Question - ARS 6.9 Workflow How to Filter out a specific sub OU

I have a compliance requirement.  All new server objects must be added to X policy filtering group in 3 of our AD's

I have workflow setup - to detect a computer created under domain\Xservers  (for which there are sub OU's for IIS/SQL/FILE/SharePoint ... etc

I want to filter out further processing on any new computer creation executed in the SharePoint OU.

Everything fires off fine - except the filter.    Unless I'm misunderstanding filters ... the workflow checks for new creation under the XServers OU and only begins the if/then policy blocks defined in the GUI - if it's under XServers AND not in a sub OU named SharePoint ...

Regardless of which path property of the target object I evaluate, SharePoint servers end up in the group like the other WinServers do.

Ideas on how to prevent the workflow from continuing past the initiate 'create' trigger - based on a word in the directory path to the object?

  • You can't do a wildcard search against a DN. It's a constructed value, and it doesn't really exist. Any "Contains" or "Does Not Contain" which is run against an object with a DN syntax will always resolve to false. This is an Active Directory limitation.

    Instead, create a Virtual Attribute with a Directory String syntax. Link it to your computer objects. Set up Workflows so that this Virtual Attribute gets updated when an object is created or moved. Also run an automation Workflow to populate this Virtual Attribute on existing objects. Then, run your filter against this new Virtual Attribute.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Terrance's idea is a good one. You could also evaluate the canonical name of the object - i.e. mydomain.com/parentou/childou/objectname
  • Ok, I created a directoryString VA stored on Computer - and built a workflow to update with the content from canonicalName.  I now get a string poplated similar to this: "domainX/XServers/W2012/IIS/SharePoint/ServerX"

    I set the advanced property "Workflow Priority" to 499 so that it will run prior to the post-create-add-to-group Workflow.

    I evaluate 'does not contain' against the new string value - and still get added to the group.

    opinion?

  • What was mentioned here - should have worked for me ...  The Computer object continued to be added to the policy filtering group  despite being filtered for an OU named W2K3 or SharePoint...  If I had a longer attention span -or more time to play before I had to implement. - I'd stay with it.    I fell back to script policy.   I had 3 domains to link this to - so I linked the policy to the windows server OU in each domain.   This is the last change I have to make in ARS 6.9 - as we are working to deploy ARS 7 in the coming weeks.

    ... and this is working.   Which - is like a plus, or something.

    function onPostCreate($Request)
    {
        $strObjClass = $Request.Class
        if ($strObjClass -eq "computer")
    {
    [string]$strPath = $request.DN
    
    if($strPath -notmatch "(SHAREPOINT|W2K3)"){
        $strGroup = "POLICYX Group"
        $strDOM = (($strPath -split "DC=",0)[1].split(",")).split()[0]
        add-qadgroupmember -identity "$strDOM\$strGroup" -Member $strPath -erroraction silentlycontinue -proxy
                }
            }
        }

    Edited to reduce footprint of the PS script