Browse By Tags

  • Access Template for Microsoft LAPS - I have seen a template to grant reader to the ms-Mcs-AdmPwdattributes in ARS, but not a template to Grant Self (the computer account) access to write to the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd.

    I tried to create an access template for granting self write access to the ms-Mcs-AdmPwd attributes and it seemed to do nothing.  I had to manually set the rights using powershell.  It would be so much easier to do this with an ARS Access Template.  This…

  • Access denied managing two domains on single ARS server

    I have ARS configured on one of our domain (, we had a request to setup ARS for an another domain. We want to have both the domain setup on the same ARS Server & both the domain appear & manage under the same ARS website.

    I've added the…

  • ARS - Replication status "unknown" / Publisher - Subscriber


    I have two ARS servers and two DBs, configured one of the ARS servers and promoted it as Publisher.
    I then added the second server as subscriber.

    Both ARS servers 2016 are running under version, SQL servers are 2016.

    In the ARS console, under…

  • ActiveRoles removal from One Identity Manager


    After over a year away from OIM, I've returned to handling the product and tasked to remove or decommission ActiveRoles.  What are some best practices/aspects to accomplish removing ARS from OIM, and replacing it with native Active Directory updates…

  • Exchange Properties of users are not getting open for some users


    We are recently facing the issue on few users for whom we are not able to open exchange properties. Other tabs are working fine, but when we select exchange properties in ARS portal after opening user general properties, it takes time and finally…

  • Launch Windows Command or PS from ARS Web Site

    Is there a way to create a command from the ARS website that would have a remote computer run GPUPDATE /FORCE ??

    I am picturing finding the Computer in ARS Web Site, putting in a check mark then having the command available. Out of the box you can choose…

  • Group membership approval not working for DL

    HI team,

    We have separate user domain and resource domain. Exchange is in resource domain for which users master accounts is in user domain. so linked mailboxes in resource domain.

    Few Distribution list in resource domain's exchange has owners defined…

  • Managed Unit view only

    Hi all,

    I am relatively new to ARS and tried to set up a MU with explicit permission to some groups, this worked well and I have added the specific group with builtin "Managed Units View" and "Group - Read all Properties" access.

  • I want to create computer objects without accessing the ARS console

    I tried with the below code but it gives error.

    powershell.exe -command New-QADComputer -Name <Name of the new computer> -ParentContainer "<OU-Copied the distinguishedName of an earlier computer object from the AD>" -ObjectAttr…
  • Integrating ARS with source control (git)

    Morning all,

    Currently within ARS, you write sript modules of various types and trigger them via policies, schedules, events, etc. Those scripts however must live within the ARS environment, specifically written in the inline script window ARS provides…

  • Undo Deprovision with Workflow fails due to defect.. Work around?

    It seams UndoDeprovison is not possible in a work flow when you have Quest Change auditor integration.

    See this KB for details: UndoDeprovision with Workflow fails with error "Specified method is not supported" if Change Auditor Deprovision policy is applied…

  • Stale User Deprovision and Undoing deprovision

    I have a workflow that runs ever night. It will automatically deprovision any user with a certain timeframe of inactivity. Every now and then, a user does attempt to use their account and we have a process to undo the deprovisioned status in place. However…

  • Prevent ARS from Reusing Usernames

    We have several 3rd party systems that do not allow for usernames to be reused. However, our current setup with usernames in ARS allow for the usernames to be reused once the account is deleted from AD. Does anyone have any suggestions on how we can prevent…
  • Getting msExchRecipientDisplayType values via $dirObj, returns a System.__ComObject reference, not the integer.

    I am writing a powershell policy script to detect remote mailbox types (EXO), ARS is not connected to Azure.

  • -OR condition not working in IF statement

    The script only seems to be working if the first condition is met. It is not working if the User2 is met.  ($Session.Username -ne "user2") Is there some reason why the -OR isn't working in the IF statement. Any ideas?

    function onGetEffectivePolicy…

  • Any possibility to import configuration from 6.9 to a non-newly created 7.4 database ?

    Dear All,

    We built a new ARS farm of 2 servers in 7.4 using 2 mutualized databases (one for config and one for history) 6 monthes ago.

    Our old farm in 6.9 is still in production and we made some changes on it during these 6 monthes (Policies, dynamic…

  • Export All Dynamic groups with its membership rules

    Hello Guys,

    I'm in need of a powershell script to get all dynamic groups in our environment with the membership rules. 

    I can get the list using the below script but the membership rules i get is the membership rules plus GUID & SID of the OU's with…

  • try catch not working

    I wrote a custom powershell script and have it run in a workflow.

    I'm having an issue with the try catch statement. If I remove try catch and just run the command inside the try method, the workflow executes fine. However, when a try catch is added,…

  • ARS: The specified Domain is not available for Management. The specified Domain either does not exist or could not be contacted.


    I've installed ARS on a on a separated Domain and now try to add managed Domains in other non-trusted Domains. All ports form the ARS documentation are open against the specific Domains, but I am still facing the error that the Domain can't be contacted…

  • When launching ActiveRoles74, we receive the following message. Cannot retrieve the Two-Factor Authentication configuration information from the Active Roles Administration Service. This is new installation of 7.4 on new server with new database.

    We have installed version 7.4 on a new server connected to a new database. When launching the ARS console, we get the following message.

    Cannot retrieve the Two-Factor Authentication configuration information from the Active Roles Administration Service…

  • ARS Script Wiki and Best Practices. Still existing on Quest Website? Or only dead links to Dell Software?

    Hello All,

    I have to implement a solution, where I have to use Workflows with partly User Input and also getting Workflow information in Scripting (prefered PowerShell). I searched these forum for Knowledge about it, but I could not find much. And the…

  • Setting Virtual Attribute on the fly when user Properties are opened

    Hey Everyone,

    First post and still quite a newb with Active Roles so don't mind the brief ignorance you may see :)

    Basically my end goal is to make a Tab in the web interface User Object properties window only visible when a virtual attribute is…

  • Upgrade ARS 6.8 and Upgrad Server OS and SQL-Version - All in one step possible?

    Hello All,

    I have to upgrade ARS from Version 6.8 to an up-to-date Version. And I also have to update the Server OS and SQL-Version. For my understanding of the ARS update path document I first have to update to Version 6.9 before I can go to Version…

  • ARS background process

    Hi All,

    I just wanted to know what background process does ARS do to provision objects to AD. Is it LDAP or any scripts that it run in background.



  • ARS V6.9 and V7.3.1 certificates installation


    We have an ARS 6.9 installation and the certificates were installed locally on the server(s).  Question, can we use the load balancer as the certificate holder? I heard ARS requires certificates to be installed locally only?

    Also, can someone provide…