Enable/Disable an LDAP account programmatically

What I am trying to do is to enable/disable an account on iPlanet server through our application using LDAP API.
I know that I have to set a value to nsaccountlock operational attribute to activate/inactivate the account. However, I looked at the inactive Perl script on the server and it seems to add nsRoleDN and nsRole to this account as well.
Now I could do the same thing as the Perl script in my application, but my question is: how do I know which Role to add to the account I want to enable/disable? I know that the default role is nsManageDisableRole, but what if the admin changes this Role name or uses a different role? Is there a way to detect the role?
Thanks

You cannot change the role name. If you want to use the same account activation scheme as used by the console and the perl script command lines, you must use the exact same names for roles, etc.
If you don't care about using the console or the command lines to manage roles, you can use any scheme you like, but you cannot mix and match the two schemes.
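
The two schemes discussed above, as an added example that is not part of the original thread or the server's own scripts: it classifies a dict-shaped entry as locked directly through nsAccountLock or through a disabled-role nsRoleDN value, and emits the LDIF change for one scheme while refusing to mix them. The suffix, user DN and role DN (cn=nsManagedDisabledRole under dc=example,dc=com) are constructed assumptions; substitute the DN your server's scripts actually use.

```python
# Added example (not from the thread): plan an enable/disable change without
# mixing the direct-attribute scheme and the role-based scheme.
DIRECT, ROLE = "direct", "role"


def normalize_dn(dn):
    """Simplified DN comparison key: lower-cased, no spaces around commas.
    Does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def values(entry, attr):
    """Case-insensitive attribute lookup on a dict-shaped LDAP entry."""
    return [v for name, vals in entry.items()
            if name.lower() == attr.lower() for v in vals]


def lock_state(entry, disabled_role_dn):
    """Return (locked, scheme). A role-locked entry may also show a computed
    nsAccountLock value, so role membership is checked first."""
    roles = {normalize_dn(v) for v in values(entry, "nsRoleDN")}
    if normalize_dn(disabled_role_dn) in roles:
        return True, ROLE
    locked = any(v.lower() == "true" for v in values(entry, "nsAccountLock"))
    return locked, (DIRECT if locked else None)


def plan_change(dn, entry, scheme, disable, disabled_role_dn):
    """Return the LDIF modify record for the request, or "" if nothing to do.
    Raises ValueError when the entry is locked under the other scheme."""
    locked, current = lock_state(entry, disabled_role_dn)
    if locked and current != scheme:
        raise ValueError(f"{dn} is locked via the {current} scheme, not {scheme}")
    if locked == disable:
        return ""  # already in the requested state
    if scheme == DIRECT:
        body = (["replace: nsAccountLock", "nsAccountLock: true"] if disable
                else ["delete: nsAccountLock"])
    else:
        op = "add" if disable else "delete"
        body = [f"{op}: nsRoleDN", f"nsRoleDN: {disabled_role_dn}"]
    return "\n".join([f"dn: {dn}", "changetype: modify", *body, "-"]) + "\n"


# Constructed sample data; suffix and role DN are assumptions.
ROLE_DN = "cn=nsManagedDisabledRole,dc=example,dc=com"
USER_DN = "uid=jdoe,ou=People,dc=example,dc=com"
ACTIVE = {"uid": ["jdoe"]}
ROLE_LOCKED = {"uid": ["jdoe"], "nsAccountLock": ["true"],
               "nsRoleDN": ["cn=nsManagedDisabledRole, dc=example, dc=com"]}

if __name__ == "__main__":
    print(plan_change(USER_DN, ACTIVE, ROLE, True, ROLE_DN))
    print(plan_change(USER_DN, ROLE_LOCKED, ROLE, False, ROLE_DN))
    try:
        plan_change(USER_DN, ROLE_LOCKED, DIRECT, False, ROLE_DN)
    except ValueError as err:
        print("refused:", err)
```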

Similar Messages

  • Server2003, enable / disable user login via powershell

    Hi all,
    Newbie, in Africa for short time only and probably haven't done all the homework I should have.
    Unix and OO background but just learning powershell.
    I need to be able to enable / disable local user accounts on a local server in a school; no clusters, pretty much stand-alone.  I presume if I can get the user object it has a member / method for enabling / disabling, but I don't understand how to get
    the user object.  In particular, I don't understand the two-character abbreviations used in front of params to queries.
    If I bring up active directory users and computers, what I see is:
    techna-school
      Tech/na school
          Students
    The users I want to enable/disable are members of the "Students" group above, and for RDP / security purposes are members of the "Learners" group.  The server is not in any "official" (i.e. DNS recognized) domain, just gets
    net access as a normal user via dialup and DHCP.
    I'm guessing I need something kinda like the following to get at the user objects, but I haven't a clue what the "ou", "dc", or anything else needed are supposed to be as I don't have an MS server background.
    $learners = [ADSI] "LDAP://ou=Learners,dc=techna-school"
    Any help would be much appreciated.
    Thanks,
    Gary

    From the sounds of it, you have domain accounts not local accounts. The difference is domain accounts can log onto any machine within your domain, whereas local accounts can only log onto the local machine they were created on. Since your users are using
    thin clients, it is most likely a domain account they are using.
    For using AD cmdlets on Server 2003, you need some things in place, this article might help you

    Thanks for the info and pointer.
    I'm a little leery of going through that process as I don't have a test system to work on, but I appreciate the pointer; may delve into that later.
    In the meantime, I've managed to get the user objects using Get-WmiObject, but an attempt to modify them via Set-WmiInstance fails:
        $learners = Get-WmiObject -query "Select Name,Disabled From Win32_UserAccount"
        foreach ($learner in $learners) {
          Set-WmiInstance -InputObject $learner -Argument @{Disabled=$True} -PutType UpdateOnly
        }
    Set-WmiInstance : Invalid Object
    Seems pretty straight-forward so I suspect it is a simple error but I'm not seeing it.

  • Disabling Keyboard Shortcuts for LDAP Accounts -Workgroup Manager...

    I work in a school and all our students are on LDAP accounts. Recently some of the kids realized that hitting Ctrl-Opt-CMD-8 inverts the screen display. You wouldn't believe the amount of havoc this has created at school, especially when they do it to a kid’s account that doesn't know how to fix it.
    Keyboard and Mouse are NOT one of the items under preferences for either groups or accounts in Workgroup Manager. Does anyone know if there is a way around this, or an alternate way of getting rid of the keyboard shortcuts for Universal Access, for either groups or accounts?
    Thanks
      Mac OS X (10.4.6)  

    Within the Workgroup Manager pane for Preferences, there is an option to manage Universal access. Within that section, there is a tab for 'Options'. You will want to change that management to 'Always' and leave the box for 'Allow Universal Access Shortcuts' UNchecked. This will, in effect, disable the usage of the shortcuts for a User or a selected Group account.
    Hope this helps out!!
    www.Admin660.com

  • Is it possible to programmatically enable/disable a schedule?

    Hi,
    I'm looking for a way to start and stop an existing schedule based on certain criteria.
    Is it possible to enable/disable a schedule programmatically, from within an Action block?  Calling an HTTP URL for example?
    Thanks.

    Hi,
    One solution would be using the Illuminator service for this:
    First execute the Scheduler service with list mode (using XML query or HTTP Post action) as :
    /XMII/Illuminator?service=Scheduler&mode=List
    This will give you the list of the available scheduler configurations in the system along with the corresponding Job ID. Use XPath in BLS to retrieve the JobID from the list by the Scheduler Config name.
    Next execute the Scheduler service with Disable mode passing the JobID retrieved from :
    /XMII/Illuminator?service=Scheduler&mode=Disable&ID=<JobID>
    This will disable that particular scheduled job. To enable it use the same service with Enable mode:
    /XMII/Illuminator?service=Scheduler&mode=Enable&ID=<JobID>
    Hope this helps.
    Thanks,
    Dipankar

  • OIM Java API silently ignores accounts operations such as enable/disable/revoke

    Hi
    I am facing a strange situation here.
    My Java app (standalone) was able to set provisioned accounts to "enabled" and then disabled these enabled ones.
    Now, provisioned accounts can't be enabled anymore.
    Commands issued from Java API using ProvisioningService such as "enable", "disable" and "revoke" are being simply ignored. No exception raised, no changes.
    Am I missing some step? Do I need to run any scheduled job in order to "commit" these changes performed from the OIM Java API?
    How do I debug this?
    TIA

    Sorry for my ignorance, but where's this "resource history" thing in OIM?
    Here's what I am doing.
    First, I use the Self Service UI to provision an account. This account belongs to an application instance backed by the OIM Webservice connector.
    I suppose it works because after requesting the account, the connector creates it and returns back a unique ID (which is assigned to the account uid) and the account shows up in "my accounts" tab as "provisioned".
    So far, so good.
    THEN
    I run my standalone java app from outside OIM, which uses OIM Java API. This app connects to OIM as xelsysadm, and I search for the account and do something like this
    public void enableAccount(String uid) throws AccessDeniedException, NumberFormatException, AccountNotFoundException, ImproperAccountStateException,
        GenericProvisioningException, InvalidUidException {
      Account a = findAccountIdByUID(uid);
      if (a != null) {
        // <<< here I confirm I am changing the right account, it is
        System.out.println("enabling "+a.getAccountID()+":"+a.getAccountStatus()+":"+a.getAccountData().getData().get("UD_AVNC_USR_LOGIN"));
        ProvisioningService provService = oimClient.getService(oracle.iam.provisioning.api.ProvisioningService.class);
        provService.enable(Long.parseLong(a.getAccountID()));
      } else {
        throw new InvalidUidException(uid);
      }
    }
    then I expect to refresh "my accounts" tab and see my account status changed from "Provisioned" to "Enabled".
    I don't know if these screenshots may help, but anyway
    These are the tasks for the provisioning process. I believe the one we're interested here is the #22
    these are the status definitions for the process. They're also created by default during the OIM webservice connector module import process I guess
    these are the task to object status mapping for the task #22 below, also created automatically I guess.
    I am a little bit confused because the OIM manual -- http://docs.oracle.com/cd/E27559_01/user.1112/e27151/myaccess.htm#OMUSG3166 -- says the user can just perform the operations on the accounts, but says nothing about any kind of restriction. I mean, what are exactly the state transition for accounts (the default one)?
    TIA

  • Updating date while enabling/Disabling user in AD

    Hi All,
    We are using FIM 2010 R2 SP1 and integrated with AD.
    All integration is done through synch rule and no coding.
    Now we have a new requirement to update date in AD while enabling and disabling user.
    Kindly suggest, how it can be achieved through synch rule.
    Thanks,
    Mann

    Hi Mann.Cool,
    You can't set a date dynamically through sync rule. Instead, I suggest you parse useraccountcontrol and set a custom attribute with value enabled/disabled.
    See
    http://idmgnt.wordpress.com/xpath-custom-expression/ (Check if an account is enable or not)
    Once that is done:
    Create two new sets "Enabled users" and "Disabled users"
    Create a WF with T4F Function Evaluator, to set your date attribute (http://oxfordcomputergroup.com/technology/software-tools-components )
    Create the mpr
    Let me know if you want more details
    Regards,
    Sylvain

  • MDT - Can I disable the Administrator account

    I found threads on how to turn it on and maybe some on how to turn it off. I already see how to have my task sequence *NOT* enable the administrator account. I just remove the corresponding line in the unattend.xml file. However, are there any repercussions
    to this? I already changed what account it automatically logs into.

    Ultimately what I did was setup Final Configuration 2013,
    http://www.deploymentresearch.com/Research/tabid/62/EntryId/122/Final-Configuration-for-MDT-2013-Lite-Touch-now-with-Autologon-support.aspx. I edited it to stop the autologon stuff and added sections to undo what MDT does.
    ' Disable local administrator account
    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.AccountDisabled = True
    objUser.SetInfo
    StatusArea.InnerHTML=StatusArea.InnerHTML & "<BR>" & "Local Administrator Disabled"
    'Delete Administrator Filter Change
    Set objShell = CreateObject("Wscript.Shell")
    objShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken"
    StatusArea.InnerHTML=StatusArea.InnerHTML & "<BR>" & "Administrator Filter Change removed"

  • User disabled in LDAP triggers disable identity in IDM?

    IDM 7.0 on Sun JES Stack
    Authoritative Source is LDAP, Sun Directory Server 5.2
    This pertains to Termination e.g. Employee/Contractor gets terminated.
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
    I've been exploring the LDAP Activation Method/Parameter?
    com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
    But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

    Given the below scenarios:
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
    LDAP Activation Method: nsaccountlock
    LDAP Activation Parameter: accountLockAttr
    (where this is your IDM system attrib specified in resource schema)
    In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
    In MetaView > Identity Events, we set the Disable event,
    Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?

  • Windows 8 Network Connection Enable/Disable

    In Windows Network Adapter Settings, a shortcut can be created to Desktop by rightclick on the icon and then dragged to Taskbar or a Toolbar that you have created - useful item in Windows 8.
    I enable/disable the adapter based on my need to be internet connected.
    In Mac Pro 3.1, since the first Windows 8 versions (DP,CP,RP) were made available, this shortcut does not work as it has in all earlier Windows versions. I've complained about it in corresponding Windows forums but never gotten an answer.
    Included pictures are proof:
    1) When Network is active as seen by clear icon to the left of taskbar's Speaker icon, rightclick of my flipflop network shortcut icon does not allow Status. I can only Open File Location and get Adapter status there.
    2) When Network is inactive as seen by red xed icon to the left of taskbar's Speaker icon, rightclick of my flipflop network shortcut icon does not allow Enable. I can only Open File Location and enable it from there.
    Wondering If other Mac Pro users have encountered this; if it is somehow a Bootcamp driver, or a Windows 8 lessened  Admin account capability thing.

    Hi,
    I suggest to connect Server Forum for further help:
    http://social.technet.microsoft.com/Forums/en-US/winservergen/threads
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and
    other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.
    Leo Huang
    TechNet Community Support

  • WLAN automatic enable/disable?

    Hello:
    I have a WCS 4400 system and run 3 separate WLANs: 2 WPA secured networks and 1 open, using LDAP authentication.
    Is it possible to schedule, or script, one of these WLANs to automatically disable at 8am and enable at 2pm each day?
    I'm sorry if this has been asked and answered before, I tried searching the KB and google for quite some time, but to no avail. Thanks VERY much to anyone who is able to help in this!

    Thank you for your reply, I appreciate it! Unfortunately I'm not sure how to implement this.
    I see an option in WCS for Scheduling a start time for a WLAN, but no option for a stop time. Or is there a corresponding CLI command that does this?
    As far as using active directory to implement the scheduled enable/disable I know WCS is linked to my AD through LDAP to allow user control, but I don't know how to use AD to control login times. Can you give me any pointers on how to do this, or point me in the direction of the appropriate manual.
    Thanks again for the help so far!

  • Programmatically enable/disable application scrollbars

    Hi,
    At present I need to modify some of our custom tools in LabVIEW 2010 to work on lower resolution screens. The automatic rescaling functionality is not really an option as it distorts most UI features. I have looked at adding a vertical/horizontal scrollbar to the application and this appears to do what I need reasonably well. Unfortunately for those who do have the high resolution screens, I don't really wish for the scrollbars to be enabled. Is there a way of programmatically enabling/disabling the vertical or horizontal scrollbar of an application? I can see this being possible on the controls, but haven't found the option for the actual application.
    Thanks in advance for any help you can offer.
    Regards,
    Shane 

    Hi!
    I'm glad you sorted it out 
    Regards,
    Even
    Certified LabVIEW Associate Developer
    Automated Test Developer
    Topro AS
    Norway

  • Disable OID User account after 90 days of inactivity - OIM

    Hello there,
    I have a requirement where I have to disable a user's account if he/she has not logged in since last 90 days into our environment (OID). The users are authenticated via OAM when they are logging in. Does anybody have any idea which attribute in which object class in OID needs to be checked for the last login attempt made by the user and what is the datatype of the same? Is it a date that I can compare after making an initial LDAP context to OID and pointing to each single user?
    Really need a solution for this. Please respond.
    Many Thanks,
    - oidm.

    Check the schema description at:
    http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25348/schema.htm#CFHCGFCC
    You create a code that runs daily, check for the last login dates and, if it is older than 90 days, you disable the OID user.
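
A sketch of the daily check described above, as an added example that is not part of the original reply: it assumes the last-login value is stored in LDAP GeneralizedTime syntax and uses a placeholder attribute name, lastLoginTime; take the real attribute from the schema reference linked above. The entries are constructed sample data, and accounts with no value or an unparseable value are reported separately instead of being disabled.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYYMMDDHHMMSS, optional fraction, then "Z" or a +hhmm / -hhmm offset.
GT_PATTERN = re.compile(r"^(\d{14})(?:[.,]\d+)?(Z|[+-]\d{4})$")


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime."""
    match = GT_PATTERN.match(value.strip())
    if not match:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    zone = match.group(2)
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return stamp.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def accounts_to_disable(entries, now, max_idle_days=90, attr="lastLoginTime"):
    """Return (stale, never_logged_in, unparseable) lists of DNs.
    attr is a placeholder name, not a confirmed OID attribute."""
    cutoff = now - timedelta(days=max_idle_days)
    stale, never, bad = [], [], []
    for dn, attrs in entries:
        stamps = attrs.get(attr, [])
        if not stamps:
            never.append(dn)      # no recorded login: review, do not guess
            continue
        try:
            last = max(parse_generalized_time(v) for v in stamps)
        except ValueError:
            bad.append(dn)
            continue
        if last < cutoff:
            stale.append(dn)
    return stale, never, bad


# Constructed sample entries; "now" is fixed so the result is reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)   # cutoff: 2024-04-01 00:00 UTC
SAMPLE = [
    ("uid=alice,ou=People,dc=example,dc=com", {"lastLoginTime": ["20240615083000Z"]}),
    ("uid=bob,ou=People,dc=example,dc=com", {"lastLoginTime": ["20240301120000Z"]}),
    ("uid=carol,ou=People,dc=example,dc=com", {}),
    # 23:00 at -02:00 is 01:00 UTC on 1 April, so this one is still inside 90 days.
    ("uid=dave,ou=People,dc=example,dc=com", {"lastLoginTime": ["20240331230000-0200"]}),
    ("uid=erin,ou=People,dc=example,dc=com", {"lastLoginTime": ["31/03/2024"]}),
]

if __name__ == "__main__":
    print(accounts_to_disable(SAMPLE, NOW))
```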

  • Enable/Disable buttons in Portal.

    How are buttons in EP 2004s enabled/disabled?  Not in the toolbar but in the iViews.  Such as Account Sales Area, we had a button "Additional Sales Areas" enabled, but now it has become grayed out.
    Is the enabling/disabling of buttons a PCUI issue that needs to be handled through DynPro or SPRO, or an authorizations issue that needs to be handled in the CRM backend system? 
    In this particular scenario the "Additional Sales Areas" button is also disabled in the GUI, but there are others such as a "print" button where it is only disabled in the PCUI.
    Any help with this or documentation on how to enable buttons would be much appreciated.
    Thanks!

    Buttons are coming from the PCUI applications, check out the following weblog
    People-Centric User Interface (PCUI) - Getting Started...
    'The Book' contains all the details. For enabling/disabling the buttons either you can change in the blueprint tables or use the blueprint application builder.
    Check out the CRM forum you will get all the details

  • Active Directory User which can Create a User but not Allowed to Enable Disabled Users

    Hi Guys, we have a requirement to create a User Group in Active Directory which will grant its members permission to 'Create Users' but not be allowed to 'Enable' 'Disabled Users'.
    We have tried delegating control and assigning permissions by going to 'Security Tab>Advanced'.
    It seems like when a group is granted permission to create users, it will also be allowed to enable, disabled users.
    Kindly advise if it is possible to create a user group with permissions to 'Create Users' but not be allowed to 'Enable', 'Disabled Users'.

    Hi,
    According to my experience, you can assign permission with create/delete user objects. If you want to disable/enable
    a user, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
    In general, if you just give a user group the permission to create user objects, it cannot disable or enable user accounts. Please make sure that the permission you assigned is correct and the
    user group is not a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory.
    Best regards,
    Susie

  • Jython or wlst script to enable/disable result set cache at BusinessService

    Hi,
    I am new to creating Jython or wlst script. Can anybody help me out and send me the wlst script to enable/disable business service cache in OSB. The script should be called by Proxy Service.
    Thanks

