Symantec IGA

  • 1.  Delete a particular provisioning role by etautil

    Posted Jun 12, 2017 02:40 PM

    Hello All,

     

    Users in the provisioning store are assigned roles associated with multiple endpoints. Is it possible with etautil to achieve the following scenarios?

    1. Remove all the AD roles and delete the AD account, leaving all other roles untouched.

    2. Remove all the roles assigned to a user which start with some particular syntax, say "F_App".

    Is it possible to achieve the above scenarios? Any help here would be highly appreciated.

     

    Thanks,
    Shashank



  • 2.  Re: Delete a particular provisioning role by etautil

    Broadcom Employee
    Posted Jun 13, 2017 03:00 AM

    Hi Shashank,

     

    To remove a particular Provisioning Role from a Global User, use the following control statement. Hopefully this will delete the AD account as well:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='<rolename>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=IDENTITY_MANAGER'

    To remove certain provisioning roles matching a pattern, maybe the following should work:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='F_App*,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=IDENTITY_MANAGER'

     

     

    Regards,

    Sumeet

     



  • 3.  Re: Delete a particular provisioning role by etautil

    Posted Jun 14, 2017 09:21 AM

    The second command listed, which tries to use a wildcard in the Role name, is not valid.

    Be careful when using the etautil command, as you need to be case-sensitive and must not include extra white space in the Role DN value. Also, "IDENTITY_MANAGER" may not be the proper value to use in the Role DN.

     

    If you want accounts to be deleted you need to also include eTSyncDelete='1' in the command.



  • 4.  Re: Delete a particular provisioning role by etautil

    Broadcom Employee
    Posted Jun 14, 2017 09:53 AM

    You are correct. I think "IDENTITY_MANAGER" should be replaced with "im" or whatever the domain name is on the provisioning side.

    I think the following should work for deleting the accounts after removal of the Provisioning Role:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to eTSyncDelete=1;

     

    Regards,

    Sumeet

     



  • 5.  Re: Delete a particular provisioning role by etautil
    Best Answer

    Posted Jun 14, 2017 10:01 AM

    You would want to include the eTSyncDelete='1' in the original command, as that would be the equivalent of choosing to Sync during the role modification had it been done via the Provisioning Manager, such as:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='<rolename>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncDelete='1';

    Running a separate secondary command would be the equivalent of right-clicking on a global user in the Provisioning Manager and doing a Sync User With Roles to Delete Extra Accounts, and would cause any accounts not prescribed by a role/template to be deleted.



  • 6.  Re: Delete a particular provisioning role by etautil

    Broadcom Employee
    Posted Jun 14, 2017 10:17 AM

    All right, that makes sense. Thanks Kenny.



  • 7.  Re: Delete a particular provisioning role by etautil

    Posted Aug 07, 2017 12:30 PM

    Hi KennyV,

    Can we remove the account from the user but not from the endpoint through "etautil"?

    Please help me on this.

     



  • 8.  Re: Delete a particular provisioning role by etautil

    Posted Aug 07, 2017 12:41 PM

    The etautil command to add an inclusion would have the format of:

     

    etautil -u USER -p PWD -DYN add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='MY_GU_1' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

     

    The etautil command to remove an inclusion would have the format of:

     

    etautil -u USER -p PWD -DYN delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='MY_GU_1' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

     

    Things to note:

    1) Running the add inclusion command against an account that is already associated would associate the account to the new user, which automatically removes the old association, so there is no need to do a delete and an add in this case.

    2) You can feed etautil an input file so that there is a single bind to the Provisioning Server followed by the commands.

     

    So you would run the command:

     

    etautil.exe -u USER -p PWD -f input.txt

     

    where input.txt could have one command per line such as:

     

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_2' relationship=USERACCOUNT;

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_3' relationship=USERACCOUNT;
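    As an added example (not code from the thread or from the product), the following Python builds the statements for the accepted answer's role removal with eTSyncDelete='1' and for the inclusion deletes above, ready to be written to the input.txt that "etautil -u USER -p PWD -f input.txt" consumes. Since a wildcard in the role name is not valid, it expects the user's current role list to be fetched first and filters by prefix itself; the role names, account names and the "jdoe" user are constructed sample values, and the "im" domain is the one given in the accepted answer.

```python
"""Generate etautil control statements, one per line, for an input file."""

GU_CONTAINER = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects"


def value_problem(value):
    """Reason a DN component would trip etautil, or None. etautil is
    case-sensitive, rejects stray white space in DN values and does not
    accept a wildcard in a role name (both points raised in the thread)."""
    if value != value.strip() or "  " in value:
        return "stray whitespace"
    if "*" in value:
        return "wildcard"
    return None


def checked(value):
    problem = value_problem(value)
    if problem:
        raise ValueError(f"{problem} in {value!r}")
    return value


def remove_roles_by_prefix(global_user, assigned_roles, prefix, domain="im", sync_delete=True):
    """One 'update ... to -eTRoleDN=...' per assigned role matching the prefix.
    The prefix match is case-sensitive, like etautil; 'domain' is the
    provisioning domain ('im' in the accepted answer, not 'IDENTITY_MANAGER')."""
    stmts = []
    for role in assigned_roles:
        if not role.startswith(prefix):
            continue
        dn = (f"{checked(role)},eTRoleContainerName=Roles,"
              f"eTNamespaceName=CommonObjects,dc={checked(domain)}")
        stmt = (f"update '{GU_CONTAINER}' eTGlobalUser "
                f"eTGlobalUserName='{checked(global_user)}' to -eTRoleDN='{dn}'")
        if sync_delete:  # also delete the accounts that role had prescribed
            stmt += " eTSyncDelete='1'"
        stmts.append(stmt + ";")
    return stmts


def remove_ad_inclusions(global_user, ou, endpoint, accounts):
    """One 'delete ... relationship=USERACCOUNT' per account: the account is
    dissociated from the global user but left on the endpoint."""
    container = (f"eTADSOrgUnitName={checked(ou)},eTADSDirectoryName="
                 f"{checked(endpoint)},eTNamespaceName=ActiveDirectory")
    return [f"delete '{GU_CONTAINER}' eTGlobalUser eTGlobalUserName="
            f"'{checked(global_user)}' in '{container}' eTADSAccount "
            f"eTADSAccountName='{checked(acct)}' relationship=USERACCOUNT;"
            for acct in accounts]
```

    Join the returned statements with newlines to produce input.txt; a value that fails the check raises before anything is written, so a malformed DN never reaches the Provisioning Server.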



  • 9.  Re: Delete a particular provisioning role by etautil

    Posted Aug 07, 2017 04:54 PM

    Thank You KennyV