Deleting an Active Directory OU

Hello everyone,
I am currently trying to delete an OU in Active Directory in a rule using a “provisioning plan” with the “Active Directory” connector in an IIQ 8.4 environment, but I can’t seem to do it.
Does anyone happen to have a code snippet that I could use in a rule? Creating an AD group works fine, but when I try to delete it, I can’t seem to get it right.

Thank you very much!
Best regards,
Michael

@mlangerdz

Can you please let me know the exact requirement you have?

Thanks

Hi @mlangerdz ,

please refer to the link below.

deleteSubTree

Could you please share the code here, if possible?

I want to scan different OUs in Active Directory in a task. If they are empty (i.e., there are no objects in them), the OU should be deleted.

That is the requirement. Simple cleanup task…

Found solution:

Add new schema to application:

<Schema displayAttribute="name" featuresString="PROVISIONING" identityAttribute="distinguishedName" nativeObjectType="organizationalUnit" objectType="organizationalUnit">
  <AttributeDefinition name="distinguishedName" type="string">
    <Description>Distinguished Name of the OU</Description>
  </AttributeDefinition>
  <AttributeDefinition name="name" type="string">
    <Description>Name of the OU</Description>
  </AttributeDefinition>
  <AttributeDefinition name="description" type="string">
    <Description>Description of the OU</Description>
  </AttributeDefinition>
  <AttributeDefinition name="objectguid" type="string">
    <Description>Object globally unique identifier</Description>
  </AttributeDefinition>
</Schema>

The Rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Temp - Active Directory OU Delete">
  <Description>
    Temp rule to delete an Organizational Unit (OU) in Active Directory.
    CONFIGURATION: Set OU_DN. Execute via Debug Page.
  </Description>
  <Signature returnType="string">
    <Inputs>
      <Argument name="context" type="sailpoint.api.SailPointContext"/>
      <Argument name="log" type="org.apache.logging.log4j.Logger"/>
    </Inputs>
  </Signature>
  <Source>
  <![CDATA[
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.ObjectRequest;
  import sailpoint.object.ProvisioningResult;
  import sailpoint.api.Provisioner;

  // CONFIGURATION
  // DN of the OU to delete, and the name of the AD application that carries
  // the organizationalUnit schema shown above.
  String OU_DN = "OU=test1234,OU=Projekte,DC=SOMTEST,DC=LAN";
  String APPLICATION_NAME = "Active Directory";

  if (OU_DN == null || OU_DN.trim().isEmpty()) {
    return "ERROR: OU_DN is not configured!";
  }

  try {
    // One object-level request (not an AccountRequest); the type must match
    // the objectType of the schema added to the application.
    ProvisioningPlan plan = new ProvisioningPlan();
    ObjectRequest objReq = new ProvisioningPlan.ObjectRequest();
    objReq.setApplication(APPLICATION_NAME);
    objReq.setNativeIdentity(OU_DN);
    objReq.setOp(ProvisioningPlan.ObjectOperation.Delete);
    objReq.setType("organizationalUnit");
    plan.add(objReq);

    // NOTE: this deletes unconditionally; it does not verify that the OU is empty.
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);

    // The connector may attach the result to the plan or to the request itself;
    // check both before deciding the outcome.
    ProvisioningResult result = plan.getResult();
    if (result == null) {
      result = objReq.getResult();
    }
    String status = (result != null && result.getStatus() != null) ? result.getStatus() : "executed";

    context.decache();

    if (ProvisioningResult.STATUS_COMMITTED.equalsIgnoreCase(status)) {
      return "OK: OU deleted - " + OU_DN;
    } else {
      String errors = (result != null && result.getErrors() != null) ? " " + result.getErrors() : "";
      return "Status: " + status + " - " + OU_DN + errors;
    }

  } catch (Exception e) {
    log.error("OU delete failed for " + OU_DN, e);
    return "ERROR: " + e.getMessage();
  }
  ]]>
  </Source>
</Rule>
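
The rule above deletes one hard-coded OU and never checks whether it is empty, while the stated requirement was to delete only empty OUs. The following BeanShell source is an added example (not from the original post or from SailPoint) that does the emptiness check with a one-level JNDI LDAP search against the domain controller and then issues the same `ObjectRequest` delete. Everything in the CONFIGURATION block is an assumption: the LDAPS URL, the bind account, the candidate OU list and the `DRY_RUN` flag are placeholders; in a real deployment you would read the bind credentials from the application definition (for example via `context.decrypt(...)`) rather than keep them in the rule. The source goes inside the `<Source><![CDATA[ ... ]]></Source>` of a Rule with the same `context`/`log` signature as above.

```java
// Added example: delete only EMPTY OUs. Not code from the original thread.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningResult;

// CONFIGURATION (all placeholders / assumptions, replace before use)
String APPLICATION_NAME = "Active Directory";
String LDAP_URL = "ldaps://dc01.somtest.lan:636";            // assumption: LDAPS endpoint
String BIND_DN = "CN=svc-iiq,OU=Service,DC=SOMTEST,DC=LAN";  // assumption: service account
String BIND_PASSWORD = "<read from the application and decrypt, never hard-code>";
boolean DRY_RUN = true;                                      // report only; set false to delete
List candidateOus = new ArrayList();                         // constructed sample input
candidateOus.add("OU=test1234,OU=Projekte,DC=SOMTEST,DC=LAN");
candidateOus.add("OU=test5678,OU=Projekte,DC=SOMTEST,DC=LAN");

// One-level search directly under the OU. Any child at all (user, group,
// computer, nested OU, container) makes the OU "not empty".
boolean isOuEmpty(DirContext ctx, String ouDn) {
  SearchControls sc = new SearchControls();
  sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
  sc.setReturningAttributes(new String[] { "distinguishedName" });
  sc.setCountLimit(1); // we only need to know whether at least one child exists
  NamingEnumeration results = ctx.search(ouDn, "(objectClass=*)", sc);
  try {
    return !results.hasMore();
  } catch (SizeLimitExceededException e) {
    return false; // the size limit was hit, so there is at least one child
  } finally {
    results.close();
  }
}

// Same ObjectRequest delete as the single-OU rule, returning the effective status.
String deleteOu(String ouDn) {
  ProvisioningPlan plan = new ProvisioningPlan();
  ObjectRequest req = new ObjectRequest();
  req.setApplication(APPLICATION_NAME);
  req.setNativeIdentity(ouDn);
  req.setOp(ProvisioningPlan.ObjectOperation.Delete);
  req.setType("organizationalUnit");
  plan.add(req);
  new Provisioner(context).execute(plan);
  ProvisioningResult result = plan.getResult();
  if (result == null) result = req.getResult();
  return (result != null && result.getStatus() != null) ? result.getStatus() : "executed";
}

Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, LDAP_URL);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);

StringBuilder report = new StringBuilder();
DirContext ctx = new InitialDirContext(env);
try {
  for (String ouDn : candidateOus) {
    if (!isOuEmpty(ctx, ouDn)) {
      report.append("SKIP (not empty): ").append(ouDn).append("\n");
      continue;
    }
    if (DRY_RUN) {
      report.append("WOULD DELETE: ").append(ouDn).append("\n");
      continue;
    }
    String status = deleteOu(ouDn);
    log.info("OU cleanup: " + ouDn + " -> " + status);
    report.append(status).append(": ").append(ouDn).append("\n");
  }
} finally {
  ctx.close();
  context.decache();
}
return report.toString();
```

Run it first with `DRY_RUN = true` from the Debug page and read the report before letting it delete anything. Two things to expect in practice: the bind account needs Delete rights on the OUs (the account the AD connector provisions with may be a different one), and OUs created with "Protect object from accidental deletion" carry a Deny ACE for Delete and Delete Subtree, so the connector delete fails with insufficient rights until that flag is cleared on the OU.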

Thanks! I also have a similar use case. It helped a lot.