Reviewing http://tinyurl.com/n3r4rx2, it appears that it is possible to
undelete/restore an object in Active Directory by modifying some
variables. What I am looking to do is to automate this process with IDM.
My first pass at this is:

Code:
--------------------

<rule>
  <description>Determine class of object being deleted</description>
  <comment xml:space="preserve">AD has this really bad habit of not including the class of the deleted objects. This creates a local variable to store this information.</comment>
  <conditions>
    <and>
      <if-operation mode="nocase" op="equal">delete</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="OLHDeleteClass" scope="policy">
      <arg-string>
        <token-dest-attr name="Object Class"/>
      </arg-string>
    </do-set-local-variable>
  </actions>
</rule>
<rule>
  <description>Determine action on group delete events</description>
  <comment xml:space="preserve">Group Delete events are more complex. We want to glean what to do with the events from a mapping object (OLH_AD-GroupMap).</comment>
  <conditions>
    <and>
      <if-local-variable mode="nocase" name="OLHDeleteClass" op="equal">Group</if-local-variable>
      <if-operation mode="nocase" op="equal">delete</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="OLHGroupAction" scope="policy">
      <arg-string>
        <token-map dest="Delete" src="OU" table="..\OLH_AD-GroupMap">
          <token-parse-dn dest-dn-format="slash" length="1" src-dn-format="slash" start="-1">
            <token-parse-dn dest-dn-format="slash" length="3" src-dn-format="ldap" start="0">
              <token-dest-attr name="OLHDestLoc"/>
            </token-parse-dn>
          </token-parse-dn>
        </token-map>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="case" name="OLHGroupAction" op="equal"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="OLHGroupAction" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">recreate</token-text>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="OLHGroupAction" op="equal">recreate</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-clear-src-attr-value name="isDeleted"/>
        <do-set-src-attr-value name="distinguishedName">
          <arg-value type="string">
            <token-parse-dn dest-dn-format="ldap" src-dn-format="ldap" start="2">
              <token-dest-attr name="OLHDestLoc"/>
            </token-parse-dn>
            <token-text xml:space="preserve">,</token-text>
            <token-global-variable name="drv.group.container"/>
          </arg-value>
        </do-set-src-attr-value>
      </arg-actions>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="OLHGroupAction" op="equal">veto</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-remove-association direct="true">
              <arg-association>
                <token-association/>
              </arg-association>
            </do-remove-association>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-if>
    <do-veto/>
  </actions>
</rule>

--------------------


This rule results in what I would expect as the output:

Code:
--------------------

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Standard" version="4.0.2.7">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify dest-dn="CN=test1\0ADEL:83958f38-0a90-495d-8ede-7e509dafc010,CN=Deleted Objects,DC=oaklawn-idm,DC=local" event-id="OAKLAWN_AD##14c133a1b50##0">
      <association>388f9583900a5d498ede7e509dafc010</association>
      <modify-attr attr-name="isDeleted">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="distinguishedName">
        <remove-all-values/>
        <add-value>
          <value type="string">CN=test1,OU=OLHGroups,DC=oaklawn-idm,DC=local</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>

--------------------


There is even a success message being sent. The end result, however, is
not what I would expect--nothing happens. The group can still be found
in the deleted objects OU in AD and the isDeleted attribute is still
true. Has anyone been able to set up an undelete process like this?

Thanks!


--
suratom
------------------------------------------------------------------------
suratom's Profile: https://forums.netiq.com/member.php?userid=2816
View this thread: https://forums.netiq.com/showthread.php?t=53099
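As an added example (not code from the post or from the IDM driver), here is a small checker that translates the XDS `<modify>` from the trace above into the LDAP change shape that AD's documented tombstone-restore procedure expects: `isDeleted` deleted, `distinguishedName` replaced with the new DN in the same modify, and the modify sent with the `LDAP_SERVER_SHOW_DELETED_OID` control (1.2.840.113556.1.4.417). The mapping of "remove-all-values followed by add-value" to a single REPLACE is an assumption about how the driver should render the event; the sample XML is constructed from the trace in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <modify> element from the trace above.
XDS_MODIFY = r"""<modify dest-dn="CN=test1\0ADEL:83958f38-0a90-495d-8ede-7e509dafc010,CN=Deleted Objects,DC=oaklawn-idm,DC=local">
  <association>388f9583900a5d498ede7e509dafc010</association>
  <modify-attr attr-name="isDeleted"><remove-all-values/></modify-attr>
  <modify-attr attr-name="distinguishedName">
    <remove-all-values/>
    <add-value><value type="string">CN=test1,OU=OLHGroups,DC=oaklawn-idm,DC=local</value></add-value>
  </modify-attr>
</modify>"""

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID


def xds_to_ldap_mods(xds_xml):
    """Translate an XDS <modify> into (target DN, {attr: [(ldap_op, values)]})."""
    root = ET.fromstring(xds_xml)
    mods = {}
    for ma in root.findall("modify-attr"):
        ops = []
        if ma.find("remove-all-values") is not None:
            ops.append(("MODIFY_DELETE", []))
        adds = [v.text for v in ma.findall("add-value/value")]
        if adds:
            # Assumption: delete-all followed by add-value renders as one REPLACE.
            if ops and ops[-1][0] == "MODIFY_DELETE":
                ops[-1] = ("MODIFY_REPLACE", adds)
            else:
                ops.append(("MODIFY_ADD", adds))
        mods[ma.get("attr-name")] = ops
    return root.get("dest-dn"), mods


def check_undelete(dest_dn, mods, controls):
    """Return problems found; an empty list means the modify has AD's undelete shape."""
    problems = []
    if r"\0ADEL:" not in dest_dn or "CN=Deleted Objects" not in dest_dn:
        problems.append("target is not a tombstone DN")
    if mods.get("isDeleted") != [("MODIFY_DELETE", [])]:
        problems.append("isDeleted must be deleted, not set to FALSE")
    dn_ops = mods.get("distinguishedName", [])
    if not (len(dn_ops) == 1 and dn_ops[0][0] == "MODIFY_REPLACE" and len(dn_ops[0][1]) == 1):
        problems.append("distinguishedName must be replaced with exactly one new DN")
    if SHOW_DELETED_OID not in controls:
        problems.append("LDAP_SERVER_SHOW_DELETED_OID control is required on the modify")
    return problems
```

Running `check_undelete` on the translated event with and without the control shows which of the documented requirements the emitted modify does and does not satisfy.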