FIM CAL for disabled users?

Hi,
According to the FIM licensing guide:
"For each user for whom the Forefront Identity Manager software issues or manages identity information, a CAL is required."
So is a CAL required for a user who has left the organisation, but whose account will, for legal reasons, remain in FIM/AD/etc. for 5 years (as a disabled account)?
Thanks,
SK

On Mon, 26 Jan 2015 11:03:34 +0000, Mann.Cool wrote:
I had the same confusion.
Am I correct in assuming that no CAL is required for disabled users?
No, that's not the deal here. The reason that no CAL is required in Shim's
case is that the disabled accounts are for users who are no longer employed
by the company in question.
If a disabled user account was associated with someone who is still
employed by the company then a CAL would be required.
The no CAL requirement is not tied to the fact that we're dealing with
disabled accounts, it is tied to the fact that the person with whom the
account is associated is no longer with the company. If the person to whom
the account is associated is no longer an employee, the account could be
active and no CAL would be required.
Paul Adare - FIM CM MVP
Programming is like sex: One mistake and you're providing support for
a lifetime. -- ?

Similar Messages

  • Disable Inbox Rules for Disable Users

    I have found that when our helpdesk disables an AD user account (terminated employee) that has an Outlook inbox rule to forward the email to an email address outside the organization, emails sent to the former employee are still forwarded to that outside email address. I would like to run a script each day that queries AD for all disabled accounts, removes any forwarding SMTP addresses, then removes all mailbox inbox rules. I have been trying to use Get-ADUser against a DC and export the list of disabled users; this works fine. I then take that CSV, import it and use ForEach-Object to set the forwarding SMTP address to null. I would then like to use the same CSV file to run the Remove-InboxRule command against the list. I am having a hard time combining the commands I need into a PS script that works against both AD and Exchange.
    Anyone have some PowerShell kung fu to assist me? Thank you!
    ~Eric

    Hi Eric,
    According to your description, I understand that you want a script to get a list of disabled AD users, then remove any forwarding SMTP addresses, then remove all mailbox inbox rules.
    We can run the following command to get a list of disabled AD users in PowerShell:
    Get-ADUser -Filter 'Enabled -eq "false"' | select name,userprincipalname
    More details in "How Can I Get a List of All the Disabled User Accounts in Active Directory?", for your reference:
    http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/12/how-can-i-get-a-list-of-all-the-disabled-user-accounts-in-active-directory.aspx
    Also, run the commands below to clear the forwarding SMTP address and remove the inbox rules:
    Get-Mailbox -Identity xxxx | Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    Get-InboxRule -Mailbox xxxx | Remove-InboxRule
    However, we recommend disabling the mailbox of this disabled AD user.
    By the way, this question is related to scripting against Exchange Server; please contact the relevant team so that you can get more professional suggestions. For your convenience:
    http://technet.microsoft.com/en-us/scriptcenter/dd742246.aspx
    Best Regards,
    Allen Wang
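    The following script combines the two halves Eric asked for. It is an added example, not Eric's or Allen's code: it queries AD for disabled accounts, clears any mailbox-level forwarding and removes only the inbox rules that forward or redirect mail, then writes a review report. It assumes the ActiveDirectory module and an Exchange Management Shell session are loaded; the -SearchBase and -ReportPath parameters are hypothetical conveniences, and -WhatIf makes a first run report-only.

```powershell
# Added example: clear forwarding and forwarding/redirect inbox rules on every
# disabled AD account. Assumes the ActiveDirectory module and an Exchange
# Management Shell session. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,                                   # hypothetical: optional OU to scope the AD query
    [string]$ReportPath = ".\disabled-forwarding-report.csv" # hypothetical: where the review CSV goes
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Disabled accounts that still have a mail attribute (i.e. may own a mailbox).
$adParams = @{ Filter = 'Enabled -eq $false'; Properties = 'mail' }
if ($SearchBase) { $adParams['SearchBase'] = $SearchBase }
$disabled = Get-ADUser @adParams | Where-Object { $_.mail }

$report = foreach ($u in $disabled) {
    $mbx = Get-Mailbox -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }   # disabled AD account without an Exchange mailbox

    # 2. Mailbox-level forwarding: both the internal recipient form and the SMTP form.
    $hadForwarding = [bool]($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress)
    if ($hadForwarding -and $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Clear mailbox forwarding")) {
        Set-Mailbox -Identity $mbx.Identity `
            -ForwardingAddress $null -ForwardingSmtpAddress $null `
            -DeliverToMailboxAndForward $false
    }

    # 3. Inbox rules that forward, forward-as-attachment or redirect mail.
    $rules = @(Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
    foreach ($r in $rules) {
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Remove inbox rule '$($r.Name)'")) {
            $r | Remove-InboxRule -Confirm:$false
        }
    }

    # One row per mailbox so the helpdesk can review what was (or would be) touched.
    [pscustomobject]@{
        User              = $u.SamAccountName
        Mailbox           = $mbx.PrimarySmtpAddress
        ForwardingCleared = $hadForwarding
        ForwardingRules   = ($rules | ForEach-Object Name) -join ';'
        RuleTargets       = ($rules | ForEach-Object { @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) }) -join ';'
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

    The RuleTargets column is worth keeping even after cleanup, since external forwarding targets on a terminated account are what an investigator would want to review.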

  • OIM 11g - Approval workflows for disabled user accounts

    Hi,
    We have a scenario wherein a user will be created in OIM with a future start date, resulting in a "Disabled Until Start Date" user status. Once the user is created, we should let anyone submit a New Hire form for the user, and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
    As submission of the New Hire Form is not a straightforward process, we came up with the following design.
    A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form resource object, and provisioning of target accounts will be based on the Manager's approval for this resource object.
    However, the challenge that we see with this design is that it wasn't possible to place a request for the New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process before the user becomes active.
    How can these workflows be invoked for a disabled user? Is there any other way to implement this requirement?
    Any kind of help/guidance is greatly appreciated.
    Thanks and Regards
    Deepa

    911709 wrote:
    If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
    Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
    You can have dynamic task assignment in BPEL, where you define a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check the BPEL docs for the same.
    If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or use the dummy resource approach and handle the management of the approvals in some other way?
    Just make one resource with one field attached to it which takes in the group name, and handle approval in SOA by reading a lookup which has the AD group to Approval Group mapping.
    Thank you.
    -Bikash
    Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and, if so, whether it can be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, and then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • Sun IdM 7.1 - 'Is Disabled' shows 'No' for disabled user in configurator UI

    Hi All,
    I have user1 in SIM who has been disabled on RACF through SIM.
    But, when I open this user object in SIM, logged in as configurator, the 'Is Disabled' column for the RACF resource shows 'No', when it should be showing 'Yes'.
    I've checked user1 on RACF and user1 has been disabled there.
    Below is the code which I've used to disable the user on RACF:
    <set>
      <concat>
        <s>view.update.accounts[</s>
        <ref>appname</ref>
        <s>].selected</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.waveset.accounts[</s>
        <ref>appname</ref>
        <s>].disabled</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.accounts[</s>
        <ref>appname</ref>
        <s>].disabled</s>
      </concat>
      <s>true</s>
    </set>
    <set>
      <concat>
        <s>view.accounts[</s>
        <ref>appname</ref>
        <s>].disable</s>
      </concat>
      <s>true</s>
    </set>
    (In the above code, the 'appname' variable will contain the value 'RACF' at run-time.)
    I've tried various other things, but still the 'Is Disabled' column shows 'No' only.
    Also, apart from the above code, I'm also using resource action which actually runs the RACF command to disable the user on RACF.
    FYI - I'm using Sun Identity Manager 7.1
    Any help on this would be greatly appreciated.
    Thanks in advance!

    Check if you have customized 'Default RACF ListUser AttrParse'; if so, it should have the attribute:
    <multiLine>
    <t> ATTRIBUTES=</t>
    <str name='ATTRIBUTES' multi='true' delim=' ' noval='NONE'/>
    <skipToEol/>
    Reason:
    This is the attribute referenced in the method isDisabled() in your com.waveset.adapter.RACFResourceAdapter.
    Thanks

  • CUSTOM FIM PORTAL for a user(test123)

    I have one user (test123).
    I want him to see (User & My Profile) from the Navigation bar + (All users) from the Search Scope.
    I created 2 sets for Usage keyword and @ MPRs for both.
    I can see these options in the Navigation Bar and in the Search scope as well.
    But in All users it's showing only the current user...
    Why is it happening?

    I found the answer.
    Enable the Below mentioned MPR-
    User Management: Users can read selected attributes of other users

  • SharePoint 2013 CAL and External users

    Hi,
    We are setting up an extranet site (SharePoint 2013 Standard version) on Rackspace. Both employees and non-employees will use this site. Employees will use the company's existing SAML 2.0 based authentication and non-employees will use FBA to log in to the portal.
    I would like to know if we need to buy CALs for external users (non-employees)? What is the definition of external users?
    Thanks,
    Pat

    Check out this post; this should answer all your questions.
    http://social.technet.microsoft.com/forums/sharepoint/en-US/0756aaa7-b307-4793-b019-bc58d4ace8b2/sharepoint-foundation-fba-on-internet-licensing
    Thanks, Danny Hickman IT Support Specialist

  • CALS for Windows 7 Professional and windows server

    I have a Windows 2008 Server and I have a Windows 7 Professional workstation.
    Do I need a WIN CAL for both machines for file transfer? Do Windows 2008 and Windows 7 Professional come with any minimum WIN CALs along with the Windows license?
    Kindly please clarify.

    Hello,
    for Windows Server 2008, you need CALs for each user or device that has access to Windows Server.
    If you are using Windows 7 as a separate workstation and users have access to Windows 7, then you do not need CALs*
    *You may allow up to 20 other devices to access Windows 7 software installed on the licensed computer to use only File Services, Print Services, Internet Information Services and Internet Connection Sharing and Telephony Services.
    If you mean to install Windows 7 on Windows Server 2008 and users have access to both, then you need CALs for Windows Server + a VDA license for each device accessing Windows 7 as a virtual machine on the server.
    I hope that my answer is clear
    thanks
    diramoh

  • Moving disabled user to another OU

    Hi,
    I am using Oracle Identity Manager 9.1.9.1 with AD connector 9.1.1.
    When a user is disabled in oim (when the Disable check box in OIM is checked), I would like the user to be automatically moved to an another OU for disabled users.
    I have created a myMoveUserToDisabledUsersOUTask with an adapter task with an xl.integration.ActiveDirectorytc.UtilADTasks.moveUser method. I have mapped the variables:
    Output: String: Adapter Variables: Return variable
    Input: String: Literal: String: ou=DisabledUsersOU etc....
    Input: String: Adapter Variables: objectGUI
    Does anyone know which constructor I should use?
    In the AD User process definition, myMoveUserToDisabledUsersOUTask, I have mapped Variable Name: objectGUI to Process Data: objectGUI.
    In Process Definition - AD User, Disable User task, I have
    -assigned a myMoveUserToDisabledUsersOUTask in Tasks to Generate for the AD.USER_DISABLED_SUCCESSFUL response.
    -assigned myMoveUserToDisabledUsersOUTask as a dependent task for the Disable User task.
    Is this sufficient for making the Disable User task trigger the myMoveUserToDisabledUsersOUTask?
    When I test it by disabling an OIM user, I get the error messages:
    Invalid Duplicate in ScheduleItem. There are other instances of this milestone in this ORC.
    Error while disabling process
    Unable to disable the object instance
    Triggering processes related to User. has encountered an error.
    Does anyone know what I should do to accomplish this?
    Thanks in advance!!

    Hi Saggu,
    thanks for your reply.
    I added a Move User task to the Disable User Adapter. I map the user parameter to objectGUID and the org name parameter to the literal ou=<disabled users>, ou=<users>, dc=x, dc=y, dc=z.
    However, when I disable a user that resides in 'ou=<usersou>, ou=<users>, dc=x, dc=y, dc=y' I get a NamingException error: problem 5012 (DIR_ERROR) remaining name 'cn=<user>, ou=<userou>, ou=<users>'.
    Seems like the Move User task does not get the correct dn for the user. I think it's strange since the Move User task has the same objectGUID variable as its input parameter as the Disable AD User task has. And the Disable AD User task finds the user successfully.
    I also get the error "destination object not exists (DIR_ERROR)". So it seems like the task finds neither the user nor the destination OU path?
    Thanks!

  • Change CAL to per user from per unit

    Hello!
    I bought per user CALs (has been verified) but I have been using per unit because the per user CAL didn't update the license for the users. I don't understand why it works perfectly with per unit (group policy edited) but not per user? The system has been online for one and a half years now, so it wasn't until now that I noticed the problem, because too many computers had been assigned a license, and even when I revoke one of them I won't be able to connect another computer until December 10, so that's a big problem. I did change to per user but it won't connect with the computer due to too many licenses in use. Do I need to restart the server when I change to per user in group policy? And why are the CALs working fine with per unit when I bought per user CALs?
    Regards

    Hi,
    >> don't understand why it works perfectly with per unit (group policy edited) but not per user?
    Based on the description, I assume we are using group policy to manage the Remote Desktop licensing mode. Here, please make sure that we have a sufficient number of RDS Per User CALs installed on the license server to provide an RDS Per User CAL for each user that needs to connect to the RD Session Host server.
    Besides, as this question is more related to RDS, in order to get professional help it's recommended that we ask for suggestions in the following RDS forum.
    Remote Desktop Services
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS
    In addition, regarding issuing RDS CALs, the following article can be referred to for more information.
    Install and issue RDS CALs or TS CALs
    http://technet.microsoft.com/en-us/library/hh553159(v=ws.10).aspx
    Best regards,
    Frank Shen

  • AD Identity Service: Delete or Disable users that aren't found?

    We currently set users to be "disabled" but then we have to periodically remember to go in there and delete them manually. It also creates issues with duplicate login names. Do you delete your users automatically? I've always been concerned that if something goes wrong with a sync then all my users would be deleted.

    We had the same issue here, so I wrote an external operation that piggybacks on the user sync job and deletes any disabled users older than X amount of days. For instance, in our case users are deleted after 180 days of being disabled (this is a bit extreme). This way you can give yourself a few days before the users are actually deleted, but keep the process automated. There are a couple of options built in, which should be discernible from the source code. Here is the source:
     package com.oracle.services.jobs;

     import com.oracle.services.utility.SessionManager;
     import com.plumtree.openfoundation.util.XPCalendar;
     import com.plumtree.openfoundation.util.XPDateTime;
     import com.plumtree.portaluiinfrastructure.resultwrapper.ASQueryResultWrapper;
     import com.plumtree.server.IPTObjectManager;
     import com.plumtree.server.IPTQueryResult;
     import com.plumtree.server.IPTSession;
     import com.plumtree.server.IPTUser;
     import com.plumtree.server.IPTUserManager;
     import com.plumtree.server.PT_LOCKSTATES;
     import com.plumtree.server.PT_PROPIDS;

     /**
      * This class takes care of the automation server job for deleting user accounts
      * which have been disabled for some number of days.
      * @author hross
      */
     public class DeleteDisabledAccountsJob {
         // filter for only deleting agent disabled accounts
         private static String FILTER_AGENT = "This user has been locked by a User Synchronization Job.";
         // filter for deleting all disabled accounts (including those disabled by an admin)
         private static String FILTER_ALL = "";

         public static void main(String[] args) {
             // check arguments
             if ((args.length < 2) || (args.length > 4)) {
                 System.err.println("usage: ");
                 System.err.println("DeleteDisabledAccountsJob <security_token> <num_days>");
                 System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> all");
                 return;
             }
             // get a session from the login token
             IPTSession session = SessionManager.createSession(args[0]);
             // get a number of days
             int numDays = 0;
             try {
                 numDays = Integer.parseInt(args[1]);
             } catch (Exception ex) {
                 System.err.println("Number of days not a valid integer.");
                 return;
             }
             // filter all or just the agent?
             boolean filterAll = ((args.length > 2) && (args[2].equals("all")))
                     || ((args.length > 3) && (args[3].equals("all")));
             boolean test = ((args.length > 2) && (args[2].equals("test")))
                     || ((args.length > 3) && (args[3].equals("test")));
             if (test) {
                 System.err.println("This is just a test. Nothing will be deleted.");
             }
             if (filterAll) {
                 System.err.println("This job will delete all disabled accounts (even those disabled by an admin).");
             } else {
                 System.err.println("This job will delete only users disabled by an authentication source.");
             }
             // calculate the cut-off: numDays in the past based on today's date
             XPCalendar xpCalendar = XPCalendar.GetInstance();
             xpCalendar.Add(XPCalendar.HOUR, -(24 * numDays));
             XPDateTime cutOff = xpCalendar.GetTime(); // subtract numDays from the current time
             System.err.println("This job will delete any user accounts disabled before: "
                     + cutOff.toString());
             // query for disabled (locked) user accounts
             IPTUserManager userManager = (IPTUserManager) session.GetUsers();
             IPTQueryResult result = userManager.GetLockedAccounts(filterAll ? FILTER_ALL : FILTER_AGENT, 0, -1);
             //ASQueryResultWrapper ptqrUserLock = new ASQueryResultWrapper(result);
             for (int i = 0; i < result.RowCount(); i++) {
                 // get some basic user info
                 int userId = result.ItemAsInt(i, PT_PROPIDS.PT_PROPID_OBJECTID);
                 String name = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_NAME);
                 String login = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_USER_LOGINNAME);
                 XPDateTime dt = result.ItemAsXPDateTime(i, PT_PROPIDS.PT_PROPID_CREATED);
                 //System.err.println("Found account: (" + userId + ") " + login + ", " + name);
                 // check to see if we need to delete the user
                 if (dt.Before(cutOff)) {
                     if (!test) { // if test, we just want to see who we would have deleted
                         // we have to try to unlock the user b/c of a bug in automation server
                         IPTUser user = (IPTUser) ((IPTObjectManager) userManager).Open(userId, false);
                         try {
                             user.SetLockedStatus(false);
                             user.Store();
                         } catch (Exception ex) {
                             // we expect this will fail b/c of a bug
                         }
                         // make sure the account gets unlocked
                         if (user.GetLockState() == PT_LOCKSTATES.PT_LOCKED)
                             user.UnlockObject();
                         // okay, now we can delete the user
                         ((IPTObjectManager) userManager).Delete(userId);
                     }
                     System.err.println("Removed user account: " + userId + " - " + login + " - " + name);
                 }
             }
         }
     }

  • FIM CALs on multiple instance of FIM Portal, for the same users

    Hi,
    We have FIM Sync, FIM Service/Portal & SSPR deployed (Server #1). We have licensed the server components of FIM, as well as the user CALs (2000 users).
    Due to business requirements, if we now deploy another FIM Sync and FIM Service/Portal (Server #2) - I understand we will require server licenses.
    However, since we already have the 2000 FIM CALs (being used on Server #1), my understanding is that we do not need to purchase another 2000 CALs, as we will be managing the same 2000 users on the new FIM Service/Portal server.
    Is this understanding correct?
    Thanks,
    SK

    On Wed, 18 Mar 2015 03:28:53 +0000, Shim Kwan wrote:
    So in addition to the FIM Server licenses, we will require yet another 2000 FIM CALs?
    My educated guess is yes, but you should really be checking with your
    Microsoft account rep.
    Paul Adare - FIM CM MVP
    All that blue light from Orthanc at night? That was
    Saruman, trying to moderate
    -- news.admin.palantir-abuse.sightings.

  • Hide/Disable Print button on the Adobe form for my user

    Hi
    How do I hide/disable my print option for the user viewing my Adobe form shown using a WD for Java application?
    Regards,
    Murali.

    Hello Raja Sekhar,
    This object is not available anymore in Designer 7.1. This setting can now be achieved through a Web Dynpro (Java) API (interface IWDPDFDocumentAppearance, https://media.sdn.sap.com/javadocs/NW04s/SPS7/wd/com/sap/tc/webdynpro/clientserver/adobe/pdfdocument/api/IWDPDFDocumentAppearance.html). In Web Dynpro ABAP you would need to use the method handler of the InteractiveForm UI element (IF_WD_IACTIVE_FORM_METHOD_HNDL, SET_HIDE_TOOLBARS).
    Regards,
    Philipp

  • How to disable tabs in titlebar for all users?

    I want to disable tabs in the title bar for all users, because it looks ugly: http://i57.tinypic.com/33nkm77.png
    I added this to C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js:
    pref("browser.tabs.drawInTitlebar", false);
    It doesn't work, but any other options in this file work fine.
    Setting it with about:config works fine, but only for the current user.

    I think that preference refers to what happens when you have Firefox maximized and you do not display either the classic menu bar or the title of the page in that area: the tabs slide up to the top.
    I agree the double-high blue area is irritating. To modify that, I think you need to do one of these:
    * Change the Windows XP color theme (I always preferred Silver)
    * Create a custom style rule to modify the appearance of the tab bar (so the blue does not show through it)
    * Find a Firefox theme that fixes that area (e.g., [https://addons.mozilla.org/firefox/themes/])
    I haven't researched the second and third options in detail.

  • How can I disable javascript in Firefox 30 for all users on my Solaris 10 x86 box?

    I have a Solaris 10 box in a secure environment (no Internet) with Firefox 30 installed. I need to lock javascript in a disabled state for all users. I realize each individual user can toggle javascript with about:config, but that is only a per/user activity. I want to set the value of javascript.enabled to false for all users. Additionally, no user should be able to modify this setting.
    Is there a location with a config or prefs file that will affect all users?

    Try: http://kb.mozillazine.org/Locking_preferences
