Symantec Access Management

Hello,

We have  a requirement wherein at a particular date , all the provisioning roles and accounts should be removed from the user.

Can this be achieved using the etautil script?

We actually with following script :-

etautil -d domain -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=domain,dc=eta' eTGlobalUser eTGlobalUserName="%UID%" to eTRoleDN='' eTSyncUsers=1 >> eTdelete.log

It removes the role but the accounts are still not removed? Can anyone assist where we are wrong in here ?

Thanks,

Shashank

The eTSyncUsers=1 means to create any accounts that should be there based on templates and/or assign account templates to those accounts as needed.

The eTSyncDelete=1 means to delete any accounts that are not prescribed by a Provisioning Role/Template and to delete those accounts.

You can try the following:

etautil -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTRoleDN='';

etautil -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTSyncDelete='1';

If you want to perform a single etautil bind and then feed in the file of commands it would be:

etautil -u user -p pwd -f input.txt

where input.txt would have one command per line such as:

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTRoleDN='';

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTSyncDelete='1';

Hello Kenny,

Yes this helped

Thanks a lot for quick response !

Shashank