DESCRIPTION
This standalone script (not a script policy!) removes any membership rules from the specified Managed Unit and adds a new membership rule whose query selects users who have not logged on for the last 90 days. You can use the script as a scheduled task in Active Roles. If you schedule the script to run every day, the Managed Unit will contain an up-to-date user list each day.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
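Option Explicit
'--- Purpose: rebuild the membership rules of the "Last Logon" Managed Unit so that it
'--- lists users whose lastLogonTimestamp is at least DAYS_INACTIVE days old, while
'--- excluding accounts located under the Service Accounts OU. Intended to run as an
'--- Active Roles scheduled task; every run discards ALL existing rules on the Managed
'--- Unit and recreates the two rules below, so do not hand-edit rules on this MU.
'---
'--- Tunables are grouped here so the threshold, the Managed Unit and the directory
'--- paths can be changed without touching the rule logic further down.
Const DAYS_INACTIVE = 90
Const MU_PATH = "EDMS://CN=Last Logon,CN=Managed Units,CN=Configuration"
Const RULE_BASE_INCLUDE = "EDMS://DC=foocompany,DC=com"
Const RULE_BASE_EXCLUDE = "EDMS://OU=Service Accounts,DC=foocompany,DC=com"
'--- rule Type values as used by this script: 1 adds matching objects, 2 removes them
Const RULE_TYPE_INCLUDE = 1
Const RULE_TYPE_EXCLUDE = 2

Dim dtDate, objLargeInteger, objMU, objRuleCollection, objRule

'--- prepare the cut-off date: DAYS_INACTIVE days before now
dtDate = DateAdd("d", -DAYS_INACTIVE, Now)
'--- convert this date to the large-integer (FILETIME) format used by lastLogonTimestamp
Set objLargeInteger = CreateObject("AelitaEDM.EDMLargeInteger")
objLargeInteger.SetDate(dtDate)

'--- bind to the Managed Unit (GetObject raises a runtime error if the path is wrong)
Set objMU = GetObject(MU_PATH)
'--- get the membership rule collection
Set objRuleCollection = objMU.MembershipRuleCollection

'--- remove all existing membership rules; the collection shrinks on every RemoveAt,
'--- so always removing index 0 drains it
Do Until objRuleCollection.Count = 0
    objRuleCollection.RemoveAt(0)
Loop

'--- rule 1 (include): all users whose lastLogonTimestamp is older than the cut-off.
'--- NOTE: lastLogonTimestamp is only replicated when the stored value is more than
'--- roughly 9-14 days old, so the effective threshold is approximate by up to about
'--- two weeks. Accounts that have NEVER logged on carry no lastLogonTimestamp at all
'--- and are therefore NOT matched by this "<=" comparison; if such accounts should be
'--- reported too, add a separate rule (e.g. on whenCreated) rather than widening this one.
Set objRule = CreateObject("EDSIManagedUnitCondition")
objRule.Base = RULE_BASE_INCLUDE
objRule.Filter = "(&(objectSid=*)(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=" & objLargeInteger.GetString() & "))"
objRule.Type = RULE_TYPE_INCLUDE
'--- add this rule
objRuleCollection.Add objRule

'--- rule 2 (exclude): service accounts kept in the Service Accounts OU must not be
'--- treated as stale users
Set objRule = CreateObject("EDSIManagedUnitCondition")
objRule.Base = RULE_BASE_EXCLUDE
objRule.Filter = "(&(objectSid=*)(objectCategory=person)(objectClass=user))"
objRule.Type = RULE_TYPE_EXCLUDE
'--- add this rule
objRuleCollection.Add objRule

'--- commit the new rule set to the Managed Unit
objMU.SetInfo
'--- end of code
'***** END OF CODE ***************************************************************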