Group Member Remove and Add not visible via DirSync onPostModify()?

http://wiki.activeroles.inside.quest.com/index.php/Script_Policy_to_check_group_members_when_they_are_added_to_or_removed_form_a_group
It seems to me that this solution works but has some issues in certain scenarios when listening to DirSync.

1) ADS_PROPERTY_DELETE or ADS_PROPERTY_APPEND executed in separate calls via ARS or ADUC (bypasses ARS) - both visible in onPostModify(). SUCCESS.
2) ADS_PROPERTY_DELETE and ADS_PROPERTY_APPEND executed together in the same call via ARS - both visible in onPostModify(). SUCCESS.
3) ADS_PROPERTY_DELETE and ADS_PROPERTY_APPEND executed together in the same call via ADUC (bypasses ARS) - ADS_PROPERTY_DELETE is visible but ADS_PROPERTY_APPEND is not visible in onPostModify(). ISSUE. Trace of this call is below.
Is it expected behavior or an issue?

onPostModify() is used to listen to DirSync.

POLICY SCRIPT

function onPostModify($Request)
{
 if ($request.Class -ne "group") {return}
 
# $RequestSource = $Request.Parameter("RequestSource")
# Log "onPostModify() RequestSource  = $RequestSource"

 if ($Request.Parameter("RequestSource") -ne $EDST_MOD_SOURCE_AD) {
#  Log "onPostModify() BREAK. NOT The request was sent by the directory synchronization (DirSync) control"
#  return
 }
 
 Log "onPostModify() Request"
 $sAMAccountName  = GetAttribute "sAMAccountName" $Request
 $description  = GetAttribute "description" $Request
 $member    = GetAttributeEx "member" $Request
 Log "sAMAccountName = $sAMAccountName"
 Log "description = $description"
  
 If ($member -ne $null) {
  Log "Request.Item(s)"
  $PropertyCount = $Request.PropertyCount
  Log "Request.PropertyCount = $PropertyCount"
  for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
   trap {
    $EventLog.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE, "[1A]ERROR/TRAP/CONTINUE `n" + (([string] $error) -replace "`n",".") + "`t$attr")
    continue;
   }
   $item = $Request.Item($i)
   $Name = $item.Name
   Log "$Name"
   if ($Name -eq "member") {
    if($item.ControlCode -eq $ADS_PROPERTY_APPEND ){
     log "   ADS_PROPERTY_APPEND = $ADS_PROPERTY_APPEND"
     foreach ($v in $item.Values) {
      log "   $v"
     }
    }
    if($item.ControlCode -eq $ADS_PROPERTY_DELETE ){
     log "   ADS_PROPERTY_DELETE = $ADS_PROPERTY_DELETE"
     foreach ($v in $item.Values) {
      log "   $v"
     }
    }
   }
  }
 } 
}

LOG OUTPUT
10/20/10 12:39:10 onPostModify() Request
10/20/10 12:39:10 sAMAccountName =
10/20/10 12:39:10 description =
10/20/10 12:39:10 Request.Item(s)
10/20/10 12:39:10 Request.PropertyCount = 2
10/20/10 12:39:10 member
10/20/10 12:39:10    ADS_PROPERTY_APPEND = 3 (VISIBLE via ARS!)
10/20/10 12:39:10    CN=Orange\, Fri,OU=Accounts,OU=EKC,DC=ad,DC=quest
10/20/10 12:39:10 member
10/20/10 12:39:10    ADS_PROPERTY_DELETE = 4 (VISIBLE via ARS!)
10/20/10 12:39:10    CN=Orange\, Thu,OU=Accounts,OU=EKC,DC=ad,DC=quest

10/20/10 12:39:11 onPostModify() Request
10/20/10 12:39:11 sAMAccountName =
10/20/10 12:39:11 description =
10/20/10 12:39:11 Request.Item(s)
10/20/10 12:39:11 Request.PropertyCount = 2
10/20/10 12:39:11 ADsPath
10/20/10 12:39:11 member
10/20/10 12:39:11    ADS_PROPERTY_DELETE = 4 (VISIBLE via DirSync)
10/20/10 12:39:11    CN=Orange\, Thu,OU=Accounts,OU=EKC,DC=ad,DC=quest
Where is ADS_PROPERTY_APPEND = 3? => NOT VISIBLE via DirSync!

Thanks,
Aidar
