Back to User management: Disable, Delete, Deprovision
DESCRIPTION
Allows you to selectively define who can disable users while allowing free access to enable. The group defining who should be denied access to disable is stored as a parameter of the policy entry called 'Disable User Group', and should be stored in distinguishedName format.
Note This code may use functions from the ARS Script Policy Best Practices. Please, follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTBILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' (C) 2007 Quest Software, Inc.
'' This script is a part of custom solution for Quest ActiveRoles Server
'' delivered by Quest according to applicable Statement of Work. For
'' support policy please refer to Exhibit 2 of SOW.
''
'' PLEASE DO NOT MODIFY THIS FILE. It is protected by cryptographic
'' digital signature to ensure original contents.
''
'' $ QARS Version: 6.0.2
''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub onPreModify(Request)
' Shawn Ferrier, Quest Software shawn.ferrier@quest.com
' May 17, 2007
If Request.Class <> "user" Then Exit Sub
' If the user disabled state is not one of the attributes being modified, exit the function
If IsEmpty(Request.Get("edsaAccountIsDisabled")) Then Exit Sub
' If the user is being enabled, exit the function
If Request.Get("edsaAccountIsDisabled") = False Then Exit Sub
Dim strDeniedGrp
Dim objDeniedGrp
Dim strInteractiveUsrSAN
Dim strInteractiveUsrDN
Dim blnDenied
Dim objGroupList
' The group defining who is permitted to disable users is defined by the policy entry parameter called
' "Disable User Group". It should be specified in distinguishedName syntax.
strDeniedGrp = PolicyEntry.Parameter("Disable User Group")
'Set objDeniedGrp = GetObject("EDMS://" & strDeniedGrp)
' Retrieve the name of the user making the request, and find out if they are a member of the allowed
' users group.
Request.WhoAmI strInteractiveUsrSAN, strInteractiveUsrDN
' This dictionary object is used by the IsMember function to prevent checking membership of the
' same group twice. Otherwise you run the risk of entering an infinite loop if there is any circular
' group memberships.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare
blnDenied = IsMember(strDeniedGrp, strInteractiveUsrDN, objGroupList)
' If they requesting user is not in the allowed list, record an event to the EDM event log and
' display an error message to the user. The Err.Raise method will abort execution before any change to
' the user is made. If they are permitted, then execution continues normally, allowing any and all
' changes.
If blnDenied Then
EventLog.ReportEvent EDS_EVENTLOG_AUDIT_FAILURE, strMeSAN & " attempted to enable '" & Request.Name & "'."
Err.Raise -1, "Access Denied", vbCRLF & vbCRLF & "You are not permitted to disable this user object. Please contact your network administrator."
End If
End Sub
Private Function IsMember(strGroupDN, strUserDN, ByRef objGroupList)
' This recursive group membership check function needs to exist since the IsMember method is, by
' itself, not recursive. Moreover, please be aware that this function does NOT work on your primary
' group (i.e., Domain Users in most cases).
Dim objGroup
Dim objMember
Dim strMemberDN
Set objGroup = GetObject("EDMS://" & strGroupDN)
IsMember = objGroup.IsMember("EDMS://" & strUserDN)
If IsMember Then Exit Function
For Each objMember In objGroup.Members
If objMember.Class = "group" Then
strMemberDN = objMember.Get("distinguishedName")
If Not objGroupList.Exists(strMemberDN) Then
objGroupList.Add strMemberDN, strMemberDN
IsMember = IsMember(strMemberDN, strUserDN, objGroupList)
If IsMember Then Exit Function
End If
End If
Next
End Function
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): ARS 6.0 or later