
Issues setting attributes via PowerShell

Hi all,

We are about to roll out self-service for group management.

For that reason, I need to bulk-set primary and secondary owners.

While trying to get started I am experiencing issues in setting necessary attributes.

I can set ManagedBy flag and that's all.

Trying to set "edsamanagercanupdatemembershiplist" or "edsvaSecondaryOwners" or "edsvaSecondaryOwnersCanUpdateMembershipList" the command seems to execute but a get still reveals unset or wrong attributes:

Set-QADGroup -Proxy <groupname> -ObjectAttributes @{edsaManagerCanUpdateMembershipList = $True }

When then querying it still remains as "False":

Get-QADGroup -Proxy jimprimary -DontUseDefaultIncludedProperties -IncludeAllProperties | select managedBy,edsaManagerCanUpdateMembershipList,edsvaSecondaryOwners,edsvaSecondaryOwnersCanUpdateMembershipList

ManagedBy edsamanagercanupdatemembershiplist edsvaSecondaryOwners edsvaSecondaryOwnersCanUpdateMembershipList
--------- ---------------------------------- -------------------- -------------------------------------------
                                       False                                                                 

Any hint what I'm doing wrong?

Thanks,


Ben

  • "Include all properties" switch doesn't actually include all properties.  I find that you often need to call out your VAs explicitly in an include.

    As far as setting the VAs goes, have you re-started your AR admin service lately?  I find that every so often, VAs refuse to be set and a service re-start makes the problem go away.

    There is also a bug around setting secondary owners.  You cannot edit the list - you have to reset it in full each time.  It's a defect with the Set-QADGroup cmdlet that I noticed somewhere around v 7.2 but may have been present earlier.

  • No restart and I have some sort of movement, however, not all changes seem to come through.

    When it comes to secondary owners: If I have multiple lines, all setting a secondary owner the list *seems* to add up, no reset.

    Can you detail?

  • # Regarding the SecondaryOwnersCanUpdateMembershipList Attribute
    # Running this specific command, which actually has a parameter designed to handle it, simply doesn't work reliably or at all. I've never gotten the $false to work in ARS v7.3.1; it does produce an error which is logged in ds.log as well.
    Set-QADGroup -Proxy 'GroupName' -SecondaryOwnersCanUpdateMembershipList $true  # or $false
    
    # Regarding setting edsvaSecondaryOwners: it's simply not working through the ADSI or PS provider like it's supposed to.
    This has been noted a few times on the forums, but how it is supposed to work 
    
    https://www.quest.com/community/one-identity/active-roles/f/active-roles-forum/28224/set-qadgroup-possible-bug
    
    How it is supposed to work.
    
    $ADS_PROPERTY_CLEAR =  1 #This deletes the entire attribute, no additional values have to be passed to the PutEx call as the third parameter (in fact, you have to pass an EMPTY array as a parameter....)
    $ADS_PROPERTY_UPDATE = 2 #This replaces the entire attribute with the array passed to the PutEx call as a parameter. The old values of the regarding attribute are lost!
    $ADS_PROPERTY_APPEND = 3 #This adds one or several attribute values, which have to be passed to the PutEx function in an array. 
    $ADS_PROPERTY_DELETE = 4 #This deletes one or several attribute values, which have to be passed to the PutEx function in an array.
    
    How it works in Practice
    
    $ADS_PROPERTY_CLEAR =  1 # Does Nothing
    $ADS_PROPERTY_UPDATE = 2 # This adds one or several attribute values, which have to be passed to the PutEx function in an array. 
    $ADS_PROPERTY_APPEND = 3 # This adds one or several attribute values, which have to be passed to the PutEx function in an array. 
    $ADS_PROPERTY_DELETE = 4 # No Matter what you pass into the array it clears the attribute in ARS.
    
    So in order to properly manage it without them fixing how the attribute value functions in ARS:
    
    
    1) To Clear the Attribute
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(4,'edsvaSecondaryOwners',@())
    $objGroup.SetInfo()
    
    2) To Append the Attribute
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(3,'edsvaSecondaryOwners',@($SecondaryOwners))
    $objGroup.SetInfo()
    
    3) Test Delete value(s) from the attribute
    
    # Get the current attribute value and store it in an array.
    
    $objGroup = [adsi]'EDMS://[ObjectDN]'
    $objGroup.RefreshCache(@('edsvaSecondaryOwners','edsvaSecondaryOwnerGuids'))
    $currentListOfSecondaryOwners = $objGroup.'edsvaSecondaryOwners'
    
    # Then use logic to remove your values from the Array
    
    # Example Function
    function Remove-ArrayValues([array]$value1,[array]$value2)
    {
        if($value1){
            foreach($value in $value2)
            {
                if($value1 -contains $value)
                {
                    $value1 = $value1 | Where-Object {$_ -ne $value}
                }
            }
        }
        return $value1
    }
    $newListofSecondaryOwners = Remove-ArrayValues -value1 $currentListofSecondaryOwners -value2 $valuesToRemoveFromSecondaryOwners
    
    # Then Clear Secondary Owners.
    
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(4,'edsvaSecondaryOwners',@())
    $objGroup.SetInfo()
    
    # Then append secondary Owners
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(3,'edsvaSecondaryOwners',@($newListofSecondaryOwners))
    $objGroup.SetInfo()
    
    4) To update the Attribute
    
    # First Clear the Attribute Value
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(4,'edsvaSecondaryOwners',@())
    $objGroup.SetInfo()
    
    # Then append secondary Owners
    $objGroup = [adsi]"EDMS://$DNofGroup"
    $objGroup.PutEx(3,'edsvaSecondaryOwners',@($newListofSecondaryOwners))
    $objGroup.SetInfo()
    
    I hope this helps, I hope they can fix this with the next version of ARS or maybe a hotfix,
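
A bulk-friendly wrapper around the clear-then-append workaround from the post above, with a read-back check so a silently ignored write is caught, as an added example that is not part of the original thread or Quest's code. It relies on the PutEx behaviour that post reports (code 4 clears, code 3 appends) and assumes owners are written and read back as DN strings; the function names and sample DNs are hypothetical.

```powershell
# Added example. Works out the exact owner list wanted (current + Add - Remove),
# case-insensitively and without duplicates.
function Get-DesiredOwnerList {
    param([string[]]$Current, [string[]]$Add, [string[]]$Remove)
    $result = New-Object System.Collections.Generic.List[string]
    foreach ($dn in @($Current) + @($Add)) {
        if ($dn -and ($Remove -notcontains $dn) -and ($result -notcontains $dn)) {
            $result.Add($dn)
        }
    }
    return ,$result.ToArray()
}

function Set-SecondaryOwnersExact {
    param([Parameter(Mandatory)][string]$GroupDN, [string[]]$Add, [string[]]$Remove)
    $attr  = 'edsvaSecondaryOwners'
    $group = [adsi]"EDMS://$GroupDN"
    $group.RefreshCache(@($attr))
    $current = @($group.$attr | ForEach-Object { [string]$_ })
    $desired = Get-DesiredOwnerList -Current $current -Add $Add -Remove $Remove

    # Code 4: reported in the post above to clear the attribute in ARS.
    $group.PutEx(4, $attr, @())
    $group.SetInfo()
    if ($desired.Count -gt 0) {
        # Code 3: appends the full desired list to the now-empty attribute.
        $group.PutEx(3, $attr, @($desired))
        $group.SetInfo()
    }

    # Read back through a fresh bind and report drift instead of trusting the write.
    $check = [adsi]"EDMS://$GroupDN"
    $check.RefreshCache(@($attr))
    $actual = @($check.$attr | ForEach-Object { [string]$_ })
    $missing    = @($desired | Where-Object { $actual -notcontains $_ })
    $unexpected = @($actual  | Where-Object { $desired -notcontains $_ })
    [pscustomobject]@{
        Group      = $GroupDN
        Desired    = $desired
        Missing    = $missing       # wanted owners that did not stick
        Unexpected = $unexpected    # owners still present that should be gone
        InSync     = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample call (DNs are placeholders):
# Set-SecondaryOwnersExact -GroupDN 'CN=Grp1,OU=Groups,DC=example,DC=com' `
#     -Add 'CN=Alice,OU=Users,DC=example,DC=com' -Remove 'CN=Bob,OU=Users,DC=example,DC=com'
```

In a bulk run, collect the returned objects and review every row where InSync is false before enabling self-service, since each entry in that attribute is an account that can be delegated control of the group.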