Block disabled users from AD

 
SysAider
8
 
Hi,

How can we configure SysAid not to import disabled users from AD?

Thank you,
Rolf
SysAid Customer Relations
156
 
In order to prevent SysAid from importing disabled user accounts, please go to Preferences -> Integration -> LDAP and set the User class filter to:

(&(objectcategory=user)(!(userAccountControl=514)))

If you have LDAP integration with more than one domain, you will need to perform this operation with each domain.

After saving your changes, please delete all user accounts and import them once again from LDAP.

This will only bring back the non-disabled users.

SysAider
8
 
Thanks Adam, with this info now we are able to block disabled users from AD during initial import.

We need one more piece of info: after the initial import, if we disable any user in AD, how can we make this reflect in the SysAid database? Or does this have to be done manually?

Thank you,
Rolf
SysAid Customer Relations
93
 
Dear Rolf

In order to reflect this in the SysAid database you will need to run the LDAP wizard again.

Please let us know if that answers your question. If not, or you need further assistance, please don't hesitate to contact us. Your response will be highly appreciated.



SysAider
8
 
Hello Shay,

Do you mean "Refresh User List From LDAP", or delete all the users from the SysAid database and import them once again?


Thank you,
SysAid Customer Relations
93
 
Dear Rolf,

We mean delete all the users from SysAid and run the "Refresh User List From LDAP" again.

Super SysAider
72
 
Rolf - one thing to watch out for if you do this is that some reports will not show data for users who are deleted from the database (see post https://www.sysaid.com/Sysforums/posts/list/668.page)
SysAid Customer Relations
93
 
Dear Rolf,

andrewl94133 is correct; what we suggest in this case is to disable users instead of deleting them.
And while you are running reports, you will be able to see information regarding those users as well.
SysAider
8
 
Thanks Andrew..


Shay - your method is time-consuming and it can lead to other complications. Instead of this, after we disable a user in AD we can disable/delete that user from SysAid.

It would have been really good if SysAid had the capability to reflect changes made to a user account in AD into its database.


Thank You,

This message was edited 1 time. Last update was at Aug. 21, 2008 06:34 AM

SysAider
1
 
I have created a VBScript that parses Active Directory for disabled accounts and then updates the SysAid database to disable the user. It updates sysaid_user and sets disable = 'Y'

The script is below. You will need to update it for your own database server and database. Also update your DC's NetBIOS name and the domain name in the LDAP query.

' Disables in SysAid every account that is disabled in Active Directory
strDomainController = "DCNETBIOSNAME"

'############################################################################

strSQLServerName = "DATABASESERVER.DOMAIN.COM"
strSQLInstance = "" ' FOR DEFAULT INSTANCE MAKE EQUAL ""
strSQLDBName = "DATABASENAME"

If strSQLInstance = "" Then
    strSQLServerInstance = strSQLServerName
Else
    strSQLServerInstance = strSQLServerName & "\" & strSQLInstance
End If

strConn = "Driver={SQL Server}; Server=" & strSQLServerInstance & "; Database=" & strSQLDBName & ";;"

' LDAP query: user objects with the ACCOUNTDISABLE bit (2) set in userAccountControl
strLDAP = "<LDAP://" & strDomainController & "/dc=DOMAIN,dc=COM>" _
    & ";(&(objectClass=user)(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" _
    & ";sAMAccountName" _
    & ";subtree"

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

' Run the search through a Command object so paging can be enabled;
' without a page size the result is cut off at the server's limit (1000 by default)
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = strLDAP
objCommand.Properties("Page Size") = 1000
Set objCreateRecordSet = objCommand.Execute

' Open the database connection once and prepare a parameterized UPDATE,
' so account names are never concatenated into the SQL text
Set objConn = CreateObject("ADODB.Connection")
objConn.Open strConn
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "update sysaid_user set disable = 'Y' where user_name = ?"
objCmd.Parameters.Append objCmd.CreateParameter("user_name", 202, 1, 255) ' 202 = adVarWChar, 1 = adParamInput

' EOF is already True when no disabled accounts were found, so no MoveFirst is needed
While Not objCreateRecordSet.EOF
    strusername = objCreateRecordSet.Fields(0).Value
    'wscript.echo strusername

    'RUN THE QUERY
    objCmd.Parameters(0).Value = strusername
    objCmd.Execute , , 128 ' 128 = adExecuteNoRecords

    objCreateRecordSet.MoveNext
Wend

objConn.Close
objConnection.Close
WScript.Echo "Script Complete"
WScript.Quit



I hope this helps. I have to run it from time to time, but it is better than deleting all of the users and reimporting.

SysAid Customer Relations
319
 
Dear all,

Please don't use this solution as it is not working properly.

I can assure you that disabled users in LDAP will be disabled in SysAid so you do not lose any license End Users.

Best Regards
Ido Shomer
SysAid CSS
Super SysAider
88
 
I made the change before reading all of the posts! I didn't write down what it was originally set to! I know, I should know better. What was the default setting?
SysAid Product Manager Community Manager
5260
 
Hi brberglund,

What exact changes have you made so far from this thread?

Thanks,
Danny
Super SysAider
88
 
In order to prevent SysAid from importing disabled user accounts, please go to Preferences -> Integration -> LDAP and set the User class filter to:

(&(objectcategory=user)(!(userAccountControl=514)))

What is the default setting?

Thank you,

Bruce
SysAid Product Manager Community Manager
5260
 
To return all the LDAP values to default, you can use the LDAP Wizard and it will reconfigure everything.

If you're still interested in the option to not only disable the disabled users imported from LDAP, but not to import them at all, this is the correct option:

Import only enabled users from LDAP

(&(objectcategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Cheers,
Danny
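
How the two User class filters quoted in this thread treat disabled accounts, shown as an added example that is not part of the original posts or of SysAid. The sample accounts and the helper names (imported, leaked_disabled) are constructed for illustration; the flag values are the standard userAccountControl bits.

```python
# Added example: evaluates the two import filters quoted in this thread
# against constructed userAccountControl values (not real directory data).
import re

ACCOUNTDISABLE = 0x0002          # the bit the bitwise filter tests (":=2")
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

FILTER_EQUALITY = "(&(objectcategory=user)(!(userAccountControl=514)))"
FILTER_BITWISE = ("(&(objectcategory=user)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Matches only the negated userAccountControl term used in both filters.
_UAC_TERM = re.compile(r"\(!\(userAccountControl(?::([\d.]+):)?=(\d+)\)\)")

def imported(filter_text, uac):
    """Return True if an account with this userAccountControl passes the filter."""
    m = _UAC_TERM.search(filter_text)
    if m is None:
        raise ValueError("no negated userAccountControl term in filter")
    rule, value = m.group(1), int(m.group(2))
    if rule is None:                       # plain equality on the whole integer
        excluded = uac == value
    elif rule == BIT_AND_OID:              # every bit of value must be set
        excluded = (uac & value) == value
    else:
        raise ValueError("unsupported matching rule: " + rule)
    return not excluded

# Constructed sample accounts: name -> userAccountControl
SAMPLES = {
    "enabled": NORMAL_ACCOUNT,                                           # 512
    "disabled": NORMAL_ACCOUNT | ACCOUNTDISABLE,                         # 514
    "disabled_nopwd": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD,  # 546
    "disabled_noexpire":
        NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,          # 66050
}

def leaked_disabled(filter_text):
    """Names of disabled sample accounts the filter would still import."""
    return sorted(name for name, uac in SAMPLES.items()
                  if uac & ACCOUNTDISABLE and imported(filter_text, uac))

if __name__ == "__main__":
    for label, flt in (("equality", FILTER_EQUALITY), ("bitwise", FILTER_BITWISE)):
        print(label, "filter still imports:", leaked_disabled(flt))
```

The equality form excludes only accounts whose value is exactly 514, so a disabled account with any additional flag set is still imported; the bitwise form excludes every account with the disable bit set.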