change to either or both of these attributes. Then, within the bottom half of the workflow, under the 'Operation execution' section, place a Move workflow activity.

    Opening the Properties of the Move step, the 'Activity Target' would be the 'Workflow Target'. The 'Destination Container' would be set to 'Object identified by DN-value rule expression'. This is where you can build out the new OU destination, similar to what is being done in the above script. When clicking the 'Add entry' button, create the new OU location string by adding multiple values.

    Select 'Text strings' when clicking 'Add entry' and type in the hardcoded OU= location values

    Select 'Property of object from workflow data context' when wanting to insert an attribute value. From the 'Target object' select 'Workflow Target'. And for 'Target Property' select the attribute from the presented list (Office Location is in this default list) or select 'More choices' at the bottom to search for the attribute (extensionAttribute1). The resulting rule would look something similar to this:

  • Hi  

    From an ease of working, I like  approach, less to support in the longer term and easier for others to pick up who are either new to ARS, PowerShell or both.

    However what you're trying to do, should be possible, and if it's not working that would be an issue.

    This session from one of the Unite conferences on the request object is available here: The Request Object: The Heart of Active Roles (oneidentity.com) (you might need to be registered to watch it)

    The request object ($Request) is basically the inflight object being changed, but it only contains some base object information, plus a property cache of all the attributes changed as part of the request.

    Your script gets this information with this line of code:

    $Value = $Request.Get($Attribute)

    However, if you've modified one of the two attributes you need, that second attribute will not be in the $Request cache (unless it's part of a base object). Therefore you need to get the unchanged information directly from the object. This is done using the $DirObj object; you're doing that in this code:

    $Value = $DirObj.Get($Attribute)

    However, if the attribute is not in the default object cache, no value will be returned, as you need to load the attribute into the $DirObj object's cache. This is done with the below code, where $AttributeName is the property you want to look up. Note that this line is only adding it to the property cache; you still need to do your .Get method to return it to wherever you want to use it.

    [void]$DirObj.GetInfoEx(@($AttributeName),0)

    Below are a couple of functions (GetActualAttribute, GetAttribute and IsAttributeModified) taken from the "Best Practices Library For PowerShell" library script.

    The function you'd call is "GetActualAttribute"; this should check if the attribute you provide has been modified:

    • if it has, it calls "GetAttribute" to return that value from the $Request object
    • otherwise it requests that your attribute be added to the DirObj property cache, then it calls GetAttribute to return the required value from the $DirObj object

    function GetActualAttribute ([string]$AttributeName, $ADSIObject)
    {
        if (IsAttributeModified $AttributeName $ADSIObject)
        {
            return (GetAttribute $AttributeName $ADSIObject)
        }
        else
        {
            trap { continue }
            [void]$DirObj.GetInfoEx(@($AttributeName),0)
            return (GetAttribute $AttributeName $DirObj)
        }
    }
    
    function IsAttributeModified ([string]$AttributeName, $Request)
    {
        $objEntry = $Request.GetPropertyItem($AttributeName, $Constants.ADSTYPE_CASE_IGNORE_STRING)
        if ($objEntry -eq $null) { return $false }
        if ($objEntry.ControlCode -eq 0) { return $false }
        return $true
    }
    #-- IsAttributeModified
    
    function GetAttribute ([string]$AttributeName, $ADSIObject)
    {
        trap { continue }
        return $ADSIObject.Get($AttributeName)
    } #-- GetAttribute

    Using this code should mean that if you request an attribute in the $Request properties, it will be returned first, i.e. if you had a Department value which was set to "Sales" and is now set to "IT", it would return "IT".

    If you are trying to retrieve a property which has not been modified, it should return "Sales" which it will get from the $DirObj object.

    The video I mentioned above will give you a much deeper dive into the subject.
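
The fallback described in the reply above, applied to the asker's GetValue and OU-building functions. This is an added example, not part of the original posts or of the Best Practices Library. `Get-CurrentValue`, `Get-DestinationOU` and `ConvertTo-RdnValue` are hypothetical names, and `New-FakeAdsi` is a constructed stand-in for the Active Roles `$Request` and `$DirObj` objects so the script runs outside a workflow.

```powershell
# Constructed stand-in: Get() reads only the property cache, GetInfoEx() loads into it.
function New-FakeAdsi([hashtable]$Cache, [hashtable]$Directory = @{}) {
    $o = [pscustomobject]@{ Cache = $Cache; Directory = $Directory }
    $o | Add-Member ScriptMethod Get {
        param($n)
        if ($this.Cache.ContainsKey($n)) { $this.Cache[$n] } else { throw "$n not in cache" }
    }
    $o | Add-Member ScriptMethod GetInfoEx {
        param($names, $reserved)
        foreach ($n in $names) {
            if ($this.Directory.ContainsKey($n)) { $this.Cache[$n] = $this.Directory[$n] }
        }
    }
    $o
}

# Changed attributes come from the request; unchanged ones from the directory object,
# after GetInfoEx has loaded them into its property cache.
function Get-CurrentValue($Request, $DirObj, [string]$Attribute) {
    try { $value = $Request.Get($Attribute) } catch { $value = $null }
    if ($value) { return $value }
    try {
        [void]$DirObj.GetInfoEx(@($Attribute), 0)
        return $DirObj.Get($Attribute)
    } catch { return $null }
}

# Escape RFC 4514 special characters so a value such as "Madrid, Centro"
# stays a single RDN instead of splitting the destination DN.
function ConvertTo-RdnValue([string]$Value) {
    ($Value.Trim() -replace '([,+"\\<>;=])', '\$1') -replace '^#', '\#'
}

function Get-DestinationOU($Request, $DirObj, [string]$BaseDN) {
    $office = Get-CurrentValue $Request $DirObj 'physicalDeliveryOfficeName'
    $dept   = Get-CurrentValue $Request $DirObj 'extensionAttribute1'
    if (-not $office -or -not $dept) { return $null }   # never build "OU=,OU=..."
    'OU={0},OU={1},{2}' -f (ConvertTo-RdnValue $dept), (ConvertTo-RdnValue $office), $BaseDN
}

# Constructed sample: only extensionAttribute1 is being changed by the request.
$req = New-FakeAdsi @{ extensionAttribute1 = 'IT' }
$dir = New-FakeAdsi @{} @{ physicalDeliveryOfficeName = 'Madrid, Centro'; extensionAttribute1 = 'Sales' }
Get-DestinationOU $req $dir 'OU=Colisee,OU=Usuarios,DC=local,DC=domain,DC=local'
```

`Get-CurrentValue` uses the empty-value test from the asker's GetValue rather than the ControlCode check in IsAttributeModified, so an attribute that the request is clearing falls back to the stored value.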