AfterModifyRule + AD OU moves

Morning,
I have a working ‘Update Account’ Function that moves a User to a new OU upon change of a identity attribute. This works fine

I also have a AfterModify Rule that adds/removes a user from groups based upon identity attributes changing. This works fine too.

The problem is that when they combine I’m getting the following error message:

Error processing user : Directory object not found

Basically, the account move is working, but the afterModify is picking up the old DN, and not the new one for the value:
$nativeIdentity = $requestObject.NativeIdentity

Has anyone come this before, and have a solution?
Thanks

Yes, @phil_awlings we have seen this happening in our implementation also. We generally add a delay in script after catching that error.

Recommendation: When using Get-ADUser during movement scenario, use ObjectID of AD user instead of DN.

How long of a delay are you using to ensure that the afterModify Rule picks up the new/correct DN?
Thanks

We have added 20 sec delay only when we get “object not found error”.

I’ve tried adding a 20s wait + loop when I got the error message ‘Directory object not found’
but the following code still doesn’t bring the new native identity: (doesn’t bring anything in, nor run any error messages)

  function Get-ProcessedUser($nativeIdentity, $logFile) {
    $maxRetries = 3
    $retryCount = 0

    while ($retryCount -lt $maxRetries) {
      $nativeIdentity      = $requestObject.NativeIdentity
      try {
        $user = Get-ADUser -Identity $nativeIdentity -Properties sAMAccountName, employeeType, extensionAttribute15, MemberOf
        Add-Content $logFile "`n:allActiveUsers      : $allSchoolsActive"
        if ($user) {
          return $user
        }
      }
      catch {
        if ($_.Exception.Message -like "*Directory object not found*") {
          Add-Content $logFile "`n Error processing user $nativeIdentity : $($_.Exception.Message). Retrying in 20 seconds..."
          Start-Sleep -Seconds 20
          $retryCount++
        }
        else {
          Add-Content $logFile "`n Error processing user $nativeIdentity : $($_.Exception.Message)"
          break
        }
      }
      $nativeIdentity      = $null
    }
    return $null
  }

Do you mind sharing where you put the wait in your code?

$nativeIdentity = $requestObject.NativeIdentity

Phil, above nativeidentity object is coming from provisioning plan object and it will not change with updated value even after delay as plan object is constant.

By any chance you have sAMAccountName in provisioning plan?

If not, I would recommend to add sAMAccountName or any other unique identifier/employee number (since this value will not change based on identity attribute change) as an argument via before provisioning and then get this value in after modify script to be used for Get-ADUser command.

Thanks

Hi Anshu,
I like your thinking, however, there are many articles about why DN has to be the nativeIdentity (regardless how stupid it seems to have a variable rather than a static field as that attribute.

I think I’ve coded my way round it using this:

  $nativeIdentity      = $requestObject.NativeIdentity
  $extensionAttribute1 = Get-AttributeValueFromAccountRequest $requestObject "extensionAttribute1"
  if ($null -eq $extensionAttribute1) {
    $NativeIdentityNew = $NativeIdentity
  } 
  else {
    # Regular expression to match OU='number'
    $regex = "OU=\d+"
    
    # Replace the matched part with the new value
    $NativeIdentityNew = $NativeIdentity -replace $regex, "OU=$extensionAttribute1"
  }

Just a bit more unit testing to do.

EDIT: This works. However, with 4 variables defining the DN, it is going to get ‘clunky’. On my return from AL, I’m going to look at moving all the afterModify changes to a beforeModify as these are group membership only, and then let the OU move happen afterwards. I feel like this should work.

EDIT: beforeModify doesn’t work.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.