This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active Directory Business Adapter not importing Enabled field

Jump to solution
EHacking
By
Level 8

I have a Business Adapter that I use to pull in additional information from our AD, and I want to pull in the field Enabled so that I can deactivate users that are no longer working for the company (since for some reason the AD import doesn't pull this information in). When I add the field to the Business Adapter and run the Staging batch file, it pulls the information into the Staging Table, but it doesn't pull in anything for this field. The field is either True or False according to our AD administrator. When I look in the Staging Table, the field says Null in every single record. I checked, and there should be many that say False. How do I get this data into the Staging Table? I'm attaching the XML file for the Business Adapter.

 

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.

‎Apr 23, 2019 10:00 AM

Preview file
1 KB
(2) Solutions

Jump to solution
rclark0
By
Level 6

We used 'useraccountcontrol' field to accomplish this; it returns a number and that number corresponds to the account either being active or inactive. A simple case statement in the business adapter sets the account in Flexnet as active or inactive. 

 

,case
when u.[useraccountcontrol] = '514' then 'Inactive'
when u.[useraccountcontrol] = '546' then 'Inactive'
when u.[useraccountcontrol] = '66050' then 'Inactive'
when u.[useraccountcontrol] = '66082' then 'Inactive'
when u.[useraccountcontrol] = '512' then 'Active'

View solution in original post

‎Apr 24, 2019 10:29 AM

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager
In response to EHacking

@EHacking - userAccountControl is a bit field, so you need to check if bit #2 ("ACCOUNTDISABLE") is on, not check that the entire field value is 2.

The following filter expression in the LDAP query filters out disabled accounts from the results by only returning objects where bit #2 is not set:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Information on the following pages may give you some insight into the LDAP query:

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

‎Apr 25, 2019 08:53 PM

(7) Replies

Jump to solution
rclark0
By
Level 6

We used 'useraccountcontrol' field to accomplish this; it returns a number and that number corresponds to the account either being active or inactive. A simple case statement in the business adapter sets the account in Flexnet as active or inactive. 

 

,case
when u.[useraccountcontrol] = '514' then 'Inactive'
when u.[useraccountcontrol] = '546' then 'Inactive'
when u.[useraccountcontrol] = '66050' then 'Inactive'
when u.[useraccountcontrol] = '66082' then 'Inactive'
when u.[useraccountcontrol] = '512' then 'Active'

‎Apr 24, 2019 10:29 AM

Jump to solution
mfranz
By Level 17 Champion
Level 17 Champion
In response to rclark0

Bit #2 in useraccountcontrol marks disabled accounts (https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties). There might be a few more decimal numbers where #2 is potentially set. So directly looking for that bit might be easier and safer. In TSQL this can be done using "&". This example should list inactive accounts.

userAccountControl & 2 <> 0

 

‎Apr 24, 2019 03:07 PM

Jump to solution
BradAkers
By Level 5 Flexeran
Level 5 Flexeran
In response to mfranz

Looking at the XML it looks like the field you tried to use is "Enabled" and you need "UserAccessControl"

‎Apr 24, 2019 03:28 PM

Jump to solution
BradAkers
By Level 5 Flexeran
Level 5 Flexeran

I would verify you have the field header correct. Unfortunately with AD if the field doesn't match the AD schema it will just bring in NULLs and not error out. So for example, if you said LastName instead of SN you woudl get lots of NULLS. 

‎Apr 24, 2019 02:48 PM

Jump to solution
EHacking
By
Level 8

Here is my Properties to load:

displayname,Surname,Givenname,OfficePhone,samaccountname,employeeID,Title,Mail,telephonenumber,sn,userAccountControl

Here's the line from the filter:

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

When I run this as-is, it almost doubled the number of records that it pulls into the Staging Table, but none of them have a 2 in the userAccountControl field.

I'm not a query expert, but I think that last part says to not include any record with a userAccountControl=2.

When I remove that part from the filter it give me an error. What am I doing wrong?

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.

‎Apr 25, 2019 09:43 AM

0 Kudos

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager
In response to EHacking

@EHacking - userAccountControl is a bit field, so you need to check if bit #2 ("ACCOUNTDISABLE") is on, not check that the entire field value is 2.

The following filter expression in the LDAP query filters out disabled accounts from the results by only returning objects where bit #2 is not set:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Information on the following pages may give you some insight into the LDAP query:

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

‎Apr 25, 2019 08:53 PM

Jump to solution
Steffen
By
Level 6

Hi, I ran into the same problem. I did solve it as following:

- using powershell, create a script to export the AD-Data required as csv file

- I did change all the filednames in powershell, just to be shure (ran into poroblem in the past here)

- you might have to convert the csv file to different CharSet I use: Get-Content ./imput_UTF-8-BOM.csv | Out-String | % { [Text.Encoding]::UTF8.GetBytes($_) } | Set-Content -Encoding Byte -Path "./output_UTF-8.csv"

- I have to use UTF-8 but export-csv only creats UTF-8-BOM so I can get my "Äs, Ös" etc.

- after creating the BusninessAdapter (on the beacon-application) I had to manually edit the XML-file to specify the characterset: simply enter into the connection string: ...;Characterset=65001;...

- Please dont forget to simply Replace in the BusinessAdpater the filed "Enabled": Find: True,False Replace: Active,Inactive

- unfortunatly the connection string gets reset each time you use the Beacon-BusinessAdapter for changes - so you have to manually add the Charset-value each time after you made changes

I am sure the other solutions will work as well, but this did solve the issue for me 😉

for AD-filers I can recommend: https://blogs.msdn.microsoft.com/adpowershell/2009/04/14/active-directory-powershell-advanced-filter-part-ii/

greetings Steffen

‎May 10, 2019 05:08 AM - edited ‎May 10, 2019 05:16 AM

Top Kudoed Authors
View all