AD Identity Service: Delete or Disable users that aren't found?

We currently set users to be "disabled" but then we have to periodically remember to go in there and delete them manually. It also creates issues with duplicate login names. Do you delete your users automatically? I've always been concerned that if something goes wrong with a sync then all my users would be deleted.

We had the same issue here, so I wrote an external operation that piggybacks on the user sync job and deletes any disabled users older than X amount of days. For instance, in our case users are deleted after 180 days of being disabled (this is a bit extreme). This way you can give yourself a few days before the users are actually deleted, but keep the process automated. There are a couple of options built in, which should be discernible from the source code. Here is the source:
package com.oracle.services.jobs;

import com.oracle.services.utility.SessionManager;
import com.plumtree.openfoundation.util.XPCalendar;
import com.plumtree.openfoundation.util.XPDateTime;
import com.plumtree.server.IPTObjectManager;
import com.plumtree.server.IPTQueryResult;
import com.plumtree.server.IPTSession;
import com.plumtree.server.IPTUser;
import com.plumtree.server.IPTUserManager;
import com.plumtree.server.PT_LOCKSTATES;
import com.plumtree.server.PT_PROPIDS;

/**
 * This class takes care of the automation server job for deleting user accounts
 * which have been disabled for some number of days.
 *
 * @author hross
 */
public class DeleteDisabledAccountsJob {
    // filter for only deleting agent disabled accounts
    private static String FILTER_AGENT = "This user has been locked by a User Synchronization Job.";
    // filter for deleting all disabled accounts (including those disabled by an admin)
    private static String FILTER_ALL = "";

    public static void main(String[] args) {
        // check arguments
        if ((args.length < 2) || (args.length > 4)) {
            System.err.println("usage: ");
            System.err.println("DeleteDisabledAccountsJob <security_token> <num_days>");
            System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> all");
            System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> [all] test");
            return;
        }
        // get a session from the login token
        IPTSession session = SessionManager.createSession(args[0]);
        // get a number of days
        int numDays = 0;
        try {
            numDays = Integer.parseInt(args[1]);
        } catch (Exception ex) {
            System.err.println("Number of days not a valid integer.");
            return;
        }
        // filter all or just the agent?
        boolean filterAll = ((args.length > 2) && (args[2].equals("all")))
                || ((args.length > 3) && (args[3].equals("all")));
        boolean test = ((args.length > 2) && (args[2].equals("test")))
                || ((args.length > 3) && (args[3].equals("test")));
        if (test) {
            System.err.println("This is just a test. Nothing will be deleted.");
        }
        if (filterAll) {
            System.err.println("This job will delete all disabled accounts (even those disabled by an admin).");
        } else {
            System.err.println("This job will delete only users disabled by an authentication source.");
        }
        // calculate the cut-off: numDays days in the past based on today's date
        XPCalendar xpCalendar = XPCalendar.GetInstance();
        xpCalendar.Add(XPCalendar.HOUR, -(24 * numDays));
        XPDateTime cutOff = xpCalendar.GetTime(); // subtract numDays days from the current time
        System.err.println("This job will delete any user accounts disabled before: " + cutOff.toString());
        // query for disabled user accounts
        IPTUserManager userManager = (IPTUserManager) session.GetUsers();
        IPTQueryResult result = userManager.GetLockedAccounts(filterAll ? FILTER_ALL : FILTER_AGENT, 0, -1);
        for (int i = 0; i < result.RowCount(); i++) {
            // get some basic user info
            int userId = result.ItemAsInt(i, PT_PROPIDS.PT_PROPID_OBJECTID);
            String name = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_NAME);
            String login = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_USER_LOGINNAME);
            // NOTE: PT_PROPID_CREATED is the account's creation date, not the date it was
            // locked. A long-standing account that was disabled only yesterday therefore
            // passes the cut-off immediately; the grace period only holds for accounts
            // created less than numDays ago. Check this against your own retention rule.
            XPDateTime dt = result.ItemAsXPDateTime(i, PT_PROPIDS.PT_PROPID_CREATED);
            // check to see if we need to delete the user
            if (dt.Before(cutOff)) {
                if (!test) { // if test, we just want to see who we would have deleted
                    // we have to try to unlock the user b/c of a bug in automation server
                    IPTUser user = (IPTUser) ((IPTObjectManager) userManager).Open(userId, false);
                    try {
                        user.SetLockedStatus(false);
                        user.Store();
                    } catch (Exception ex) {
                        // we expect this will fail b/c of a bug
                    }
                    // make sure the account gets unlocked
                    if (user.GetLockState() == PT_LOCKSTATES.PT_LOCKED) {
                        user.UnlockObject();
                    }
                    // okay, now we can delete the user
                    ((IPTObjectManager) userManager).Delete(userId);
                }
                System.err.println((test ? "Would remove" : "Removed") + " user account: "
                        + userId + " - " + login + " - " + name);
            }
        }
    }
}
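The policy behind the job above (a grace period after an account is disabled, a choice between sync-locked and all locked accounts, and a dry-run mode) is independent of the portal API. The following added Python example is not part of the original post or of the Plumtree/WebCenter product; it models that policy over a constructed list of locked accounts, and adds two things the question at the top asks for: it keys the grace period on the lock date rather than the creation date (it assumes the lock date is available as locked_at, which the portal query in the post does not expose), and it refuses to act when one run would delete more than a configurable share of all accounts, so a sync failure that disabled a large batch at once cannot empty the directory unnoticed. All account data, names and thresholds are constructed.

```python
"""Retention policy for disabled accounts: grace period, lock-reason filter,
dry run and a bulk-delete circuit breaker. Added example with constructed
data; it does not use the portal API from the original post."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Lock reason the user synchronization job writes (same string as FILTER_AGENT above).
SYNC_LOCK_REASON = "This user has been locked by a User Synchronization Job."


@dataclass(frozen=True)
class LockedAccount:
    user_id: int
    login: str
    lock_reason: str
    locked_at: datetime   # when the account was disabled (assumed to be recorded)
    created_at: datetime  # when the account was created (what the original job compares)


@dataclass(frozen=True)
class Plan:
    to_delete: Tuple[LockedAccount, ...]
    skipped: Tuple[Tuple[LockedAccount, str], ...]
    aborted: bool
    reason: str


def plan_deletions(accounts: List[LockedAccount], now: datetime, grace_days: int,
                   include_admin_locks: bool = False, total_accounts: Optional[int] = None,
                   max_delete_fraction: float = 0.10) -> Plan:
    """Select disabled accounts whose grace period has expired.

    total_accounts is the size of the whole directory; if more than
    max_delete_fraction of it would be deleted in one run, nothing is deleted
    and the plan is marked aborted so an operator can look at the sync first.
    """
    cutoff = now - timedelta(days=grace_days)
    to_delete: List[LockedAccount] = []
    skipped: List[Tuple[LockedAccount, str]] = []
    for acct in accounts:
        if acct.lock_reason != SYNC_LOCK_REASON and not include_admin_locks:
            skipped.append((acct, "disabled by an administrator, not by the sync job"))
            continue
        # Compare the lock date, not the creation date: an account created years
        # ago but disabled last week must still get the full grace period.
        if acct.locked_at > cutoff:
            skipped.append((acct, "inside grace period"))
            continue
        to_delete.append(acct)
    population = total_accounts if total_accounts is not None else len(accounts)
    if population and len(to_delete) / population > max_delete_fraction:
        msg = (f"{len(to_delete)} of {population} accounts selected, above the "
               f"{max_delete_fraction:.0%} cap; refusing to delete")
        return Plan((), tuple(skipped), True, msg)
    return Plan(tuple(to_delete), tuple(skipped), False, "ok")


def run_job(accounts: List[LockedAccount], now: datetime, grace_days: int,
            delete_fn: Callable[[int], None], dry_run: bool = True, **policy) -> Plan:
    """Apply a plan; delete_fn is only called when dry_run is False."""
    plan = plan_deletions(accounts, now, grace_days, **policy)
    if plan.aborted:
        print("ABORT:", plan.reason)
        return plan
    for acct, why in plan.skipped:
        print(f"skip         {acct.user_id:5d} {acct.login:<12} {why}")
    for acct in plan.to_delete:
        if not dry_run:
            delete_fn(acct.user_id)
        verb = "would delete" if dry_run else "deleted"
        print(f"{verb:<12} {acct.user_id:5d} {acct.login:<12} locked {acct.locked_at.date()}")
    return plan


def sample_accounts() -> List[LockedAccount]:
    """Constructed query result, not real portal data."""
    return [
        LockedAccount(101, "jdoe", SYNC_LOCK_REASON, datetime(2012, 10, 1), datetime(2010, 3, 4)),
        # old account, disabled 12 days ago: creation-date logic would delete it now
        LockedAccount(102, "asmith", SYNC_LOCK_REASON, datetime(2013, 5, 20), datetime(2009, 1, 15)),
        LockedAccount(103, "contractor7", "Locked by admin pending review",
                      datetime(2012, 1, 1), datetime(2011, 6, 1)),
    ]


NOW = datetime(2013, 6, 1)  # constructed "today"

if __name__ == "__main__":
    run_job(sample_accounts(), NOW, 180, print, dry_run=True, total_accounts=50)
```

With a 180-day grace period and a directory of 50 accounts, the dry run reports 101 as deletable, keeps 102 for another 168 days and skips the admin-locked 103 unless include_admin_locks is set; feeding it eight sync-locked accounts that all crossed the cut-off on the same day trips the 10 % cap and nothing is deleted.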

Similar Messages

  • How do I delete songs from icloud that aren't on my itunes?

    I have songs that only show up when I turn OFF the option that says "Show All Music" (Settings > Music), but not when that option is enabled. I don't know where to delete these songs, as they aren't showing on my computer either. Thanks for any help.
    Steve

    Hi steve,
    Not sure if I understand. The music that should be showing when you turn off "Show All Music" is any music you have downloaded to your device.
    To delete it from the device, you would click on Songs in the Music tab, and then swipe left on any that you want to delete, and tap delete to remove them from the device.
    You may not be seeing them in iTunes, because you may not have "Show Music in the Cloud" turned on in iTunes on your computer. This option is under the View option in the menu at the top.
    Does that help?
    Cheers,
    GB

  • How do I delete an email address that cannot be found in my contacts app

    An unknown email address always pops up when I try to select a recipient 
    That email address cannot be found anywhere in the contacts app when I try to get it deleted.
    It is an invalid address, as when I sent out a testing email, it was bounced as delivery failed.
    Is there a way to delete it ?
    Thank you.

    No there is no way to delete it. The addresses that the mail app "remembers" have nothing to do with what is in the Contacts App. If you mistakenly typed an incorrect email address at one time in the mail app - it is going to continue to come up as a suggestion from now on. There is no way to remove those short of restoring the iPad as a new device.

  • How to create a form for registration available to users that aren't logged

    Hi all,
    I am new to IDM.
    I have a task in that I have to create a form that can be accessed from the login screen for users which will enable the user to register. The user should register in the lighthouse database.
    Is that possible? Where should I find documentation for this?
    Thank you.

    Thanks for your reply.
    But being new to this I don't know where to find this topic. Could you please point me in the right direction?

  • Disable User in Postprocess Handler?

    Hi,
    we try to disable a user account by using a postprocess handler (entity-type="User" operation="CREATE"), because every created user should be disabled by default. (OIM 11.1.1.5)
    I use the following code snippet:
    UserManager um = this.getUserManager();
    // 1. create an empty User object
    User userObj = new User(null);
    //2. set attribute to identify uniquely the user to modify
    userObj.setAttribute("User Login", usr_login);
    //3. set attribute to be modified (in this case Display Name).
    //userObj.setAttribute("Display Name", userDisplayName);
    userObj.setUserDisabled("1");
    //4. update the user
    //userOperationsService.updateUser(arg0, arg1, arg2);
    System.out.println("Disabling user...");
    um.modify("User Login", usr_login, userObj);          
    which gives us the following exception:
    <Aug 19, 2012 2:36:15 PM CEST> <Error> <oracle.iam.identity.usermgmt.impl.handlers.modify> <IAM-3050119> <Modify User API cannot change user status.>
    <Aug 19, 2012 2:36:15 PM CEST> <Warning> <oracle.iam.platform.kernel.impl> <IAM-0080002> <Orchestration validation failed on the event handler - IAM-3050119:Modify User API cannot change user status.:>
    <Aug 19, 2012 2:36:15 PM CEST> <Error> <oracle.iam.identity.usermgmt.impl> <IAM-3050029> <The user cannot be created due to validation errors.
    oracle.iam.platform.kernel.ValidationFailedException: IAM-3050119:Modify User API cannot change user status.:
    at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createValidationFailedException(UserManagerUtils.java:721)
    at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createValidationFailedException(UserManagerUtils.java:751)
    at oracle.iam.identity.usermgmt.impl.handlers.modify.ModifyUserValidationHandler.validate(ModifyUserValidationHandler.java:373)
    at oracle.iam.identity.usermgmt.impl.handlers.modify.ModifyUserValidationHandler.validate(ModifyUserValidationHandler.java:187)
    at oracle.iam.identity.usermgmt.impl.handlers.modify.ModifyUserValidationHandler.validate(ModifyUserValidationHandler.java:174)
    at oracle.iam.platform.kernel.impl.OrchProcessData.validate(OrchProcessData.java:217)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runValidationEvents(OrchProcessData.java:180)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.validate(OrchestrationEngineImpl.java:644)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:497)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:444)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:378)
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.modify(UserManagerImpl.java:899)
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.modify(UserManagerImpl.java:974)
    at oracle.iam.identity.usermgmt.api.UserManagerEJB.modifyx(Unknown Source)
    I have also tried other API calls (e.g. UserManager.disable()), but that also resulted in Exceptions.
    Is it possible to disable users that way?
    How can this be achieved?
    Thanks in advance,
    Florian

    Some additional information:
    OIM / LDAP Sync seems to accomplish an LDAP search operation and then decides user is already there ... No modify operation on LDAP.
    [2012-08-23T09:19:48+02:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: idmhost] [pid: 3157] [tid: 8] [ecid: 004lyajFIOqDkZWFLzYROA0000lL0000ds,0] ServerWorker (REG):[[
    BEGIN
    ConnID:7285 mesgID:105 OpID:104 OpName:search ConnIP:192.168.2.111 ConnDN:cn=oimldap,cn=systemids,dc=secaron,dc=com
    orclinmemFilter:
    Orig Filter(numAVAFilters=2):(&(cn=wwwww eeeee)(objectclass=inetorgperson))
    Removed Filter: (objectclass=inetorgperson)
    New Filter(numAVAFilters=1):(cn=wwwww eeeee)
    2012-08-23T09:19:48 * INFO :gslfseADoSearch BASE = cn=Users,dc=secaron,dc=com FILTER = (cn=wwwww eeeee) #REQDATTR = 4 SCOPE = 1 REQDATTRS = cn orclguid cn objectclass
    TIMELIMIT = 3600 SIZELIMIT = 0 DEREF = 3
    2012-08-23T09:19:48 * gslfbpsParsePagingCtrlValue: exit with status = 0 pagesize = 1
    2012-08-23T09:19:48 * INFO:gsleswrASndResult OPtime=1570 micro sec RESULT=0 tag=101 nentries=1
    END
    ]]

  • OEM12c - Can you delete a service (db, schema) as a Cloud admin and not as the user that requested it?

    I configured the OEM 12c to provide DBaaS, ans Schema as a Service in a test environment.
    I was able to configure all the necessary settings, created the pools, admin users and end users.
    I created database and schema requests that were created successfully.
    My question is, Can the Cloud admin user delete the service that any user requested Via OEM or always has to be done by the end user that created the service via the Self Service Portal?
    Thanks,
    Daniel

    Will,
    The answer varies from service to service. For example, you can make simple
    changes to the catalog schema by editing the wlcs-catalog.properties file.
    Please refer to the documentation for more details.
    Sincerely,
    Daniel Selman
    "Will Young" <[email protected]> wrote in message
    news:3c8e30fa$[email protected]..
    >
    Hello,
    I've been combing through the docs, but I can't really find a definitive answer
    for this. If I have an existing Order, Customer, Product catalog, etc. schema,
    can I integrate WL Portal 4.0 with it and not use the WLCS_* tables?
    As far as I can tell, I could re-write ALL the Pipeline Components that deal with
    data access. Is that the only way? Is that even advised?
    Thanks,
    Will Young

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to do archive of deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

  • How do I delete a Dependant Activity that was accidentally added to a Service Request?

    It does not let me "delete" the activity, any other I add I can delete. Also I tried to "Cancel" the Service Request, and it gave me an error, shown below.
    Any Suggestions? This is the second time I have had this issue, but before I was able to cancel the Service Request for the User. This specific Request has already been worked, and they are just trying to close it, and that is where they saw that the dependant
    activity was used instead of Manual Activity, and they can not close it.
    FYI, we do NOT have change management turned on yet, we are fairly new to SCSM.

    Was the activity already in-progress or pending? Once an activity has a status, it can no longer be deleted. This is based partly on ITIL principles as well as Service Manager's design. Once an activity "exists", it should only be pending, on hold,
    in progress, completed, or skipped (or canceled/failed when things go wrong).
    In my opinion, if you accidentally add an activity, you should simply set it to "Skip" and it won't interfere with your work item any longer.
    You're free to delete activities that have no status (indicated by the yellow "star" icon on the activity). Typically activity templates will not have a status so you can easily add/remove them from a work item template. However, once you submit
    a new activity to an existing work item, SCSM's workflow engine will set that activity's status which will prevent you from deleting it.
    So, basically, if you see the star icon, you can delete the activity..otherwise, just set it to skipped.
    If you want to get technical, you can use powershell or the SDK to really delete any activity, but there are pitfalls to watch out for. For example, if you delete an activity, make sure you adjust all the other activity's SequenceId values or the activities
    probably won't run through their lifecycle properly.
    As for the error you got when you tried to cancel it the first time, I'm not sure what caused that.

  • How do I delete a User that does not appear in Users & Groups?

    A leftover user (former employee account) that won't go away. Phantom User account becomes the default login account regardless of the new employee's login attempts. The phantom account Home folder appears in the Users folder at the root level, but not in the Users & Groups panel in System Preferences. I have logged in as tech admin and deleted the phantom User folder (while it is not the Home folder), but it comes right back again as soon as the new employee logs in as himself. ***???
    I'd just updated this iMac to Yosemite, but this issue predates any specific OS update. Has persisted from 10.5 - 10.10. but is becoming an issue with permissions.
    Any thoughts other than having to reinstall the OS from scratch? I was about to, but thought I'd see if anyone else has ever heard of this.....

    Back up all data.
    Triple-click anywhere in the line of text below on this page to select it:
    /System/Library/CoreServices/Directory Utility.app
    Right-click or control-click the selected text and select
              Services ▹ Open
    from the contextual menu.* The Directory Utility application will launch.
    In the application window, click the lock icon and authenticate. Select the Directory Editor tool in the toolbar. Select Users from the Viewing menu in the toolbar, if not already selected. Locate the user you want to delete in the list and click the minus-sign icon at the bottom. Select Groups from the Viewing menu, and look for a group in the list with the same name as the user you just deleted. If found, delete. Quit Directory Utility.
    Be very careful when editing the directory. Many hidden users and groups are present by default, and are needed for the normal operation of OS X. Never delete or modify a directory entry unless you’re sure you know what you’re doing. If in doubt, leave it alone.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
               Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

  • Disabling User instead of deleting

    I'm using OIM 9031.
    I've created a custom access policy which grants user a resource (OEBS) based on his group membership.
    When user is no longer a member of group, his account is deleted from assigned resource. How do I change the behavior of OIM so that user account in OEBS would be blocked instead of completely deleted?

    Yes, I want the account to be re-enabled after the user is a member of a group again. No idea how to change the provisioning workflow...
    Maybe, I should add two new tasks, for enabling/disabling user, but then I must somehow incorporate 'enable user' task into my workflow. It may require 3rd task which checks if user account already exists (e.g. is user already provisioned the resource) and depending on response code, it may launch either create or enable task...

  • Getting users disabled/deleted with disabled resources in OIM

    Hi,
    Consider following use case related to OIM:
    To get the Users deleted or disabled on a particular date with their 'AD User' resources which are in disabled state.
    By means of built-in reports I can get the users disabled or deleted for a particular date.... how do I get the disabled AD User resource for each user....
    I can go for a scheduler task but how to proceed on that?

    the exact requirement here is to get the users/deleted a day before along with their 'AD User' resources which are disabled
    getObjectsByTypeStatus(long plUserKey, java.lang.String psObjectType, java.lang.String psStatus)
    Gets a list of all the objects of the specified type that have been provisioned for a user and are in the specified status.
    What I can make out here is that:
    I need to write some logic that would give users disabled/deleted say yesterday... after this I would loop these user keys into getObjectsByTypeStatus, which would give resources disabled for each user.
    Am I correct?
    Now how do I get the users disabled/deleted yesterday? This is realised by the default Users Disabled/Users Deleted report.
    But how do I use it in my scheduler?
    Edited by: Chhavi Saluja on Jun 30, 2010 1:20 AM

  • Identity Services Engine 1.1.4: REPLICATION DISABLED

    Hey, guys.
    Has anyone encountered the problem that replication between ISE nodes stops after an unpredictable timeframe ???
    This is the result after one day:
    I have set up a distributed deployment of ISE nodes, seven in total, split up into two nodes for each service (monitoring, administration, policy and profiling).
    Each of the nodes is running in an ESX 5.x environment, ESX itself is running on two hosts (two UCS with lots of ram and CPUs), each node has 8 virtual CPUs and 16GB ram, the virtual harddisks are 750GB and on some nodes even 2000GB .....
    This is a testing environment, radius accounting data is sent to the ISEs by a small number of switches only (but production switches, so that I can see profiling of our real clients), no authentication or authorization is done by the ISEs (yet).
    Profiling is configured in the following way:
    - a single node receives the HTTP probe (via a spanned port of our proxy server) on gig 1 (box does nothing else)
    - two nodes listen to the DHCP, DNS, RADIUS and SNMP probes, these two nodes have the policy service enabled also (but do nothing with it)
    All nodes run the same version of ISE:
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.4.120
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ise-worf
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.1.4.218
    Build Date   : Wed Apr 10 22:20:22 2013
    Install Date : Fri May  3 19:16:05 2013
    Cisco Identity Services Engine Patch
    Version      : 1
    Install Date : Wed May 29 08:16:58 2013 
    The database on this deployment contains about 5100 clients at this time:
    which is very little compared with the number of the rest of the endpoints that are connected to all the switches that do not send radius-accounting to the ISE deployment yet ....
    Anyone has a solution or a clue what to do ???
    In this state, ISE seems not capable to handle enterprise environments ....
    Btw, backups of the database do not work either, when you have more than 50% diskspace occupied ......
    Rgs
    Frank

    Hey, guys.
    Here is a little update, replication is still disabled, but it seems to be getting even worse:
    This happens when trying to connect via SSH AND via the vCenter Console window ......
    A reboot of the box enabled ssh again, but the application cannot be started again ...
    Disk full .... but full with what ???
    Replication is disabled, so no new database entries etc. can make the db grow, I guess .. ??
    The virtual disk that has been assigned to this vm is the largest size, that vmware can handle:
    The only thing I can do now, is to reimage the machine (again).
    Sadly, I do not expect things to be any different with the new installed ise, because I have done this three times before already...
    At this point I feel the urgent need to throw this whole project onto the dumpster and take another look at ISE when version 3.0 is released, because in this state it is not enterprise scalable software ....
    Rgs
    Frank

  • User Task: Custom Identity Service

    Hi my friends
    Has anyone tried to use a custom Identity Service with BPEL User Tasks (I mean other than LDAP or JAZN)? Problems? Issues? Limitations?
    I know I have to implement a set of interfaces (BPMIdentityService interface and others)...
    Thanks.
    Message was edited by:
    mmenezes

    Pablo;
    I just read your post and hearing that you have the basic methods working has me very interested - I implemented all the Interfaces (BPMIdentityService, BPMProvider, BPMUser, BPMRole, BPMGroup) and changed the is_config.xml file. My realm showed up, and the connection pool I'm using seemed to work just fine, but when I tried to setup a Human Workflow using the new realm, I get an error on my searchUsers method (just hardcoded).
    I read that you need to add your classes to the application.xml file and that makes sense - but when I add them, no realms show up at all - one step backward - AND the method still doesn't work.
    Could you spare a desperate developer some advice on how you got yours working - a brief description of how to register your classes, if there's more than adding them to application.xml would be wonderful!
    Cheers -

  • How to Use PowerShell to Delete FIM Users That Have a Null attribute name

    FIM Community Information Center Article
    Wiki Page:
    How to Use PowerShell to Delete FIM Users That Have a Null <attribute name>
    Go to the FIM Community Information Center
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

    Have you run side-by-side metrics on this?
    I've run the Delete Object method and your script against similar data sets and yours appears to take a fair bit longer. I'd have to re-run in identical circumstances, a few times, to really say for sure, but my initial impression is that it will take hours
    longer.
    I guess the point is somewhat moot anyway, as for me the bit that generally takes longest is the actual query, rather than the deletions.
    Boy how I wish I could just enter something into the FIM Portal directly that would blast out a bunch of users matching a query. One day...
    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering
    ECMA1->ECMA2 Upgrade Services

  • Apple cause the disabled user identity?

    apple cause the disabled user identity?

    If your account is disabled then depending on the reason why, you might be able to re-enable it via this page : http://appleid.apple.com, then 'reset your password'
    Or you might need to contact Apple : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page
    If it then works on your computer's iTunes but not your iPad then try logging out of your account on the iPad by tapping on the id in Settings > Store and then log back in and see if that 'refreshes' the account on it
