• Extract Secondary owners from Security Groups

    Hi All,

    I need powershell script to find out secondary owners from all the security groups in my domain. I searched for few blogs and found some suggestion about report but i need script/Powershell to find out the same. 

    We have thousand groups and for…

  • Read Target group's managers and send mail to email attribute value defined in other domain

    Hi ,

    We have Domain A and Domain B in ARS. Domain A and Domain B users are in sync. Domain A does not have email attribute or incorrect email attribute but corresponding user in domain B has correct email attribute. we have security groups in domain A…

  • Computer Dynamic Group Membership Rule Distinguished Name


    I want to create a dynamic group including all computers with a Distinguished Name containing "CRETEIL".
    Unfortunately, the membership rule "Computer distinguishedName Contains CRETEIL" doesn't return any items while many computers have…

  • Cross domain members don't inherit group delegated rights


    I have two ARS managed domains which are in the same forest. Let's pretend domain1 and domain2.

    I also have two groups, domain1\read-domain1 and domain2\read-domain2 which have the rights "All Objects - Read All Properties" respectiv…

  • Azure AD Questions

    Hi all,

    I am new to One Identity products and possibly looking at purchasing Active Roles to automate new user requests from Service Now but I have a few questions that i hope you can help me with:


    We currently create users on our on premise…

  • Active Roles 7.4 SAML configuration

    Recently we configured our dev ARS 7.4 environment with SAML pointing at AzureAD.  We followed the instructions in Active Roles 7.4 Administration guide, creating an App Pool service domain account with kerberos constrained delegation with the required…

  • Group membership approval not working for DL

    HI team,

    We have separate user domain and resource domain. Exchange is in resource domain for which users master accounts is in user domain. so linked mailboxes in resource domain.

    Few Distribution list in resource domain's exchange has owners defined…

  • Component Object Model (COM) File System Object Disablement?

    Forgive me if this is a simple question, but does Active Roles Server 7.3 use the File System Object at all? Been asked to see if this would impact our ARS operations if we were to disable the registry key that is associated with the File System Object…

  • Quickconnect Deprovision from DB2 Table to Active Roles

    Source System: DB2 Table

    Destination: Active Roles Server

    I have the synchronization service read data from a table. This table is formed by user submission to deprovision accounts. From the sync server, I send a deprovision job over to Active Roles…

  • Update description field on a managed unit fail


    In the Helpdesk site I have created custom form with access to the description attribute and linked this to the directory object type of a Managed Unit. I have also created a user account with limited permissions in ARS but enough to allow changes…

  • Active Roles 7.3.3 is now available

    Active Roles 7.3.3 is now live on the Support Portal!

    Software and documentation are available at the following location(s):



  • ARS upgrade path from 6.8 to 7.3?

    I've been tasked with upgrading our Quest ARS environment.  Is there any documentation or recommendation on an upgrade path from ARS 6.8 to 7.3?  Our 6.8 environment is a just single server and management wants to go with a full HA/DR solution with…

  • Perform batch operations on User objects from the web client

    Has anyone been able to create a custom command that can be performed against multiple selected objects?  I created a custom command that would set the edsvaProtectFromDeletion attribute to 'TRUE', but this command only appears when a single objects is…

  • Is it possible to generate a Managed Unit on the fly based on a users department or site code?


    Is it possible to generate a Managed Unit on the fly based on a users department or site code?

    Client has large number of AD user accounts, wants to limit the view and modification to only users in same department or site code.

    I was looking…

  • Get-QADuser not returning values for edsvaHomeDirectory


        Quest is populating this value for us for every new user created.  I would like to pull a report containing username and edsvaHomeDirectory for all users in AD.

    This is what I am running:

    get-qaduser -Identity * -Sizelimit '0' -IncludedProperties…

  • Does Active Roles support Hybrid Joins to Starling Services?

    Yes, starting with Active Roles 7.3.1, we added support for Hybrid Joins to Starling Services.

    Please see the following article for the latest information on what products and minimum versions are required to take advantage of the Starling Services Hybrid…

  • After upgrading to ARS 7.2.1 some users are no longer able to be disabled.

    After upgrading to ARS 7.2.1 some users are no longer able to be disabled. The option is gone from the right click context menu for the user in the console. There is an option to deprovision, but not disable. I'm unable to figure out why. Two different…

  • Workflow to add a user to an Admin group, then automatically remove them in X days.

        Management has asked that we limit the time a user is a member of the Enterprise Admins group.  I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow.  Is…

  • Active Roles Customize Error message in Web Interface

    Hello all,

    I have a script running some checks as part of the PreModify function and throwing and exception if an ID is not unique forest wide, this is working nicely but I was wondering if it is possible to customize what is shown on screen.

    What I mean…

  • Group Approvals

    We have a group that we want to have group approvals. This will computers addded to a group. The problem is the OU is sits in has been excluded from approvals. How can i make this one group have approval

  • finding an attribute from within a scheduled workflow with powershell - msds-userpasswordexpirytimecomputed


    I'm working on a password expiry notification, using ARS 7.0 workflow interface.

    First, I use a find activity to scope certain users.

    Then, I'd like to use an if-then branch, to evaluate the msds-userpasswordexpirytimecomputed property.


  • import-csv giving file not found error

     i am getting file not found error on the below line 

    $file=import-csv c:\temp\input.csv


    file is already in place 

    when i run the same script from windows powershell it is working , but giving error when run the same from ARS scheduled task .


    any idea…

  • Active Roles Server 7.0.2 workflow for automatically assign Office 365 license to AD user

    Hi, I want to specific assign Office 365 license to Active Directory user accounts depending on group membership or OU location.

    What is the best way to perform this process and can you help me by providing information about how to do it.

  • UPN Suffix does not respect the default value

    A customer use Active Roles and I'm following the switch between Quest 6.9 and Dell 7.0. In the new user form, in the UPB Suffix field, the operator can choose between two values, one default and one optional. In the 7.0 installation strangely in the…

  • Use ARS and/or powershell to create groups - nested & add members automatically?

    We use the lousy nested structure for shared folder ntfs permissions where a domain local group contains a universal which contains a global and the global has the users.  I want to find a way to create the 3 groups required when a new folder is setup…