Generate UPN and sAMaccountName values based on values entered in FirstName and LastName entries before creating the user object

I have seen one good thread about this a couple of months ago demonstrating the use of the "onGetEffectivePolicy" handler, but I can't seem to get a script to work for my needs. What I want to accomplish is multi-tiered, and my script is complete and is falling down somewhere as a result.

The objective is for the admin to:

  1. Select a value from a drop down menu configured in a policy (which writes to an AD extension attribute)
  2. Populate the First Name entry ("givenName") and Last Name entry ("sn"),
  3. Have a script module read the value from the drop down selection, and based on the value:
    1. Generate a custom, appended value in the UPN and sAMAccount entries, e.g.:

Drop down selection: "Privileged account"

First Name: John

Last Name: Smith

Generated UPN: "XXX_JSmith@<domain>"

Generated sAMAccountName: "XXX_JSmith"

This is as far as I have gotten (and I recognize it's pretty far from the goal):

    function onGetEffectivePolicy($Request)
    {
        if ($Request.Class -ne "user") {return}

        $AccountType = $Request.Get('<attribute>')
        $Firstname = $Request.Get('givenName')
        $LastName = $Request.Get('sn')
        $CustomVar = "XXX_"+$Firstname[0]+$LastName
        $ResponseValue = GenerateCustomVar $CustomVar
        $strAttrName = "sAMAccountName"

        if ($AccountType -eq 'Privileged account'){
            $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_RELOAD_EPI_BY_RULE, "AccountType")
            $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_AUTO_GENERATED, $strAttrname)
            $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_GENERATED_VALUE, $ResponseValue)
        }
        else {return}
    }

What am I missing?

  • Hi, Joseph.

    Couple of things that immediately came to mind on looking over your sample code. First, I would suggest that you try to use the out-of-the-box ability for the product to generate a samAccountName value for you without having to resort to code. If you do write it yourself, then you lose out on all of the built-in capabilities like auto-generating a guaranteed unique value. Bear in mind that the Logon name generation rule does allow you to construct a generation pattern like this:

    %<edsva_AccountType>_%1<givenName>%<sn>{@counter(optional)}

    In that example, "edsva_AccountType" is a stand-in for whatever attribute contains the three-letter code associated with your account type ("XXX" in your example).

    Also, not a complete answer, but one thing that caught my attention is the fact that these two lines:

        $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_RELOAD_EPI_BY_RULE, "AccountType")
        $Request.SetEffectivePolicyInfo($strAttrname, $Constants.EDS_EPI_UI_AUTO_GENERATED, $strAttrname)

    should not be inside the "if" statement. You are telling the product that samAccountName should be auto-reloaded when/if "AccountType" is changed, and this fact is not conditional on $AccountType being "Privileged account" or not - it is always true. So those two lines should be outside the "if" statement. The construction of "$ResponseValue" and setting of EDS_EPI_UI_GENERATED_VALUE, however, should be inside that "if".

    Hope that lends a hand!

    Cheers,
    Shawn
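
The restructuring described in the reply, written out as an added example (not code from the thread or from the product): the two reload/auto-generate calls sit outside the "if", and only the generated value is conditional. `New-PrefixedLogonName` is a hypothetical helper standing in for the undefined `GenerateCustomVar`, and `edsva_AccountType` is the stand-in attribute name used in the reply; the handler uses only the `$Request` and `$Constants` calls that appear in the question.

```powershell
# Hypothetical helper (not a product function): builds "<prefix>_<initial><surname>",
# removes characters that are not allowed in sAMAccountName, and caps the result
# at the 20-character limit for user logon names. It does NOT check uniqueness,
# which is what the built-in generation rule mentioned in the reply provides.
function New-PrefixedLogonName([string]$Prefix, [string]$GivenName, [string]$Surname)
{
    if ([string]::IsNullOrWhiteSpace($GivenName) -or
        [string]::IsNullOrWhiteSpace($Surname)) { return $null }

    $raw = '{0}_{1}{2}' -f $Prefix, $GivenName.Trim().Substring(0, 1), $Surname.Trim()

    # Invalid in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
    # Whitespace and "@" are stripped as well so the value can be reused as a UPN prefix.
    $clean = $raw -replace '[\s"/\\\[\]:;|=,+*?<>@]', ''

    if ($clean.Length -gt 20) { $clean = $clean.Substring(0, 20) }
    return $clean
}

function onGetEffectivePolicy($Request)
{
    if ($Request.Class -ne 'user') { return }

    $attr     = 'sAMAccountName'
    $typeAttr = 'edsva_AccountType'   # assumption: stand-in name from the reply

    # Unconditional: sAMAccountName is reloaded whenever the account type changes.
    $Request.SetEffectivePolicyInfo($attr, $Constants.EDS_EPI_UI_RELOAD_EPI_BY_RULE, $typeAttr)
    $Request.SetEffectivePolicyInfo($attr, $Constants.EDS_EPI_UI_AUTO_GENERATED, $attr)

    # Conditional: only privileged accounts receive the prefixed value.
    if ($Request.Get($typeAttr) -eq 'Privileged account')
    {
        $first = $Request.Get('givenName')
        $last  = $Request.Get('sn')
        $name  = New-PrefixedLogonName 'XXX' $first $last

        # Skip the generated value until both name fields have been entered.
        if ($name)
        {
            $Request.SetEffectivePolicyInfo($attr, $Constants.EDS_EPI_UI_GENERATED_VALUE, $name)
        }
    }
}
```

The helper can be exercised on its own in a plain PowerShell session, for example `New-PrefixedLogonName 'XXX' 'John' 'Smith'` returns `XXX_JSmith`.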