In my previous blog post I wrote about creating an RES Automation Job to make sure that when a user leaves the company, the account is disabled, it is moved to an isolated OU and its membership of a certain AD group is removed.
This last step is important because every user in this group consumes a very expensive license. In this article I will describe how this module is created and what the different components achieve.
I am using module parameters, which makes the module reusable. This module contains three tasks.
In the screenshot above you see the three tasks that I have created for this module.
I start with the ‘Manage Active Directory User’ task. Let’s open the settings tab of the first task. You need to enter your domain name and the security context under which the task will be performed. The Domain Controller that I enter here will consume 32 RES AM licenses. I want to create a single user; when this module is scheduled, the admin will be prompted to enter the username of the account that he/she wants to alter. The value that I enter here ($[Username]) is what causes the aforementioned prompt for the username.
The next thing I need to specify is what I want to manage for this AD user account. On the tab ‘User Properties’ I specify that I want to disable this account.
The next task in the module is ‘Move Active Directory Object’. Just like in the previous task, we need to enter the Domain, Security Context and Domain Controller. Next I specify that I want to move a single object, and that the type of object I want to move is a user. In the field for the username I enter the name of the parameter that will be resolved when the module is scheduled.
As target folder I enter the location in the AD where I want to place users that have left the company.
For the last task of this module I want to remove the user from an application group in the AD that consumes licenses.
On the tab ‘Members’ I specify which user I want to remove from the aforementioned AD Group.
Within the module I go to the tab ‘Job Parameters’. There I define the parameter ‘Username’ that I use in the aforementioned tasks.
When you schedule this task you should notice the orange exclamation mark, indicating that an action is required.
When you go to the ‘Job Parameter’ tab you are presented with the above window, asking you to supply a username.
This module can now be handed over to the Service Desk department. They only have to enter the username of the user that is leaving the company and RES AM does its thing. This ensures that every user who leaves the company is removed from the license-consuming AD group.
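For checking what the module did, or for repeating the same offboarding outside RES AM, the three tasks can be expressed as a PowerShell script that ends with a verification of the resulting account state. This is an added example, not part of the original module; it assumes the RSAT ActiveDirectory module, and the OU path, group name, domain controller and username pattern are placeholders.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Plays the role of the $[Username] module parameter.
    # The pattern is a constructed example; adjust it to your naming convention.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
    [string]$Username,

    # Placeholders (not from the original post): replace with your own values.
    [string]$LeaversOU    = 'OU=Leavers,DC=example,DC=local',
    [string]$LicenseGroup = 'APP-Licensed-Users',
    [string]$Server       = 'dc01.example.local'
)

$ErrorActionPreference = 'Stop'

# Resolve the account and the group once. The objectGUID stays valid
# after the move changes the distinguished name.
$user    = Get-ADUser  -Identity $Username     -Server $Server -Properties MemberOf
$groupDn = (Get-ADGroup -Identity $LicenseGroup -Server $Server).DistinguishedName
$guid    = $user.ObjectGUID

# Task 1: disable the account
if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable account')) {
    Disable-ADAccount -Identity $guid -Server $Server
}

# Task 2: move the user object to the OU for leavers
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $LeaversOU")) {
    Move-ADObject -Identity $guid -TargetPath $LeaversOU -Server $Server
}

# Task 3: remove the user from the license-consuming group (only if a member)
if ($user.MemberOf -contains $groupDn -and
    $PSCmdlet.ShouldProcess($LicenseGroup, "Remove $($user.SamAccountName)")) {
    Remove-ADGroupMember -Identity $LicenseGroup -Members $guid -Server $Server -Confirm:$false
}

# Verification: re-read the account from the same DC and report the end state
$after = Get-ADUser -Identity $guid -Server $Server -Properties MemberOf
[pscustomobject]@{
    User             = $after.SamAccountName
    Disabled         = -not $after.Enabled
    InLeaversOU      = $after.DistinguishedName -like "*,$LeaversOU"
    RemovedFromGroup = $after.MemberOf -notcontains $groupDn
}
```

Run it with `-WhatIf` first to see which changes would be made; any `False` in the output object means a step did not take effect.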
Was once an enthusiastic PepperByte employee but is now working at Ivanti. His blogs are still valuable to us and we hope to you too.