I wrote a policy in our AD driver which checks to see if a user account is changing to disabled or if an account is already disabled, and then it sets the msExchHideFromAddressLists attribute to true. It also checks whether the account is changing from disabled to enabled, and then unsets the msExchHideFromAddressLists attribute.
The policy seems to work normally, except that if there's an account which is enabled, but the attribute msExchHideFromAddressLists is True, it will remove the msExchHideFromAddressLists attribute. Can anyone give me some guidance? I feel like it's something small that I'm missing...
Code:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files\Novell\Designer\plugins\com.novell.idm.policybuilder_3.5.0.200909160331\DTD\dirxmlscript3.5.1.dtd"><policy>
<!-- Rule: keep msExchHideFromAddressLists on the destination in step with the
     source "Login Disabled" attribute for User objects.
     The rule has two independent do-if blocks: the first hides the account,
     the second removes the hide flag. -->
<rule>
<description>User changes from enabled to disabled - Hide from GAL</description>
<conditions>
<and>
<!-- Only objects whose class name equals User (case-insensitive) are processed. -->
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<!-- Hide branch: runs when EITHER test below matches. Note that the second
     test also matches accounts that are already disabled, which is broader
     than the "changes from enabled to disabled" wording in the description. -->
<do-if>
<arg-conditions>
<or>
<!-- The current operation is changing Login Disabled to TRUE.
     NOTE(review): this test uses mode="case" while the other two tests on
     Login Disabled use mode="nocase"; confirm the case-sensitive match is intended. -->
<if-op-attr mode="case" name="Login Disabled" op="changing-to">TRUE</if-op-attr>
<!-- The source object already has Login Disabled equal to TRUE. -->
<if-src-attr mode="nocase" name="Login Disabled" op="equal">TRUE</if-src-attr>
</or>
</arg-conditions>
<arg-actions>
<!-- Set msExchHideFromAddressLists to TRUE on the destination object. -->
<do-set-dest-attr-value name="msExchHideFromAddressLists">
<arg-value>
<token-text xml:space="preserve">TRUE</token-text>
</arg-value>
</do-set-dest-attr-value>
</arg-actions>
<!-- Empty else branch: nothing happens when neither test matches. -->
<arg-actions/>
</do-if>
<!-- Unhide branch: runs whenever the current operation is changing Login
     Disabled to false. Nothing here tests the previous value of Login Disabled
     or why the hide flag was set, so an account that was hidden deliberately
     (for example a service or administrative mailbox) loses the flag as soon
     as an operation carrying Login Disabled = false passes through this rule.
     NOTE(review): if only a real disabled-to-enabled transition should unhide,
     consider adding a second test such as op="changing-from" with value TRUE
     inside the <and>, and check a driver trace to see which operations
     actually carry Login Disabled; confirm before changing. -->
<do-if>
<arg-conditions>
<and>
<if-op-attr mode="nocase" name="Login Disabled" op="changing-to">false</if-op-attr>
</and>
</arg-conditions>
<arg-actions>
<!-- Remove the value TRUE from msExchHideFromAddressLists on the destination object. -->
<do-remove-dest-attr-value name="msExchHideFromAddressLists">
<arg-value>
<token-text xml:space="preserve">TRUE</token-text>
</arg-value>
</do-remove-dest-attr-value>
</arg-actions>
<!-- Empty else branch: nothing happens when the test does not match. -->
<arg-actions/>
</do-if>
</actions>
</rule>
</policy> |