Rule description
This rule queries the specified Active Directory scope and for each returned user sets or clears the specified Active Directory attribute.
When to use this rule
Use this rule when you need:
-
To update an attribute for a set of users.
- To clear one or several attributes at once for a set of users.
-
To set attribute value during new users' creation. For details, see the KB20181029-1 article.
Rule Settings
Query Section
Setting name | Description |
---|---|
Limit scope to this domain or OU
|
This setting defines the search query scope. To improve query performance, limit the scope to specific OU.
Important: To test rule configuration, limit the rule scope to an OU that contains test accounts or objects.
|
Query criteria |
Query criteria are sent with the query and may improve query performance.
Tip: For different samples on the criteria builder, see KB20180410-1.
|
More options | |
Filter |
To hide unwanted data based on criteria set the filtering conditions here.
Tip: For optimal performance, use Query criteria above to filter objects whenever possible.
|
Returned properties
|
To display additional properties for each object found by the query, add those properties to the list.
|
Sort by | Sort result objects list. |
Initialization Script | |
Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.
Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action Section
Setting name | Description |
---|---|
Attribute(s)
|
Select an attribute from the list. You can select multiple attributes. In this case, all these attributes would be cleared or set to the value specified in the Value setting. |
Value
|
Set attribute(s) value. Example 1: Append some text to AD Users DisplayName attribute. $($FoundObject.DisplayName + "teststring") Note: You must add DisplayName attribute to Returned properties list. Example 2: Change all phone numbers from this format 111.222.3333 to this format 111-222-3333. {[String]::Format('{0:###-###-####}',[Int64]($FoundObject.telephoneNumber -replace '\D+(\d+)','$1'))} Note: You must add telephoneNumber attribute to Returned properties list. Example 3: Disable Active Directory user:$($FoundObject.userAccountControl -bor 0x2) Note: You must add userAccountControl attribute to Returned properties list. Example 4: Set accountExpires attribute to expire in 90 days from now. ([DateTime]::Now.Date.AddDays(90)) Example 5: Update multi-valued virtual attribute. ["val1","val2","val3"] |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
7.3.1 | Initialization Script section is added. |
5.4.0 | The rule can be linked to web actions in Rules to run after this rule section. |
Comments
0 comments
Please sign in to leave a comment.