One Identity Manager 8.1.5 Unlock Active Directory Account via API

I cannot find any documentation on how to do this. Trying to simply change the property to false does not work and I noticed in Manager there is a special task to unlock accounts. Is it possible to unlock a locked Active Directory Account via the API? If so - how?

  • Hi,

    The issue you are facing may be that AccountLockedOut in OI is still false as a sync hasn't happened.  Use SQLComponent - Execute SQL to fire an update command to set it to true.

    Then you can use HandleObjectComponent - Update to set AccountLockedOut to false .... this will then provision to AD and unlock the account.

    HTH, Barry.

  • I have tried making a call to 'api/entity/ADSAccount/' and set the property to false when it is currently true. This DOES NOT trigger the job ADS_Account_Update/(De-)activate. If I use the same process to, say, change "User Password Never Expires" to true/false - this works fine and triggers the job - aka an UPDATE to ADSAccount is called. Using the API - how can I trigger a process to fire when changing the AccountLockedOut property? I tried setting a custom process that is checking for an UPDATE event for that property - but it never fires (seems the API does not change anything for AccountLockedOut, like it's being ignored). Or do I have to script something and call the script? Trying to keep it simple. Seems this is getting complicated just to unlock an AD account. Has no one already done this (has a working example)? I am surprised there is not a built-in method to call. What is Manager doing when you click the unlock account button?

  • I haven't used the API ..... Manager does what I detailed above as far as I know.

  • My solution in the end if it helps anyone. Based off your suggestion of setting it to true, then false. Might not be the best... but it works for me anyways. I call this from the API:

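    Public Sub CCC_UnlockAdAccount(ByVal UID_ADSAccount As String, ByVal ConnectionString As String)
      ' Step 1: write AccountLockedOut = 1 directly in the database so that the
      ' change to False in step 2 is seen as an update.
      ' Note: UID_ADSAccount is formatted straight into the SQL text, so pass only
      ' a trusted, validated UID to this script.
      Dim conData As ConnectData = DbApp.Instance.Connect(ConnectionString)
      Using conData.Connection
        Dim cSQL As SqlExecutor = conData.Connection.CreateSqlExecutor(conData.PublicKey)
        cSQL.SqlExecuteNonQuery(String.Format("UPDATE ADSAccount set AccountLockedOut = 1 WHERE UID_ADSAccount = '{0}'", UID_ADSAccount))
      End Using
      ' Step 2: set AccountLockedOut back to False through the object layer and commit.
      Dim ADSAccount As IEntity = Session.Source.Get("ADSAccount", UID_ADSAccount)
      Using uow = Session.StartUnitOfWork()
        ADSAccount.PutValue("AccountLockedOut", False)
        uow.Put(ADSAccount)
        uow.Commit()
      End Using
    End Sub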

  • By looking at the processes at the Update event for the ADSAccount and digging down further to the unlock scripts, you have two options.

    • Option A: Set the connection variable UnLock_ForceSyncOf to AccountLockedOut using the REST API first, and then set the column AccountLockedOut to false. This forces the sync to use the value of AccountLockedOut even if it hasn't changed.
    • Option B: Check if AccountLockedOut is true, then just change it to false. If it is false, generate the UPDATE event for the ADSAccount while setting a parameter ForceSyncOf to AccountLockedOut.