Archive for April 2012

Courion Tip – Restricting Access to Workflows

The business case is this: only people whose Active Directory accounts are in “Users” or in “No Mail Users” should be able to reset their passwords using Courion. All other accounts are (probably) service accounts or privileged accounts. Courion already has documentation for restricting access to a workflow based on a single group membership, but what about restricting access to two different organizational units?

Step 1 – custom macro to return the user’s distinguished name

distinguishedName(sAMAccountName=%Auth Step 1.UserName%)

Step 2 – custom macro to parse the distinguished name.

Dim strDN, strFound
' DN returned by the Step 1 macro
strDN = "%Custom Macro.AD.Provisionee.distinguishedName%"
' InStr returns 0 when the substring is absent, so the sum stays 0 unless the DN lies under one of the two permitted OUs
strFound = (InStr(strDN, "OU=User,OU=CH,DC=ad-ech,DC=net") + InStr(strDN, "OU=No Mail User Accounts,OU=CH,DC=ad-ech,DC=net"))
NativeScript = strFound
Step 3 – modify Auth Step 2, Limit Authentication Criteria:

'%Custom Macro.SQL.GlobalConfigValues.ConfigValue.PasswordReset_Restriction%'>1

SQL Global ConfigValues.ConfigValue.Password_Reset_Restriction = SELECT ConfigValue FROM GlobalConfigValues WHERE ConfigName = 'PasswordReset_Restriction'
Step 4 – modify the code that displays messages to the end user, so they know why they can’t use the workflow.
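As an added example (not from the original post, and not Courion macro code), the Step 2 check redone in Python on parsed RDNs, so the difference between an InStr substring match and an exact parent-container comparison can be seen side by side. The two OU paths are the ones from the macro above; the sample account DNs are constructed.

```python
ALLOWED_PARENTS = (
    "OU=User,OU=CH,DC=ad-ech,DC=net",
    "OU=No Mail User Accounts,OU=CH,DC=ad-ech,DC=net",
)

def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (e.g. CN=Smith\\, Jane). Escape sequences are kept as written."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep "\," as one unit
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts

def normalize(rdns):
    # Attribute types and OU names compare case-insensitively in AD, and the
    # directory may return a DN in a different case than the macro was typed in.
    return tuple(rdn.lower() for rdn in rdns)

def parent_container(dn):
    """The DN minus its leaf RDN, normalised: where the object actually lives."""
    return normalize(split_dn(dn)[1:])

def may_reset_password(dn):
    """True only when the account sits directly in one of the allowed OUs."""
    allowed = {normalize(split_dn(p)) for p in ALLOWED_PARENTS}
    return parent_container(dn) in allowed

def substring_check(dn):
    """The InStr-style test from the macro: any occurrence anywhere counts."""
    return any(p in dn for p in ALLOWED_PARENTS)

# Constructed sample DNs (not real accounts). A service account parked in a
# child OU beneath OU=User passes the substring test but not the exact one.
SAMPLES = {
    "CN=Jane Smith,OU=User,OU=CH,DC=ad-ech,DC=net": True,
    "CN=svc-backup,OU=Service,OU=User,OU=CH,DC=ad-ech,DC=net": False,
    "CN=jdoe,ou=user,ou=ch,dc=ad-ech,dc=net": True,
}
```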

Posted April 29, 2012 by mmdmurphy in Courion Tip


Courion Tip – User Home Drive Permissions

The situation – user home drives get created with Courion pretty much ‘straight out of the box’. Permissions can be set, drive letter set. However, the home drive does not inherit permissions from its parent folder. How to resolve this?

Start by reading “Configuring Workflows.pdf” that came with your version. For version 8.00, the pages of interest are 446 through 454. This covers “Configuring Triggers”.

Next, make a copy of “TriggerUtils.vbs”, I called my copy “TriggerICACLS.vbs” since I will be using the icacls.exe program to re-enable inheritance.

And now make a short and sweet vbscript to make sure this actually does what you want. This is the vbscript I wrote:

Dim strHomeFolder, objShell, objFSO
' Placeholder path: substitute the share and the user's folder
strHomeFolder = "{\\path to server or DFS Share}\Home\{username}"
Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Re-enable inheritance of NTFS permissions from the parent folder
objShell.Run "icacls " & strHomeFolder & " /inheritance:e"

For me, (please test for your use case) I can recreate the issue by using “/inheritance:r” and resolve it by using “/inheritance:e”. In other words, make sure this fixes your issue.

Now for the tough part – editing of the TriggerICACLS.vbs file itself. And, sorry, but the line numbers shown below are only approximate.

Line 20. Change Const RDK_DEBUG = 0 to Const RDK_DEBUG = 1
Line 29. Change the DEBUG_LOG file name to “TriggerICACLS_debug.log”
Insert a line 68 which says Dim objShell, objFSO
Line 71. Change the name for TRIGGER_ONE_PARAM1. I set mine to “Directory to reset inheritance on”
Line 87. Change the help text for TRIGGER_ONE_PARAM1_ARRAY(ATTRIBUTE_HELP_TEXT). I set mine to “folder you wish to inherit permissions from parent”
Comment out lines 672 through 709 (again, the line numbers probably don’t align 100% with yours). This is basically all the code that copies the files/folders. The first line I commented out was 'Open the file system object and the first line I left alone was 'Call RevertToYourself to go back to who you were before the impersonation!

Insert the following code:

' Set the folder in strSourceDir to inherit permissions from its parent
On Error Resume Next
Dim objShell, objFSO
Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject") 'FileSysObj
objShell.Run "icacls " & strSourceDir & " /inheritance:e"

Now, log into the Courion server, and launch the Connector Configuration Manager. You will be adding a target to the Microsoft ActiveScript Cnctr.
I called mine “AD” since it’s Active Directory. I wasn’t positive which Operations I wanted, so I cheated and selected all of them.
The Script File Name should be the path and name to the vbscript you just created.
Next, enter the Administrator User and Administrator Password.

Click on Finish. For the record, I couldn’t get mine to confirm, and so the rest of this is actually untested. It should prompt you to restart the Courion services, and you will need it to do so.

Now, go into the Courion admin and edit your workflow. In my case, I chose the Add action, Trigger, and the event of Microsoft ADS 5.x User Resource Success.

Posted April 27, 2012 by mmdmurphy in Courion Tip
