Restrict who can Disable users while allowing Enable

Back to User management: Disable, Delete, Deprovision

Back to Permission management

DESCRIPTION

Allows you to selectively define who can disable users while leaving everyone free to enable them. The group whose members are denied the right to disable users is read from a parameter of the policy entry called 'Disable User Group'; its value must be the group's distinguishedName.

Note: This code may use functions from the ARS Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.


SCRIPT

'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' (C) 2007 Quest Software, Inc.
'' This script is a part of custom solution for Quest ActiveRoles Server
'' delivered by Quest according to applicable Statement of Work. For
'' support policy please refer to Exhibit 2 of SOW.
''
'' PLEASE DO NOT MODIFY THIS FILE. It is protected by cryptographic
'' digital signature to ensure original contents.
''
'' $ QARS Version: 6.0.2
''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub onPreModify(Request)
    ' Shawn Ferrier, Quest Software shawn.ferrier@quest.com
    ' May 17, 2007

    ' This policy only governs user objects
    If Request.Class <> "user" Then Exit Sub

    ' If the user disabled state is not one of the attributes being modified, exit the function
    If IsEmpty(Request.Get("edsaAccountIsDisabled")) Then Exit Sub

    ' If the user is being enabled, exit the function: enabling is always permitted
    If Request.Get("edsaAccountIsDisabled") = False Then Exit Sub

    Dim strDeniedGrp
    Dim objDeniedGrp
    Dim strInteractiveUsrSAN
    Dim strInteractiveUsrDN
    Dim blnDenied
    Dim objGroupList

    ' The group whose members are denied the right to disable users is defined by the policy entry
    ' parameter called "Disable User Group". It should be specified in distinguishedName syntax.
    strDeniedGrp = PolicyEntry.Parameter("Disable User Group")
    'Set objDeniedGrp = GetObject("EDMS://" & strDeniedGrp)

    ' Retrieve the name and DN of the user making the request, and find out if they are a member
    ' of the denied group.
    Request.WhoAmI strInteractiveUsrSAN, strInteractiveUsrDN

    ' This dictionary object is used by the IsMember function to prevent checking membership of the
    ' same group twice. Otherwise you run the risk of entering an infinite loop if there are any
    ' circular group memberships.
    Set objGroupList = CreateObject("Scripting.Dictionary")
    objGroupList.CompareMode = vbTextCompare

    blnDenied = IsMember(strDeniedGrp, strInteractiveUsrDN, objGroupList)

    ' If the requesting user is in the denied group, record an event in the EDM event log and
    ' display an error message to the user. The Err.Raise method will abort execution before any
    ' change to the user is made. If they are permitted, then execution continues normally,
    ' allowing any and all changes.
    If blnDenied Then
        EventLog.ReportEvent EDS_EVENTLOG_AUDIT_FAILURE, strInteractiveUsrSAN & " attempted to disable '" & Request.Name & "'."
        Err.Raise -1, "Access Denied", vbCRLF & vbCRLF & "You are not permitted to disable this user object. Please contact your network administrator."
    End If
End Sub

Private Function IsMember(strGroupDN, strUserDN, ByRef objGroupList)
    ' This recursive group membership check function needs to exist since the IsMember method is, by
    ' itself, not recursive. Moreover, please be aware that this function does NOT work on your primary
    ' group (i.e., Domain Users in most cases).
    Dim objGroup
    Dim objMember
    Dim strMemberDN

    Set objGroup = GetObject("EDMS://" & strGroupDN)

    ' Direct membership check first (non-recursive)
    IsMember = objGroup.IsMember("EDMS://" & strUserDN)
    If IsMember Then Exit Function

    ' Walk nested groups, skipping any group already visited so circular nesting cannot loop forever
    For Each objMember In objGroup.Members
        If objMember.Class = "group" Then
            strMemberDN = objMember.Get("distinguishedName")
            If Not objGroupList.Exists(strMemberDN) Then
                objGroupList.Add strMemberDN, strMemberDN
                IsMember = IsMember(strMemberDN, strUserDN, objGroupList)
                If IsMember Then Exit Function
            End If
        End If
    Next
End Function

'***** END OF CODE ***************************************************************
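The following Python model is an added example and is not part of the Script Center code above or of Active Roles itself. It reproduces the policy decision of onPreModify (the three early exits, then the denied-group check) and the cycle-safe recursive membership walk of IsMember, so the logic can be exercised offline. The real script resolves groups through the EDMS:// provider on an Active Roles server; here a constructed dictionary DIRECTORY stands in for it, mapping each group DN to its direct 'member' values, and the function names is_member and on_pre_modify and the request dictionary shape are assumptions of this example. Because the stand-in only knows the 'member' attribute, it also shows the caveat from the script: a user's primary group (typically Domain Users) is not visible to this walk.

```python
from typing import Dict, List, Optional, Set

DN = str

# Constructed sample directory (hypothetical, not from the page): group DN -> direct member DNs.
# NoDisable nests Helpdesk, and Helpdesk nests NoDisable again, which is the
# circular membership the original guards against with its Scripting.Dictionary.
DIRECTORY: Dict[DN, List[DN]] = {
    "CN=NoDisable,OU=Groups,DC=example,DC=com": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",
        "CN=alice,OU=Users,DC=example,DC=com",
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=NoDisable,OU=Groups,DC=example,DC=com",  # circular nesting
        "CN=Tier1,OU=Groups,DC=example,DC=com",
    ],
    "CN=Tier1,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
    ],
}


def is_group(dn: DN) -> bool:
    """In the stand-in directory, a DN is a group if it has a member list."""
    return dn in DIRECTORY


def is_member(group_dn: DN, user_dn: DN, visited: Optional[Set[DN]] = None) -> bool:
    """Recursive membership check mirroring the VBScript IsMember function.

    `visited` plays the role of the dictionary the original passes ByRef so that
    no group is expanded twice; without it the cycle in DIRECTORY would recurse
    forever. Comparisons are case-insensitive, like vbTextCompare in the original.
    Primary-group membership is not stored in 'member' and is therefore not found.
    """
    if visited is None:
        visited = set()
    members = DIRECTORY.get(group_dn, [])

    # Direct membership first (the non-recursive IsMember call in the original).
    if any(m.lower() == user_dn.lower() for m in members):
        return True

    # Then descend into nested groups that have not been visited yet.
    for member_dn in members:
        if not is_group(member_dn):
            continue
        key = member_dn.lower()
        if key in visited:
            continue
        visited.add(key)
        if is_member(member_dn, user_dn, visited):
            return True
    return False


def on_pre_modify(request: Dict[str, object], requester_dn: DN, denied_group_dn: DN) -> str:
    """Decide what the onPreModify handler would do for one request.

    `request` is a constructed stand-in for the Active Roles Request object:
    'class' is the object class and, when present, 'edsaAccountIsDisabled' is the
    new value of the disabled flag (absent means the flag is not being changed).
    `denied_group_dn` corresponds to the 'Disable User Group' policy parameter.
    Returns 'allow' or 'deny'; 'deny' is where the original raises Err.Raise.
    """
    if request.get("class") != "user":
        return "allow"  # the policy only governs user objects
    if "edsaAccountIsDisabled" not in request:
        return "allow"  # disabled state is not among the modified attributes
    if request["edsaAccountIsDisabled"] is False:
        return "allow"  # enabling is always permitted
    if is_member(denied_group_dn, requester_dn):
        return "deny"  # requester is (directly or via nesting) in the denied group
    return "allow"


if __name__ == "__main__":
    denied = "CN=NoDisable,OU=Groups,DC=example,DC=com"
    disable_req = {"class": "user", "edsaAccountIsDisabled": True}
    for who in ("alice", "bob", "carol"):
        dn = f"CN={who},OU=Users,DC=example,DC=com"
        print(f"{who} disabling a user -> {on_pre_modify(disable_req, dn, denied)}")
```

alice is denied by direct membership, bob by nesting through Helpdesk and Tier1, and carol is allowed; the walk through the NoDisable/Helpdesk cycle terminates because each group is expanded at most once.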

COMPATIBILITY

Script compatible with the following version(s): ARS 6.0 or later
