Idea Details

Enhancement Request: Post-Modify Exit for ADS Connector

Last activity 21 days ago
Alan Baugher
10-21-2019 10:38 AM

Background:  The existing IM r14.x ADS Connector has a pre-create/post-create process that allows clients to add in additional business logic as needed during new user creation.

ADSExitUsrPreAdd.txt
ADSExitUsrPostAdd.txt

This process is a valuable feature when the IME is running on a Linux host, and the existing Policy Xpress business logic does NOT have the ability to run PowerShell or other scripts natively for the MS Windows OS.

These pre/post create exits can be executed on the remote IAMCS(JCS w/ embedded CCS), which allows this process to be used with the Virtual Appliance and/or remote cloud installations with a local deployment of the IAMCS(JCS w/ embedded CCS) services.


Examples of use: 

1) MS O365 APIs (to convert an MS ADS User Account in preparation to be used with MS AD Azure Sync),

2) Distribution Lists (using PowerShell to simplify 1000s of possible ADS Account Templates to a single PowerShell query),

3) Update of the remote home folder ACLs for ADS Account.



Challenge: While the pre/post-create process exists for active directory, the associated pre/post modify process does not.

To address the above challenge when using the IM solution with a Linux OS, it is necessary to install a remote SSH service on an MS Windows host.   There is no current production-ready process documented in the CA IM r14.x wiki.

The data flow for any Active Directory updates (via PowerShell scripts) from a Linux OS (IME) is a PX CLI to an SSH client service to a remote SSH server hosted on an MS Windows Server in the same domain as the managed endpoint and/or managed Exchange/O365 processes.

To avoid this cumbersome process, the following enhancement request is made:

Request:

Add in a similar pre/post modify action/process to the MS Active Directory Connector.

ADSExitUsrPreMod.txt
ADSExitUsrPostMod.txt

Note:  The dynamic connectors already have these pre/post abilities within the operation bindings to call JavaScript, or via JavaScript other scripts.    The older CAM/CAFT processes had this as well.

Comments

21 days ago

2nd Request:   Provide a REST webservice in the IAMCS to allow a remote call for scripts including PowerShell.

21 days ago

Challenge:   Since the IM CCS service (im_ccs.exe) is still 32-bit code, the associated post-exit processes must also use the 32-bit PowerShell process, instead of the default x64 MS PowerShell.


Example:   {Update path used to 32bit MS Powershell}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0>powershell [Environment]::Is64BitProcess
False
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe remote-mailbox-o365.ps1 %userPrincipalName% %sAMAccountName% | Out-File -append -FilePath c:\logs\o365.log
Additional Note:

Any script that requires authentication may require the script to be executed in the same context as the primary IM AD service ID.  In that case, the im_ccs.exe NT service should be modified from Local Service to the IM AD service ID.
-  Any MS PowerShell password hashes that are updated should be pre-executed as a test script to capture the correct hash to be stored as a file.
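A post-modify exit wrapper in the shape the request and the comments above describe, added here as an example (it is not code from the idea post or from the IM product). The parameter names, the log and credential file paths and the service account name are assumptions; the credential file is assumed to have been created once, while logged on as the IM AD service ID, with `Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\secure\o365.cred`.

```powershell
# Example post-modify exit wrapper (added example, not part of the idea post).
# Called as: powershell.exe ADSExitUsrPostMod.ps1 %userPrincipalName% %sAMAccountName%
param(
    # Conservative allow-lists for the values substituted in by the connector,
    # so a malformed attribute value fails here instead of reaching a command line.
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$')]
    [string]$UserPrincipalName,
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
    [string]$SamAccountName,
    [string]$LogPath  = 'C:\logs\o365.log',      # assumed path
    [string]$CredFile = 'C:\secure\o365.cred'    # assumed path
)

function Write-ExitLog([string]$Message) {
    # Timestamp plus the identity the exit actually runs as, which is the
    # first thing to check when a credential or ACL step fails.
    $line = '{0} [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# im_ccs.exe is 32-bit, so the exit is expected to run under the SysWOW64
# powershell.exe (Is64BitProcess = False). A 64-bit host means the System32
# binary was wired in instead; abort rather than run with the wrong modules.
$bitness = if ([Environment]::Is64BitProcess) { 'x64' } else { 'x86' }
Write-ExitLog "post-modify exit started for $SamAccountName ($UserPrincipalName), PowerShell $bitness"
if ([Environment]::Is64BitProcess) {
    Write-ExitLog 'ERROR: expected the SysWOW64 (32-bit) powershell.exe; aborting'
    exit 2
}

# ConvertFrom-SecureString without -Key protects the file with DPAPI, bound to
# the user that created it. That is why the file must be generated under the
# same IM AD service ID the im_ccs.exe service runs as; Local Service cannot
# decrypt it, and the failure surfaces here rather than in the business logic.
try {
    $secure = Get-Content -Path $CredFile -ErrorAction Stop | ConvertTo-SecureString
    $cred   = New-Object System.Management.Automation.PSCredential(
                  'svc-im-ad@example.com', $secure)   # assumed service account name
} catch {
    Write-ExitLog "ERROR: could not load credential as $env:USERNAME : $($_.Exception.Message)"
    exit 3
}

# The business logic (e.g. the remote mailbox update named in the comment) goes
# here, using $cred; left as a log line so the wrapper stays generic.
Write-ExitLog "would run post-modify business logic for $UserPrincipalName as $($cred.UserName)"
exit 0
```

A non-zero exit code plus the log line identifying the running user and bitness gives the CCS side something to act on when the exit is miswired, instead of a silent no-op.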