Rule description
This rule queries Active Directory user accounts according to query criteria, tries to find linked AD LDS accounts and if a linked AD LDS account was found for an Active Directory user account, performs Undo Suspend operation.
For more information, please see Working with AD LDS Accounts article.
Rule Settings
Query Section
Setting name | Description |
---|---|
Limit the scope to this domain or OU
|
This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. Important: To test rule configuration, limit the rule scope to a container that contains test accounts or objects.
|
Query criteria |
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
AD LDS anchor attribute
|
Defines the attribute in the AD LDS to which the Active Directory anchor attribute is to be compared. When a new AD LDS account is created this value also specifies the Active Directory attribute into which the AD LDS anchor is written for comparison the next time the rule is executed. |
AD anchor attribute
|
Defines the attribute in Active Directory that will be used to determine if the AD LDS account already exists. This value is compared to the AD LDS Anchor Attribute. |
Other Query Settings |
|
Properties to display |
To display additional properties for each object found by the query, add those properties to the list. |
System properties |
List of properties required to this rule to be executed correctly. |
Filter |
To hide unwanted data set the filtering conditions here. Example: filter by the found object Distinguished Name. Tip: For optimal performance, use Query criteria above to filter objects whenever possible.
|
Sort by |
Sort result object list. |
Initialization script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Get AD LDS accounts, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Connection Settings |
|
AD LDS server connection credentials AD LDS server name AD LDS server port |
The default settings are specified in AD LDS extension settings. |
Action Section
Setting name | Description |
---|---|
Undo Suspend operation |
Select operation:
|
Move to container |
Specify AD LDS container if you need to move AD LDS account after Suspend operation. |
Settings for User Object Class |
|
Enable account |
Specify whether to enable AD LDS account or not. |
Other Properties |
|
Other properties |
Use this setting for a custom modification of AD LDS account attribute values. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
6.3.0 | The rule is introduced in the product. |
Comments
0 comments
Please sign in to leave a comment.