Hi, I need to remove AD group memberships when an account is disabled in
the ID Vault.

My current rule looks like this, but it doesn't seem to work.

<rule>
    <description>NOT-WORKING Remove Users from their default Exchange Distribution List PTA</description>
    <comment xml:space="preserve">Remove PTA users to default groups based on their placement context in AD.</comment>
    <conditions>
        <and>
            <if-class-name mode="nocase" op="equal">User</if-class-name>
            <if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
            <if-op-attr mode="nocase" name="Login Disabled" op="equal">true</if-op-attr>
        </and>
    </conditions>
    <actions>
        <do-remove-dest-attr-value class-name="Group" name="Member" when="after">
            <arg-value type="string">
                <token-text xml:space="preserve">CN=</token-text>
                <token-src-attr name="Full Name"/>
                <token-text xml:space="preserve">,OU=User,OU=</token-text>
                <token-src-attr name="OU"/>
                <token-text xml:space="preserve">,OU=</token-text>
                <token-src-attr name="city"/>
                <token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
            </arg-value>
        </do-remove-dest-attr-value>
        <do-break disabled="true"/>
    </actions>
</rule>

I have also tested this rule, but it also doesn't work.

<rule disabled="false">
    <description>TEST Remove Users to their default Exchange Distribution List PTA</description>
    <comment xml:space="preserve">Remove PTA users to default groups based on their placement context in AD.</comment>
    <conditions>
        <and>
            <if-class-name mode="nocase" op="equal">User</if-class-name>
            <if-src-attr mode="nocase" name="city" op="equal">PTA</if-src-attr>
            <if-src-attr mode="nocase" name="OU" op="not-equal">FMDP</if-src-attr>
            <if-src-attr mode="nocase" name="OU" op="not-equal">CSD</if-src-attr>
            <if-src-attr mode="nocase" name="OU" op="not-equal">LSD</if-src-attr>
            <if-src-attr mode="nocase" name="OU" op="not-equal">HRD</if-src-attr>
            <if-op-attr mode="nocase" name="Login Disabled" op="equal">true</if-op-attr>
        </and>
    </conditions>
    <actions>
        <do-set-op-dest-dn disabled="true">
            <arg-dn>
                <token-text xml:space="preserve">"CN="+"All-"+Source Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
            </arg-dn>
        </do-set-op-dest-dn>
        <do-remove-dest-attr-value class-name="Group" name="Member" when="after">
            <arg-dn>
                <token-text xml:space="preserve">"CN="+"All-"+Source Attribute("OU")+",OU=Dist List,DC=ORG,DC=co,DC=za"</token-text>
            </arg-dn>
            <arg-value type="string">
                <token-text xml:space="preserve">CN=</token-text>
                <token-src-attr name="Full Name"/>
                <token-text xml:space="preserve">,OU=User,OU=</token-text>
                <token-src-attr name="OU"/>
                <token-text xml:space="preserve">,OU=</token-text>
                <token-src-attr name="city"/>
                <token-text xml:space="preserve">,DC=ORG,DC=co,DC=za</token-text>
            </arg-value>
        </do-remove-dest-attr-value>
        <do-break disabled="true"/>
    </actions>
</rule>
<rule>


Thanks in advance


--
Hendrik
------------------------------------------------------------------------
Hendrik's Profile: https://forums.netiq.com/member.php?userid=2773
View this thread: https://forums.netiq.com/showthread.php?t=49261