I have been asked to automate our process for off boarding. I have a workflow that is doing each our manual steps. I have a requirement to update the description on the users AD account. When I get to this point I am getting a error that make 0 since. We looked at the connection logs on the server and it appears that the VA’s are not even reaching out to the server. I am able to ping the host name of the server from each VA in the PTA cluster. For testing I have disabled SSL and Cert Verify to keep things simple.
I know the Credential Provider information is correct as it is the exact same as how I have it set up for the AD source. We have this set up to use Kerberos. The script that is being called is rather simple and the parameter is just the samaccountname. HttpRequest3 pulls the AD Account using the accounts api endpoint. Confirmed this step is working as expected.
Script Args:
SamAccountName
“$.hTTPRequest3.body[0].attributes.sAMAccountName”
PARAM(
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string] $SamAccountName
)
function Escape-LdapFilterValue {
param([Parameter(Mandatory)][string]$Value)
# RFC 4515 escaping for LDAP filter assertion values
$Value `
-replace '\\', '\5c' `
-replace '\*', '\2a' `
-replace '\(', '\28' `
-replace '\)', '\29' `
-replace "`0", '\00'
}
# Step 1: Get AD User object make user AD Object exist.
$escaped = Escape-LdapFilterValue -Value $SamAccountName
$UserInfo = Get-ADUser -LDAPFilter "(samaccountname=$($escaped))" -Properties description
if ($null -ne $UserInfo) {
#Update description for AD account if user exist.
try{
Get-ADUser -Identity $SamAccountName -Properties description | Set-AdUser -Description "Do Not enable unless approved by IAM" -ErrorAction Stop
}
catch{
Write-Error "Failed to update description for AD account $SamAccountName. Error: $_"
}
}
else{
Write-Error "AD account for $SamAccountName does not exist."
}
