FIM 2010 R2 : Perform AD tasks directly via the FIM Portal

I am probably going to break the hearts of the purists, the textbook IDM pundits who are firm believers in state-based change: make the change via the IDM tool only! Well, in a sense I am doing that. I will initiate tasks in AD via the FIM Portal, but I will make the change directly in AD via the PowerShell workflow engine. The Event Broker tool made by Unify is a good real-time tool that will monitor the request queues and initiate sync run jobs as needed. But I want to be able to immediately enable or disable an AD account, unlock an account, or do a password reset instantly.

This post is a foundation for my other post on creating a bulk update tool in the FIM Portal. First you want to establish these workflows, which will do several jobs in AD; the bulk tool will then trigger these workflows.

Let's look at an example where I want to enable or disable an account in AD. I will be using the PowerShell workflow tool from CodePlex.

  1. Enable or disable an account using the PowerShell WF. Do it directly in AD.
  2. In the Portal create a user attribute called “ChangeAccountStatus”. Create a new tab/form called “Admin” in the User Edit RCDC form. Add the attribute to the Admin form, to the “Admin can Update User” MPR, and to the Admin Filter Permission.
  3. Create a PowerShell script that gets the target object from the request and connects to AD to enable or disable the account.
  4. Create a Workflow to run the PowerShell script.
  5. Add a question labelled “Account Status” to the Admin form. Make it a drop-down with the values Enable and Disable.
  6. Create a Set with membership criteria “user matches all, ChangeAccountStatus = ‘Enable’”. Create a Transition-In MPR that fires the PowerShell WF to enable the account in AD. Clear the ChangeAccountStatus field in the script after running.
  7. Create a Set with membership criteria “user matches all, ChangeAccountStatus = ‘Disable’”. Create a Transition-In MPR that fires the PowerShell WF to disable the account in AD. Clear the ChangeAccountStatus field in the script after running.

The Workflow should run the following command (the PowerShell activity passes the target Person's ObjectID GUID as the first script argument):

powershell -version 3.0 D:\Portal\DisableADAccount.ps1 $fimwf.TargetId.Guid

The PowerShell script to disable the account:

param($arg1)
# Load the FIMAutomation snap-in and the Active Directory module
Write-Verbose "Loading SnapIns and Modules"
Add-PSSnapin FIMAutomation
Import-Module ActiveDirectory

# Load the FIM PowerShell module
Import-Module c:\FIMPowershellModule\FimPowerShellModule.psm1 -Verbose:$false

# The workflow passes the target Person's ObjectID GUID as the first argument
$TargetID = $arg1

$DefaultUri = "http://localhost:5725"

function GetFIMObjects
{
    PARAM($filter)
    END
    {
        # Export the resources matching the XPath filter; re-throw any error
        $exportObjects = Export-FIMConfig -Uri "http://localhost:5725/resourcemanagementservice" -OnlyBaseResources -CustomConfig "$filter" -ErrorVariable Err -ErrorAction SilentlyContinue
        if ($Err) { throw $Err }
        return $exportObjects
    }
}

# Look up the Person by ObjectID and read its AccountName (the sAMAccountName)
$Samaccountname = $null
GetFIMObjects -filter "/Person[ObjectID='$TargetID']" | Where-Object { $_.ResourceManagementObject.ResourceManagementAttributes } |
ForEach-Object {
    $Samaccountname = ($_.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq "AccountName" }).Value
}

# Never call Disable-ADAccount with an empty identity
if (-not $Samaccountname) { throw "No AccountName found for Person $TargetID" }

Disable-ADAccount -Identity $Samaccountname

# Clear ChangeAccountStatus so the user leaves the "Disable" Set
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 1
$importChange.AttributeName = "ChangeAccountStatus"
$importChange.AttributeValue = ""
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"

# Build the Put request against the existing Person object
$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType = "Person"
$importObject.TargetObjectIdentifier = $TargetID
$importObject.SourceObjectIdentifier = $TargetID
$importObject.State = 1
if ($importObject.Changes -eq $null)
{
    $importObject.Changes = (,$importChange)
}
else
{
    $importObject.Changes += $importChange
}
$importObject | Import-FIMConfig -Uri $DefaultUri
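As an added example (my own code, not the post's script), here is a single-script variant that serves both the Enable and Disable Sets from steps 6 and 7: it reads the ChangeAccountStatus value from the target Person, acts only on a fixed set of values, refuses to touch AD when the Person has no AccountName, and clears the attribute afterwards. The URI, object type and attribute names follow the post; the extra “Unlock” value is an assumption for a third drop-down entry.

```powershell
param([string]$TargetID)
# Added example, not the original post's script: one script for all Sets,
# dispatching only on an allowlist of ChangeAccountStatus values.
Add-PSSnapin FIMAutomation
Import-Module ActiveDirectory

$Uri = 'http://localhost:5725/resourcemanagementservice'

# Fetch the Person and flatten its attributes into a hashtable
$person = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/Person[ObjectID='$TargetID']"
if (-not $person) { throw "No Person found for ObjectID $TargetID" }
$attrs = @{}
foreach ($a in $person.ResourceManagementObject.ResourceManagementAttributes) {
    $attrs[$a.AttributeName] = $a.Value
}
$sam    = $attrs['AccountName']
$status = $attrs['ChangeAccountStatus']
if (-not $sam) { throw "Person $TargetID has no AccountName; refusing to act" }

# Only these values ever reach AD; anything else is logged and still cleared
switch ($status) {
    'Enable'  { Enable-ADAccount  -Identity $sam }
    'Disable' { Disable-ADAccount -Identity $sam }
    'Unlock'  { Unlock-ADAccount  -Identity $sam }   # assumed extra drop-down value
    default   { Write-Warning "Unexpected ChangeAccountStatus '$status' for $sam; no AD change made" }
}

# Clear ChangeAccountStatus so the user leaves the Set and the MPR can fire again later
$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
$change.AttributeName  = 'ChangeAccountStatus'
$change.AttributeValue = $null
$change.FullyResolved  = 1
$change.Locale         = 'Invariant'

$obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$obj.ObjectType             = 'Person'
$obj.TargetObjectIdentifier = $TargetID
$obj.SourceObjectIdentifier = $TargetID
$obj.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
$obj.Changes                = @($change)
$obj | Import-FIMConfig -Uri $Uri

Write-Verbose "ChangeAccountStatus='$status' processed for $sam (ObjectID $TargetID)"
```

Because the script itself bypasses the sync engine, the “Admin can Update User” MPR from step 2 is the only control over who can trigger it; keep that MPR's requestor Set tight and review the workflow's Request history for these changes.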