
Linking "Normal" accounts to "Admin" Accounts

Hi,

I'd like to know if it is possible to link "Normal" user accounts to their equivalent "Admin" accounts, so that when the "Normal" account is deprovisioned, the "Admin" account associated with that user is also automatically deprovisioned.

If possible, when the manager of the "Normal" account changes, the manager of the "Admin" account should also be updated.


Thanks.


Sander.

  • I would start by establishing a new virtual attribute on your users - perhaps call it edsvaLinkedAdminAccount

    First decision is whether to make it single or multi-valued. This depends on how you name your admin accounts and whether the names change if a user has accounts in multiple domains.

    Let's take the simple case where you use the same name regardless of domain. Let's assume your samaccountname naming convention is something like this: smithj_admin.  Populate the virtual attribute of each user with their "linked" admin account name.
     
    Then, set up an ActiveRoles workflow that detects an account deprovision. It should check whether edsvaLinkedAdminAccount is populated and then proceed to search for the account named in the VA in all ActiveRoles managed domains. Then, deprovision each account returned by the search.

    For this, you should be able to use a built-in Search activity followed by a Deprovision activity.

    To support this, I would create a Search Activity named something like "Found Admin Accounts".

    The results of the Search activity are passed to your Deprovision activity.

    Principle is the same for the Manager change - instead of deprovisioning, you just apply the new Manager name in a workflow triggered by a Manager update.

    Here, just because I am used to doing it this way, I would use a script fired by the results of the Search Activity to update the Manager.

    The only "trick" here is how to get the list of found users to your script activity.

    The list of users found by the search would be presented in $workflow.FoundObject("Found Admin Accounts") so:

    $MyFoundAdminAccounts = $workflow.FoundObject("Found Admin Accounts")

    The new Manager name would be retrieved from the update transaction using some PoSh like this:

    $NewManager = $Request.Get("manager")   # user objects store the manager DN in "manager"; "managedBy" is the attribute for OUs, groups and computers

    You then just iterate through $MyFoundAdminAccounts and stamp each one with the new Manager name.
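The script activity described in this reply, written out as an added example (this is not code from the original reply). It assumes a change workflow triggered by a modification of the "Normal" user's manager, a Search activity named "Found Admin Accounts" placed before the script activity, found objects that support the standard IADs Get() method, and the ActiveRoles ADSI provider (EDMS://) on the host so the write goes through ActiveRoles rather than straight to AD; the function name is an assumption.

```powershell
# Added example, not from the original reply. Script activity body for an
# ActiveRoles change workflow that runs after a Search activity named
# "Found Admin Accounts". Assumptions: $Request is the pending change on the
# "Normal" user, each found object supports IADs Get(), and the ActiveRoles
# ADSI provider (EDMS://) is registered on the host running the script.

function Sync-LinkedAdminManager {
    # Users carry the manager DN in "manager"; "managedBy" belongs to OUs,
    # groups and computers and would be empty on a user request.
    $newManager = $null
    try {
        $newManager = $Request.Get("manager")
    } catch {
        return @()   # manager is not part of this change; touch nothing
    }

    $found = @($workflow.FoundObject("Found Admin Accounts"))
    if ($found.Count -eq 0) {
        return @()   # no linked admin account for this user; nothing to do
    }

    $updated = foreach ($obj in $found) {
        $dn = $obj.Get("distinguishedName")
        # Bind through ActiveRoles so policy checks, approval and change
        # history apply to the admin account as well.
        $admin = [ADSI]("EDMS://" + $dn)
        if ([string]::IsNullOrEmpty($newManager)) {
            # Manager was cleared on the office user: clear it here too.
            # 1 = ADS_PROPERTY_CLEAR.
            $admin.PutEx(1, "manager", @())
        } else {
            $admin.Put("manager", $newManager)
        }
        $admin.SetInfo()
        $dn
    }
    return @($updated)
}

Sync-LinkedAdminManager
```

Returning early when the Search activity found nothing also keeps the workflow from doing anything when it fires on the admin account itself, since admin accounts do not carry a populated edsvaLinkedAdminAccount value.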

  • Hi,
    We've implemented this.
    It's basically a multi-valued DN attribute on the User itself and a BackLink attribute on the Admin.
    This means multiple Admin accounts can be referenced from one "OfficeUser" account.
    When searching the user you get all of its linked accounts back, to disable or deprovision those accounts once that happens to the Office User.
    The BackLink (BL) nature of the attribute will "follow" the OfficeUser if its DN changes due to rename or move actions.

    Do yourself a favour and check the manager/managedBy attributes. As you mentioned, it's the same story.
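The DN-link approach from this reply, as an added example (not the poster's implementation). It assumes a multi-valued, DN-syntax virtual attribute named edsvaLinkedAdminAccounts on the office user (the attribute name and the function name are assumptions), a back-link to it on the admin accounts, and the ActiveRoles Management Shell cmdlets Connect-QADService, Get-QADUser, Disable-QADUser and Deprovision-QADUser, connected with -Proxy so the operations go through ActiveRoles.

```powershell
# Added example, not the poster's implementation. Assumes a multi-valued
# DN-syntax virtual attribute edsvaLinkedAdminAccounts on the office user
# (name is an assumption) with a back-link on the admin accounts, and the
# ActiveRoles Management Shell connected through ActiveRoles (-Proxy).

Connect-QADService -Proxy | Out-Null

function Invoke-LinkedAdminDeprovision {
    param(
        [Parameter(Mandatory)] [string] $OfficeUserDN,
        [switch] $DisableOnly   # use while testing; deprovision is hard to undo
    )

    $user = Get-QADUser -Identity $OfficeUserDN `
        -IncludedProperties edsvaLinkedAdminAccounts
    if (-not $user) { throw "Office user not found: $OfficeUserDN" }

    # A DN-syntax attribute holds full DNs, so the link keeps pointing at the
    # admin account after a rename or move; a name-based link would not.
    $links = @($user.edsvaLinkedAdminAccounts)
    if ($links.Count -eq 0) { return @() }   # nothing linked; nothing to do

    $processed = foreach ($dn in $links) {
        $admin = Get-QADUser -Identity $dn -ErrorAction SilentlyContinue
        if (-not $admin) { continue }   # dangling link: skip it, do not fail the run
        if ($DisableOnly) {
            Disable-QADUser -Identity $dn | Out-Null
        } else {
            Deprovision-QADUser -Identity $dn | Out-Null
        }
        $dn
    }
    return @($processed)
}

# In the script activity of a deprovision workflow, $Request.DN (assumed to be
# the DN of the office user being deprovisioned) is the input:
# Invoke-LinkedAdminDeprovision -OfficeUserDN $Request.DN
```

Run it with -DisableOnly first against a test user to confirm the link attribute is populated and resolves to the accounts you expect; an empty result means the office user has no linked admin accounts, which is the first thing to check when the admin account is not being decommissioned.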
  • Hi,

    Thanks for your answer. For whatever reason I do not see the admin account being decommissioned. Can you perhaps be a bit more specific about what needs to be configured to get this working?

    Thanks.