This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Capture Delete Account events in Active Directory -Terminate User

Capture Delete Account events in Active Directory -Terminate User

I want to terminate (LOGIN_DISABLED = TRUE) a user who was DELETED in Active Directory. I am able to make user terminated (LOGIN_DISABLED = TRUE) when an account in AD was disabled. I want to have the same capability on the DELETE event as well. 

Can you please guide me on how to accomplish this?

Parents
  • 0  

    You only get one shot at this... When the Pub channel sends you a delete, you have to catch that event.  (if operation equals delete) then set dest attr Login Disabled to true.

    I cannot recall, but the class name may not be there in a delete of a user, so you have to ignore the class when you do this.

Reply
  • 0  

    You only get one shot at this... When the Pub channel sends you a delete, you have to catch that event.  (if operation equals delete) then set dest attr Login Disabled to true.

    I cannot recall, but the class name may not be there in a delete of a user, so you have to ignore the class when you do this.

Children
  • 0   in reply to   

    Yes, you can.

    I used "custom" logic in one of the AD drivers that 

    1. Capture AD delete operation

    2. "Convert" deleted object name to "human-friendly" format for future use.

    You can use "similar" techniques.

    Geoffrey absolutely right: ObjectClass information already "disappear" during delete operation.

    But we still have a number of methods for users identifications: object association (GUID) and "reconstructed" SAMAccountname.

    Example of the Delete operation event (some business sensitive information in the trace masked) 

    [08/12/21 09:08:22.821]:AD-XXX2LS :Remote Interface Driver: Received.
    [08/12/21 09:08:22.822]:AD-XXX2LS :
    <nds dtdversion="2.2">
    <source>
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="4.0.0.4">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">
    <association>2ab868b193aef64cb134bf3989aa8d8a</association>
    </delete>
    </input>
    </nds> 

     <nds dtdversion="2.2">
    <source>
    <product build="20140409_120000" instance="\XXX-TREE\XXX\Services\Dr-DriverSet\AD-XXX2LS" version="4.0.0.4">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <delete event-id="AD-XXX2LS##17b3a7a5cb0##0" src-dn="CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net">
    <association>2ab868b193aef64cb134bf3989aa8d8a</association>
    </delete>
    </input>
    </nds>
    [08/12/21 09:08:23.073]:AD-XXX2LS PT:Applying policy: %+C%14C15 msDS-PrincipalName%-C.
    [08/12/21 09:08:23.115]:AD-XXX2LS PT: Evaluating selection criteria for rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.120]:AD-XXX2LS PT: (if-operation equal "delete") = TRUE.
    [08/12/21 09:08:23.124]:AD-XXX2LS PT: (if-op-property 'op-msDS-PrincipalName' not-available) = TRUE.
    [08/12/21 09:08:23.127]:AD-XXX2LS PT: (if-src-dn available) = TRUE.
    [08/12/21 09:08:23.133]:AD-XXX2LS PT: Rule selected.
    [08/12/21 09:08:23.135]:AD-XXX2LS PT: Applying rule '62 itp-generate msDS-PrincipalName during Delete operation'.
    [08/12/21 09:08:23.140]:AD-XXX2LS PT: Action: do-set-local-variable("lvSrcDN",scope="policy",token-src-dn()).
    [08/12/21 09:08:23.145]:AD-XXX2LS PT: arg-string(token-src-dn())
    [08/12/21 09:08:23.148]:AD-XXX2LS PT: token-src-dn()
    [08/12/21 09:08:23.150]:AD-XXX2LS PT: Token Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.154]:AD-XXX2LS PT: Arg Value: "CN=skumawa\0ADEL:b168b82a-ae93-4cf6-b134-bf3989aa8d8a,CN=Deleted Objects,DC=XXX,DC=net".
    [08/12/21 09:08:23.158]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-before($lvSrcDN,'\0ADEL:')")).
    [08/12/21 09:08:23.164]:AD-XXX2LS PT: arg-string(token-xpath("substring-before($lvSrcDN,'\0ADEL:')"))
    [08/12/21 09:08:23.167]:AD-XXX2LS PT: token-xpath("substring-before($lvSrcDN,'\0ADEL:')")
    [08/12/21 09:08:23.170]:AD-XXX2LS PT: Token Value: "CN=skumawa".
    [08/12/21 09:08:23.174]:AD-XXX2LS PT: Arg Value: "CN=skumawa".
    [08/12/21 09:08:23.175]:AD-XXX2LS PT: Action: do-if().
    [08/12/21 09:08:23.177]:AD-XXX2LS PT: Evaluating conditions.
    [08/12/21 09:08:23.180]:AD-XXX2LS PT: (if-xpath true "starts-with($lvmsDS-PrincipalName,"CN=")") = TRUE.
    [08/12/21 09:08:23.185]:AD-XXX2LS PT: Performing if actions.
    [08/12/21 09:08:23.187]:AD-XXX2LS PT: Action: do-set-local-variable("lvmsDS-PrincipalName",scope="policy",token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")).
    [08/12/21 09:08:23.194]:AD-XXX2LS PT: arg-string(token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')"))
    [08/12/21 09:08:23.198]:AD-XXX2LS PT: token-xpath("substring-after($lvmsDS-PrincipalName,'CN=')")
    [08/12/21 09:08:23.202]:AD-XXX2LS PT: Token Value: "skumawa".
    [08/12/21 09:08:23.204]:AD-XXX2LS PT: Arg Value: "skumawa".

  • 0   in reply to   

    And my colleague also grabbed the GUID, stored it somewhere (on an object) so that if they chose to recover the AD account from the AD Trash can, he modified the Match policy to check for that GUID so it can relink to the proper IDV object.

    Very clever.