Disabling User instead of deleting

I'm using OIM 9031.
I've created a custom access policy which grants a user a resource (OEBS) based on his group membership.
When the user is no longer a member of the group, his account is deleted from the assigned resource. How do I change the behavior of OIM so that the user account in OEBS would be blocked instead of completely deleted?

Yes, I want the account to be re-enabled after the user is a member of the group again. No idea how to change the provisioning workflow...
Maybe I should add two new tasks, for enabling/disabling the user, but then I must somehow incorporate the 'enable user' task into my workflow. It may require a third task which checks if the user account already exists (e.g. the user is already provisioned the resource) and, depending on the response code, launches either the create or the enable task...

Similar Messages

  • Disable users from adding-deleting row/columns

    We are running SharePoint 2010 and I would like to set up some type of permission that will disable certain users from adding/deleting rows/columns.
    Any suggestions will be appreciated.
    Thank you

    Each list in SharePoint can be assigned certain roles. You can break the inheritance for that list and assign a group as a new role to the list. The users belonging to that group will only have access to that list depending on what permissions you give that
    group. The code goes something like this:
    using Microsoft.SharePoint;

    // Runs inside a feature receiver (FeatureActivated); 'properties' is the
    // SPFeatureReceiverProperties passed to it, and its parent is the web.
    SPWeb web = (SPWeb)properties.Feature.Parent;
    string ListName = "C";
    SPList list = web.Lists[ListName];
    // Stop the list from inheriting the web's permissions, keeping a copy of
    // the current role assignments so they can be pruned below
    list.BreakRoleInheritance(true);
    string GroupName = "Owners";
    SPGroup group = web.SiteGroups[GroupName];
    SPGroupCollection removeGroups = web.SiteGroups;
    // Drop every site group except the one that should keep access
    foreach (SPGroup removeGroup in removeGroups)
    {
        if (removeGroup.Name != GroupName)
        {
            SPPrincipal principal = (SPPrincipal)removeGroup;
            list.RoleAssignments.Remove(principal);
        }
    }
    // Grant the remaining group the Administrator (Full Control) role on the list
    SPRoleDefinition rDefinition = web.RoleDefinitions.GetByType(SPRoleType.Administrator);
    SPRoleAssignment rAssignment = new SPRoleAssignment(group);
    rAssignment.RoleDefinitionBindings.Add(rDefinition);
    list.RoleAssignments.Add(rAssignment);
    list.Update();

  • How to delete disabled users in SCCM 2012

    Currently we disable user accounts in AD and then move them to a different OU where they stay for 6 - 12 months.
    How can I identify those disabled user accounts and delete them from the SCCM console?
    Thank you

    Thanks for the response, but there wasn't a process in place so I was tasked with a one-time cleanup and we don't have Orchestrator in place.
    I ended up doing the following:
    1. Use a PowerShell script to output all disabled user IDs
    Get-ADUser -Filter 'Enabled -eq $false' | Select-Object samaccountname
    2. Set up a query on a collection to gather all these user IDs
    select * from SMS_R_User where SMS_R_User.UserName in ("User1", "user2")
    3. Delete the users in the collection
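    As an added example (not from the thread), the three steps above done end to end in PowerShell, with a dry run by default. It assumes the ActiveDirectory module is installed and that the account running it can query the site's SMS Provider; the OU path, site code and site server name are placeholders (assumptions). Step 3 deletes the user records through the site's WMI namespace rather than through the console, and the generated IN (...) clause is the same text you would paste into the collection rule in step 2.

```powershell
# Added example, not from the original thread. OU, site code and server are assumptions.
function Remove-StaleSccmUsers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$DisabledOu  = 'OU=Disabled Users,DC=example,DC=com',  # assumption
        [int]   $MinDaysInOu = 180,                                    # 6 months
        [string]$SiteCode    = 'P01',                                  # assumption
        [string]$SiteServer  = 'sccm01.example.com'                    # assumption
    )

    Import-Module ActiveDirectory

    # Step 1. AD keeps no "disabled on" timestamp, so whenChanged (last write to the
    # object, which the move into the holding OU updates) is used as the age reference.
    $cutoff = (Get-Date).AddDays(-$MinDaysInOu)
    $stale  = Get-ADUser -SearchBase $DisabledOu -Filter 'Enabled -eq $false' -Properties whenChanged |
              Where-Object { $_.whenChanged -lt $cutoff }
    if (-not $stale) { Write-Verbose 'No accounts old enough to remove'; return }

    # Step 2. Build the collection query. sAMAccountName cannot legally contain quotes
    # or backslashes, so refuse anything that does rather than try to escape it.
    $names = foreach ($u in $stale) {
        if ($u.SamAccountName -match '["\\]') { throw "Unexpected character in $($u.SamAccountName)" }
        '"' + $u.SamAccountName + '"'
    }
    $wql = 'select * from SMS_R_User where SMS_R_User.UserName in (' + ($names -join ', ') + ')'
    Write-Verbose "Collection query: $wql"

    # Step 3. Delete the discovered user records the query would have collected.
    # The SMS Provider accepts the extended WQL (including IN) that the console uses.
    $ns = "root\SMS\site_$SiteCode"
    foreach ($rec in Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $wql) {
        if ($PSCmdlet.ShouldProcess($rec.UniqueUserName, 'Delete SMS_R_User record')) {
            $rec.Delete()
        }
    }
    return $wql   # also handy for pasting into a collection rule in the console
}

# Dry run: lists what would be deleted, deletes nothing
Remove-StaleSccmUsers -Verbose -WhatIf
```

    Run it without -WhatIf (and with -Confirm:$false if you want no prompts) once the dry-run output matches the list from step 1; the whenChanged cut-off is the part to check first, since any later edit to a disabled account resets it.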

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to archive deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

  • AD Identity Service: Delete or Disable users that aren't found?

    We currently set users to be "disabled" but then we have to periodically remember to go in there and delete them manually. It also creates issues with duplicate login names. Do you delete your users automatically? I've always been concerned that if something goes wrong with a sync then all my users would be deleted.

    We had the same issue here, so I wrote an external operation that piggybacks on the user sync job and deletes any disabled users older than X days. For instance, in our case users are deleted after 180 days of being disabled (this is a bit extreme). This way you can give yourself a few days before the users are actually deleted, but keep the process automated. There are a couple of options built in, which should be discernible from the source code. Here is the source:
    package com.oracle.services.jobs;

    import com.oracle.services.utility.SessionManager;
    import com.plumtree.openfoundation.util.XPCalendar;
    import com.plumtree.openfoundation.util.XPDateTime;
    import com.plumtree.server.IPTObjectManager;
    import com.plumtree.server.IPTQueryResult;
    import com.plumtree.server.IPTSession;
    import com.plumtree.server.IPTUser;
    import com.plumtree.server.IPTUserManager;
    import com.plumtree.server.PT_LOCKSTATES;
    import com.plumtree.server.PT_PROPIDS;

    /**
     * This class takes care of the automation server job for deleting user accounts
     * which have been disabled for some number of days.
     * @author hross
     */
    public class DeleteDisabledAccountsJob {
        // filter for only deleting agent disabled accounts
        private static String FILTER_AGENT = "This user has been locked by a User Synchronization Job.";
        // filter for deleting all disabled accounts (including those disabled by an admin)
        private static String FILTER_ALL = "";

        public static void main(String[] args) {
            // check arguments
            if ((args.length < 2) || (args.length > 4)) {
                System.err.println("usage: ");
                System.err.println("DeleteDisabledAccountsJob <security_token> <num_days>");
                System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> all");
                return;
            }
            // get a session from the login token
            IPTSession session = SessionManager.createSession(args[0]);
            // get a number of days
            int numDays = 0;
            try {
                numDays = Integer.parseInt(args[1]);
            } catch (Exception ex) {
                System.err.println("Number of days not a valid integer.");
                return;
            }
            // filter all or just the agent? ("all" and "test" may come in either order)
            boolean filterAll = ((args.length > 2) && (args[2].equals("all")))
                    || ((args.length > 3) && (args[3].equals("all")));
            boolean test = ((args.length > 2) && (args[2].equals("test")))
                    || ((args.length > 3) && (args[3].equals("test")));
            if (test) {
                System.err.println("This is just a test. Nothing will be deleted.");
            }
            if (filterAll) {
                System.err.println("This job will delete all disabled accounts (even those disabled by an admin).");
            } else {
                System.err.println("This job will delete only users disabled by an authentication source.");
            }
            // calculate numDays days in the past based on today's date
            XPDateTime cutOff = new XPDateTime();
            XPCalendar xpCalendar = XPCalendar.GetInstance();
            xpCalendar.Add(XPCalendar.HOUR, -(24 * numDays));
            cutOff = xpCalendar.GetTime(); // subtract numDays days from current time
            System.err.println("This job will delete any user accounts disabled before: " + cutOff.toString());
            // query for disabled (locked) user accounts
            IPTUserManager userManager = (IPTUserManager) session.GetUsers();
            IPTQueryResult result = userManager.GetLockedAccounts(filterAll ? FILTER_ALL : FILTER_AGENT, 0, -1);
            for (int i = 0; i < result.RowCount(); i++) {
                // get some basic user info
                int userId = result.ItemAsInt(i, PT_PROPIDS.PT_PROPID_OBJECTID);
                String name = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_NAME);
                String login = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_USER_LOGINNAME);
                XPDateTime dt = result.ItemAsXPDateTime(i, PT_PROPIDS.PT_PROPID_CREATED);
                // check to see if we need to delete the user
                if (dt.Before(cutOff)) {
                    if (!test) { // if test, we just want to see who we would have deleted
                        // we have to try to unlock the user b/c of a bug in automation server
                        IPTUser user = (IPTUser) ((IPTObjectManager) userManager).Open(userId, false);
                        try {
                            user.SetLockedStatus(false);
                            user.Store();
                        } catch (Exception ex) {
                            // we expect this will fail b/c of a bug
                        }
                        // make sure the account gets unlocked
                        if (user.GetLockState() == PT_LOCKSTATES.PT_LOCKED) {
                            user.UnlockObject();
                        }
                        // okay, now we can delete the user
                        ((IPTObjectManager) userManager).Delete(userId);
                    }
                    System.err.println("Removed user account: " + userId + " - " + login + " - " + name);
                }
            }
        }
    }

  • AD Trusted Recon - Disabling user deletes him in OIM

    Hello,
    I'm having trouble changing a user state to 'Disabled' in OIM when I disable him in the Active Directory.
    Has anyone ever encountered this problem and know how to solve it?
    Thanks in advance

    The problem with disabled users in AD has been discussed numerous times over the years and there have been a number of different "solutions" to the problem.
    Our standard solution to this has been to have our own AD connector so that we could change the behavior to what the specific customer wanted.
    The 9.1 AD connectors have been delayed and are now ETA between "July and December 2008".
    Best regards
    -M

  • Disable a User Account WITHOUT Deleting It???

    Is there a way to disable an account without deleting it?

    Yep. When you choose to delete an account you will be prompted whether to delete it immediately or save it to disc image file.

  • ADAM disable user setADAMAttributesInLDAP():  null=testadamuser001

    Hi All,
    I get the following problem when running disable user:
    ADAM disable user setADAMAttributesInLDAP(): null=testadamuser001
    instead of CN=testadamuser001
    I am faced with null=testadamuser001.
    Any ideas/comments why this happens?
    Thanks in advance.
    The full stack trace is below.
    Regards,
    Vinod
    Running Disable ADAM User
    tcUtilADTasks::disableADAMUser() Enter
    tcUtilADTasks::getObjectByObjectGUID() Enter
    tcADUtilLDAPController::search() Enter
    tcADUtilLDAPController::getPath() Enter
    tcADUtilLDAPController::getPath() Exit
    tcADUtilLDAPController::connectToAvailableAD() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Exit
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
    tcADUtilLDAPController::validateCertificates() Enter
    tcADUtilLDAPController::validateCertificates() Exit
    Critical Extensions Supported
    tcADUtilLDAPController::invalidateSSLSession() Enter
    tcADUtilLDAPController::invalidateSSLSession() Exit
    tcADUtilLDAPController::connectToAvailableAD() Exit
    tcADUtilLDAPController::disconnect() Enter
    tcADUtilLDAPController::disconnect() Exit
    tcADUtilLDAPController::search() Exit
    tcUtilADTasks::getObjectByObjectGUID() Exit
    tcADUtilLDAPController::getCanonicalName() Enter
    tcADUtilLDAPController::removeOrgFromRootContext() Enter
    tcADUtilLDAPController::removeOrgFromRootContext() Exit
    tcADUtilLDAPController::getCanonicalName() Exit
    tcUtilADTasks::checkHierarchy() Enter
    tcUtilADTasks::checkHierarchy() Exit
    tcADUtilLDAPController::getAttributeValues() Enter
    tcADUtilLDAPController::getPath() Enter
    tcADUtilLDAPController::getPath() Exit
    tcADUtilLDAPController::connectToAvailableAD() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Exit
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
    tcADUtilLDAPController::validateCertificates() Enter
    tcADUtilLDAPController::validateCertificates() Exit
    Critical Extensions Supported
    tcADUtilLDAPController::invalidateSSLSession() Enter
    tcADUtilLDAPController::invalidateSSLSession() Exit
    tcADUtilLDAPController::connectToAvailableAD() Exit
    tcADUtilLDAPController::getAttributeValues() Exit
    tcADUtilLDAPController::setADAMAttributesInLDAP() Enter
    tcADUtilLDAPController::getPath() Enter
    tcADUtilLDAPController::getPath() Exit
    tcADUtilLDAPController::connectToAvailableAD() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Enter
    tcADUtilLDAPController::hashTableEnvForDirContext() Exit
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
    tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
    tcADUtilLDAPController::validateCertificates() Enter
    tcADUtilLDAPController::validateCertificates() Exit
    Critical Extensions Supported
    tcADUtilLDAPController::invalidateSSLSession() Enter
    tcADUtilLDAPController::invalidateSSLSession() Exit
    tcADUtilLDAPController::connectToAvailableAD() Exit
    tcADUtilLDAPController::modifyAttributes() Enter
    The error occured in tcADUtilLDAPController::modifyAttributes():[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=OU-XXXXX,OU=YY,DC=XXXXXXX,DC=PP,DC=MM'
    ERROR,27 aug 2009 07:43:15,231,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::setADAMAttributesInLDAP():
    null=testadamuser001
    doesn't exists:[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=OU-XXXXX,OU=YY,DC=XXXXXXX,DC=PP,DC=MM'
    tcADUtilLDAPController::disconnect() Enter
    tcADUtilLDAPController::disconnect() Exit
    AD User disable operation failed:Connection Error
    tcUtilADTasks::disableADAMUser() Exit

    Hi Saggu,
    I checked all the look ups and they seem to be fine.
    I am using 9101 connector of AD.
    Lookup definition for AD.Parameter is as follows
    MultiValueAttributes     memberOf
    MultiValueAttributesConfiguration     ,
    UserObjectConfiguration     |
    LdapUserObjectClass     user
    LdapGroupMember     member
    LdapUserDNPrefix     cn
    Pagesize     100
    I am clueless as to why or where from null comes in. Create Delete and other operations are working fine.
    Ive even checked AtMAP.ADAM and it looks ok.
    Regards,
    Vinod

  • HT4796 How can I take the files that were migrated from my PC to my Mac and add all those files to my current user instead of having 2 users?

    How can I take the files that were migrated from my PC to my Mac and add all those files to my current user instead of having 2 users? Having to log out just to sign in on a different user to access the files is absurd.
    Do I make all the files shareable to all the NOW users on the Mac and then just delete the files? Or can I erase my account that I made when starting up my new Mac and then just use the one with the transferred files?
    I just don't want to have to log in and out of 2 different accounts... Help please.
    -Nina

    Sorry. /Users is a folder path. It would be similar to C:\Users (if that exists on Windows).
    So, in the Finder, select Computer from the Go menu.
    You'll see Macintosh HD, double-click that to open it.
    In there you'll see several folders. One is Users. That is where all the user Home folders exist. Select the other account's home folder and go to step 3.
    If you have any more confusion, please stop and ask. We'll get there.
    If you feel more comfortable, you can just log into that other account and move the files into /Users/Shared.
    Then, log into the account you wish to use and copy the files from the Shared folder and paste them into your Home folder, wherever they belong, Documents, Music, Pictures, etc.  That just takes a little more work. Transferring them into Shared, and then copying into your home sets the permissions on the files so that you won't have a problem accessing them later. The steps I provided just prevent you from having to do the double move, since you are not going to use the old account once you are done.
    Quick unix shorthand. If someone gives you a file path that begins with a /, that means the root of the hard drive, ie Macintosh HD (if you haven't renamed it). The path separator in unix is /, not \.
    A path that starts with ~/ means your Home folder, the one inside /Users named with your account name.

  • Outlook Contact Card - Organization Tab disabled users

    In Outlook there is a Contact Card showing detailed information about that person. The Organization tab shows the contact's "Manager", "Shares Same Manager" (other contacts with the same manager), and "Direct Reports" (people that report to that contact).
    The problem I am seeing is that users disabled in Active Directory (people that have left the company) are showing up in the Organization tab.
    How can I filter out disabled users from this list for anyone using Outlook?
    I cannot permanently delete users from Active Directory until after a disabled account reaches a certain age. Also I would prefer not to modify the disabled Active Directory user accounts.
    We mostly run Outlook 2010 with a few people running Outlook 2013.

    Hi,
    Outlook has no control over this; it just displays what it got from the server end. And to my knowledge, there is no such feature to filter out those users from that list, at least on the Outlook client.
    Regards,
    Ethan Hua
    TechNet Community Support
    It's recommended to download and install the Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

  • Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

    Hello. Can anyone help please?
    In our Exchange 2010 environment we have users who are granted send-on-behalf access. Obviously some users leave and I'm finding that there are ghosts left behind which are causing issues with our team who add users into the GrantSendOnBehalfTo option using the EMC. Using the log view we copy out the command, remove the disabled user from the command and then paste this into an Exchange PowerShell command line. This works because it is doing what the Exchange EMC does, which is rewrite the -GrantSendOnBehalfTo option in its entirety.
    The problem occurs because I need to remove these en masse from approx. 700 plus accounts.
    I have tried to modify one user in order to get the script to work but it doesn't.
    This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:
    Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that it was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter isn't the expected type.
        + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : F6498844
        + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
    I am running the script from my local PC.
    This is the script I have used.
    # Gather info: use Get-Mailbox -ResultSize Unlimited for the full run
    $mailboxes = Get-Mailbox zplew1
    foreach ($mailbox in $mailboxes) {
        $keep = @()
        $removed = @()
        foreach ($address in $mailbox.GrantSendOnBehalfTo) {
            # In a remote EMS session the entries arrive as deserialised ADObjectIds with no
            # AddressString property; their string form is the canonical path
            # (domain/DisabledUsers/2013-08/Name), which is what the -like test has to see
            $addressString = [string]$address
            if ($addressString -like "*disabled*") { $removed += $addressString } else { $keep += $addressString }
        }
        if ($removed.Count -gt 0) {
            foreach ($r in $removed) { "$($mailbox.Alias),$r" >> "C:\Scripts\grantsendonbehalfto.csv" }
            # Rewrite the list in its entirety without the disabled entries, exactly as the EMC does
            if ($keep.Count -gt 0) { Set-Mailbox -Identity $mailbox.Identity -GrantSendOnBehalfTo $keep }
            else { Set-Mailbox -Identity $mailbox.Identity -GrantSendOnBehalfTo $null }
        }
    }
    If you require any more info please let me know.

    #1 - I recommend posting in the Exchange forum for how to do this.
    #2 - When an account is disabled most of the information in the object is hidden. You would need to undelete to use the object.
    #3 - Get the list as text and validate all values are not deleted accounts. Remove deleted and save back.
    ¯\_(ツ)_/¯

  • How to catch rollback in Disable user process task in Xellerat User Process

    hi ...
    I want to send an email to manager group of the user, once the user is disabled from the OIM (when end date is reached). I created an adapter and attached it to the ‘Changed User Disabled’ process task in the ‘xellerate user provisioning’ process and add a new row in the “Lookup.USR_PROCESS_TRIGGERS” Lookup definition. (code key: USR_DISABLED and Decode: Change User Disabled ). This adapter executes only when the user status is equal to “disabled”.
    This works correctly when the OIM user disabling process execute without any errors. But sometimes while disabling the user it gives an error (“resource is not configured properly”) and rolls back everything and make the user active. But at the same time my adapter runs and sends the mail informing user is disabled but yet user is active.
    My problem is how can I find or catch rolls back transaction in the “Disable User” process task (which is in “Xellerate User” process”) ??? If I can get to know that a roll back is occurred then I can send a mail to OIM administrator, informing that user disable process is failed.
    Can someone please help me to find this..
    Thanks in advance :)
    Regards,
    i.k.

    Hi Rajiv,
    Error occurs while disabling the user due to resource configuration problems. ( error message is : DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY -- One or more provisioned resource is not configured properly) In this case i know the problem and how to solve it. But what I want to know is in any case if disable process get fail and if things get roll back again, then how can I track that situation and send a mail to OIM Admin(informing the failure) instead of sending a mail to user managers saying that user account has been disabled.
    I think now my problem is clear... Can you please help me find this.
    Regards,
    i.k.

  • Updating date while enabling/Disabling user in AD

    Hi All,
    We are using FIM 2010 R2 SP1 and integrated with AD.
    All integration is done through synch rule and no coding.
    Now we have a new requirement to update date in AD while enabling and disabling user.
    Kindly suggest, how it can be achieved through synch rule.
    Thanks,
    Mann

    Hi Mann.Cool,
    You can't set a date dynamically through a sync rule. Instead, I suggest you parse userAccountControl and set a custom attribute with value enabled/disabled.
    See
    http://idmgnt.wordpress.com/xpath-custom-expression/ (Check if an account is enabled or not)
    Once that is done:
    Create two new sets "Enabled users" and "Disabled users"
    Create a WF with T4F Function Evaluator, to set your date attribute (http://oxfordcomputergroup.com/technology/software-tools-components )
    Create the mpr
    Let me know if you want more details
    Regards,
    Sylvain

  • Disabled users still in address book

    We are running Exchange 2000 on a Windows 2003 / AD platform. Disabled users are still appearing in the Outlook 2003 address book. Shouldn't they be automatically hidden? Users are accessing these addresses and creating emails, but of course can't get to the users.
    Firstly, how do I make a list of all users that were disabled but are still in the address list? Secondly, what's the best method to hide them (without having to access each one separately)?
    Thanks.

    Well, just disabling a user account doesn't remove the user name from the address book. You need to select the option "Hide from Exchange address lists" available in the Exchange Advanced tab of user properties.
    I used to get the list of disabled users which are not hidden in the GAL with the below custom LDAP query in Exchange 2003.
    Open ADU&C, right click on the domain & click on Find; in Find select "Custom Search", select the Advanced tab and in "Enter LDAP Query" paste the below LDAP query and click on Find Now.
    (mailNickname=*)(userAccountControl=66050)(!msExchHideFromAddressLists=True)
    You may need to verify the value of the attribute "userAccountControl" of any disabled user with ADSIEdit.msc and give that value instead of 66050, because that one I used in an Exchange 2003 and Windows 2003 environment.
    Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
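    As an added example that is not part of the thread: the exact value 66050 (0x10202) only matches accounts whose flags are exactly NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWORD (0x10000) + ACCOUNTDISABLE (0x2); a disabled account with a different flag mix (514, for one) is missed. The LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 tests the ACCOUNTDISABLE bit on its own, so one filter covers every combination. The script below runs that filter to answer the first question (the list), and with -Apply sets msExchHideFromAddressLists on every hit in bulk to answer the second. It uses only .NET DirectoryServices on a domain-joined machine, so no Exchange tools are needed; without -Apply it is a dry run. The search starts at the current domain's root, which is an assumption to adjust for a multi-domain forest.

```powershell
# Added example, not from the original thread. Dry run unless -Apply is given.
param([switch]$Apply)

$ACCOUNTDISABLE = 2   # bit 0x2 of userAccountControl
# objectCategory=person + mailNickname=* restricts the hit list to mail-enabled users;
# the :1.2.840.113556.1.4.803:= rule matches when (userAccountControl AND 2) == 2.
$filter = "(&(objectCategory=person)(mailNickname=*)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)" +
          "(!(msExchHideFromAddressLists=TRUE)))"

$root = [ADSI]""   # root of the current domain (assumption: single domain)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.PageSize = 500   # paged results, so more than 1000 hits come back
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'distinguishedName'))

$found = $searcher.FindAll()
foreach ($r in $found) {
    $sam = [string]$r.Properties['samaccountname'][0]
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    $dn  = [string]$r.Properties['distinguishedname'][0]
    # Report: account, its raw flag value (shows why an exact match on 66050 is fragile), DN
    Write-Output ("{0}`t{1}`t{2}" -f $sam, $uac, $dn)
    if ($Apply) {
        # Same attribute the "Hide from Exchange address lists" checkbox writes
        $entry = $r.GetDirectoryEntry()
        $entry.Properties['msExchHideFromAddressLists'].Value = $true
        $entry.CommitChanges()
    }
}
$found.Dispose()
```

    The dry-run output is the list for the first question; redirect it to a file and review the userAccountControl column before re-running with -Apply. Hidden accounts drop out of the GAL at the next address-list/offline address book rebuild, not instantly.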

  • How to disable user interaction in listview in ADF mobile

    Hi,
    I want to disable user interaction in the listview. When the user clicks on the listview, it will not be selected or highlighted.
    Thanks.

    Hi,
    Always mention your JDev version. Why not use an iterator instead of a list view? AFAIK, you cannot disable list items.
    -Arun
