Approval for disabling AD user

Hi,
When an AD user is disabled from OIM, that request should go to AD user manager.
How can we achieve this?
Regards,
Poorna

Create a new approval workflow for the object with just a manager approval task.
Create an approval rule where request action = "Disable" or it might be "DISABLE".
On the resource object, there is a tab where you can define the rule and process definition for the approval you just created. Now when a request to disable the AD resource for a user is submitted, it will use the new approval process.
-Kevin

Similar Messages

  • OIM 11g - Approval workflows for disabled user accounts

    Hi,
    We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Until Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
    As submission of New Hire Form is not a straightforward process, we came up with the following design.
    A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
    However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process before the user becomes active.
    How can these workflows be invoked for a disabled user? Is there any other way to implement this requirement?
    Any kind of help/guidance is greatly appreciated.
    Thanks and Regards
    Deepa

    911709 wrote:
    If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
    Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
    You can have dynamic task assignment in BPEL, where you define a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
    If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.
    Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
    Thank you.
    -Bikash
    Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

  • Step by step to disable Folder Redirection for a single user - Windows 7 and SBS 2011 Essentials

    OK...I got chewed (by someone I have a lot of respect for) for pounding on an old thread, so I'm starting a new one. I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is
    exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete answers. If you don't have time to give me the 'For Dummies' version, don't bother. Sorry, but I've done all the Googling I can stand for one day
    and I'm over it! (and a little grumpy)
    Thanks in advance!
    Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP

    ... I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete
    answers....
    Hi Wayne,
    Here's what I'd do. 
    1) create a Security Group in your AD environment. Call it 'Folder Redirection Members' or something like that. Put all the user accounts in your AD environment who you want to have their folders continue to be redirected to the server, do not include the
    one user who you wish to exclude.  In other words, you're going to use a specific security group to target the Folder Redirection policy (right now, it's Domain Users, which is everyone).
    2) Edit the Group Policy that the W7PP created in your AD environment. It's likely called "W7PVP Folder Redirection".  Start with verification under the Settings tab, expand Folder Redirection beneath User Configuration states that
    Policy Removal Behaviour is set to Restore Contents.  Then proceed using the Editor, to make adjustments under the Scope tab; verify membership in Security Filtering.  Remove Domain Users,
    add in Folder Redirection Members (or whatever you named your group in step 1).
    3) on your workstation that your user you are applying the change to disable folder redirection, Log on to the domain account while connected to your network, elevate a command prompt, and perform a 'gpupdate /force' command and then reboot your computer. 
    Folder redirection configuration should be removed from the system and redirected contents should be restored back to your local path. Verify with inspection of the My Documents or other folders.
    Hope this helps. Keep in mind, no warranty implied or expressed in this advice.
    Try not to be so darn grumpy. :-/
    Jason Miller B.Comm (Hons), MCSA:Win7, MCITP, Microsoft MVP

  • Disable Fast User Switching for RDP (NOT HIDE ENTRY POINTS!)

    Windows 7 Pro.
    I do virtually all my administration of 150 workstations (various domains and workgroups) remotely via RDP, and with Windows 7, I am finding more and more complications with Fast User Switching. Anything running under another user account may well
    interfere with what I need to do: it may slow me down by consuming system resources, or it may, in fact, lock files that I need to remove or update.
    When I log on remotely via RDP, I am notified that another user is logged on, but I have no option to log the other user off. If I then attempt to update a program that the other user has open, it may not update correctly because the other user has files
    in use. I have been told I can use WMI to force another user logoff. I could probably run shutdown -i and force the user off (but, of course, that might log me off as well). However, this is not a good approach; when I run updates, I typically connect to anywhere
    from five to 30 workstations simultaneously, and by the time I get logged onto all of them, I have no idea which had other users logged on and which did not. I would have to repeat on each of 30 workstations just to find out. I need a way to force-logoff the
    other user during my logon process.
    In the middle of running software installation, I may disconnect (NOT LOGOFF) from a workstation, take it to another site, then reconnect to the station to finish the installation. I may even just walk away from my computer for 15 minutes while updates are
    running. If a non-administrative user attempts to logon, it asks me for permission, but allows the user to logon if I do not manually deny it. All non-administrators must be automatically denied logon when I am logged on.
    It seems that disabling Fast User Switching would do this, but every time I have posted anywhere on the issue, I get another set of instructions on how to hide the entry points for Fast User Switching. That may work well for managing local logons
    but fails miserably to protect my administrative environment.

    Hi Brian,
    Based on the KB article 279765
    How To Use the Fast User Switching Feature in Windows XP, when not using Fast User Switching (FUS) and a non-administrator is logged on, a member of the Administrators
    group can establish a remote desktop connection and has the ability to logon to the machine locally and gets a prompt to logoff previous logged on user. When an administrator is logged, any member of the Administrators group may establish a remote desktop
    connection. If a non-administrator attempts to connect, you may receive the following error message:
    “The user <Domain or Computer Name>\<username> is currently logged on to this computer. Only the current user or an administrator can
    log on to this computer.”
    In Windows 7, if the Fast User Switching is turned off, the Administrator cannot attempt to login locally. Administrator can do a Remote Desktop Session
    to the Windows 7 machine and put his credentials. Once he attempts to login, he gets a prompt that looks like below.
    “Once Administrator clicks on Yes, the User1’s session is disconnected.”
    After logging in, Administrator can launch the Task Manager, click on “Users” tab and logoff User1. The prerequisite for the Administrator
    to be able to do a Remote desktop session to the Windows 7 machine is to enable Remote Desktop services on the Windows7 machine.
    In the interim, when the Administrator is logged in and has not attempted to logoff User1 yet, if User2 tries to login, the Administrator will get a
    prompt that looks like below.
    “If the Administrator clicks OK, User2 will be allowed to login and the Administrator’s session will be disconnected.”
    This is a known issue.
    Regards,
    Sabrina

  • Disable Inbox Rules for Disable Users

    I have found that when our helpdesk disables an AD user account (terminated employee) that has an Outlook inbox rule to forward the email to an email address outside the organization, emails sent to the former employee are still forwarded to that outside
    email address.  I would like to run a script each day that queries AD for all disabled accounts, removes any forwarding SMTP addresses, then removes all mailbox inbox rules.  I have been trying to use get-aduser against a DC and export the list of
    disabled users, this works fine.  I then take that csv, import it and use -foreach-object to set the forwarding smtp address to null.  I would then like to use the same csv file to run the -removeinbox rule command against the list.  I am having
    a hard time combining the commands I need into a PS script that works against both AD and Exchange.
    Anyone have some powershell kung fu to assist me?  Thank you!
    ~Eric

    Hi Eric,
    According to your description, I understand that you want a script to get a list of disabled AD user, then removes any forwarding SMTP addresses, then removes all mailbox inbox rules.
    We can run following command to get a list of disabled AD user in PowerShell:
    Get-ADUser -Filter 'Enabled -eq "false"' | select name,userprincipalname
    More details about “How Can I Get a List of All the Disabled User Accounts in Active Directory? “, for your reference:
    http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/12/how-can-i-get-a-list-of-all-the-disabled-user-accounts-in-active-directory.aspx
    Also, run below command to disable forwarding SMTP address and inbox rule:
    Get-Mailbox -Identity xxxx | Set-Mailbox -DeliverToMailboxAndForward $false
    Get-InboxRule -Mailbox xxxx | Remove-InboxRule
    However, we recommend use this disable AD user to disable mailbox.
    By the way, this question is related to the script of Exchange server, please contact the relevant team so that you can get more professional suggestions. For your convenience:
    http://technet.microsoft.com/en-us/scriptcenter/dd742246.aspx
    Best Regards,
    Allen Wang
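
An added example (not from either post above, and not a Microsoft-supplied script) that combines the cmdlets named in this thread into the daily job Eric describes. It assumes an on-premises Exchange Management Shell with the ActiveDirectory module available; the report path and the -Apply switch are names chosen here for illustration.

```powershell
[CmdletBinding()]
param(
    # Placeholder report location (assumption, adjust to your environment)
    [string]$ReportPath = 'C:\Temp\disabled-mailbox-cleanup.csv',
    # Without -Apply the script only reports what it would change
    [switch]$Apply
)

Import-Module ActiveDirectory

$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $false') {

    # Not every disabled account has a mailbox; skip those quietly
    $mbx = Get-Mailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }

    # Server-side inbox rules, and the subset that sends mail somewhere else
    $rules = @(Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)
    $forwardingRules = @($rules | Where-Object {
        $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo
    })

    $hasMailboxForward = [bool]($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress)
    $needsChange       = $hasMailboxForward -or ($rules.Count -gt 0)

    # Record the state before changing anything, so the forwarding
    # targets stay available for later review
    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        ForwardingSmtpAddress = [string]$mbx.ForwardingSmtpAddress
        ForwardingAddress     = [string]$mbx.ForwardingAddress
        RuleCount             = $rules.Count
        ForwardingRules       = ($forwardingRules | ForEach-Object { $_.Name }) -join '; '
        Changed               = ($Apply.IsPresent -and $needsChange)
    }

    if ($Apply) {
        if ($hasMailboxForward) {
            # Clear both kinds of mailbox-level forwarding
            Set-Mailbox -Identity $mbx.Identity `
                -ForwardingSmtpAddress $null `
                -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false
        }
        # Remove every inbox rule on the disabled user's mailbox
        $rules | Remove-InboxRule -Confirm:$false
    }
}

# Write the report only when at least one disabled mailbox was found
if ($report) {
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
}
```

Run it once without -Apply and read the CSV before scheduling it with -Apply.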

  • How do I disable iTunes for a single user?

    I recently purchased an iPhone and installed iTunes on my Windows Vista computer. It looks like iTunes was installed for all users. I typically have 2 windows user accounts active during the day. When I plug in my iPhone (with the included usb cable) iTunes tries to start for both users. One will succeed and I will constantly get error messages from the other until I unplug my iPhone. I always want my primary user account to start iTunes and connect to my iPhone when I plug it in and never want my secondary user to start iTunes or connect to my iPhone. Is there a way that I can just disable iTunes for my secondary user?

    Chris,
    Thanks for your reply. Where is this option available? I have checked all the tabs that show up when I select iPhone. I have checked all the menu items (including edit-preferences) and I have also right clicked on iPhone. I don't see an item anywhere that will let me control this.
    I am using iPhone 2.2.1 and iTunes 8.1, there are no updates available.
    thanks again,
    Jason

  • Can it be possible to disable outlook anywhere for some few users who are working from home ?

    One of my customers wants to disable outlook anywhere for some of the users who are working from home. They have exchange server 2013 in their premises and also have outlook 2010/2013 on their clients' machines. Please advise?

    Hi,
    In Exchange 2013, all Outlook connectivity (Internal and External) are using Outlook Anywhere anyways. It is not recommended to use the following command to disable Outlook Anywhere for a specific user:
    Set-CASMailbox UserA -MAPIBlockOutlookRpcHttp $True
    If you disable it, the UserA would not be able to access the mailbox from both Internal Outlook client (Office) and external Outlook client (Home).
    For your requirement about disable Outlook anywhere for some few users instead of all external users, there seems to be no method to achieve it directly in Exchange server. Sorry for any inconvenience.
    Regards,
    Winnie Liang
    TechNet Community Support

  • How to disable end user personalisation for all webdynpro application.

    Dear Experts,
    I have a requirement where I have to disable the end user personalization of each and every
    webdynpro application in my server.
    I know how to disable the personalization of a single application or a single component, but my requirement is to disable the personalization of all applications.
    Request you to please suggest.
    Warm Regards,
    Upendra Agrawal

    Hi,
    As per SAP help,
    Customizing: User-Independent, Client-Wide Modifications
    While a single user – during a personalization process – can manipulate his or her own settings, an administrator has the option of executing Customizing settings for all users. Technically, this procedure is not different from personalization; both take place at runtime of an application. The difference lies in the range of the settings. In addition, for these global settings an application must run in a special administration session. This is always automatically the case if an application was started in the portal in the preview session. Independently of the portal, you can start an application in the following manner from within the workbench in administration mode:
    Double-click the name of the application in the object list.
    In the Web Dynpro Applications menu in the upper, left-hand corner of the Workbench window, choose Test > Execute in Admin Mode.
    The configuration mode is passed to an application as the sap-config-mode=X URL parameter.
    Note
    All the adjustments made by the administrator in admin mode are stored as client-specific. Presently no option is available for structuring smaller user groups on an administrative basis. Since cross-client adjustment applies to the respective configuration, the structuring of smaller groups can be implemented currently through the maintenance of different configurations.
    End of the note.
    You start personalization by calling up the context menu for the respective UI element in your application. In the corresponding context menu for an administrator (that is, with URL parameter sap-config-mode=X), in addition to the standard settings administrators have the option within a UI element container to sort either single lines (Grid, Matrix and RowLayout) or single elements (FlowLayout).
    Note
    Administrators require special authorization for client-wide modifications. This can be a developer authorization or the special authorization S_WDR_P13N. You cannot create configurations at design time with this authorization, but you can make modifications at runtime.
    End of the note.
    These modifications are valid for all users but take place in the current client only.
    Thanks,
    Chandra

  • How to disable filevault for a different user

    Hello all,
    I have a user who has enabled FileVault on his account, running 10.6.8.
    When he logs in, he sees the spinning beach ball, nothing else.
    No desktop, nothing.
    How can I disable FileVault and get his account back to normal?
    Thanks in advance.
    ITTG.

    Jeremy Flagg wrote:
    I have created a user account for her so she doesn't mess with our settings, and I would like to disable printing privileges for her account.
    Is this possible?
    Denying printing for a user is possible but you need to modify the CUPS configuration file. It is far easier to deny use of a specific printer for a user. Use the web interface to CUPS http://127.0.0.1:631/printers Find the printer you want to disable for a specific user. Click on the button "Set Allowed Users". You will then be able to list the users you want to have access or to deny access to that printer. If you deny access to the printer, it will not appear in the list of printers when they try to print.
    Matt

  • Sun IdM 7.1 - 'Is Disabled' shows 'No' for disabled user in configurator UI

    Hi All,
    I have user1 in SIM who has been disabled on RACF through SIM.
    But, when I open this user object in SIM, logged in as configurator, the 'Is Disabled' column for the RACF resource shows 'No', when it should be showing 'Yes'.
    I've checked user1 on RACF and user1 has been disabled there.
    Below is the code which I've used to disable the user on RACF:
    <set>
      <concat>
        <s>view.update.accounts[</s>
        <ref>appname</ref>
        <s>].selected</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.waveset.accounts[</s>
        <ref>appname</ref>
        <s>].disabled</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.accounts[</s>
        <ref>appname</ref>
        <s>].disabled</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.accounts[</s>
        <ref>appname</ref>
        <s>].disable</s>
      </concat>
      <s>true</s>
    </set>
    (In the above code, the 'appname' variable will contain the value as 'RACF' at run-time).
    I've tried various other things, but still the 'Is Disabled' column shows 'No' only.
    Also, apart from the above code, I'm also using resource action which actually runs the RACF command to disable the user on RACF.
    FYI - I'm using Sun Identity Manager 7.1
    Any help on this would be greatly appreciated.
    Thanks in advance!

    Check if you have customized
    'Default RACF ListUser AttrParse', if so it should have the attribute
    <multiLine>
    <t> ATTRIBUTES=</t>
    <str name='ATTRIBUTES' multi='true' delim=' ' noval='NONE'/>
    <skipToEol/>
    Reason:
    Since this is the attribute reference in the method isDisabled() in your com.waveset.adapter.RACFResourceAdapter.
    Thanks

  • FIM CAL for disabled users?

    Hi,
    According to the FIM licensing guide:
    "For each user for whom the Forefront Identity Manager software issues or manages identity information, a CAL is required."
    So is a CAL required for a user who has left the organisation, but for legal reasons, the account will remain in FIM/AD/etc for 5 years (as a disabled account).
    Thanks,
    SK

    On Mon, 26 Jan 2015 11:03:34 +0000, Mann.Cool wrote:
    I had the same confusion.
    Am I correct in assuming that no CAL is required for disabled users?
    No, that's not the deal here. The reason that no CAL is required in Shim's
    case is that the disabled accounts are for users who are no longer employed
    by the company in question.
    If a disabled user account was associated with someone who is still
    employed by the company then a CAL would be required.
    The no CAL requirement is not tied to the fact that we're dealing with
    disabled accounts, it is tied to the fact that the person with whom the
    account is associated is no longer with the company. If the person to whom
    the account is associated is no longer an employee, the account could be
    active and no CAL would be required.
    Paul Adare - FIM CM MVP
    Programming is like sex: One mistake and you're providing support for
    a lifetime. -- ?

  • Tried to reset an error that my Id is disabled.  Have seen this to be a problem for other iPhone users.  Any advice on correcting or contacting Apple direct?  Thanks

    Tried to reset an error that my Id is disabled.  Have seen this to be a problem for other iPhone users.  Any advice on correcting or contacting Apple direct?  Thanks

    Try contacting iTunes store support here: http://www.apple.com/emea/support/itunes/contact.html.

  • Disable Imap ,pop , sync ,owa for all new users

    Hi
    Based on the below
    https://social.technet.microsoft.com/Forums/en-US/879f1efd-c9ca-40ef-a698-4d7fa106f1be/disable-imap-pop-sync-owa-for-new-users?forum=exchangesvrgeneral
    I applied all the steps, but sometimes it works and sometimes not.
    Shall I apply all steps on all Mailbox servers and CAS servers?
    I applied them only on CAS servers.
    Please help on this matter.
    MCP MCSA MCSE MCT MCTS CCNA

    Hi,
    We don’t need to run this script on all the servers. Just once is enough. For the problematic users, you can use Get-CASMailbox -Identity user | FL to check if the restrictions are applied
    successfully:
    https://technet.microsoft.com/en-us/library/bb124754(v=exchg.150).aspx
    Thanks,
    Simon Wu
    TechNet Community Support

  • How do I get the Managed bean and Taskflow logic for Disable button in User details Modify page

    Hi,
    I have a requirement where I have to add to custom buttons like "Terminate" and "Reinstate" in the users detail page. Terminate is closely modeled with "Disable" button of user details page. Before I develop the custom beans and register the task flow for the custom button, I just want to understand the logic written in the managed bean for "Disable" button and understand what is there in its associated task flow. Am trying to get these details from OIM. Not sure where exactly I can get the code for this and customize as per my requirement.
    Please suggest the exact location?
    Raghu

    Thanks for the information - I still was hoping that the article Mario mentioned above was accessible (perhaps just moved)?  Somewhere on the BC system?  Just so I can add it to my BC help folder - as well as even share it with clients who want to try things on their own (best to give them some help in that direction so they don't fumble through things).
    I have the checkout form populating information, if they have purchased in the past it will populate their address - but I am also trying to get their "account page" to do the same  (basically show them what their current information in the system is - then allow them to update whatever might be wrong or need changes).  We have a login page, for people to sign up without having "bought" something - so the CRM won't have their billing/shipping info in the system yet.  Trying to capture that without a purchasing being made.

  • Disabling Related Content for groups of users

    I only want certain members of my user community to have access to the related content I am providing, and want to exclude all other users from any related content.
    Does anyone know of a way to disable related content in PeopleTools 8.50 for groups of users (i.e. I want to hide the Related Information pagebar link based on security settings)?
    Also, I have found that the Related Information link is only displayed if the Customize Page link is also available on the pagebar. Is there any logical reason for this, or is it a bug?

    my solution here:
    Re: 3-state authorization function - {DENY | VIEW | EDIT}?
