Delete User ini File when account is deprovisioned

Hi All

I need a way of deleting the user's ini file as part of the deprovision or when I delete the account from AD. Any ideas? I assume it will have to be a script, but I've yet to use a script as part of Activeroles. We're using Activeroles Server version 6.8.

Thanks

  • I would implement a new script module that has onDeprovision() handler (and maybe onPostDelete()) and include this script into a deprovision policy.

    This script would use the target user name to calculate the .ini file name, and would then call the Remove-Item cmdlet to delete the file:

    $userName = $DirObj.Get('name')

    $fileName = '\\fileserver1\share\' + $userName + '.ini'

    Remove-Item $fileName

  • One of the advantages of doing a deprovision is the fact that you can undo the deprovision. If you are going to delete stuff then you won't be able to undo the deprovision, so keep that in mind. It might be better to archive that file for a while, and then in an undoDeprovision policy you can use a script to copy it back.

    In my deprovision policy I was asked to disconnect the user's mailbox - this broke the undo deprovision as now the mailbox was disconnected; however, a simple script could easily reconnect it as part of the undoDeprovision policy.

    It would be nice to see this functionality added to ARS natively, with an option to delay the mailbox deprovision for a configurable number of days.

  • I was thinking that, but I need a tidy-up script as we use Citrix; they have an INI file containing settings for their terminals, and these are currently left behind and a manual removal?

  • Do I have to use a workflow for the script above? As I said, I've not used this before.

  • How would I script this into Activeroles, as I've never done a script?

  • Using Sargey's example code, you create a script policy here: CN=Script Modules,CN=Configuration - ideally create a container to hold your scripts. Right-click and select New and the wizard will walk you through - select PowerShell as the language and onDeprovision as the handler, and put Sargey's code inside the event handler that will be created for you.

    Now create a deprovision policy or edit your current one, which will be located somewhere here: CN=Administration,CN=Policies,CN=Configuration - right-click and select New Deprovision Policy, then add the policy script. Link the policy to the container where the user objects are, either a managed unit or an OU / domain.

    You should read the scripting best practice because Sargay's code is just the basics - you should include checks like "is the object being changed a user", e.g. if ( $request.class -ne "user" ) { return }, and also an error handler - you can use workflow to generate deprovision reports, but you may want to also include logging / error emails from the script itself.

  • Hi Lee, Thanks

    This is what I've done:

    Create New Script Policy (Delete User INI File as below):

    $userName = $DirObj.Get('name')

    $fileName = '\\fileserver1\share\' + $userName + '.ini'

    Remove-Item $fileName

    Added policy as last step to Default User Deprovision which is assigned to correct managed unit.

    But it doesn't remove the file, nor does it give any errors. The Deprovision results seem to ignore it?

    Ideas?

  • Don't forget to read the best practice for ARS scripting, and Greg has done a good job of explaining how to use the $DirObj: http://www.pvgconsultants.com/news/workingwithdatasetsinarspolicyscripts%E2%80%93requestvsdirobjvsqadcmdlets and this is a good blog:

    http://arsdears.wordpress.com/2012/10/ by Amanda Debler, another forum member.

    As best practice you should use a function to get the value to avoid any errors - notice the trap statement

    function Get-Value($obj, $attr)
    {
        # If Get() throws (e.g. the attribute is not set), the trap resumes at the
        # next statement, so the function returns $null instead of failing
        trap { continue }
        return $obj.Get($attr)
        return $null
    } # End Function Get-Value

    function onInit($Context) {
        # Sets the parameters
        $par02 = $Context.AddParameter("DebugLevel")
        $par02.MultiValued = $false
        $par02.PossibleValues = "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"
        $par02.DefaultValue = "1"
        $par02.Description = "Debugging EventLog Level where: 0 is no debugging; 9 is the most verbose; 1 is the least verbose"
        $par02.Required = $false
    }

    function onDeprovision($Request) {
        # Always check if the request object is the class you are looking for as best practice
        if ( $Request.class -ne "user" ) { return }

        # For debug purposes you can write to the event log or to an external log file.
        # You can set a debug level in an onInit handler, then use this to determine if the script should write events.
        # The parameter value is a string, so cast it before the numeric comparison.
        $debugLevel = [int]$PolicyEntry.Parameter("DebugLevel")
        if ($debugLevel -ge 5) { $EventLog.ReportEvent($Constants.EDS_EVENTLOG_ERROR_TYPE,"User-reactToDeprovisionRequest $scriptVersion >>>>>>> in onDeprovision Function ") }

        $userName = Get-Value $DirObj "Name" # or try using the $request object I think the sAMAccountName is always in the $Request object

        # Check you got a name back
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_ERROR_TYPE,"User-reactToDeprovisionRequest $scriptVersion >>>>>>> DirObj Manager = $userName ")

        $fileName = '\\fileserver1\share\' + $userName + '.ini'

        # Check what you are passing as the file name
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_ERROR_TYPE,"User-reactToDeprovisionRequest $scriptVersion >>>>>>> FileName = $fileName")

        $error.clear()
        Remove-Item $fileName

        # Report whatever Remove-Item added to $error
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_ERROR_TYPE,"User-reactToDeprovisionRequest $scriptVersion >>>>>>> Error = $error")
    }

  • Ok, I've figured it out, it required $userName = $DirObj.Get('sAMAccountName')

    for some reason it didn't like name.

    Works a treat now

    Thanks
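Added example, not part of any post in this thread: one way to combine the advice above (class check, error handling, archiving instead of deleting so an undo policy can copy the file back) with the sAMAccountName fix. The archive folder, the allow-list pattern and the function name Move-UserIniToArchive are assumptions; -LiteralPath is used so that characters in the account name are never expanded as wildcards.

```powershell
function Move-UserIniToArchive {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$ShareRoot,
        [Parameter(Mandatory = $true)][string]$ArchiveRoot
    )
    # Assumed allow-list: letters, digits, dot, underscore, hyphen, max 20 chars.
    # It rejects path separators and the wildcard characters (* ? [ ]) that
    # Remove-Item / Move-Item would expand when given -Path instead of -LiteralPath.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Refusing to build a file path from account name '$SamAccountName'"
    }

    $source = Join-Path $ShareRoot ($SamAccountName + '.ini')
    if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
        return $null    # no INI file for this user, nothing to tidy up
    }

    if (-not (Test-Path -LiteralPath $ArchiveRoot -PathType Container)) {
        New-Item -ItemType Directory -Path $ArchiveRoot -ErrorAction Stop | Out-Null
    }

    # Timestamp the archived copy so a later deprovision of a reused name cannot overwrite it
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $ArchiveRoot ('{0}.{1}.ini' -f $SamAccountName, $stamp)

    # -ErrorAction Stop turns failures into exceptions the caller can catch and log
    Move-Item -LiteralPath $source -Destination $target -ErrorAction Stop
    return $target
}

function onDeprovision($Request) {
    if ($Request.Class -ne 'user') { return }

    $iniShare   = '\\fileserver1\share'                  # share used in the thread
    $iniArchive = '\\fileserver1\share\_deprovisioned'   # hypothetical archive folder

    try {
        $sam = $DirObj.Get('sAMAccountName')
        [void](Move-UserIniToArchive -SamAccountName $sam -ShareRoot $iniShare -ArchiveRoot $iniArchive)
    }
    catch {
        # Surface the failure instead of letting the policy step pass silently
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_ERROR_TYPE, "INI tidy-up failed: $_")
    }
}
```

The account the script runs under needs modify rights on both the share and the archive folder; without them the move fails and the catch block writes the reason to the event log.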

  • I use a Debug Policy to dump out the request object when I get stuck, as different handlers appear to return different attributes in some cases. A recent one I had was checking for when an account was disabled - in the preModify handler I used the VA edsaAccountIsDisabled and in the postModify handler I had to use the userAccountControl attribute - the latter attribute was not available to the preModify handler.

    Here are the scripts if you want to use them...

    Sub onPostModify(Request)
    str = vbCrLf
    str = "Property values modified in the directory object" + vbCrLf
    str = str + "PostObject DN: " + Request.Name + vbCrLf
    str = str + "PostObject type: " + Request.Class + vbCrLf + vbCrLf
      ' Retrieve properties from in-process data
    For i=0 To Request.PropertyCount-1
        Set item = Request.Item(i)
        str = str + "PostProperty name: " + item.Name
        str = str + ", PostProperty value(s): "
    ' Retrieve Property values
      For Each value In item.Values
        Select Case value.ADsType
            Case ADSTYPE_DN_STRING
                str = str + value.DNString + "// "
            Case ADSTYPE_CASE_EXACT_STRING
                str = str + value.CaseExactString + "// "
            Case ADSTYPE_CASE_IGNORE_STRING
                str = str + value.CaseIgnoreString + "// "
            Case ADSTYPE_PRINTABLE_STRING
                str = str + value.PrintableString + "// "
            Case ADSTYPE_NUMERIC_STRING
                str = str + value.NumericString + "// "
            Case ADSTYPE_BOOLEAN
                str = str + CStr (value.Boolean) + "// "
            Case ADSTYPE_INTEGER
                str = str + CStr (value.Integer) + "// "
        End Select
      Next
        str = str + vbCrLf
    Next
    ' Write output into log file
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set MyFile = fso.OpenTextFile("c:\temp\PostModReqobj.txt", 8, True)
    MyFile.WriteLine(str)
    MyFile.Close
    End Sub

    Sub onPreModify(Request)
    str = vbCrLf
    str = "Property values modified in the directory object" + vbCrLf
    str = str + "Object DN: " + Request.Name + vbCrLf
    str = str + "Object type: " + Request.Class + vbCrLf + vbCrLf
      ' Retrieve properties from in-process data
    For i=0 To Request.PropertyCount-1
        Set item = Request.Item(i)
        str = str + "Property name: " + item.Name
        str = str + ", Property value(s): "
    ' Retrieve Property values
      For Each value In item.Values
        Select Case value.ADsType
            Case ADSTYPE_DN_STRING
                str = str + value.DNString + "// "
            Case ADSTYPE_CASE_EXACT_STRING
                str = str + value.CaseExactString + "// "
            Case ADSTYPE_CASE_IGNORE_STRING
                str = str + value.CaseIgnoreString + "// "
            Case ADSTYPE_PRINTABLE_STRING
                str = str + value.PrintableString + "// "
            Case ADSTYPE_NUMERIC_STRING
                str = str + value.NumericString + "// "
            Case ADSTYPE_BOOLEAN
                str = str + CStr (value.Boolean) + "// "
            Case ADSTYPE_INTEGER
                str = str + CStr (value.Integer) + "// "
        End Select
      Next
        str = str + vbCrLf
    Next
    ' Write output into log file
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set MyFile = fso.OpenTextFile("c:\temp\PreModReqobj.txt", 8, True)
    MyFile.WriteLine(str)
    MyFile.Close
    End Sub

    Sub onPreUnDeprovision(Request)
    str = vbCrLf
    str = "Property values modified in the directory object" + vbCrLf
    str = str + "Object DN: " + Request.Name + vbCrLf
    str = str + "Object type: " + Request.Class + vbCrLf + vbCrLf
      ' Retrieve properties from in-process data
    For i=0 To Request.PropertyCount-1
        Set item = Request.Item(i)
        str = str + "Property name: " + item.Name
        str = str + ", Property value(s): "
    ' Retrieve Property values
      For Each value In item.Values
        Select Case value.ADsType
            Case ADSTYPE_DN_STRING
                str = str + value.DNString + "// "
            Case ADSTYPE_CASE_EXACT_STRING
                str = str + value.CaseExactString + "// "
            Case ADSTYPE_CASE_IGNORE_STRING
                str = str + value.CaseIgnoreString + "// "
            Case ADSTYPE_PRINTABLE_STRING
                str = str + value.PrintableString + "// "
            Case ADSTYPE_NUMERIC_STRING
                str = str + value.NumericString + "// "
            Case ADSTYPE_BOOLEAN
                str = str + CStr (value.Boolean) + "// "
            Case ADSTYPE_INTEGER
                str = str + CStr (value.Integer) + "// "
        End Select
      Next
        str = str + vbCrLf
    Next
    ' Write output into log file
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set MyFile = fso.OpenTextFile("c:\temp\PreUnDeprovReqobj.txt", 8, True)
    MyFile.WriteLine(str)
    MyFile.Close
    End Sub