Workflow vs Deprovisioning Policy

Hi there...

I am trying to determine the order of operations between a deprovisioning policy and a workflow with deprovisioning activities.

Here is what I need to do.  I need to set the Home Drive and Home Path so that the Home Folder deprov policy assigns the manager access to the home folder.

If I manually add the home drive and path in the user record first, then deprov user - the manager gets access.  But if I try to set it via either calling (1) a PreDeprovision script in the policy object or (2) add the two attributes with values to 'Properties to be Updated'.... then the manager is not getting access to the home folder.  The results pane says the user doesn't have a home folder.

I can't use a workflow... because it looks like these don't kickoff until AFTER a deprov policy object.

Any help would be appreciated!

Thanks

  • I shouldn't need to use a workflow at all.  The Deprovisioning Policy Object offers the ability to set the values of attributes or call a script in the policy object to do so.
    Either way, I can get the home drive and home folder path set for the user object, but when it gets to the Home Folder policy rule (that is configured to give the manager read access)... the error states "User doesn't have a home folder".

    It's almost as if, when the policy sets the drive/path, it needs to be saved/applied before it processes the Home Folder policy rule.  UGH!

  • I did create a workflow to run a script (onPreProvision) to set the Home Folder attributes.  I want this workflow to run first.  The Deprov Policy object has edsvaPrecedeWorkflowActivities=False. That was the default setting.  If False, then the Workflow should run first.

    But it is not.  When I look at the Deprov results, it is clearly showing timestamps that the policy object's settings are running first, then the workflow.

  • Rather than triggering on Deprovisioning per se, why don't you trigger based on the setting of a virtual attribute - for example, edsvaTriggerPreDeprovisionAction and have this be the start condition for your Change Workflow that handles the home folder stuff?

  • I'm hoping to not have to use a workflow to achieve this.  It really seems like it should be straightforward but I am getting inconsistent results.

    In my Deprov Policy Object, in this order:

    1. Run script to set home folder.  I assume by using $dirobj.setinfo() that the home folder settings are actually being saved ... so that #4 below will see that a home folder exists and give manager READ access.  

    function onPreDeprovision($Request)
    {
        Set-QADUser $request.dn -HomeDrive "H:" -HomeDirectory "\\lethbridge\users\cityhome\%username%"
        $dirobj.setinfo()
    }

    2. Make account ineligible for login (disable account)

    3. Delete account after 30 days

    4. Prevent user from accessing home folder (assign read access to manager)

    5. Move the user to a different OU.

    After deprovisioning a user, all is good EXCEPT for the Home Folder settings.  It says it is skipped because there is no home folder for the user.  UGH!

    If I add the home folder on the user's AD Profile tab first... and then deprovision... all works as it should.

    I will also say that I have had the Deprov policy work twice out of 50 times trying.  Which makes it even more difficult to troubleshoot.

    Any help would be super appreciated.