Controlling Account-Enabled Status on Microsoft Exchange

Novell Cool Solutions: Tip
By William C Schneider

Posted: 17 Feb 2005
 

Taking Actions on Disabled Accounts for Exchange Functionality

by Will Schneider

Problem

In our directory service, a user's status in the primary (authoritative) data sources determines whether the account should be enabled or disabled. We use a custom multi-valued attribute (sasdatasource in the rules below) to record which data sources the user originates from. When the user is no longer found in any of those sources, the attribute is set to inactive and the account must be disabled. Several other values (such as hold and decay in the rules below) also indicate that the account should be disabled.

Additionally, when an Exchange-enabled account is disabled in Active Directory, it also needs to be removed from all distribution groups and hidden from the Exchange address lists. Otherwise, when a user sends e-mail to a distribution list that still contains disabled users, an "undeliverable" message comes back for each of them. Removing the disabled user from these groups reduces confusion for your users and avoids the extra messages.

Solution

  1. Create two rules (Enable and Disable) to change the Login Disabled attribute, based on the data source values.
  2. In the Disable rule, determine which users are members of any Active Directory groups and remove the users from those groups.
  3. In the Disable rule, hide the user from the Exchange Address Lists.

Disable rule example

(This is the rule that sets Login Disabled to true, removes the user from groups and hides the user from the address lists; the condition groups are AND'ed together, and the tests inside each group are OR'ed, so the rule fires when any one of the disabling values is present.)

Conditions: 
if operation equal "add" 
OR if operation equal "modify" 
OR if operation equal "sync" 
AND 
if attribute 'sasdatasource' equal "hold" 
OR if attribute 'sasdatasource' equal "inactive" 
OR if attribute 'sasdatasource' equal "decay" 
Actions: 
set source attribute value("Login Disabled","true") 
strip operation attribute("Login Disabled") 
set destination attribute value("Login Disabled","true") 
set local variable("group-membership",nodeset(Destination Attribute("Group Membership"))) 
set local variable("group-member",Source DN()) 
for each(nodeset(Local Variable("group-membership")),
  actions(remove destination attribute value("member",class name="group",
    dn(Local Variable("current-node")),Local Variable("group-member")))) 
set destination attribute value("msExchHideFromAddressLists","TRUE")

In Active Directory, group membership is modified on the group object, not on the user object. The rule therefore reads the user's memberOf values (the Active Directory attribute that the schema map pairs with the eDirectory attribute Group Membership) into a node set, and the 'for each' loop removes the user from the member attribute of each group in that set. If you are not synchronizing groups, you must also add the following rule to the Publisher channel's Input Transformation policy. It reformats the DN values returned for memberOf into plain (lower-cased) string values; without it, the engine tries to resolve each group DN to its eDirectory counterpart through the group's association, and because unsynchronized groups have no association the operation fails with an unassociated object error.

Conditions: 
if operation attribute 'memberOf' available 
Actions: 
reformat operation attribute("memberOf",Lower Case(Local Variable("current-value")))

Enable rule example

(This is the mirror image of the Disable rule: it sets Login Disabled to false when none of the disabling values is present.)

Conditions: 
if operation equal "add" 
And if operation attribute 'sasdatasource' not equal "hold" 
And if operation attribute 'sasdatasource' not equal "inactive" 
And if operation attribute 'sasdatasource' not equal "decay" 
OR 
if operation equal "modify" 
And if operation attribute 'sasdatasource' not equal "hold" 
And if operation attribute 'sasdatasource' not equal "inactive" 
And if operation attribute 'sasdatasource' not equal "decay" 
Actions: 
set source attribute value("Login Disabled","false") 
strip operation attribute("Login Disabled") 
set destination attribute value("Login Disabled","false")

One caveat when building this rule: 'operation attribute' tests only values carried in the current event. On a modify that does not touch sasdatasource, all three 'not equal' tests are true, so a user whose stored value is inactive could be re-enabled by an unrelated attribute change. Testing 'attribute' instead (which looks at the current operation and the source data store), as the Disable rule does, keeps the two rules complementary.
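The two rules above (Disable and Enable) and the Input Transformation rule for memberOf, rebuilt here as the DirXML-Script XML that the Policy Builder stores behind the pseudo-text shown on this page. This is an added reconstruction, not the author's exported policy: the rule descriptions, the `type` of the value arguments and the use of `if-attr` rather than `if-op-attr` in the Enable rule (so that stored values count, not just values in the current event) are my assumptions. The two `<policy>` documents are separate policy objects (Subscriber channel and Publisher Input Transformation) shown in one listing; import them into the Policy Builder and verify them against your driver before use.

```xml
<!-- Policy 1: Subscriber channel (e.g. Command Transformation).
     Reconstruction of the page's rules; descriptions and value types are assumptions. -->
<policy>
  <rule>
    <description>Disable: account, group membership, address lists</description>
    <conditions>
      <!-- <or> groups are AND'ed together -->
      <or>
        <if-operation op="equal">add</if-operation>
        <if-operation op="equal">modify</if-operation>
        <if-operation op="equal">sync</if-operation>
      </or>
      <or>
        <!-- any one of these values means "disable" -->
        <if-attr name="sasdatasource" op="equal">hold</if-attr>
        <if-attr name="sasdatasource" op="equal">inactive</if-attr>
        <if-attr name="sasdatasource" op="equal">decay</if-attr>
      </or>
    </conditions>
    <actions>
      <!-- write the flag to eDirectory, drop any copy already in the event, then send it to AD -->
      <do-set-src-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>true</token-text></arg-value>
      </do-set-src-attr-value>
      <do-strip-op-attr name="Login Disabled"/>
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>true</token-text></arg-value>
      </do-set-dest-attr-value>
      <!-- groups the user belongs to, read from AD (memberOf before the schema map) -->
      <do-set-local-variable name="group-membership">
        <arg-node-set><token-dest-attr name="Group Membership"/></arg-node-set>
      </do-set-local-variable>
      <do-set-local-variable name="group-member">
        <arg-string><token-src-dn/></arg-string>
      </do-set-local-variable>
      <!-- membership lives on the group object in AD: remove the user from each group's member attribute -->
      <do-for-each>
        <arg-node-set><token-local-variable name="group-membership"/></arg-node-set>
        <arg-actions>
          <do-remove-dest-attr-value class-name="group" name="member">
            <arg-dn><token-local-variable name="current-node"/></arg-dn>
            <!-- type="dn" is an assumption; the page does not show the value type -->
            <arg-value type="dn"><token-local-variable name="group-member"/></arg-value>
          </do-remove-dest-attr-value>
        </arg-actions>
      </do-for-each>
      <do-set-dest-attr-value name="msExchHideFromAddressLists">
        <arg-value type="string"><token-text>TRUE</token-text></arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>Enable: none of the disabling values present</description>
    <conditions>
      <!-- <and> groups are OR'ed together; if-attr (not if-op-attr) so a modify
           that does not carry sasdatasource cannot re-enable a stored "inactive" user -->
      <and>
        <if-operation op="equal">add</if-operation>
        <if-attr name="sasdatasource" op="not-equal">hold</if-attr>
        <if-attr name="sasdatasource" op="not-equal">inactive</if-attr>
        <if-attr name="sasdatasource" op="not-equal">decay</if-attr>
      </and>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-attr name="sasdatasource" op="not-equal">hold</if-attr>
        <if-attr name="sasdatasource" op="not-equal">inactive</if-attr>
        <if-attr name="sasdatasource" op="not-equal">decay</if-attr>
      </and>
    </conditions>
    <actions>
      <do-set-src-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>false</token-text></arg-value>
      </do-set-src-attr-value>
      <do-strip-op-attr name="Login Disabled"/>
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>false</token-text></arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>

<!-- Policy 2: Publisher channel, Input Transformation. Only needed when groups are not
     synchronized: lower-cases memberOf and leaves the values as plain strings so the engine
     does not try to resolve unassociated group DNs. -->
<policy>
  <rule>
    <description>memberOf: flatten group DNs to lower-case strings</description>
    <conditions>
      <and>
        <if-op-attr name="memberOf" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-reformat-op-attr name="memberOf">
        <arg-value type="string">
          <token-lower-case>
            <token-local-variable name="current-value"/>
          </token-lower-case>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
</policy>
```

Because the two rules' conditions are complementary (any disabling value versus none), at most one of them fires for a given event, so their order within the policy does not matter; the 'strip operation attribute' action in each keeps a Login Disabled value that arrived in the event from being written to Active Directory alongside the value the rule sets.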

