Active Directory querying with ActiveADAPTER

  • Question

  • I'm developing an application with the ActiveADAPTER Active Directory adapters. Have a couple of questions:

    1. Can I get a message in from AD whenever a user is added to a certain group using the receive adapter?

    2. I'm creating new accounts from an orchestration with a message to the send adapter. When the account is created it is disabled by default. This is ok, but later in my orch I need to enable it (after approval process has run). I've tried creating the account in one message to the send adapter, then using a second message to enable it but no luck. The error I get is "The server is unwilling to process the request." I think this error comes back from AD.

    jh

    Tuesday, June 14, 2011 9:21 AM

Answers

  • I was looking in the ActiveAdapter send and receive guides, and question 1 does seem possible, it polls for changes to the AD query. Here is the link to the receive guide for question 1: http://www.activeadapter.com/resources/pdf/ActiveADAPTER%20Receive%20Adapter%20User%20Guide.pdf. The send guide is helpful too: http://www.activeadapter.com/resources/pdf/ActiveADAPTER%20Send%20Adapter%20User%20Guide.pdf.

    For question 2, it looks like you need to set the userAccessControl property on the user object to a value of 512 (see http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html). You might try setting this value on the new user message.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    • Marked as answer by janhaagen Thursday, June 16, 2011 9:27 AM
    Tuesday, June 14, 2011 5:45 PM
    Moderator
  • Hi JH.

    Some possible answers to your questions:

    1. New user in group notification.

    Yes, you can use the AD receive adapter to trigger a message to BizTalk whenever a user is added to a group.

    Set "Container" to the container your group is in (e.g. LDAP://OU=Test,DC=test,DC=com). Set the query to target the group you are interested in, e.g. "(&(objectCategory=group)(cn=My Group))".

    Then in "Properties to return" make sure you include "member".

    Lastly set the "On Change Only" option to True - this will make sure you only get a message into BizTalk when a change occurs (as opposed to every query interval).

    When a new object is added to the group the message into BizTalk will look something like:

    <ActiveDirectoryChange>
      <PROPERTY_CHANGED>
        <FilterMatch ObjectPath="LDAP://CN=My Group,OU=Test,DC=test,DC=com">
          <NEW_VALUE>
            <Property Name="member" Value="CN=NewToGroup,CN=Users,DC=test,DC=com"/>
          </NEW_VALUE>
        </FilterMatch>
      </PROPERTY_CHANGED>
    </ActiveDirectoryChange>

    The CN of the new group member (or members) is returned in the member property.

    2. Enabling newly created accounts.

    The new user account needs a valid password that meets your domain password policy before Active Directory will let you enable the account. Try this approach:

    1. Use an initial message to create the account, setting all the props you need like email, description etc
    2. Use a second message to set a valid password (there's a sample provided in the ActiveADAPTER evaluation)
    3. Use a third message to enable the account (there's a sample for that too)

    This should get you an enabled account.

    More information is available in the ActiveADAPTER documentation installed as part of the evaluation or available from the web site. Hope this helps.

    Cameron Shackell, ActiveADAPTER Employee

    http://www.activeadapter.com

    Wednesday, June 15, 2011 12:29 AM

All replies

  • Thanks. Got both parts working now.
    Thursday, June 16, 2011 9:28 AM
  • This is close to what I'm trying to do - but I also want to get a message into BTS if a user/computer is taken OUT of an AD group? Can the activeadapter adapters do this for me?


    G
    Thursday, July 21, 2011 8:57 PM
  • Yes, this should also work. The documentation says it fires a message when the query results change, so in the example when a user is added or removed from a group.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Friday, July 22, 2011 5:12 AM
    Moderator
  • Hi Graham.

    Ben is correct. If an object (a user, for example) is removed from a group the Active Directory Receive Adapter will submit a message to BizTalk. Messages contain both the old and new values for changed properties. So if a user is removed from the group you will get a message into BTS something like:

    <ActiveDirectoryChange>
      <PROPERTY_CHANGED>
        <FilterMatch ObjectPath="LDAP://CN=MyGroup,OU=RunTest,DC=test,DC=com">
          <NEW_VALUES>
            <Property Name="member" Value=""/>
          </NEW_VALUES>
          <OLD_VALUES>
            <Property Name="member" Value="CN=SomeoneJustRemoved,OU=RunTest,DC=test,DC=com"/>
          </OLD_VALUES>
        </FilterMatch>
      </PROPERTY_CHANGED>
    </ActiveDirectoryChange>

    Monitoring the comings and goings from the Enterprise Admins group is a simple but useful AD auditing application that uses this kind of thing :)

    It can also be done on the memberOf property of the user object if you want to know when users' group memberships change.

    For more information please download our free evaluation, which includes samples and documentation, or see our Resource Center (http://www.activeadapter.com/resources.html).

    Regards,

    Cameron

    Wednesday, July 27, 2011 5:58 AM
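Added example (not code from the thread or from ActiveADAPTER): a small Python consumer for the ActiveDirectoryChange messages shown in Cameron's two replies (the member-added message and the member-removed message), diffing old against new member values and flagging the kind of Enterprise Admins monitoring mentioned above. It assumes the adapter emits one Property element per member value and accepts both the NEW_VALUE and NEW_VALUES spellings the thread shows; the watch list of sensitive groups is a constructed assumption.

```python
import xml.etree.ElementTree as ET

# Watch list: groups whose membership changes should raise an alert (assumption).
SENSITIVE_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins"}

# Constructed sample messages, modelled on the two adapter messages in the thread.
ADDED_MSG = """<ActiveDirectoryChange><PROPERTY_CHANGED>
  <FilterMatch ObjectPath="LDAP://CN=My Group,OU=Test,DC=test,DC=com">
    <NEW_VALUE><Property Name="member" Value="CN=NewToGroup,CN=Users,DC=test,DC=com"/></NEW_VALUE>
  </FilterMatch></PROPERTY_CHANGED></ActiveDirectoryChange>"""
REMOVED_MSG = """<ActiveDirectoryChange><PROPERTY_CHANGED>
  <FilterMatch ObjectPath="LDAP://CN=Enterprise Admins,CN=Users,DC=test,DC=com">
    <NEW_VALUES><Property Name="member" Value=""/></NEW_VALUES>
    <OLD_VALUES><Property Name="member" Value="CN=SomeoneJustRemoved,OU=RunTest,DC=test,DC=com"/></OLD_VALUES>
  </FilterMatch></PROPERTY_CHANGED></ActiveDirectoryChange>"""


def _member_values(match, tags):
    """Collect non-empty 'member' values under any of the given container tags.
    The thread shows both NEW_VALUE and NEW_VALUES, so both spellings are accepted;
    one <Property> element per member value is assumed."""
    found = set()
    for tag in tags:
        for container in match.iter(tag):
            for prop in container.findall("Property"):
                if prop.get("Name") == "member" and prop.get("Value"):
                    found.add(prop.get("Value"))
    return found


def group_cn(object_path):
    """'LDAP://CN=My Group,OU=Test,DC=test,DC=com' -> 'My Group'."""
    first_rdn = object_path.split("://", 1)[-1].split(",", 1)[0]
    return first_rdn[3:] if first_rdn.upper().startswith("CN=") else first_rdn


def parse_change(xml_text):
    """Diff old vs new member values and flag changes to watched groups."""
    match = ET.fromstring(xml_text).find(".//FilterMatch")
    group = group_cn(match.get("ObjectPath", ""))
    new = _member_values(match, ("NEW_VALUE", "NEW_VALUES"))
    old = _member_values(match, ("OLD_VALUE", "OLD_VALUES"))
    return {"group": group, "added": sorted(new - old),
            "removed": sorted(old - new), "sensitive": group in SENSITIVE_GROUPS}


if __name__ == "__main__":
    for msg in (ADDED_MSG, REMOVED_MSG):
        ev = parse_change(msg)
        print(("ALERT " if ev["sensitive"] else "") + f"{ev['group']}: +{ev['added']} -{ev['removed']}")
```

In a BizTalk deployment the same diff would sit in the orchestration or a pipeline component fed by the receive port; the set difference also copes with messages that carry the full member list in both OLD_VALUES and NEW_VALUES.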