User Management Resource Administrator 7.2




Table Of Contents

What is User Management Resource Administrator
    UMRA Scripts
    UMRA Projects
    UMRA Software
Quickstart - Sample project wizard
    Step 1: Prerequisites
    Step 2: Install User Management Resource Administrator
    Step 3: Start User Management Resource Administrator wizard
Help on help
    New users
    All users
    Script actions
    Reference topics
Release notes
    User Management Resource Administrator version 7.2
    Build 1164, July 1st, 2005
    Build 1141, April 29, 2005
    Build 1065, September 17, 2004
    Build 1030, July 1, 2004
    Notes on User Management version 5
Features
    Application type
    Script features
    Other product features
Reference
    Installation
        Installation
    Projects
        Different project types
        Scripts
        Mass project
        Form project
    Delegation
        UMRA Delegation - General
        UMRA Delegation - Access and security
    UMRA Console
        Installation
        UMRA console - Command line options
        Window types
        Log
        Wizard
    UMRA Service
        UMRA service - Introduction
        UMRA service - Service Access
        UMRA service - license
        UMRA service - Advanced options
        UMRA service - logging
        UMRA service - Installation
    UMRA Forms
        UMRA forms - Introduction
        UMRA forms - installation
        UMRA forms - service connection
    UMRA Automation
        UMRA Automation - Introduction
        UMRA Automation - Principle
        UMRA Automation - COM object
        UMRA Automation - COM interface
        UMRA Automation - COM interface
        UMRA Automation - Executing a project script
        UMRA Automation - Command Line Interface
    Licensing
        Introduction
        Interface modules
        Function modules
        License matrix
        License code
Index

What is User Management Resource Administrator

Welcome to User Management Resource Administrator (UMRA). User Management Resource Administrator (UMRA) is a comprehensive User Account Management solution that can help you to control and manage Active Directory. While extremely powerful and flexible, Active Directory can be a complex environment to manage. UMRA is an enterprise solution focused on Active Directory user account management, and it provides a central point of control to manage, control and report on Active Directory user accounts. Besides Active Directory, UMRA also manages all user account resources like home and profile directories, Exchange mailboxes, Terminal Services settings, group memberships and NTFS permissions.

UMRA supports a wide variety of functions and a number of different interfaces. Features include the creation, deletion and configuration of user accounts, mailboxes, (home) directories, groups, group memberships, permission settings and many more. With the different UMRA interfaces, you can create and manage user accounts in bulk, one-by-one, in a delegated manner, by a command-line interface and through a web interface.

UMRA Scripts

UMRA uses scripts to perform its tasks. A script is a collection of statements or actions (examples: Create user, Setup mailbox) that each perform a specific task. The different actions available in UMRA to compose a script focus on the management of user accounts, resources, mailboxes and so on. A script with multiple actions can, for instance, create a user account, set up the home and profile directories and permissions, add the new user account to a number of groups and create an Exchange mailbox for the user account. UMRA supports a graphical interface to set up a new script or edit existing scripts. The interface is designed to make it very easy to set up a new script or edit an existing script.

UMRA Projects

Different types of UMRA projects exist. Each project contains an UMRA script and a specification of how the script is executed. The two main project types are:

1. Mass create-update-delete projects: The project contains a table with input data. The input data is for instance read from a csv file. For each line of the input file, the script is executed. A mass project is typically used to create, update or delete user accounts and resources. See Principle of operation for more information.
2. Form project: The project contains the definition of a form. The form typically contains a number of fields like tables, text, input fields. The form is presented in a separate interface (UMRA forms) or a web-interface (browser). When the form fields are specified by the end-user and the form is submitted, the script of the form project is executed. See Form project - Principle of operation for more information.

UMRA Software

UMRA consists of a number of software applications:

1. UMRA Console: The main application that is primarily used to manage all UMRA projects and manage the UMRA service. To use UMRA, you always start with the UMRA Console application.
2. UMRA Service: The UMRA service is used to execute delegated tasks. The UMRA Service is accessed through the UMRA Console, UMRA Forms and UMRA Automation software. You only need to install the UMRA Service application if you want to execute forms projects. See UMRA Delegation - General for more information.
3. UMRA Forms: The Windows interface to show and submit delegated forms. The UMRA Forms application is most often used by helpdesk employees. The UMRA Forms application interfaces with the UMRA Service application directly. See UMRA forms - Introduction for more information.
4. UMRA Automation: UMRA can be integrated with other employee management systems to automate Active Directory user account management tasks. For instance: When an employee leaves an organization and is excluded from an employee information system, Active Directory needs to be updated by disabling or removing the associated user account and network resources. With UMRA, the UMRA service can execute these tasks automatically when the employee information system is updated. See UMRA Automation - Introduction for more information.


Quickstart - Sample project wizard

The main goals of UMRA are to:

1. Create, edit and delete user accounts in bulk and set up all resources for each user account, including home and profile directories, group memberships, Exchange mailbox and so on.
2. Delegate control to the helpdesk, for instance by providing the helpdesk employees with a form to reset passwords.

This quickstart guide shows you how to set up UMRA and start working with the UMRA sample projects.

Step 1: Prerequisites

1. To run this quickstart, you need to be an administrator of the Active Directory domain that you want to manage. If you do not have sufficient access rights, User Management Resource Administrator will not have the access it needs to set up the accounts and resources.
2. You can run User Management Resource Administrator on any computer that runs Windows XP/2003/2000. From this computer, you must have access to the domain(s) in which you want to set up the accounts. Although you can create accounts in Windows NT 4 domains with User Management Resource Administrator, you cannot run User Management Resource Administrator on a computer that runs Windows NT4.

Step 2: Install User Management Resource Administrator

To start, download the most recent version of the User Management Resource Administrator software from www.tools4ever.com. All of the User Management Resource Administrator software is contained in a single executable file: SETUPUSERMANAGEMENT.EXE. Run the file. Select the options to install UMRA Console, UMRA Forms and UMRA Automation. This will set up the User Management Resource Administrator software on the local computer. The User Management Resource Administrator setup procedure is straightforward and takes less than 1 minute. If User Management Resource Administrator is already installed on the computer, you can upgrade to the latest version by running the same file.

Step 3: Start User Management Resource Administrator wizard

When User Management Resource Administrator is installed, start User Management Resource Administrator from the desktop menu: Start, Programs, User Management Resource Administrator, UMRA Console. If you are running the demo version, a demo version introduction dialog window is shown. Wait until you can close this window and press Close. By default, the application will automatically start the User Management Resource Administrator wizard. When this option is disabled, select Tools, Wizard to start the User Management Resource Administrator wizard. With the wizard you can install and configure 4 sample projects. These projects are specifically designed to show you the concept of User Management Resource Administrator. To run the wizard sample projects, follow the instructions shown in the wizard.

More information:
Mass project - Principle of operation
Form project - Principle of operation

Help on help

This section shows a number of links to help topics and is presented to help you find what you are looking for.

New users

To get a basic understanding of User Management Resource Administrator, read the following topics. These topics cover most of the concepts used and show how to use the product.

What is User Management Resource Administrator
Different project types
Principle of operation
Form project - Principle of operation
License model

All users

The links below show the topics that might be of interest once you have a basic understanding of the product.

Project operations - Input data
Project operations - Manage script actions
Project operations - Manage script action properties
Project operations - Variables

Script actions

The list below shows all of the available script actions (User actions, Other actions, Variable actions).

Script Action: Create User (AD)
Script Action: Create Directory
Script Action: Set Variable
Script Action: Create User (no AD)
Script Action: Execute Command Line
Script Action: Split Variable
Script Action: Create Exchange Mailbox (2000/2003)
Script Action: Format Variable Value
Script Action: Set User Group Memberships (AD)
Script Action: Map variable
Script Action: Create User (no AD)
Script Action: Export Variables
Script Action: Go to Label
Script Action: Log Variables

Reference topics

The links below show the first topic of a series of topics on a particular subject. Each topic contains links to the next topic of the subject.

Name Generation Algorithms
Security - Overview
Password generation

Release notes

User Management Resource Administrator version 7.2

Build 1164, July 1st, 2005

New features

1. Form project - Generic table: A new form field has been introduced. Using the generic table, data resulting from an LDAP or MS Access query can be shown in a form project. This allows you to access data from both the Active Directory and user information stored in other information systems. For more detailed information see Generic table - Introduction.
2. New action - For-Each function: The For-Each function evaluates the rows of a table and executes a script for each row which is defined in another project form. This script action is created in <Project form1> whereas the action which needs to be executed as a result of the For-Each action is created in <Project form2>. This way, you can reuse complex For-Each constructions in other projects. For more information, see Script Action: For-Each.
3. New action - Generate generic table: The generic table has also been made available as a script action. This makes it possible to use this functionality in scripts and MASS projects as well (1163).
4. New action - Get primary group: This script action retrieves the primary group of the user. For more information, see Script action: Get primary group.
5. New action - If-Then-Else function: The introduction of a conditional construction opens up a wide spectrum of possible applications. This new script action makes it possible, for instance, to verify the last logon time of a user and to execute a certain action if the last logon time was more than an X number of months ago. For more information, see Script Action: If-Then-Else.
6. New action - Manage table data: Allows you to manipulate data in an existing table or to create a new table. For more details, see Script Action: Manage table data.
7. New action - Merge multi-text variable values: Merges Variable1 and Variable2. For more details, see Script Action: Merge multi-text variable values.
8. New action - Rename file or directory: With this action you can rename files and directories and move files to another volume. In previous versions this was only feasible by using the Copy directory, Delete directory and Execute command line script actions. For more information see Script Action: Rename file or directory.
9. New action - Remove group member: This action has been added to remove the group member from a specific group. For more details, see Script Action: Remove group member.
10. New action - Remove specific group memberships (AD): This script action allows you to remove specific group memberships. So far it was only possible to remove all group memberships using the action Remove user group memberships (AD). For more information, see Script Action: Remove specific group memberships (AD).
11. New action - Send mail message: This script action allows you to send an e-mail message as a result of a previous script action. For more information, see Script Action: Send mail message.
12. New action - Set primary group (AD): This script action is only of interest for those customers who need to change the primary group. This is the case when there are any users who log on to the network from a Macintosh client or who run POSIX-compliant applications. For more details, see Script Action: Set primary group (AD).
13. New action - Update numeric variable: With this new function you can increment the value of a variable. For more details, see Script Action: Update numeric variable.
14. Action - Delete directory: A property is added to ignore errors generated when the action is executed.

Critical fixes

1. Name generation algorithm: When a name generation algorithm contains an endless loop or when no unique names are generated by the algorithm, the UMRA software will now end the execution of the algorithm after a number of iterations.

Major fixes

1. Action - Create directory: When the directory name is changed to make it unique, the new unique name is now exported. In previous versions, the incorrect already existing directory name was exported.
2. UMRA Forms: When the Control key is pressed while working with a table, the vertical scroll position of the table is no longer changed. In previous versions, the table was scrolled to the first entry of the list.

3. Action - Get attribute (AD): If the property is specified to get a multi-value attribute, the output Attribute value will always contain a multi text list, even if there are no values or just a single attribute value found.

Minor fixes

1. Action - Search object: In the properties pane of a project window, the property values shown for properties Error if nothing found and Error if multiple found are now correct.
2. UMRA Service: When the UMRA Console or UMRA Automation software build number does not correspond with the build number of the UMRA Service, you are now forced to up- or downgrade the UMRA Service. In previous versions, you could continue to open a project.

Cosmetic fixes

1. Action - Manage Exchange recipient mail addresses (2000/2003): The default variable input name is changed from %AdObject% to %ActiveDirectoryObject%.

Build 1141, April 29, 2005

New features

1. UMRA Automation: A new module is introduced. The module supports the integration of the functions of User Management Resource Administrator with other products that are used to manage employee and user accounts. See UMRA Automation - Introduction for more information. (1141)
2. Delegation: With UMRA, you can delegate control to helpdesk employees. See UMRA Delegation - General for more information. (1117)
3. Command line startup: Run a project automatically with UMRA console when the application is started. See UMRA console - Command line options for more information. (1141)
4. Network tree: For all Active Directory objects, all properties can be shown and managed from the UMRA console application. (1117)
5. Action - Set attribute (AD): A property is added to prevent the action from updating the user attribute if the new attribute value is empty. See Script Action: Set user attribute (AD) for more information. (1117)
6. Action - Get attribute (AD): The action now supports multi-values and all Active Directory objects, not only users. See Script Action: Get attribute (AD) for more information. (1141)
7. Action - Modify Exchange mailbox permissions (2000/2003): With this action you can add and remove permissions for Exchange mailboxes. See Script Action: Modify Exchange mailbox permissions (2000/2003) for more information. (1117)
8. Action - Set Variable: An option is added to specify when (other) variable names specified as part of the variable value must be resolved. See Script Action: Set Variable for more information. (1141)
9. New action - Create contact (AD): Create contact accounts in Active Directory. See Script Action: Create contact (AD) for more information. (1117)
10. New action - Edit user logon: Reset passwords and manage logon properties of user accounts. See Script Action: Edit user logon (AD) for more information. (1117)
11. New action - Modify Exchange mailbox permissions: Set up the permissions for new or existing Exchange 2003/2000 mailboxes. See Script Action: Modify Exchange mailbox permissions (2000/2003) for more information. (1117)
12. New action - Manage Exchange recipient mail addresses: Set up mail addresses for Exchange 2003/2000 mail recipients. See Script Action: Manage Exchange recipient mail addresses (2003/2000) for more information. (1117)
13. New action - Dial-in user settings: Specify dial-in and VPN settings for user accounts. See Script Action: Dial-in user settings for more information. (1117)
14. New action - Set group membership (AD): Set the Active Directory group memberships for user accounts and other Active Directory objects. See Script Action: Set group membership (AD) for more information. (1117)
15. New action - Create group (AD): Create a group in Active Directory. See Script Action: Create group (AD) for more information. (1117)
16. New action - Get object (AD): Access any Active Directory object to set and read properties. See Script Action: Get object (AD) for more information. (1117)
17. New action - Create share: Create a share on a directory and set up the share properties including security settings. See Script Action: Create share for more information. (1117)
18. New action - Delete share: Deletes a share from a directory. See Script Action: Delete share for more information. (1141)
19. New action - Convert to multi-value variable: Manage values of variables to be converted to multi-value values. See Script Action: Convert to multi-value variable for more information. (1117)

20. New action - Manage multi-text value variable: Manage values of multi-value variables. See Script Action: Manage multi-text value variable for more information. (1117)
21. New action - Generate random number: Generate a random number and assign the value to a variable. See Script Action: Generate random number for more information. (1141)
22. New action - Generate name(s): The name generation algorithms can now be used as a separate action. See Script Action: Generate name(s) for more information. (1141)
23. New action - Convert text to date/time: Convert a text value to a date/time value. Both values are stored in a variable. The method used to convert the text to a date/time value can be specified. See Script Action: Convert text to date/time for more information. (1141)
24. New form action - Return other form: When a submit button is pressed in a form, another form can be returned. This allows the configuration of wizards with UMRA Forms. See Form action - Return other form for more information. (1141)
25. New form action - Iteratively execute project script: Execute the project script for each item selected in a table. See Form action - Iteratively execute project script for more information. (1141)
26. Name generation algorithm: The configuration of the name generation algorithm is now always stored in the action that uses the algorithm, e.g. the actions Script Action: Create User (AD) and Script Action: Create User (no AD). In previous versions, the algorithm could be reloaded from configuration files each time a project was executed. See Name Generation: Embedded algorithms for more information. (1117)
27. Action - Export Variables: The name of the export file can contain date related variables. See Script Action: Export Variables for more information. (1117)
28. Action - Export Variables: For multi-value variables, a value separator character can be specified. See Script Action: Export Variables for more information. (1141)
29. Action - Create directory: When creating a share for the new directory, the maximum number of connections for the share can now be specified. (1117)
30. Name generation algorithm: Methods can now be copied to make it easier to create similar name generation methods. (1141)
31. Form project: The type of popup messages that must be shown when a form is submitted can now be configured. See Form properties - Options for more information. (1141)
32. Logon hours: The actions to create and edit user accounts, both in Active Directory and NT, support user account logon hours. See Script Action: Create User (AD), Script Action: Edit user (AD), Script Action: Create User (no AD) and Script Action: Edit user (no AD) for more information. (1141)
33. Formatting functions: A function is added to replace a substring in a text fragment with ASCII codes. With this function, a user defined control sequence (for example \n) can be converted to a carriage return - line feed sequence (13,10). (1141)
34. UMRA Console: The drag-and-drop and cut-copy-paste functions are extended. (1141)
35. UMRA Service: A new variable is automatically generated and updated when a form is submitted: %UmraFormSubmitAccount%. The variable contains the name of the user account that submitted a form. See Built-in variables for more information. (1141)

Critical fixes

1. Demo version: The demo version now supports all script actions. (1117)

Major fixes

1. Action - Edit user (AD): The attribute of a user account can now be cleared. In previous versions, an error occurred when the attribute was set to an empty value. (1117)
2. Action - Move - rename user (AD): When renaming a user account, the new name can contain commas (,). (1117)
3. Action - Create directory - Copy directory: When setting the permissions of the target directories and files, in previous versions, the specification of the Read permission incorrectly granted the Delete access right as well. The problem is fixed. (1117)
4. Action - Create directory: When specifying the permissions for a share, an account can now be removed for the share from the list with permissions. (1141)
5. Action - Delete directory: The script action now also deletes files and directories that start with a dot (.). (1117)
6. Action - Format variable value: A specification problem regarding the format functions and format function arguments has been resolved. (1141)
7. Action - Export Variables: The variables can now be exported in UNICODE format. See Script Action: Export Variables for more information. (1141)
8. Variables: The special variables %NowMonth%, %NowDay% and %NowYear% can be used in all modules (not only mass-projects). See Built-in variables for more information. (1141)
9. Mass projects - input data: The maximum number of columns read from a CSV file is increased from 26 to 75 columns. (1117)

Minor fixes

1. Action - Edit user (AD): When a property is specified as a text with no length, the property value is shown as <empty text>. In previous versions, nothing was shown for the empty value. (1117)
2. Menu option - Add action to script: The menu option can be used for mass and form projects. (1141)
3. Menu option - File, Save: The shortcut key combination Ctrl+S can be used to save projects. (1141)
4. Action - Get User (AD): When a user account is specified using a domain name, OU-name and common name (full name), a warning is now displayed if the user account cannot be found and no (empty) OU-name is specified. (1141)
5. Action - Format variable value: The names of the formatting functions are updated. (1141)
6. Mass projects - column variable: When a variable is associated with a column, the name of the variable can now be selected from the list with variable names when specifying script action properties. In previous versions, these variables could be specified but were not shown on the list with variable names. (1141)
7. Form projects - script message: When submitting a local form from the UMRA Console application, the script message was shown twice. The problem has been resolved. (1141)
8. Form projects: When the form project properties (format, fonts, options and security) are updated, the project is now marked as changed. (1141)
9. Form project: The calculation of the length of a form is now more accurate. This results in better vertical scroll bar settings in a form. (1141)
10. Form project: The mouse scroll-wheel is now supported in a form. (1141)
11. Form project: When changing the table type of a form network table, the columns are now updated. (1141)
12. UMRA Console: When the application is closed and a project has not been saved, you can now Cancel the application close operation. (1141)
13. UMRA Console: When the error settings or label of a script action is specified, the project is now marked as changed. (1141)
14. UMRA Console: When dragging and dropping a script action on the same position, nothing happens now (as expected). In previous versions, the action was incorrectly moved to the last position in the script. (1141)

Cosmetic fixes

1. Form projects: When form projects are opened to be designed, the column width is automatically updated. (1141)
2. Form projects: When editing form fields and the Cancel button is pressed, the window no longer indicates that something is changed. (1141)
3. Tooltips: The What's This tooltips for form projects are now correct. (1141)
4. Tooltips: The tooltips shown in various tree windows are hidden when the mouse is moved in the tooltip area. (1141)
5. Action - Create directory: The action now logs test only when the script action is executed in test mode. In previous versions, the test only phrase was not shown for this action. (1141)
6. Action - Create user (AD): The action now logs test only more explicitly when the script action is executed in test mode. (1141)
7. All actions - Properties: When selecting a variable as the new value for a property, the name of the variable is now immediately inserted as the property value if the property value is empty. In previous versions, you always needed to press the Insert button. (1141)
8. Menu: In rare occasions, the menu text shown could be updated incorrectly in previous versions. The problem has been fixed. (1141)
9. Icons: The icons for the script actions to delete a share and execute a command line are updated. (1141)

Build 1065, September 17, 2004

New features

1. Terminal Services Support: The new version supports the configuration and specification of Terminal Services settings for new and existing user accounts. (1033)
2. Name generation: A new function is added to add characters at the end of a name to lengthen the name. (1065)
3. Action - Add account to local group: A new action is added to add user and global group accounts to local groups of domains, member servers and workstations. See Script Action: Add account to local group for more information. (1065)
4. Action - Create user (AD): The property Computer account is added to allow the creation of workstation - computer accounts. See Script Action: Create User (AD) and Script Action: Create User (no AD) for more information. (1065)
5. Action - Create directory: The option to set up permissions of shares and the maximum number of connections for shares is added. See Script Action: Create Directory for more information. (1065)
6. Action - Create directory: The option to set the owner of a directory is added. The owner is specified by using the security property of Script Action: Create Directory. (1065)
7. Action - Set User Group Memberships (AD): Property Group names (Pre-W2K name) is added to allow the specification of multiple groups using variables. See Script Action: Set User Group Memberships (AD) for more information. (1065)

8. Action - Setup user global group memberships: By using the new option Error if already member you can configure the application not to generate an error when adding a user to a global group and the account is already a member. (1065)
9. General: To facilitate the specification of groups and other properties, you can now assign multiple values to a single variable. (1065)
10. General: The input data of all projects can now be exported and printed. (1065)

Critical fixes

No critical fixes were found or reported.

Major fixes

1. Active Directory: The comma (,) character can now be used in the name of user accounts (1033).
2. Name generation: When no name generation algorithm is specified, the application no longer uses the last 'configured' algorithm. This feature is particularly used when the user name is directly specified in the import file when creating user accounts (1033).
3. Name generation: The names generated by the name generation algorithms can now be used in subsequent actions of the same script. Example: If you create a user account using a name generation algorithm you might want the algorithm to generate a separate name for an Exchange mailbox for the same user account. This name can now be stored in another variable that can be used in the action that creates the Exchange mailbox (1033).
4. Name generation: The function Add if empty now correctly does not add the specified character if the name is not empty. (1065)
5. Script execution: The Security Identifier (SID) can now be exported in text format. (1065)

Minor fixes

1. When a read-only project is started from the User Management Resource Administrator wizard, the project is now correctly shown in the projects bar (1033).
2. The on-line help is now always shown when F1 is pressed. In previous versions, the on-line help was not activated when F1 was pressed and some windows were active (1033).
3. The help text of some of the sample projects has been updated (1033).
4. The information shown for the action Execute command line is no longer shown with the error icon. (1065)

Build 1030, July 1, 2004

This is the first build of User Management Resource Administrator version 6.0. The new version 6 is considerably different compared to version 5. For more information on UserManagemeNT version 5, see Notes on UserManagemeNT version 5.

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Project operations - Variables
- Help on help

Notes on User Management version 5

User Management version 5.4 is the predecessor of UMRA. The new version is considerably different compared to version 5. UMRA is built from scratch, with a completely new engine, concept and software architecture. The basic functionality, e.g. managing user accounts and resources, is still the same. Because of the new concept and design, it is not possible to upgrade configuration files and settings from version 5.x to the new version. To facilitate the usage of the new version, the product contains a number of built-in sample projects.

UserManagemeNT version 5.4 consists of 3 modules: Professional, Delegation and Import (the free module UserManagemeNT Lite is considered part of UserManagemeNT Professional). The following table shows the relationship between the old UserManagemeNT 5.4 modules and UMRA:

| UserManagemeNT 5.4 | UMRA |
|---|---|
| UserManagemeNT Professional | UMRA Console |
| UserManagemeNT Import | UMRA Console |
| UserManagemeNT Delegation | UMRA Console+Service+Forms |

Because of the new design and architecture, UMRA is expected to be easier to configure, more flexible in use and more scalable. For instance, the complicated steps needed to configure 5.4 initially are no longer required in UMRA.

More information:
- What is User Management Resource Administrator
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Project operations - Variables
- Help on help

Features

Application type

Graphical user interface application to perform user account administration tasks for Windows 2003/2000/NT network in bulk. Reads data from text files or the network environment containing appropriate input information and executes configurable scripts for each input line. Supports a rich, straightforward, simple programming language to set up scripts containing script actions. Script actions interact with the network environment to set up, modify and delete user accounts and all associated resources, e.g. mailboxes, group memberships, home- and profile directories and so on. Supports Microsoft's COM object model and several command line interfaces to integrate with many other software packages and applications to automate the management of user accounts.

Network features

- Create user accounts in Active Directory Windows 2003/2000 networks
- Create user accounts in Windows NT4 networks
- Create user accounts on non-domain controller computers
- Automatic unique name generation according to configurable algorithms
- Automatically generate and set passwords for user accounts according to configurable password generation rules
- Setup attributes for Active Directory Windows 2003/2000 network user accounts
- Setup built-in attributes for Windows NT4 SAM accounts
- Setup user account group memberships for local, global and universal groups for security and distribution groups
- Setup Exchange 2003/2000 mailbox for new user accounts
- Setup Terminal Server user settings
- Create user account directories (home-, profile-, terminal server- and other directories)
- Setup shares for user account directories
- Setup configurable permissions for user account directories
- Execute any command for each user account with configurable parameters

Script features

- Graphical interface to set up scripts
- Drag-and-drop support to set up scripts and manage script actions
- Supports test- and real-mode script execution
- Supports step-mode, single line mode, all data mode, selected lines mode
- Supports ability to abort running scripts
- Extensive logging available
- Configurable error handling (continue, abort script, abort session)
- Supports any number of configurable variables
- Supports variable management functions to set, split, format, map, log and export variables and values
- Supports multiple programming features to control the order of script action executions

Other product features

- Shipped with built-in sample scripts
- Shipped with multiple name generation algorithms
- Configurable comment fields for scripts and variables
- Supports printing input data
- Wizards available for all major functions

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Project operations - Variables
- UMRA Automation - Introduction
- Help on help

Installation

Installing UMRA Console is simple and straightforward. The whole installation and configuration process takes less than 5 minutes.

System Requirements

The following table shows all of the requirements to run the User Management Resource Administrator application.

| Description | Required | Recommended |
|---|---|---|
| Operating system to run the application on: | Windows XP, Windows 2003 (all versions), Windows 2000 (all versions) | |
| Supported network operating system: | Windows 2003 (all modes), Windows 2000 (all modes), Windows NT4 (SP6) | |
| Required privileges of logged on user: | Administrative access to Active Directory and/or all computers and domains with managed user accounts | |
| Available hard disk space: | 10 MB | 20 MB or more |
| Required processor: | Pentium III, 600 MHz, AMD 900 MHz | Pentium IV, > 1 GHz or AMD > 1.6 GHz |
| System memory: | 256 MB | 512 MB or more |

Exchange 2003/2000 requirements

In order to use the Exchange 2003/2000 features within User Management Resource Administrator, you must have a functional Exchange server in your network. Additionally, the Exchange System Management Tools must be installed on the local machine that runs the User Management Resource Administrator application. To install the Exchange System Management Tools for Exchange 2003, do the following:

1. Insert the CD containing the Microsoft Exchange 2003 Software (standard or enterprise edition), and run setup.exe.
2. Under Deployment select Exchange deployment tools.
3. Choose the option Install Exchange System Management Tools Only.
4. Follow the instructions presented for your specific operating system.

For Exchange 2000, the procedure is similar.

Installing UMRA Console

To start, download the most recent version of the User Management Resource Administrator software from www.tools4ever.com. All of the User Management Resource Administrator software is contained in a single executable file: SETUPUSERMANAGEMENT.EXE. Run the file. When asked, you can set up the UMRA Console, UMRA Forms and UMRA Automation software. This will set up the UMRA software on the local computer. The User Management Resource Administrator setup procedure is straightforward and takes less than 1 minute. If User Management Resource Administrator is already installed on the computer, you can upgrade to the latest version by running the same file.

Configuring User Management Resource Administrator

Once User Management Resource Administrator is installed, no specific options need to be configured. To continue you can run a project using the wizard or start a new mass or form project.

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Project operations - Variables
- Help on help

Projects

Different project types

UMRA supports 2 basic project types:

1. Mass project: To create, manage and delete multiple users and associated resources and other objects. A mass project typically uses a text file (csv) or network data as input. Project examples: Create multiple user accounts in a domain, OU, multiple OU's or NT4 domain, move users to another OU/domain, set up group memberships for multiple users, migrate users from one domain to another domain, restructure home directories and directory permissions, set up Exchange mailbox (properties) for multiple users. A mass project is created and executed with the UMRA Console application.
2. Form project: Used to execute a single task, for example to reset the password of a user, create a user in an OU and set up all associated resources, add a user to a group etc. The input data is specified in a configurable form. The form is very easy to use, for instance by helpdesk employees. By using the UMRA Service, forms execution is controlled in a delegated manner: With delegation, a helpdesk employee runs the UMRA Forms application and is presented only the forms he is allowed to run. Form projects are always maintained and stored at the UMRA Service. Functions are available to import and export form projects.

The following table summarizes the different project options.

| Project type | Project storage location | Project executed by | Description and usage |
|---|---|---|---|
| Mass project | UMRA Console (local) | UMRA Console | To create, manage and delete multiple users and associated resources and other objects. |
| Form project | UMRA Service | UMRA Console | Design and test phase of a form project. |
| Form project | UMRA Service | UMRA Forms | Production environment. Execution of the form is delegated to helpdesk employees. Helpdesk employees run UMRA Forms to submit the presented form that is executed and access controlled by the UMRA Service. |

To start a new project, start UMRA Console. Select menu option File, New. The Select type of new project window is presented.

For the new project, you have two options:

- Mass project: Start a new mass project. See Principle of operation for more information.
- Form project: Start a new form project. See Form project - Principle of operation for more information on form projects. This option is available only if the application is connected to an UMRA Service. If this is not the case, a Connect... button is shown. Press the button to connect to or start the installation of an UMRA Service.

Scripts

Basics

Manage script actions

Both the UMRA mass and form projects contain a script. The script contains the actions that perform a specific task. A script for example creates a user account, sets up the Exchange mailbox, creates a home directory and adds the new user account to a number of groups. Such a script is shown in the mass project below. The available actions that can be added to a script are predefined and shown in the Actions bar.

Add script action to script

There are several ways to add actions to a script. For a basic understanding of projects, input data and scripts, see Principle of operation. With the following operations you can add an action to a script. Note that a project window must be open to perform these operations:

1. Select the script action in the Actions bar and select menu option Actions, Add action to script, or right click on the script action and select the menu option.
2. Drag and drop the script action from the Actions bar to the script area of the project window.
3. Drag and drop a script action from another project to the script area of the target window. In this case, all the properties are copied to the new project as well.
4. If you drag and drop a script action in the same project script with the Ctrl key pressed down, the script action is copied to the new position.

Move script action in script

The position of a script action in a script is important. If the order is not correct, the script cannot be executed correctly. Example: if you create a user account and Exchange mailbox, the action to create the user must precede the action that creates the Exchange mailbox. To move a script action in the script to another position, drag and drop the script action to the desired position.

Delete script action from script

To delete a script action from a script, select the action and press the Del key or select menu option Actions, Delete script action.
Script action execution order

By default, script actions are executed in the order in which they appear in the script. Depending on the result of script actions, and by using special variable actions, you can control the order in which script actions are executed. With these possibilities the script becomes a program with conditional jumps and better controlled action execution. From this point of view, User Management Resource Administrator is a programming language to program the Windows network.

To change the order in which actions are executed, labels are used for script actions. A label refers to a script action. To set a label for a script action, select the action in the script of the project (lower left part of the project window) and select menu option Actions, Set script action label. Each action can have only one label. When script execution continues at a label, the next action executed is the action with the specified label. If no action has the label specified, an error is generated and script execution is stopped.

Note: since you can also jump to previous script actions, you can introduce deadlock situations where script execution never ends. It is the responsibility of the user to prevent this situation from happening.

There are two general ways to change the order used to execute the script actions, described in the sections below.

Script action execution order: Error handling

When the execution of a script action fails, you have several options to control the execution of script actions. To specify these settings, select the action in the script of the project (lower left part of the project window) and select menu option Actions, Script action error handling.

| Option | Description |
|---|---|
| Continue with the script. | If this script action encounters an error, it will (try to) continue normally with the next consecutive script action in the script. |
| Jump to the script action with label xxxx | If this script action encounters an error, it will jump to the script action specified by the destination label specified here. |
| Terminate the script but continue the session with the next line | If this script action encounters an error, the current script execution is terminated. The session continues by running the script with the next line of input. |
| Terminate the session | If this script action encounters an error, the current script execution is terminated and also the current session is terminated. |

Script action execution order: Variable actions

The GOTO script action is used to continue script execution with another script action than the next script action. The referenced label can be a variable name.

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Variables
- Help on help
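The execution-order rules in this section (labels, the four error-handling options, GOTO and the never-ending-script note) can be modelled in a few lines of Python. This is an added illustration, not UMRA's own code: the Action structure, the mode names, the max_steps guard and the sample scripts are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# The four error-handling options from the table above (constant names assumed here).
CONTINUE, JUMP, NEXT_LINE, END_SESSION = "continue", "jump", "next_line", "end_session"


@dataclass
class Action:
    name: str
    fn: Optional[Callable[[dict], None]] = None  # raises an exception on failure
    label: Optional[str] = None                  # an action has at most one label
    on_error: str = CONTINUE
    error_label: Optional[str] = None            # destination when on_error == JUMP
    goto: Optional[str] = None                   # GOTO action: a label or a %Variable%


def label_index(script, label):
    """Position of the action carrying `label`; a missing label is an error."""
    for i, action in enumerate(script):
        if action.label == label:
            return i
    raise LookupError(f"no script action has label {label!r}")


def lint(script):
    """Static findings: undefined labels and backward jumps (possible endless loops)."""
    findings = []
    for i, action in enumerate(script):
        targets = [action.error_label] if action.on_error == JUMP else []
        if action.goto and not action.goto.startswith("%"):
            targets.append(action.goto)          # variable targets are only known at run time
        for target in targets:
            try:
                j = label_index(script, target)
            except LookupError:
                findings.append(f"{action.name}: undefined label {target}")
                continue
            if j <= i:
                findings.append(f"{action.name}: backward jump to {target}")
    return findings


def run_line(script, variables, max_steps=100):
    """Run the script for one input line; returns (outcome, names of executed actions)."""
    trace, pc = [], 0
    while pc < len(script):
        if len(trace) >= max_steps:              # guard against a never-ending script
            return "step_limit", trace
        action = script[pc]
        trace.append(action.name)
        target = None
        if action.goto is not None:
            target = variables.get(action.goto, action.goto)
        else:
            try:
                if action.fn:
                    action.fn(variables)
            except Exception:
                if action.on_error == NEXT_LINE:
                    return "next_line", trace
                if action.on_error == END_SESSION:
                    return "end_session", trace
                if action.on_error == JUMP:
                    target = action.error_label
        if target is None:
            pc += 1                              # default: next action in the script
            continue
        try:
            pc = label_index(script, target)
        except LookupError:
            return "error_stop", trace           # unknown label: execution stops
    return "done", trace


def run_session(script, lines, max_steps=100):
    """Run the script once per input line; END_SESSION skips the remaining lines."""
    results = []
    for line in lines:
        outcome, trace = run_line(script, dict(line), max_steps)
        results.append((outcome, trace))
        if outcome == "end_session":
            break
    return results


def create_user(variables):                      # constructed stand-in for a real action
    if not variables.get("%LastName%"):
        raise ValueError("no last name in input line")


SCRIPT = [                                       # constructed sample script
    Action("Create user", create_user, on_error=JUMP, error_label="Failed"),
    Action("Create mailbox"),
    Action("Skip failure branch", goto="Done"),
    Action("Log failure", label="Failed"),
    Action("Finish", label="Done"),
]
LOOP = [Action("Top of loop", label="Top"), Action("Jump back", goto="Top")]

if __name__ == "__main__":
    for result in run_session(SCRIPT, [{"%LastName%": "Williams"}, {"%LastName%": ""}]):
        print(result)
    print(lint(LOOP), run_line(LOOP, {}, max_steps=6)[0])
```

Reviewing a script for backward jumps and undefined labels before running it in real mode catches the two failure cases the section names: a label that no action carries, and a jump to an earlier action that never terminates.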

Project operations - Manage script action properties

Each script action has a predefined set of properties. A property specifies a characteristic of an action. To set up a script action, you need to specify the values for the script action properties, but you cannot add or remove properties from a script action. For more information on projects, scripts, actions and properties, see Different project types and Principle of operation.

To set the value for a script action property, select the script action in the lower left part of the project window. Once selected, the script action properties are shown in the lower right part of the project window.

In the example shown, the selected script action is Create user (AD). In the lower right part of the window the properties are shown. In this example the selected property is SurName with value %LastName%. To specify the value of a property, double click the property or select menu option Actions, Properties of action property. The Properties window shows up:

The window shows the name of the property and a description of the property. In the bottom section of the window, you need to specify the value of the property. You have three options:

1. Value specified as a constant value: Select option Use the following value. In this case, the value of the property is set to a fixed constant value. You can use this option only if the property value must be the same each time the script is executed. This method is advised for fixed constant properties that have a value that is not used for other properties of the same or other script actions. Examples: the password flags (user cannot change password, password expired), the flag indicating if a share must be created for a home directory. These values are probably the same each time the script is executed.

2. Value specified as a variable: Select option Use the following value. With this option, instead of specifying a value you specify the name of a variable. By default, the name of a variable should be enclosed in % characters. At run-time, the name of the variable is replaced by the value of the variable. There are 2 major reasons to use variables:

   Link to input data: a column of the input data specifies the value for the variable. If you want to use the value of a column from the input data in a script, you need to use variables. In the example shown, the second column of the input data contains the last name of the user accounts that must be created. For script action Create user (AD) the value of property SurName is set to variable %LastName%. Next, the second column is linked to variable %LastName%. For more information on this topic, see Project operations - Variables.

   The second reason to use variables is to simplify the configuration of script action properties. This happens when multiple script action properties should get the same constant value. In this case you can specify the constant value for each property, but you can also introduce a variable at the beginning of the script and specify the variable name for the script action properties. Example: if you set up a user account and associated resources (mailbox, group membership, home directory,...) you need to specify the name of the domain for various properties of these actions. Instead of specifying the name of the domain as a constant for each of these properties, you can introduce the variable %Domain% as a separate script action and set the value to the target domain. Next, you can specify the value %Domain% for all script action properties that should contain the name of the domain. Note that a variable is automatically created if you specify a variable name %...%.

3. Value not specified: Select option Do not specify a value for this property. Some action properties are mandatory, others are optional. For optional properties, you do not always need to specify the property value. For instance, if you don't want to use it, you don't need to specify Active Directory attribute Phone number for a user account.

Output properties

The result of some script actions can be used by subsequent script actions. In User Management Resource Administrator, this is accomplished by using output properties. For these properties, the result corresponds with a value that is stored in a variable. This variable can then be used as a property value in subsequent script actions. For more information, see Project operations - Variables.

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Project operations - Variables
- Help on help

Variables

User Management Resource Administrator intensively uses variables. Variables are placeholders for actual values. A variable consists of 2 items:

1. The name of the variable
2. The value of the variable.

By default, variable names are enclosed in % characters. The % characters are considered part of the variable name. Examples of variable names are: %FirstName%, %Domain%, %OU%. The value of a variable does not always exist and may change in time. Typically, a variable name is used in some specification and at run-time, the name of the variable is replaced by the current value of the variable.

In User Management Resource Administrator, variables are used to specify properties of script actions. For more background information on projects, scripts, actions and properties, see Principle of operation. There are 2 main reasons to specify the value of a property using a variable: to link the input data to the script, and to simplify the configuration of script action properties.

Link input data to script

Suppose you are working on a mass project. If you want to use the value of a column from the input data in a script, you need to use variables. In the example shown, the second column of the input data contains the last name of the user accounts that must be created. For script action Create user (AD) the value of property SurName is set to variable %LastName%. Next, the second column is linked to variable %LastName%.

In the figure shown, the input data contains a column linked to variable %LastName%. The script of the project contains the property SurName in script action Create user (AD). By resolving the variable, the property gets a value that equals the value of the corresponding column of the input data.

To link a column to a variable, simply right click in the column header. The popup menu shows all available variables.

Select the variable. This will set the link between the column and the specified variable. With this method, you can only map columns to variables that are in use by properties of the script. When the project is executed, the application reads a line from the input data and sets the value of the specified variable to the value of the column for the current input data line.

As an alternative, you can also open the project properties: View, Properties, select tab Variables. Select the column of interest and press Edit. The column properties window is shown.

In this window, you see the name of the column and the current variable linked to the column. The lower section of the window shows all script actions where the specified variable is used. For each action, the property that contains the variable and the property value is shown. To select another variable, open the variable list and select the variable. To select a variable that is not used yet in any script action property, simply type the variable name.

Simplify the configuration of script action properties

Another reason to use variables is to simplify the configuration of multiple properties and script actions even if the value is the same for all input data lines, i.e. each time the script is executed. It is very well possible that multiple action properties of different or the same script actions must obtain the same value. For instance, the name of the domain might be used in multiple properties when creating user accounts. Suppose the name of the domain is fixed and the same constant value for all user accounts that must be created. Then instead of specifying the same domain name for each script action property, a variable %Domain% can be used. This variable should then be specified as the value for all properties that use this specification. In the beginning of the script, the variable assignment action should be specified. Only at this location, the real domain name is specified.

Variable set (advanced)

For advanced script configuration, it is important to understand how and when variables are created and destroyed. This section gives a little background information on this topic.

In User Management Resource Administrator, all variables are destroyed when a script is executed. During the execution of a single script, i.e. multiple script actions, a variable set exists. A variable set is a collection of variables. In a variable set each variable has a value. Before the first script action is executed, the columns that are linked to variables are loaded into the variable set. In a simple straightforward script, this variable set will not change. In a script action one or more of the following changes can be applied to the variable set:

1. A new variable-value pair is added to the variable set: This happens when the property of a script action is configured as an output variable. Upon execution of the script action, the variable set now contains the new variable-value. This mechanism is mainly used when one script action is somehow dependent on a previous action. Example: the action Create user (AD) can generate a unique username of a user account automatically. This name is also used when a home directory is created for the user account. Since the username is not known in advance, it is generated by the action Create user (AD). During the execution of the action, the value of the username is added to the variable set. Subsequent actions can then use the newly created variable. In order to add the value of a property as a variable to the variable set, open the properties of the property and select the Output tab. In User Management Resource Administrator, this mechanism is used for a number of properties. For these properties the variables are configured to output the value to a variable by default.
2. The value of a variable is changed: There are a number of script actions available to change the value of a variable: Set variable, Split variable, Format Variable value, Map variable.

Note: as a separate script action, you can insert the Script Action: Log Variables to log all variables of the variable set to the log window. This might help you to set up more advanced scripts.

More information:
- Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Built-in variables
- Help on help

Built-in variables

A built-in variable is a variable that is generated automatically by UMRA. These variables can be used for logging and script-debugging purposes. The built-in variables are predefined. The following list shows all of the built-in variables.

| Variable name | Example value | Description |
|---|---|---|
| %NowYear% | 2005 | The current year (2004,...). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %NowMonth% | 11 | The current month (1,...,12). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %NowDay% | 26 | The current day (1,...31). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %NowHour% | 14 | The current hour (0,...,23). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %NowMinute% | 35 | The current minute (0,...,59). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %NowSecond% | 9 | The current second (0,...,59). The value is generated when a script is executed by either the UMRA Console or UMRA Service application. |
| %UmraFormSubmitAccount% | Domain_A\WillliamsJ | The name of the user account that runs the UMRA Forms or UMRA Console application and submits a form to the UMRA Service. The variable value is determined by the UMRA Service when a form submit request is received. |

Note: When the value of a built-in variable is generated, an existing value of a variable with the same name is overwritten.

More information:
- Principle of operation
- Form project - Principle of operation
- Project operations - Input data
- Project operations - Manage script actions
- Built-in variables
- Help on help
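The variable set and built-in variable rules described above, worked through as a small Python model. This is an added illustration, not UMRA's own code: the script representation, the GivenName, Directory, User and Description property names, the %UserName% output variable, the name rule, the server path and the sample row are constructed for the example, and leaving an unknown variable name in place is an assumption of the model.

```python
import re
from datetime import datetime

VAR = re.compile(r"%[^%\s]+%")                   # the % characters are part of the name


def builtin_variables(now, submit_account=None):
    """Built-in variables from the table above; values are not zero-padded."""
    values = {
        "%NowYear%": str(now.year), "%NowMonth%": str(now.month),
        "%NowDay%": str(now.day), "%NowHour%": str(now.hour),
        "%NowMinute%": str(now.minute), "%NowSecond%": str(now.second),
    }
    if submit_account is not None:               # only set for a submitted form
        values["%UmraFormSubmitAccount%"] = submit_account
    return values


def new_variable_set(column_links, row, now, submit_account=None):
    """Load linked columns first; built-ins then overwrite same-named variables."""
    variables = {name: cell for name, cell in zip(column_links, row) if name}
    variables.update(builtin_variables(now, submit_account))
    return variables


def resolve(value, variables):
    """Return (resolved value, names that have no value in the variable set)."""
    if value in variables:                       # property is exactly one variable:
        return variables[value], []              # a text list stays a list
    missing = []

    def substitute(match):
        name = match.group(0)
        if name not in variables:
            missing.append(name)
            return name                          # model assumption: keep the name
        return str(variables[name])

    return VAR.sub(substitute, value), missing


def run_script(script, variables):
    """Execute actions in order, updating the variable set as the page describes."""
    log = []
    for action in script:
        variables.update(action.get("set", {}))  # Set variable action
        props, missing = {}, []
        for prop, raw in action.get("properties", {}).items():
            props[prop], absent = resolve(raw, variables)
            missing += absent
        for name, produce in action.get("output", {}).items():
            variables[name] = produce(props)     # output property -> new variable
        log.append((action["name"], props, missing))
    return log


SCRIPT = [                                       # constructed sample script
    {"name": "Set variable",
     "set": {"%Domain%": "EXAMPLE",
             "%GroupSet%": ["GlobalGroupA", "GlobalGroupB", "GlobalGroupC"]}},
    {"name": "Create user (AD)",
     "properties": {"Domain": "%Domain%", "GivenName": "%FirstName%",
                    "SurName": "%LastName%"},
     # stand-in for a name generation algorithm: first initial + last name
     "output": {"%UserName%": lambda p: (p["GivenName"][:1] + p["SurName"]).lower()}},
    {"name": "Create directory",
     "properties": {"Directory": r"\\fileserver\home\%UserName%"}},
    {"name": "Set User Global Group Memberships",
     "properties": {"Domain": "%Domain%", "User": "%UserName%",
                    "Global groups": "%GroupSet%",
                    "Description": "Added %NowDay%-%NowMonth%-%NowYear%"}},
]


def demo():
    links = ["%FirstName%", "%LastName%", "%NowYear%"]   # column -> variable links
    row = ["John", "Williams", "1999"]                   # constructed input line
    variables = new_variable_set(links, row, datetime(2005, 11, 26, 14, 35, 9))
    return run_script(SCRIPT, variables), variables


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The input column linked to %NowYear% shows the overwrite rule from the note above: its value 1999 is replaced by the generated built-in value before the first action runs.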

Data specification - Text list

User Management Resource Administrator processes data of different formats: text, numbers, date and time values etc. In specific cases, the data cannot be specified as a single value, but only as a series of values. For instance, the Script Action: Set User Global Group Memberships supports the property Global groups. The property holds a series of global group names, so a single property specifies multiple names. If you want to assign global group memberships using variables, you want the variable to hold the multiple values:

1. Variable %GroupSet% contains groups GlobalGroupA, GlobalGroupB, GlobalGroupC
2. Script action Set User Global Group Memberships: Set property Global groups = %GroupSet%

To support this mechanism, you can set the value of a variable using the multivalue type Text list. To start, add an action Set variable to the script. Edit the properties of the action and select Text list as the type of the variable value. Next, press the browse (...) button. The Specify input window is presented. The window shows a list with all of the current values of the variable. Press the Add, Edit and Delete buttons to manage the values of the variable.

When you press the Add button, you can directly specify a new value for the variable or you can search the network to find one or more items. If you select option Specify name, you can simply enter the value and press OK. If you select option Specify search method, you can specify the type of the search and the format of the output names. Once the search method and name format are selected, press OK to continue. When ready, the results will be shown in the Specify input window.

More information:
- Project operations - Variables
- Script Action: Set Variable
- Script_Action: Map variable
- Script Action: Set User Global Group Memberships

Script Actions

User

Active Directory

Script Action: Create User (AD)

Function

Create a user account on an Active Directory domain. This action is intended to create user accounts in domains and organizational units of Active Directory. In addition to creating the account itself, it will also configure Active Directory attributes of the account, such as the password and the description of the account, and many more. Some attributes of the user account may specify the usage by the account of other resources in the network. These resources themselves will not be created by this action. If these resources need to be created, this can be done by separate actions that follow this action in the User Management Resource Administrator script. An example of such a property is the Home Directory. When specified in this Create User action, the Home Directory attribute of the user account will be set. The directory itself, however, is not created. In order to create the directory itself, the script action File System, Create directory should be performed.

This action cannot be used to create accounts outside of Active Directory. In order to create user accounts in an NT4 domain, or to create local user accounts on specific computers, use the action "Script Action: Create User (no AD)" instead.

Deployment

This action is typically used as the core part of a script designed to create users in Active Directory domains, in order to create the account and its attributes itself. In such a script this is usually the first major action invoked. After creating the account, the script usually continues by invoking actions to create home directories, home shares, group memberships, etc.

Properties

Property name: Domain
Description: The domain in which to create the user account.
Typical setting: %Domain%
Remarks: Often the domain name is used in many different actions, and is determined and stored in a variable previous to the action (e.g. %Domain%). The name of the domain can be either in DNS or NETBIOS style (e.g. Tools4ever.com or TOOLS4EVER). For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: Organizational Unit-Container
Description: The name of the Active Directory Organizational unit or other container in which to create the account.
Typical setting: Users
Remarks: Specify the path of the organizational unit (OU) or container relative to the domain. To specify OU's in OU's, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: LDAP container
Description: Optional: The LDAP name of the container in which to create the account.
Remarks: Optionally specifies the name of the Active Directory container in which the user is created directly by means of its LDAP name (Example: CN=users, DC=tools4ever,DC=com Example: OU=Group1, OU=Students, DC=tools4ever, DC=com). This specification can be used instead of the Domain and Organizational Unit-Container properties of this action. If specified, the specified LDAP Container takes precedence, and the Domain and Organizational Unit-Container properties are ignored. For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: Domain (controller)
Description: Optional: The name of the domain controller or domain used to access the domain.
Remarks: If this value is not specified, the application creates the account on a domain controller that is determined by Active Directory (serverless binding). If a domain controller is specified, the account is explicitly created on the specified controller (server binding). In both cases, Active Directory itself will replicate the account information to all domain controllers in the forest automatically as required. Depending on the actual User Management Resource Administrator script used, it may be necessary to specify a domain controller here. If a subsequent script action does an Active Directory query to obtain information on the newly created user, this query may occur before Active Directory has replicated the new information to other domain controllers. As a consequence, the query may fail to find the newly created user. When both actions specify the same domain controller, however, the newly created user can be found. Often a requery of Active Directory by subsequent actions for the newly created user can be prevented by using the User Object that is created by this action in subsequent actions, instead of the name of the user.

Property name: Name generation algorithm
Description: Specifies the name of the algorithm used to generate user names.
Typical setting: Default
Remarks: The main purpose of the Name Generation algorithm is to create unique names that adhere to your company's syntax requirements. A common implementation of the algorithm will take as input the three variables %FirstName%, %MiddleName% and %LastName%, and generate from these the variables %FullName% and %UserName%. Here %FullName% contains the complete name of the user formatted for display purposes, and %UserName% the name formatted for use as the name of the account. These resulting variables can then be used as input for the other properties of this action. For a thorough discussion, please see Name Generation Algorithms.

Property name: SAM-Account-Name
Description: The user logon name (pre-Windows 2000) without the (NETBIOS) Domain name.
Typical setting: %UserName%
Remarks: This name is required, also in domains that use solely Active Directory domain controllers. This name is usually chosen to be the same as the prefix of the User Principal Name. A SAM-Account-Name cannot be identical to any other user or group name on the domain being administered. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; = , + * < >. A SAM-Account-Name cannot consist solely of periods (.) or spaces. Typically the name contained in %UserName% is generated by the Name generation algorithm. If the name is found not to be unique, the next iteration of the algorithm is tried until unique definite names are generated.

Property name: User-Principal-Name
Description: The User-Principal-Name (UPN) is an Internet style logon name for the user.
Typical setting: %UserName%@Mycompany.com
Remarks: The UPN is the preferred login name for Active Directory users. Users should be using their UPN to log on to the domain. The UPN has the format account_name@domain.com, where account_name is the UPN prefix and domain.com is the UPN suffix. The UPN prefix is usually chosen to be the same as the SAM-Account-Name. Typically the name contained in %UserName% is generated by the name generation algorithm.

Property name: CommonName
Description: The CommonName is the full name of the user. This name is most commonly used in user interfaces.
Typical setting: %FullName%
Remarks: Typically the name contained in %FullName% is generated by the name generation algorithm.

Property name: DisplayName
Description: This is the Display name attribute of the account. It usually contains the full name of the user.
Typical setting: %FullName%
Remarks: Typically the name contained in %FullName% is generated by the name generation algorithm.

Property name: Given-Name
Description: Optional. The given name usually corresponds with the first name of the user.
Typical setting: %FirstName%
Remarks: Typically the variable %FirstName% is directly read from an import file specifying the users to create.

Property name: Initials
Description: Optional. The initials of the user. It has a maximum length of six characters.
Typical setting: %MiddleName%
Remarks: Typically the variable %MiddleName% is directly read from an import file specifying the users to create.

Property name: SurName
Description: Optional. The surname of the user.
Typical setting: %LastName%
Remarks: Typically the variable %LastName% is directly read from an import file specifying the users to create.

Property name: Password generator
Description: The specification of how to generate passwords for the user account.
Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available. The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable is used as the value for the Password property.

Property name: Password
Description: The password for the created account.
Typical setting: %Password%
Remarks: Typically the value contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly. For example "test1234". You can also read the password from the input file.

Property name: Description
Description: A text string that will be shown in the Description field of the user account in Windows. The string can have any length.

Property name: Home directory
Description: The home directory of the user as specified in the "Home folder" setting of the user account.
Typical setting: \\%HomeServer%\users\%UserName%
Remarks: The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>. Note: This specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action Create Directory in the User Management Resource Administrator script after this action. Typically the name contained in %UserName% is generated by the name generation algorithm, and the name contained in \\%HomeServer% is specified previously in the script, or in the import file.

Property name: Home directory drive
Description: The drive letter to which the home directory is connected. Specify only the drive letter itself, without colon or backslash.
Remarks: If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path.

Property name: User profile
Description: The profile path of the user account.
Typical setting: \\%HomeServer%\profiles\%UserName%
Remarks: The value must have the form \\<server name>\<share name>\<rest of path>.

Property name: Logon script
Description: Full or relative path to the script file that is executed by Windows when the user logs on.
Typical setting: \\%HomeServer%\scripts\%UserName%.bat or %UserName%.bat
Remarks: If a relative path is specified, this is relative to the default Script directory of Windows.

Property name: User must change password at next logon
Description: Specifies whether the user must change the password at the next logon.
Typical setting: Yes
Remarks: Valid specifications are YES and NO. The default value is NO. When set to YES, the User cannot change password property must be set to NO.

Property name: User cannot change password
Description: Specifies whether the user is disallowed to change the assigned password.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. This setting has no effect on members of the administrators group. When set to YES, the User must change password at next logon property must be set to NO.

Property name: Password never expires
Description: Specifies whether the password will never expire.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. This setting overrides the Maximum Password Age setting in the password policy for the domain/computer.

Property name: Store password using reversible encryption
Description: Specifies whether the password will be stored using reversible encryption.
Typical setting: No
Remarks: Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not be used.

Property name: Account Disabled
Description: Specifies whether the account should be created in the disabled state.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO.

Property name: Smart card is required for interactive logon
Description: Specifies whether a smart card is required.
Typical setting: No
Remarks: Requires that the user possesses a smart card to log on to the network interactively. The users must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is automatically set to a random and complex value and the Password never expires account option is set.

Property name: Account is trusted for delegation
Description: Specifies whether the account is trusted for delegation.
Typical setting: No
Remarks: Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer

Property name: Account is sensitive and cannot be delegated
Description: Specifies that the account cannot be delegated.
Remarks: Allows control over a user account, such as for a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account.

Property name: Use DES encryption types for this account
Description: Provides support for Data Encryption Standard (DES).
Typical setting: No
Remarks: The default value is NO.

Property name: Do not require Kerberos preauthentication
Description: Provides support for alternative implementations of the Kerberos protocol.
Typical setting: No
Remarks: The default value is NO.

Property name: Computer account
Description: This is a computer account for a MS Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain. Default value: 'No'.
Typical setting: No
Remarks: Specify Yes if the account is a computer workstation account.

Property name: Account Expiration
Description: Specifies the date after which the account is expired.
Remarks: If not specified, the account will never expire.

Property name: Logon hours
Description: The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week.
Remarks: The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters.

Property name: Workstations
Description: A list of workstation names, separated by ",", on which the user is allowed to log on.
Remarks: If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified. If not specified, such an explicit restriction does not apply.

Property name: General - Office
Description: The user's office location. This is the person's office location, including the building and office address or number.

Property name: General - TelephoneNumber
Description: The user's phone number.

Property name: General - E-mail
Description: The user's e-mail address. The e-mail address appears with the universal principal name suffix (for example, someone@microsoft.com).

Property name: General - Web-Page
Description: The user's home page URL, either on the Internet or in the local intranet site.

Property name: Address - Street
Description: The user's street address.

Property name: Address - P.O. Box
Description: The user's post office box number.

Property name: Address - City
Description: The city where the user is located.

Property name: Address - State/province
Description: The state or province where the user is located.

Property name: Address - Zip/Postal Code
Description: The zip or postal code applicable for the user.

Property name: Address - Country/region
Description: The user's country or region.
Remarks: The country can be either explicitly chosen from a drop down list, or be specified as text. In the latter case it can also be read from a variable, for instance created by a column from the list of users.

Property name: Telephones - Home
Description: The user's home telephone number.

Property name: Telephones - Pager
Description: The user's pager number.

Property name: Telephones - Mobil
Description: The user's mobile telephone number.

Property name: Telephones - Fax
Description: The user's fax number.

Property name: Telephones - IP phone
Description: The user's IP telephone number.

Property name: Telephones - Notes
Description: Descriptive information and any comments for this user.

Property name: Organization - Title
Description: The user's title.

Property name: Organization - Department
Description: The user's department.

Property name: Organization - Company
Description: The user's company.

Output Properties

When the action is run, the actual values of the properties are determined at run time, and the action is executed using these values. Generally these values are not stored for later usage. However, the actual value of a specific property may be required for a successive action in the User Management Resource Administrator script. To facilitate this need, any property can be explicitly configured to be saved in a variable when the action has been performed. For example, when the password of a user is created with the password generator, the resulting password value may be stored in a variable, so it can be exported to a file by another action in the script.

By default the following properties are saved in a variable for usage in other scripts. Properties that are exported are shown with an image with a green arrow in the properties list.

Property: SAM-Account-Name
Description: The user logon name (pre-Windows 2000) without the (NETBIOS) Domain name, that was used to create the account.
Default variable name: %UserName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.
Property: Common name
Description: The CommonName is the full name of the user. This name is most commonly used in user interfaces.
Default variable name: %FullName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Property: Password
Description: The password for the new account.
Default variable name: %Password%

Property: User Security Identifier (SID)
Description: After execution of the action, this property will contain the security identifier (SID) of the new account. This is an output-only property.
Default variable name: %UserSid%
Remarks: The User Security Identifier (SID) is created by Active Directory automatically when the user is created. The SID is used when setting permissions, for instance on home directories. The Create User (AD) action copies this value to this property, so it can be stored in a variable for later usage. By default it is stored in the variable %UserSid%. This can then be used in subsequent actions, for example when permissions for this account must be specified on files and directories.

Property: User object
Description: The internal application object representing the just created account.
Default variable name: %UserObject%
Remarks: The main purpose of the User Object is to ease subsequent operations on the same account by actions that follow in the script. For several actions this object can be used as input to specify the account the actions work on.

Remarks

Domain / OU / Container / LDAP specification

User Management Resource Administrator supports several methods to specify the entity (domain, OU or container) in which the user account will be created. These methods differ in the way the property values are specified. The properties involved are: Domain, Organizational Unit-Container, LDAP container. Depending on your network environment and input data, you should choose the method that fits best:

Properties specified: Domain, Organizational Unit-Container
Properties not specified: LDAP container
Example: Domain: TOOLS4EVER or tools4ever.com; Organizational Unit-Container: STUDENTS/GROUP1
Description: This is the easiest method to create user accounts in OU's. To create the account, User Management Resource Administrator will automatically compose the LDAP name of the container in which to create the user account.

Properties specified: Domain
Properties not specified: LDAP container, Organizational Unit-Container
Example: TOOLS4EVER or tools4ever.com
Description: Use this method only to create user accounts in the domain root. No OU is involved.

Properties specified: LDAP container
Properties not specified: Domain, Organizational Unit-Container
Example: OU=Group1, OU=Students, DC=tools4ever, DC=com
Description: Use this method if you want to specify the OU directory using the LDAP format. If this property is specified, the Domain and Organizational Unit-Container properties are ignored.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties
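The constraints stated in the Create User (AD) property remarks can be checked on the input data before a script runs. The following is an added example, not part of UMRA or of the original guide; the function names and the dictionary layout (keyed by the property names above) are assumptions, and the warning texts are the example's own.

```python
import re

# Characters the property table lists as not allowed in a SAM-Account-Name.
SAM_FORBIDDEN = set('"/\\[]:;=,+*<>')

# Flags that weaken the account when set to YES, with the reason for the warning.
RISKY_FLAGS = {
    "Store password using reversible encryption":
        "the password is recoverable from the directory",
    "Do not require Kerberos preauthentication":
        "exposes the account to offline password guessing",
    "Use DES encryption types for this account":
        "DES is a weak, deprecated cipher",
    "Password never expires":
        "overrides the domain Maximum Password Age",
    "Account is trusted for delegation":
        "services under this account can impersonate clients",
}
MUST_CHANGE = "User must change password at next logon"
CANNOT_CHANGE = "User cannot change password"
YES_NO_FLAGS = sorted(set(RISKY_FLAGS) | {MUST_CHANGE, CANNOT_CHANGE, "Account Disabled"})

VAR_REF = re.compile(r"%([^%\s]+)%")


def resolve(setting, variables):
    """Substitute %Name% references; unknown names are left unchanged."""
    return VAR_REF.sub(lambda m: str(variables.get(m.group(1), m.group(0))), setting)


def check_create_user(settings, variables):
    """Return (errors, warnings) for one account about to be created."""
    props = {name: resolve(value, variables) for name, value in settings.items()}
    errors, warnings = [], []

    sam = props.get("SAM-Account-Name", "")
    if not sam:
        errors.append("SAM-Account-Name is required")
    else:
        if len(sam) > 20:
            errors.append("SAM-Account-Name is longer than 20 characters")
        bad = sorted(set(sam) & SAM_FORBIDDEN)
        if bad:
            errors.append("SAM-Account-Name has forbidden characters: " + " ".join(bad))
        if not sam.strip(". "):
            errors.append("SAM-Account-Name consists solely of periods or spaces")

    flags = {}
    for name in YES_NO_FLAGS:
        value = props.get(name, "NO").strip().upper()
        if value not in ("YES", "NO"):
            errors.append(name + ": valid specifications are YES and NO")
        flags[name] = value == "YES"
    if flags[MUST_CHANGE] and flags[CANNOT_CHANGE]:
        errors.append("must-change and cannot-change password cannot both be YES")

    if len(props.get("Initials", "")) > 6:
        errors.append("Initials are longer than six characters")
    stations = [w for w in props.get("Workstations", "").split(",") if w.strip()]
    if len(stations) > 8:
        errors.append("more than 8 workstation names")
    hours = props.get("Logon hours", "")
    if hours and not re.fullmatch(r"[0-9A-Fa-f]{42}", hours):
        errors.append("Logon hours must be 42 hexadecimal characters")

    for name, reason in RISKY_FLAGS.items():
        if flags[name]:
            warnings.append(name + ": " + reason)

    # A Password setting without a %Variable% is one literal shared by all accounts.
    password = settings.get("Password", "")
    if password and not VAR_REF.search(password):
        warnings.append("Password is a literal value shared by every created account")
    return errors, warnings


# Constructed sample input, not taken from a real import file.
SAMPLE_SETTINGS = {
    "SAM-Account-Name": "%UserName%",
    "Initials": "%MiddleName%",
    "Password": "test1234",
    MUST_CHANGE: "Yes",
    CANNOT_CHANGE: "Yes",
    "Do not require Kerberos preauthentication": "Yes",
    "Workstations": "PC1,PC2",
    "Logon hours": "FF" * 21,
}
SAMPLE_VARIABLES = {"UserName": "j.williams+admin", "MiddleName": "A"}

if __name__ == "__main__":
    for kind, items in zip(("ERROR", "WARN"),
                           check_create_user(SAMPLE_SETTINGS, SAMPLE_VARIABLES)):
        for item in items:
            print(kind, item)
```
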

Script Action: Create contact (AD)

Function

Creates an Active Directory contact. A contact is an Active Directory object which contains contact information.

Deployment

This action is typically used as a part of a script designed to create contacts in Active Directory domains. Contacts are most often used to make communication between different Active Directories possible. When you create a contact, the contact cannot log in on the network. The settings of the contact can be used by users of the network to contact other users or entities that are not connected to the network.

Properties

Property name: Domain
Description: The domain in which to create the user account.
Typical setting: %Domain%
Remarks: Often the domain name is used in many different actions, and is determined and stored in a variable previous to the action (e.g. %Domain%). The name of the domain can be either in DNS or NETBIOS style (e.g. Tools4ever.com or TOOLS4EVER). For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: Organizational Unit-Container
Description: The name of the Active Directory Organizational unit or other container in which to create the account.
Typical setting: Users
Remarks: Specify the path of the organizational unit (OU) or container relative to the domain. To specify OU's in OU's, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: LDAP container
Description: Optional: The LDAP name of the container in which to create the account.
Remarks: Optionally specifies the name of the Active Directory container in which the user is created directly by means of its LDAP name (Example: CN=users, DC=tools4ever,DC=com Example: OU=Group1, OU=Students, DC=tools4ever, DC=com). This specification can be used instead of the Domain and Organizational Unit-Container properties of this action. If specified, the specified LDAP Container takes precedence, and the Domain and Organizational Unit-Container properties are ignored. For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: Domain (controller)
Description: Optional: The name of the domain controller or domain used to access the domain.
Remarks: If this value is not specified, the application creates the account on a domain controller that is determined by Active Directory (serverless binding). If a domain controller is specified, the account is explicitly created on the specified controller (server binding). In both cases, Active Directory itself will replicate the account information to all domain controllers in the forest automatically as required. Depending on the actual User Management Resource Administrator script used, it may be necessary to specify a domain controller here. If a subsequent script action does an Active Directory query to obtain information on the newly created user, this query may occur before Active Directory has replicated the new information to other domain controllers. As a consequence, the query may fail to find the newly created user. When both actions specify the same domain controller, however, the newly created user can be found. Often a requery of Active Directory by subsequent actions for the newly created user can be prevented by using the User Object that is created by this action in subsequent actions, instead of the name of the user.

Property name: Name generation algorithm
Description: Specifies the name of the algorithm used to generate user names.
Typical setting: Default
Remarks: The main purpose of the Name Generation algorithm is to create unique names that adhere to your company's syntax requirements. A common implementation of the algorithm will take as input the three variables %FirstName%, %MiddleName% and %LastName%, and generate from these the variables %FullName% and %UserName%. Here %FullName% contains the complete name of the user formatted for display purposes, and %UserName% the name formatted for use as the name of the account. These resulting variables can then be used as input for the other properties of this action. For a thorough discussion, please see Name Generation Algorithms.

Property name: CommonName
Description: The CommonName is the full name of the user. This name is most commonly used in user interfaces.
Typical setting: %FullName%
Remarks: Typically the name contained in %FullName% is generated by the name generation algorithm.

Property name: DisplayName
Description: This is the Display name attribute of the account. It usually contains the full name of the user.
Typical setting: %FullName%
Remarks: Typically the name contained in %FullName% is generated by the name generation algorithm.

Property name: Given-Name
Description: Optional. The given name usually corresponds with the first name of the user.
Typical setting: %FirstName%
Remarks: Typically the variable %FirstName% is directly read from an import file specifying the users to create.

Property name: Initials
Description: Optional. The initials of the user. It has a maximum length of six characters.
Typical setting: %MiddleName%
Remarks: Typically the variable %MiddleName% is directly read from an import file specifying the users to create.

Property name: SurName
Description: Optional. The surname of the user.
Typical setting: %LastName%
Remarks: Typically the variable %LastName% is directly read from an import file specifying the users to create.

Property name: Description
Description: A text string that will be shown in the Description field of the user account in Windows. The string can have any length.

Property name: General - Office
Description: The user's office location. This is the person's office location, including the building and office address or number.

Property name: General - TelephoneNumber
Description: The user's phone number.

Property name: General - E-mail
Description: The user's e-mail address. The e-mail address appears with the universal principal name suffix (for example, someone@microsoft.com).

Property name: General - Web-Page
Description: The user's home page URL, either on the Internet or in the local intranet site.

Property name: Address - Street
Description: The user's street address.

Property name: Address - P.O. Box
Description: The user's post office box number.

Property name: Address - City
Description: The city where the user is located.

Property name: Address - State/province
Description: The state or province where the user is located.

Property name: Address - Zip/Postal Code
Description: The zip or postal code applicable for the user.

Property name: Address - Country/region
Description: The user's country or region.
Remarks: The country can be either explicitly chosen from a drop down list, or be specified as text. In the latter case it can also be read from a variable, for instance created by a column from the list of users.

Property name: Telephones - Home
Description: The user's home telephone number.

Property name: Telephones - Pager
Description: The user's pager number.

Property name: Telephones - Mobil
Description: The user's mobile telephone number.

Property name: Telephones - Fax
Description: The user's fax number.

Property name: Telephones - IP phone
Description: The user's IP telephone number.

Property name: Telephones - Notes
Description: Descriptive information and any comments for this user.

Property name: Organization - Title
Description: The user's title.

Property name: Organization - Department
Description: The user's department.

Property name: Organization - Company
Description: The user's company.

Output Properties

When the action is run, the actual values of the properties are determined at run time, and the action is executed using these values. Generally these values are not stored for later usage. However, the actual value of a specific property may be required for a successive action in the User Management Resource Administrator script. To facilitate this need, any property can be explicitly configured to be saved in a variable when the action has been performed. For example, when the password of a user is created with the password generator, the resulting password value may be stored in a variable, so it can be exported to a file by another action in the script.
By default the following properties are saved in a variable for usage in other scripts. Properties that are exported are shown with an image with a green arrow in the properties list.

Property: Common name
Description: The CommonName is the full name of the user. This name is most commonly used in user interfaces.
Default variable name: %FullName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Property: Contact object
Description: The internal application object representing the just created contact object.
Default variable name: %ContactObject%
Remarks: The main purpose of the Contact Object is to ease subsequent operations on the same object by actions that follow in the script. For several actions this object can be used as input to specify the object the actions work on.

Remarks

Domain / OU / Container / LDAP specification

User Management Resource Administrator supports several methods to specify the entity (domain, OU or container) in which the user account will be created. These methods differ in the way the property values are specified. The properties involved are: Domain, Organizational Unit-Container, LDAP container. Depending on your network environment and input data, you should choose the method that fits best:

Properties specified: Domain, Organizational Unit-Container
Properties not specified: LDAP container
Example: Domain: TOOLS4EVER or tools4ever.com; Organizational Unit-Container: STUDENTS/GROUP1
Description: This is the easiest method to create user accounts in OU's. To create the account, User Management Resource Administrator will automatically compose the LDAP name of the container in which to create the user account.

Properties specified: Domain
Properties not specified: LDAP container, Organizational Unit-Container
Example: TOOLS4EVER or tools4ever.com
Description: Use this method only to create user accounts in the domain root. No OU is involved.

Properties specified: LDAP container
Properties not specified: Domain, Organizational Unit-Container
Example: OU=Group1, OU=Students, DC=tools4ever, DC=com
Description: Use this method if you want to specify the OU directory using the LDAP format. If this property is specified, the Domain and Organizational Unit-Container properties are ignored.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties

Script Action: Get user (AD)

Function

Access a user account in Active Directory. This action is always used in combination with subsequent actions. Once the user is found, an internal data structure representing the user account is set up. This structure is stored in a variable (%UserObject%) that can be used by other actions. The action supports several methods to find the user.

Deployment

This action is typically used in a script that manages, edits or deletes existing user accounts. A number of actions are available to manage user accounts. Most of these actions require an input variable (%UserObject%) that holds the user account. When this action is executed successfully, the subsequent actions in the script have access to the user account through this variable. You have three options to identify the user account.

1. LDAP name: The user account is identified by its full LDAP name. Example: cn=john Williams, ou=schools, dc=tools4ever, dc=com. You only need to specify the property LDAP name to identify the user account. Optionally you can specify a domain controller. The user account is always searched for using LDAP. By specifying the name of a domain controller, the program binds directly to that domain controller instead of a domain controller chosen by Active Directory.

2. Domain, Organizational Unit-Container, FullName: From these components, User Management Resource Administrator will compose the LDAP name. If necessary, the components are converted to a suitable format. If the FullName is specified but no Organizational Unit-Container is specified, User Management Resource Administrator will not be able to find the user account. Optionally you can specify a domain controller. The user account is always searched for using LDAP. By specifying the name of a domain controller, the program binds directly to that domain controller instead of a domain controller chosen by Active Directory.

3. Domain, Username: The user account is specified using the NT-style format Domain/UserName. User Management Resource Administrator will convert the name to the full LDAP name. This method requires the most resources but does not need the organizational unit to be specified.

If none of these options can be used, you can use the Script Action: Search object (AD) to search for the user account. The result of the Search object action is the LDAP name of the user account, which can be used for option 1.

Properties

Property name: Domain
Description: The name of the domain (DNS or NETBIOS style, e.g. tools4ever.com or TOOLS4EVER) of the user account. The user account is specified using LDAP. To specify the user account, you have three options. 1: LDAP name (available from network tree browse operations), 2: Domain + Organizational Unit-Container + FullName (the LDAP name is composed from the individual components), 3: Domain + Username (NT-style, LDAP name is searched for). For each option, you need to specify the corresponding properties.
Typical setting: %Domain%
Remarks: See Deployment section.

Property name: Organizational Unit-Container
Description: The name of the Organizational Unit-Container of the user account (example: Students or Students\\Group1). The user account is specified using LDAP. To specify the user account, you have three options. 1: LDAP name (available from network tree browse operations), 2: Domain + Organizational Unit-Container + FullName (the LDAP name is composed from the individual components), 3: Domain + Username (NT-style, LDAP name is searched for). For each option, you need to specify the corresponding properties.
Remarks: See Deployment section.

Property name: Full name
Description: The full name, more precisely known as the common name of the user account in the Organizational Unit-Container - Domain (example: John Williams). The user account is specified using LDAP. To specify the user account, you have three options. 1: LDAP name (available from network tree browse operations), 2: Domain + Organizational Unit-Container + FullName (the LDAP name is composed from the individual components), 3: Domain + Username (NT-style, LDAP name is searched for). For each option, you need to specify the corresponding properties.
Typical setting: %FullName%
Remarks: See Deployment section.

Property name: Username
Description: The pre-Windows 2000 logon name of the user account (example: JWilliams). The user account is specified using LDAP. To specify the user account, you have three options. 1: LDAP name (available from network tree browse operations), 2: Domain + Organizational Unit-Container + FullName (the LDAP name is composed from the individual components), 3: Domain + Username (NT-style, LDAP name is searched for). For each option, you need to specify the corresponding properties.
Typical setting: %UserName%
Remarks: See Deployment section.

Property name: LDAP name
Description: The full LDAP name of the user account (example: cn=john Williams, ou=schools, dc=tools4ever, dc=com). If this value is specified, it takes precedence: the values for the properties 'Domain', 'Organizational Unit-Container', 'Full name' and 'Username' are ignored and do not have to be specified.
Remarks: See Deployment section.

Property name: Domain controller
Description: Optional: The name of the domain controller used to access the domain, container or organizational unit where the account exists. This property can be used with any of the methods used to specify the user account. If this value is not specified, Active Directory chooses one automatically (serverless binding).
Remarks: See Deployment section.

Property name: User Object
Description: An internal data structure representing the user account. This property is an 'output only' property and is generated automatically when the user is found in Active Directory. This property can be used in other script actions, for instance to create an Exchange mailbox, set up group memberships or modify user attributes.
Typical setting: No input value can be specified. Always specify an output variable, for example %UserObject%

Property name: User Security Identifier (SID)
Description: The security identifier (SID) of the new user account. This property is an 'output only' property and can be determined when the user is found in Active Directory. The 'User Security Identifier (SID)' is created by Active Directory automatically when the user account is created. The SID is used when setting permissions, for instance on home directories, Exchange mailboxes etc. The SID is stored by default in the variable %UserSid%.
Typical setting: No input value can be specified.
Remarks: Specify an output variable value if the SID is needed in subsequent actions.

Remarks

Each of the properties Full name, Username and LDAP name can be specified as output variables, even if the user account is determined by properties other than the output properties.

Related topics

Help on help
Principle of operation
Project operations - Manage script action properties
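Option 2 of the Deployment section composes the LDAP name from Domain, Organizational Unit-Container and FullName. The sketch below is an added example, not UMRA's own code: it shows one way to do that composition safely when the components come from an input file, escaping each value per RFC 4514 so that a name such as "Williams, John" stays a single name component. The function names are hypothetical, and the example assumes a DNS-style domain and organizational units (ou=) rather than plain containers.

```python
import re

# RFC 4514 section 2.4: these characters must be backslash-escaped in a value.
_ALWAYS_ESCAPE = set('"+,;<>\\')
_DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def escape_rdn_value(value):
    """Escape one name component so it cannot add or alter DN components."""
    if not value or not value.strip():
        raise ValueError("empty name component")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def split_ou_path(ou_path):
    """'Students/Group1' or 'Students\\Group1' -> ['Students', 'Group1'] (top-down)."""
    parts = [p.strip() for p in re.split(r"[\\/]+", ou_path or "")]
    return [p for p in parts if p]


def domain_to_dc(domain):
    """'tools4ever.com' -> ['dc=tools4ever', 'dc=com']."""
    labels = domain.split(".")
    if len(labels) < 2:
        # Assumption: a NETBIOS-style name needs a directory lookup, which this
        # offline example does not perform.
        raise ValueError("NETBIOS-style domain cannot be converted by string rules")
    for label in labels:
        if not _DNS_LABEL.fullmatch(label):
            raise ValueError("invalid DNS label: %r" % label)
    return ["dc=" + label for label in labels]


def compose_ldap_name(domain, ou_path, full_name):
    """Compose the full LDAP name; the innermost OU comes first after the cn."""
    ous = split_ou_path(ou_path)
    if not ous:
        # Matches the page: FullName without an OU-Container cannot be resolved.
        raise ValueError("Organizational Unit-Container is required with FullName")
    rdns = ["cn=" + escape_rdn_value(full_name)]
    rdns += ["ou=" + escape_rdn_value(ou) for ou in reversed(ous)]
    rdns += domain_to_dc(domain)
    return ",".join(rdns)


# Constructed sample rows, as they might arrive from an input file.
SAMPLE_ROWS = [
    ("tools4ever.com", "Students/Group1", "John Williams"),
    ("tools4ever.com", "schools", "Williams, John"),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(compose_ldap_name(*row))
```
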

Script Action: Edit user (AD)

Function

Edit an existing user account in Active Directory. The account is identified by a variable containing the User Object. Use the action Get user (AD) to find the user first. For the user account, all regular attributes can be changed and/or reset.

Deployment

This action is typically used as one of the main actions to manage existing user accounts in Active Directory. You can use this action for a single change, for instance resetting the password of an account, or for multiple changes such as home directory, profile directory and Active Directory attributes. You cannot use this action to change the common name (full name) of a user account. Use the action Script Action: Move - rename user (AD) instead.

For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

The Edit user action contains a large number of properties. As described above, the User Object property is used to identify the user account. All other properties are initially not specified. This means that the corresponding Active Directory attributes of the user account are not changed when the action is executed. An attribute is updated in Active Directory only when its property is specified.

Properties

Property name: User Object
Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
Typical setting: %UserObject%
Remarks: See Deployment section.

Property name: SAM-Account-Name
Description: The user logon name (pre-Windows 2000) without the (NETBIOS) domain name. In most cases the SAM-Account-Name is equal to the prefix of the User-Principal-Name and specified by the general name variable. The name must be unique within the domain.
Typical setting: %UserName%
Remarks: Specify the path of the organizational unit (OU) or container relative to the domain. To specify OUs in OUs, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/ou/container in which the user account is created, see the Remarks section below.

Property name: User-Principal-Name
Description: The User-Principal-Name (UPN) is an Internet-style login name for the user. The UPN is the preferred logon name for Active Directory users. Users should be using their UPNs to log on to the domain. The UPN has the format 'account_name@domain.com', where 'account_name' is the UPN prefix and 'domain.com' is the UPN suffix. In most cases the User-Principal-Name prefix is specified by the general user name variable.
Remarks: The UPN is the preferred login name for Active Directory users. Users should be using their UPN to log on to the domain. The UPN has the format account_name@domain.com, where account_name is the UPN prefix and domain.com is the UPN suffix. The UPN prefix is usually chosen to be the same as the SAM-Account-Name. Typically the name contained in %UserName% is generated by the name generation algorithm.

Property name: DisplayName
Description: This is the Display name attribute of the account. It usually contains the full name of the user.

Property name: Given-Name
Description: The Given-name corresponds with the first name of the user account. The Given-name is an optional attribute of Active Directory user accounts.

Property name: Initials
Description: The 'Initials' field corresponds with the middle name of the user account. The 'Initials' field is an optional attribute of Active Directory user accounts.

Property name: SurName
Description: The 'Surname' corresponds with the last name of the user account. The 'Surname' is an optional attribute of Active Directory user accounts.

Property name: Password generator
Description: The specification of how to generate passwords for the user account.
Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available.

Property name: Password
Description: The password of the user account.
Remarks: The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable must be specified as the value for the Password property. Typically the name contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly. For example "test1234". You can also read the password from the input file.

Property name: Description
Description: A user comment. The field can contain a text of any length.

Property name: Home directory
Description: The path of the home directory of the user account. Note that the home directory is not moved or created by this action. Instead, the home directory specification in Active Directory is updated. You can move the home directory by adding the actions 'Copy directory' and 'Delete directory' to the script.
Remarks: The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>. Note: this specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action Create Directory in the User Management Resource Administrator script after this action.

Property name: Home directory drive
Description: The drive letter to which the home directory is connected. Specify only the drive letter itself, without colon and/or backslash.
Remarks: If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path.

Property name: User profile
Description: A path to the user's profile. Note that this specification does not create the profile directory. Instead, it specifies the profile's path in the SAM user account database. You can create the profile directory by adding the action 'Create Directory' to the script.
Remarks: The value must have the form \\<server name>\<share name>\<rest of path>.

Property name: Logon script
Description: The path for the user's logon script file. The script file can be a .cmd file, an .exe file, or a .bat file.

Property name: User must change password at next logon
Description: The password is expired. Use this property to force the user to change the password at the next logon. Note that the user can log on using the current password.
Remarks: When set to Yes, the User cannot change password property must be set to No. Valid specifications are Yes and No. This setting has no effect on members of the administrators group.

Property name: User cannot change password
Description: The user cannot change the password. When the user cannot change the password, only the administrator can change the password.
Remarks: When set to Yes, the User must change password at next logon property must be set to No. Valid specifications are Yes and No. The default value is No.

Property name: Password never expires
Description: The password should never expire on the account.
Remarks: This setting overrides the Maximum Password Age setting in the password policy for the domain/computer.

Property name: Store password using reversible encryption
Description: A password-specific option. If you have users logging on to your Windows 2000 network from Apple computers, select this option for those user accounts.
Remarks: Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not be used.

Property name: Account disabled
Description: The user's account is disabled. If a user account is disabled, the account does exist but cannot be used to log on to the network.

Property name: Smart card is required for interactive logon
Description: Specifies whether a smart card is required.
Remarks: Requires that the user possesses a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is automatically set to a random and complex value and the Password never expires account option is set.

Property name: Account is trusted for delegation
Description: Specifies whether the account is trusted for delegation.
Remarks: Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer

Property name: Account is sensitive and cannot be delegated
Description: Specifies that the account cannot be delegated.
Remarks: Allows control over a user account, such as a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account.

Property name: Use DES encryption types for this account
Description: Provides support for Data Encryption Standard (DES).

Property name: Do not require Kerberos preauthentication
Description: Provides support for alternative implementations of the Kerberos protocol.

Property name: Account expiration
Description: Specifies the date after which the account is expired.

Property name: Logon hours
Description: The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week.
Remarks: The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters.

Property name: Workstations
Description: A list of workstation names, separated by ",", on which the user is allowed to log on.
Remarks: If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified. If not specified, no such explicit restriction applies.

Property name: General - Office
Description: The user's office location.
Remarks: This is the person's office location, including the building and office address or number.

Property name: General - TelephoneNumber
Description: The user's phone number.

Property name: General - E-mail
Description: The user's e-mail address.
Remarks: The e-mail address appears with the universal principal name suffix (for example, someone@microsoft.com).

Property name: General - Web-Page
Description: The user's home page URL, either on the Internet or in the local intranet site.

Property name: Address - Street
Description: The user's street address.

Property name: Address - P.O. Box
Description: The user's post office box number.

Property name: Address - City
Description: The city where the user is located.

Property name: Address - State/province
Description: The state or province where the user is located.

Property name: Address - Zip/Postal Code
Description: The zip or postal code applicable for the user.

Property name: Address - Country/region
Description: The user's country or region.
Remarks: The country can be either explicitly chosen from a drop-down list, or be specified as text. In the latter case it can also be read from a variable, for instance created by a column from the list of users.

Property name: Telephones - Home
Description: The user's home telephone number.

Property name: Telephones - Pager
Description: The user's pager number.

Property name: Telephones - Mobil
Description: The user's mobile telephone number.

Property name: Telephones - Fax
Description: The user's fax number.

Property name: Telephones - IP phone
Description: The user's IP telephone number.

Property name: Telephones - Notes
Description: Descriptive information and any comments for this user.

Property name: Organization - Title
Description: The user's title.

Property name: Organization - Department
Description: The user's department.

Property name: Organization - Company
Description: The user's company.

Related topics

Help on help
Principle of operation
Project operations - Manage script action properties
Script Action: Move - rename user (AD)
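The Logon hours property above is a text of 42 hexadecimal characters, 6 per day. The decoder below is an added example, not UMRA code, for reviewing such a value before it is written to an account. It assumes the text is the hexadecimal form of the Active Directory logonHours attribute: 21 bytes, week starting on Sunday, one bit per hour with the least significant bit first, hours in UTC. The function names and the sample value are constructed for illustration.

```python
import re

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def decode_logon_hours(text):
    """Return {day: [allowed hours 0..23]} for a 42-character hex value."""
    text = text.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{42}", text):
        raise ValueError("expected exactly 42 hexadecimal characters")
    raw = bytes.fromhex(text)  # 21 bytes, 3 per day
    week = {}
    for d, day in enumerate(DAYS):
        chunk = raw[3 * d: 3 * d + 3]
        # Assumed bit order: bit 0 of the first byte is hour 00:00-01:00.
        week[day] = [h for h in range(24) if (chunk[h // 8] >> (h % 8)) & 1]
    return week


def encode_logon_hours(week):
    """Inverse of decode_logon_hours; missing days mean no logon allowed."""
    raw = bytearray(21)
    for d, day in enumerate(DAYS):
        for h in week.get(day, []):
            if not 0 <= h <= 23:
                raise ValueError("hour out of range: %r" % h)
            raw[3 * d + h // 8] |= 1 << (h % 8)
    return raw.hex().upper()


def allowed_ranges(week):
    """Collapse hour lists into (start, end) pairs, end exclusive."""
    result = {}
    for day, hours in week.items():
        ranges = []
        for h in sorted(hours):
            if ranges and ranges[-1][1] == h:
                ranges[-1] = (ranges[-1][0], h + 1)
            else:
                ranges.append((h, h + 1))
        result[day] = ranges
    return result


def is_unrestricted(text):
    """True when logon is allowed 24 hours a day, 7 days a week (the default)."""
    return all(len(hours) == 24 for hours in decode_logon_hours(text).values())


# Constructed sample: Monday to Friday 08:00-18:00, no weekend logon.
OFFICE_HOURS = "000000" + "00FF03" * 5 + "000000"

if __name__ == "__main__":
    for day, ranges in allowed_ranges(decode_logon_hours(OFFICE_HOURS)).items():
        print(day, ranges or "no logon")
```
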

Script Action: Edit user logon

Function

Edit the logon settings of an existing user account. The account is identified by a variable containing the User Object. Use the action Get user (AD) to find the user first. For the user account, all regular attributes can be changed and/or reset.

Deployment

This action is typically used as one of the main actions to manage existing user accounts in Active Directory. You can use this action for a single change, for instance resetting the password of an account, or for multiple changes such as home directory, profile directory and Active Directory attributes. You cannot use this action to change the common name (full name) of a user account. Use the action Script Action: Move - rename user (AD) instead.

For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

The Edit user action contains a large number of properties. As described above, the User Object property is used to identify the user account. All other properties are initially not specified. This means that the corresponding Active Directory attributes of the user account are not changed when the action is executed. An attribute is updated in Active Directory only when its property is specified.

Properties

Property name: User Object
Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
Typical setting: %UserObject%
Remarks: See Deployment section.

Property name: Username
Description: The SAM account name of the user for which you want to edit the logon settings.
Remarks: You should only use this option when you are not using the %UserObject% variable. Instead of the %UserObject% variable, a user account can also be identified by the username and the domain name or the domain controller.

Property name: Domain
Description: The domain in which the user account for which you want to edit the logon settings is located.
Remarks: You should only use this option when you want to identify the user account by username and domain name.

Property name: Domain controller
Description: The domain controller of the domain in which the user account for which you want to edit the logon settings is located.
Remarks: You should only use this option when you want to identify the user account by username and domain controller.

Property name: Password generator
Description: The specification of how to generate passwords for the user account.
Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available.

Property name: Password
Description: The password of the user account.
Remarks: The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable must be specified as the value for the Password property. Typically the name contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly. For example "test1234". You can also read the password from the input file.

Property name: User must change password at next logon
Description: The password is expired. Use this property to force the user to change the password at the next logon. Note that the user can log on using the current password.
Remarks: When set to Yes, the User cannot change password property must be set to No. Valid specifications are Yes and No. This setting has no effect on members of the administrators group.

Property name: User cannot change password
Description: The user cannot change the password. When the user cannot change the password, only the administrator can change the password.
Remarks: When set to Yes, the User must change password at next logon property must be set to No. Valid specifications are Yes and No. The default value is No.

Property name: Password never expires
Description: The password should never expire on the account.
Remarks: This setting overrides the Maximum Password Age setting in the password policy for the domain/computer.

Property name: Account disabled
Description: The user's account is disabled. If a user account is disabled, the account does exist but cannot be used to log on to the network.
Remarks: Valid specifications are Yes and No. The default value is No.

Property name: Unlock the account
Description: Unlock a user account. When an account is locked it is temporarily impossible to log on to the network. An account gets locked when an incorrect password is specified.
Remarks: When set to Yes, a locked account will be unlocked. This property can only be used when an account is locked.

Related topics

Help on help
Principle of operation
Project operations - Manage script action properties
Script Action: Move - rename user (AD)
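The account options listed for Edit user (AD) and Edit user logon include several that weaken an account, and two that the Remarks say must not both be Yes. The checker below is an added example, not UMRA code, that reviews a set of property values before a script runs. It goes beyond the page in one respect: it also maps a live userAccountControl value (Microsoft's documented bit values) onto the same option names so existing accounts can be reviewed the same way. Function names, finding codes and sample values are constructed.

```python
import re

YES, NO = "Yes", "No"
MUST_CHANGE = "User must change password at next logon"
CANNOT_CHANGE = "User cannot change password"
NEVER_EXPIRES = "Password never expires"
SMART_CARD = "Smart card is required for interactive logon"

# userAccountControl bit values as documented by Microsoft for these options.
UAC_BITS = {
    "Account disabled": 0x00000002,
    "Store password using reversible encryption": 0x00000080,
    NEVER_EXPIRES: 0x00010000,
    SMART_CARD: 0x00040000,
    "Account is trusted for delegation": 0x00080000,
    "Account is sensitive and cannot be delegated": 0x00100000,
    "Use DES encryption types for this account": 0x00200000,
    "Do not require Kerberos preauthentication": 0x00400000,
}
YES_NO_PROPERTIES = set(UAC_BITS) | {MUST_CHANGE, CANNOT_CHANGE}

# Options that lower the protection of the account, with the reason reported.
WEAKENING = {
    "Store password using reversible encryption": "password is kept in a recoverable form",
    "Use DES encryption types for this account": "Kerberos is limited to the obsolete DES cipher",
    "Do not require Kerberos preauthentication": "the KDC answers before the caller proves knowledge of the password",
    "Account is trusted for delegation": "services under this account can impersonate clients",
    NEVER_EXPIRES: "overrides the domain Maximum Password Age",
}
VARIABLE = re.compile(r"%[^%\s]+%")  # a UMRA variable such as %Password%


def options_from_uac(uac):
    """Translate a userAccountControl integer into Yes/No option values."""
    return {name: (YES if uac & bit else NO) for name, bit in UAC_BITS.items()}


def review_options(props):
    """Return (code, property, reason) findings for one account's settings."""
    findings = []
    for name in sorted(YES_NO_PROPERTIES & set(props)):
        if props[name] not in (YES, NO):
            findings.append(("invalid-value", name, "valid specifications are Yes and No"))
    if props.get(MUST_CHANGE) == YES and props.get(CANNOT_CHANGE) == YES:
        findings.append(("conflict", CANNOT_CHANGE, "must be No when '%s' is Yes" % MUST_CHANGE))
    password = props.get("Password")
    if password is not None and not VARIABLE.fullmatch(password):
        findings.append(("static-password", "Password",
                         "literal value is shared by every account the script processes"))
    smart_card = props.get(SMART_CARD) == YES
    for name, reason in WEAKENING.items():
        if props.get(name) != YES:
            continue
        if name == NEVER_EXPIRES and smart_card:
            continue  # per the page, smart-card accounts get a random password and this option
        findings.append(("weak-option", name, reason))
    return findings


# Constructed sample: a planned Edit user logon property set.
SAMPLE_PROPS = {MUST_CHANGE: "Yes", CANNOT_CHANGE: "Yes", "Password": "test1234"}

if __name__ == "__main__":
    for finding in review_options(SAMPLE_PROPS):
        print(finding)
    # Constructed value: normal account + never expires + no preauthentication.
    for finding in review_options(options_from_uac(0x410200)):
        print(finding)
```
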

Script Action: Delete user (AD)

Function

Delete an existing user account from Active Directory. The account is identified by a variable containing the 'User Object'. Use the action Get user (AD) to find the user first.

Deployment

This action is typically used to delete one or more user accounts and associated resources from Active Directory. This action should be the last action: the user's resources, e.g. group memberships and home and profile directories, should be deleted first.

For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

With this action you cannot delete local computer accounts or Windows NT4 domain accounts. Use Script Action: Delete user (no AD) instead.

Properties

Property name: User Object
Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
Typical setting: %UserObject%
Remarks: See Deployment section.

Related topics

Help on help
Principle of operation
Project operations - Manage script action properties
Script Action: Get user (AD)
Script Action: Move - rename user (AD)
Script Action: Delete user (no AD)

Script Action: Set User Group Memberships (AD)

Function

Make an Active Directory user account a member of specified Active Directory universal, domain global or domain local groups. The groups can be either security or distribution groups.

Deployment

This action is typically used in a script that is intended to create new users in Active Directory, after creation of the actual user account with Script Action: Create User (AD). It can also be used for modifying existing accounts.

The groups can be specified by two properties: by LDAP names (property: Group names (LDAP)) and by pre-Windows 2000 names (property: Group names (Pre-W2K name)). For both properties, the LDAP name is used to add the user account to the group. For property Group names (Pre-W2K name), the LDAP name is searched for in Active Directory.

If the group names are known in advance and there is no need to use variables in the specification of the group names, it is recommended to use property Group names (LDAP) to specify the names of the groups.

If you want to use pre-Windows 2000 names and variables, it is more convenient to use property Group names (Pre-W2K name). This property contains a list with the pre-Windows 2000 names of the groups. The entries of the list can be a single group name or a variable containing one or more group names specified as a text list. When the action is executed, the application will search in Active Directory to find the LDAP name of the group. The method used to access Active Directory is determined by the syntax used to specify the group name:

Syntax: GroupName
Example: Administrators
Description: The Active Directory path of the %UserObject% property is used to access Active Directory.

Syntax: Domain\GroupName
Example: SEASONS\Administrators
Description: The application accesses Active Directory through the domain: LDAP://Domain

Syntax: \\Server\GroupName
Example: \\SPRING\Administrators
Description: The application accesses Active Directory by accessing the server: LDAP://Server

Note that a different syntax can be used for each item of the list.

A common scenario to specify a number of groups using variables is as follows:

1. A number of Set variable script actions are used to initialize multiple variables, each containing a number of groups: %GroupSetA%, %GroupSetB%, %GroupSetC% etc. See Data specification - Text list for more information.
2. The Map variable script action copies the content of one of these variables into the resulting variable %GroupSet%. The mapping is determined by the content of the input data.
3. The Group names (Pre-W2K name) property contains a single entry: %GroupSet%

The mapping performed in step 2 determines the groups of which the user account becomes a member.

Properties

Property name: User Object
Description: Internal application object representing the user account that must be made a member of specified groups.
Typical setting: %UserObject%
Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, e.g. the script action Create user (AD) will by default fill the variable %UserObject% with the User Object of the just created user.

Property name: Group names (LDAP)
Description: The names of the groups of which the user account must become a member. Each group name is specified by 2 text strings: a display name and the LDAP name. The display string has the easily readable format Domain/GroupName, for instance: TOOLS4EVER/Users. The LDAP name is the name of the group in Active Directory. The LDAP name is used by the application to add the user to the group.
Typical setting: LDAP group names specified by means of a special dialog
Remarks: The property is a list of text pairs. Each pair represents a single group. The pair items are the display name and the LDAP name of the group,

Property name: Group names (Pre-W2K name)
Description: The names of the groups of which the user account must become a member. Each group name is specified by its pre-Windows 2000 name. This name corresponds with the Windows NT naming style. The application will first search for the full LDAP name of the group. See the on-line help for more information.
Typical setting: Pre-Windows 2000 group names
Remarks: The property is a list. The list contains the pre-Windows 2000 names of the groups. The name can be specified using the following syntax: DOMAIN\GroupName, \\SERVER\GroupName, GroupName. See the Deployment section for more information.

More information:

Principle of operation
Project operations - Input data
Project operations - Manage script actions
Project operations - Variables
Help on help

Script Action: Remove user group memberships (AD)

Function

Remove the group memberships of an Active Directory user account. You can filter on local, global, universal, security and distribution groups.

Deployment

This action is typically used in a script that is intended to manage existing user accounts. With this action you can delete the user account from all or some of the groups of which the account is a member. You can define 2 filters to determine the groups from which the user account is deleted:

1. Filter 1: local - global - universal groups. For each possible value you can specify if the user account must be deleted from the corresponding groups.
2. Filter 2: security - distribution groups. For each possible value you can specify if the user account must be deleted from the corresponding groups.

The user account is deleted from a group if both filter criteria are met. Example: If you set the filter properties for global and security to Yes and all other filter properties to No, the user account is deleted from a global security group but not from a global distribution group.

Properties

Property name: User Object
Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
Typical setting: %UserObject%
Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get user (AD).

Property name: Remove from local groups
Description: Remove the user account from local groups.
Typical setting: Yes
Remarks: See Deployment section

Property name: Remove from global groups
Description: Remove the user account from global groups (scope: local - global - universal).
Typical setting: Yes
Remarks: See Deployment section

Property name: Remove from universal groups
Description: Remove the user account from universal groups (scope: local - global - universal).
Typical setting: Yes
Remarks: See Deployment section

Property name: Remove from security groups
Description: Remove the user account from security groups (scope: security - distribution).
Typical setting: Yes
Remarks: See Deployment section

Property name: Remove from distribution groups
Description: Remove the user account from distribution groups (scope: security - distribution).
Typical setting: Yes
Remarks: See Deployment section

More information:

Principle of operation
Project operations - Input data
Project operations - Manage script actions
Project operations - Variables
Script Action: Set User Group Memberships (AD)
Script Action: Set User Global Group Memberships
Help on help

Script Action: Move - rename user (AD)

Function

Move a user account in Active Directory to another OU, container or domain. Alternatively, you can use this action to rename a user account in an organizational unit - container of Active Directory. When moving a user account to another domain, several restrictions apply:

1. The source and destination domain must be in the same forest of domains.
2. The destination domain must be in native mode.

Deployment

This action is typically used in a script that is intended to manage existing user accounts. With this action you can execute 2 operations:

1. Move user account(s) to other organizational units or domains: The user account can be moved to another organizational unit in the same domain or in another domain. If the domain is changed, the domain must be in the same forest and the destination domain must be in native mode. When the account is moved, the common name of the user account is not changed by default. The common name is part of the full LDAP name of the user account that uniquely identifies the user account in the organizational unit or container. Hence, the common name must be unique in the organizational unit. If you execute this action to move an account to an OU in which a user account with the same common name already exists, the action will fail. Alternatively, you can rename the account (property NewName).

2. Rename a user account: With this action you can change the common name of the user account. The common name is part of the full LDAP name of the user account that uniquely identifies the user account in the organizational unit or container. Hence, the common name must be unique in the organizational unit. If the new common name is not unique, the action will fail and an error is generated.

You can also combine the 2 operations and both move and rename the user account.

When you want to move the user account, you need to specify the destination organizational unit or container of the user account. If you only want to rename the user account, the organizational unit or container of the user account is not changed. To specify the destination organizational unit or container you have 2 options:

1. Specify properties Domain and Organizational Unit-Container: When moving user accounts to another organizational unit, you must specify the new name of the OU. If the domain is not changed, you don't need to specify property Domain. If you use this option, you don't need to specify the property OU-Container LDAP name.

2. Specify property OU-Container LDAP name: If you use this option, you need to specify the full LDAP name of the destination organizational unit - container. Examples: ou=schools, dc=tools4ever, dc=com; LDAP://ou=Schools, dc=tools4ever, dc=com; LDAP://domaincontroller/ou=Schools, dc=tools4ever, dc=com. With this option, you don't need to specify the properties Domain and Organizational Unit-Container.

Properties

Property name: User Object
Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
Typical setting: %UserObject%
Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get user (AD).

Property name: Domain
Description: The name of the destination domain (DNS or NETBIOS style, e.g. tools4ever.com or TOOLS4EVER) of the user account. If the domain name is not specified, the application assumes that the account is not moved across domains. When no destination Organizational Unit-Container is specified, the user account is not moved but renamed only.
Remarks: Specification of this property is required only if you want to move and optionally rename the user account across domains.

Property name: Organizational Unit-Container
Description: The name of the destination Organizational Unit-Container of the user account (example: Students or Students/Group1). When this property is not specified, the user account is not moved but renamed only, unless the property 'OU-Container LDAP name' is specified.
Remarks: Specification of this property is required only if you want to move and optionally rename the user account to another organizational unit or container.

Property name: OU-Container LDAP name
Description: The full LDAP name of the destination Organizational Unit-Container (example: ou=schools, dc=tools4ever, dc=com). When specified, the properties 'Domain' and 'Organizational Unit-Container' are ignored. When no destination Organizational Unit-Container is specified, the user account is not moved but renamed only.
Remarks: Specification of this property is required only if you want to move and optionally rename the user account to another organizational unit or container.

Property name: Domain controller
Description: Optional: The name of the domain controller used to access the domain, container or organizational unit where the account is moved to, or where the account exists in case of a rename operation. This property 'helps' User Management Resource Administrator to access Active Directory.

Property name: New name
Description: The new name of the user account. The name is the name that identifies the user account in Active Directory, e.g. the 'Common-Name'. If this property is not specified, the account is not renamed. To rename other names of user accounts, use the action 'Edit user (AD)'.
Remarks: You only need to specify this property if you want to rename the user account, e.g. change the common name.

More information:

Principle of operation
Project operations - Input data
Project operations - Manage script actions
Project operations - Variables
Help on help

Script Action: Create Exchange Mailbox (2003/2000)

Function

Creates an Exchange mailbox for an Active Directory user account. This action supports MS Exchange versions 2003 and 2000.

Deployment

This action is typically used in a script that is intended to create new users in Active Directory, after creation of the actual user account with Script Action: Create User (AD). It can also be used for modifying existing accounts.

Properties

Property Name: User Object
Description: Internal application object representing the user account for which a mailbox must be created.
Typical setting: %UserObject%
Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action. For example, the script action Create user (AD) will by default fill the variable %UserObject% with the User Object of the created user.

Property Name: Exchange server
Description: The name of the Exchange server on which the mailbox is created. It can be specified either in DNS-style or in NT4-style.
Typical setting: %ExchangeServer%

Property Name: Mailbox store
Description: Optional: The LDAP name of the mailbox store.
Typical setting: <not specified>
Remarks: A mailbox store is required to create an Exchange mailbox. When this property is not specified, User Management Resource Administrator tries to determine the mailbox stores that exist on the specified Exchange server. When only one mailbox store is found, this mailbox store is used for the Exchange mailbox. By default, only one mailbox store is set up when MS Exchange is installed. If multiple mailbox stores exist on the Exchange server, you must explicitly specify this property.

Property Name: Domain controller
Description: Optional: The name of the domain controller used to access Active Directory.
Typical setting: <not specified>
Remarks: Exchange information is stored in Active Directory. Depending on the logged-on user account and the network domain configuration, it may be necessary to specify this property. For instance, if you are logged in to a trusted NT4 domain and are creating mailboxes in a Windows 2003/2000 environment, you must specify the name of a domain controller of the Windows 2003/2000 domain of the user account for this property. This property is used only to enable access to Active Directory.

Property Name: Alias
Description: Optional: The Alias property specifies the Alias used for E-mail address generation.
Typical setting: <not specified>
Remarks: By default E-mail addresses are generated based on the name of the user account. The value is set up by MS Exchange automatically.

Property Name: E-mail addresses
Description: Optional: The explicit E-mail addresses for the Exchange mailbox.
Remarks: By default E-mail addresses are generated automatically when the mailbox is created. By specifying this property you can overrule this setting and specify additional E-mail addresses. Overruling of automatically generated addresses only occurs for the E-mail types that are explicitly set. That is, if your Exchange server configuration by default generates both SMTP and X400 addresses, and this property specifies only SMTP addresses, the X400 addresses will still be generated as specified on the Exchange server itself. Specify the E-mail address using the format (E-mail-type):(E-mail-Address). To specify the primary address, the E-mail-type must be in capitals. There must be exactly one primary E-mail address of each E-mail type when used. Example:
   SMTP:J.Smith@tools4ever.com
   smtp:john@tools4ever.com

Property Name: Auto-update E-mail addresses
Description: When this is set to YES, Exchange will automatically generate E-mail addresses according to the Exchange recipient policy for the account.
Typical setting: YES

Property Name: Hide from address book
Description: When set to YES, the user's mailbox does not show in address books.
Typical setting: NO

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Edit Exchange mailbox (2000/2003); Script Action: Delete Exchange mailbox (2000/2003); Help on help
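The E-mail addresses rules above (type:address format, capitals for the primary, exactly one primary per type) can be checked before a script runs. The following is an added example, not part of UMRA or its documentation; the function name, the treatment of mixed-case types as errors, and the constructed sample list are assumptions of this example.

```python
import re
from collections import defaultdict

# Deliberately simple SMTP syntax check; an assumption of this example.
SMTP_RE = re.compile(r"^[^@\s:]+@[^@\s]+\.[^@\s.]+$")

# The page's own example, followed by a constructed list with typical mistakes.
SAMPLE_OK = ["SMTP:J.Smith@tools4ever.com", "smtp:john@tools4ever.com"]
SAMPLE_BAD = [
    "SMTP:J.Smith@tools4ever.com",
    "SMTP:john@tools4ever.com",                          # second SMTP primary
    "x400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=J;",   # X400 used, no primary
    "Smtp:mixed@tools4ever.com",                         # neither capitals nor lower case
    "no-type-prefix@tools4ever.com",                     # missing "type:" prefix
]


def check_email_addresses(entries):
    """Return (primaries, problems) for a list of 'type:address' strings."""
    problems = []
    primaries = defaultdict(list)   # TYPE -> list of primary addresses
    used_types = set()              # every address type that appears
    seen = set()                    # (TYPE, address) pairs, for duplicate detection

    for raw in entries:
        addr_type, sep, address = raw.strip().partition(":")
        if not sep or not addr_type or not address:
            problems.append(f"malformed entry (expected type:address): {raw!r}")
            continue
        if addr_type.isupper():
            is_primary = True       # capitals mark the primary address
        elif addr_type.islower():
            is_primary = False
        else:
            # Strictness choice of this example: refuse to guess.
            problems.append(f"mixed-case type, primary or not is unclear: {raw!r}")
            continue

        key = addr_type.upper()
        used_types.add(key)
        if key == "SMTP" and not SMTP_RE.match(address):
            problems.append(f"not a valid SMTP address: {raw!r}")
        if (key, address.lower()) in seen:
            problems.append(f"duplicate address: {raw!r}")
        seen.add((key, address.lower()))
        if is_primary:
            primaries[key].append(address)

    # Exactly one primary address for each type that is used at all.
    for key in sorted(used_types):
        count = len(primaries[key])
        if count != 1:
            problems.append(f"{key}: expected exactly one primary address, found {count}")

    return {k: v[0] for k, v in primaries.items() if len(v) == 1}, problems


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        primary, issues = check_email_addresses(sample)
        print(primary, issues)
```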

Script Action: Edit Exchange mailbox (2000/2003)

Function

Edit the existing Exchange 2003/2000 mailbox of a user account. The user account and mailbox must already exist. To edit additional attributes of the user account, use the action Edit user (AD).

Deployment

This action is typically used in a script that is intended to manage existing user accounts and mailboxes. For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

Properties

Property Name: User Object
Description: A data structure representing the user account. The property is used to identify the user account for the mailbox and is normally generated as a variable by a previous script action ('Creating user (AD)').
Typical setting: %UserObject%

Property Name: Alias
Description: The Alias property specifies the Alias used for E-mail address generation.
Remarks: By default E-mail addresses are generated based on the name of the user account. The value is set up by MS Exchange automatically.

Property Name: E-mail addresses
Description: The E-mail addresses specified for the Exchange mailbox. By default, the E-mail addresses are generated automatically when the mailbox is created. By specifying this property you can configure additional E-mail addresses.
Remarks: By default E-mail addresses are generated automatically when the mailbox is created. By specifying this property you can overrule this setting and specify additional E-mail addresses. Overruling of automatically generated addresses only occurs for the E-mail types that are explicitly set. That is, if your Exchange server configuration by default generates both SMTP and X400 addresses, and this property specifies only SMTP addresses, the X400 addresses will still be generated as specified on the Exchange server itself. Specify the E-mail address using the format (E-mail-type):(E-mail-Address). To specify the primary address, the E-mail-type must be in capitals. There must be exactly one primary E-mail address of each E-mail type when used. Example:
   SMTP:J.Smith@tools4ever.com
   smtp:john@tools4ever.com

Property Name: Auto-update E-mail addresses
Description: The E-mail addresses for the Exchange mailbox can be generated according to the recipient's policy by specifying this option.

Property Name: Hide from address book
Description: The property specifies whether the recipient is displayed in the address book.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Create Exchange Mailbox (2000/2003); Script Action: Delete Exchange mailbox (2000/2003); Help on help

Script Action: Modify Exchange mailbox permissions (2000/2003)

Function

Modify the permissions of an existing Exchange 2003/2000 mailbox. The mailbox and user account must exist.

Deployment

This action is typically used in a script that is intended to manage existing user accounts and mailboxes. With this action, permissions of the mailbox can be added and removed. For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable. With this action you can perform the following functions:

1. Add permissions for another account to the mailbox.
2. Delete permissions for a specific account from a mailbox.
3. Set specific mailbox permissions.

Properties

Property Name: User Object
Description: A data structure representing the user account. The property is used to identify the user account for the mailbox and is normally generated as a variable by a previous script action ('Creating user (AD)').
Typical setting: %UserObject%
Remarks: This property specifies the mailbox that must exist. The mailbox can be created with other actions (see Script Action: Create Exchange Mailbox (2000/2003) for more information).

Property Name: Permission: Delete mailbox storage
Description: Set this property to 'Yes' if you want to add the permission 'Delete mailbox storage'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Read permissions
Description: Set this property to 'Yes' if you want to add the permission 'Read permissions'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Change permissions
Description: Set this property to 'Yes' if you want to add the permission 'Change permissions'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Take ownership
Description: Set this property to 'Yes' if you want to add the permission 'Take ownership'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Full mailbox access
Description: Set this property to 'Yes' if you want to add the permission 'Full mailbox access'.
Remarks: One of the standard permissions you can add to the mailbox.

Property Name: Permission: Associated external account
Description: Set this property to 'Yes' if you want to add the permission 'Associated external account'.
Remarks: One of the standard permissions you can add to the mailbox. If you specify this permission, you must also specify permission Full mailbox access.

Property Name: Use special permissions
Description: Set this property to 'Yes' if you want to add a permission entry specified with the properties 'Special permission access mask', 'Special permission inheritance' and 'Special permission deny'.
Remarks: Only use the special permissions if you cannot use the standard permissions. When you add a special permission, you also need to specify the properties Special permission access mask and Special permission inheritance.

Property Name: Special permission access mask
Description: The access mask used for the access control entry that is added to the access control list of the mailbox. If you want to use special permissions, set property 'Use special permissions' to 'Yes'.
Remarks: See Use special permissions.

Property Name: Special permission inheritance
Description: The inheritance settings used for the access control entry that is added to the access control list of the mailbox. If you want to use special permissions, set property 'Use special permissions' to 'Yes'.
Remarks: See Use special permissions.

Property Name: Permission deny flag
Description: A flag indicating if the specified permission is granted or denied. Set to 'Yes' to deny access. When not specified or set to 'No', access is granted.
Remarks: Set this flag to 'Yes' if the permission should be denied instead of granted. Normally you only specify permissions for a mailbox to grant access. You do not need to explicitly deny access to the mailbox.

Property Name: Permission account is other account flag
Description: A flag indicating if the permissions are updated for the account of the mailbox or another account. If set to 'Yes', a permission entry is added or removed for an account other than the account of the mailbox. In this case you must also specify property 'Permission account name' or 'Permission account SID'.
Remarks: You can add or remove permissions for the user account of the mailbox or another account. If you don't set this property to 'Yes', the specified permissions are updated for the account of the mailbox. If you want to update permissions for another account, you need to set this property to Yes and specify one of the following properties to identify the other user account: Permission account name or Permission account SID.

Property Name: Permission account name
Description: The name of an account for which a permission is added or permissions are removed. If you want to use this property, you must also set the property 'Permission account is other account flag'.
Remarks: See Permission account is other account flag.

Property Name: Permission account SID
Description: The security identifier (SID) of an account for which a permission is added or permissions are removed. If you want to use this property, you must also set the property 'Permission account is other account flag'.
Remarks: See Permission account is other account flag.

Property Name: Remove account permission entries
Description: A flag indicating if the permissions must be added or removed. If set to 'Yes', the permissions for the specified account (properties: 'Permission account is other account flag' and 'Permission account name' or 'Permission account SID') are removed from the mailbox access control list.
Remarks: To remove permissions from the mailbox, set this flag to Yes. If another account is specified, the permissions for this account are removed from the mailbox. If no other account is specified, the explicit permissions for the account of the mailbox are removed.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Create Exchange Mailbox (2000/2003); Script Action: Delete Exchange mailbox (2000/2003); Help on help
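The dependencies between the mailbox permission properties above can be checked before the action is run, and grants that give another account broad control over a mailbox can be listed for review. This is an added example, not UMRA code: the dictionary representation of the action's properties, the function names, the choice of which permissions count as high impact, and the constructed samples (account name and SID included) are assumptions of this example.

```python
# Permissions this example lists for review when granted to another account
# (a review policy chosen for the example, not something the page prescribes).
HIGH_IMPACT = (
    "Permission: Full mailbox access",
    "Permission: Change permissions",
    "Permission: Take ownership",
)

# Constructed samples; keys are the property names used on the page.
OWNER_ONLY = {"User Object": "%UserObject%", "Permission: Read permissions": "Yes"}
DELEGATE = {
    "User Object": "%UserObject%",
    "Permission: Full mailbox access": "Yes",
    "Permission account is other account flag": "Yes",
    "Permission account name": "EXAMPLE\\helpdesk1",
}
BROKEN = {
    "User Object": "%UserObject%",
    "Permission: Associated external account": "Yes",   # Full mailbox access missing
    "Use special permissions": "Yes",                   # mask and inheritance missing
    "Permission account SID": "S-1-5-21-1111111111-2222222222-3333333333-1001",
}


def is_yes(props, name):
    """A property that is not specified counts as 'No'."""
    return str(props.get(name, "No")).strip().lower() == "yes"


def check_mailbox_permissions(props):
    """Return (errors, review) for one Modify Exchange mailbox permissions action."""
    errors, review = [], []
    other = is_yes(props, "Permission account is other account flag")
    account = props.get("Permission account name") or props.get("Permission account SID")

    # Rule from the page: Associated external account needs Full mailbox access.
    if is_yes(props, "Permission: Associated external account") and not is_yes(
        props, "Permission: Full mailbox access"
    ):
        errors.append("'Associated external account' also requires 'Full mailbox access'")

    # Rule from the page: special permissions need an access mask and inheritance.
    if is_yes(props, "Use special permissions"):
        for needed in ("Special permission access mask", "Special permission inheritance"):
            if not props.get(needed):
                errors.append(f"'Use special permissions' is Yes but '{needed}' is not specified")

    # Rule from the page: the other-account flag and the account identity go together.
    if other and not account:
        errors.append("other-account flag is Yes but no account name or SID is specified")
    if account and not other:
        errors.append("account name or SID is specified but the other-account flag is not Yes")

    # Review items only apply when entries are added, not removed.
    if not is_yes(props, "Remove account permission entries"):
        if is_yes(props, "Permission deny flag"):
            review.append("explicit deny entry (the page notes this is normally not needed)")
        elif other:
            for perm in HIGH_IMPACT:
                if is_yes(props, perm):
                    review.append(f"{perm} granted to another account: {account or '<unspecified>'}")
    return errors, review


if __name__ == "__main__":
    for sample in (OWNER_ONLY, DELEGATE, BROKEN):
        print(check_mailbox_permissions(sample))
```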

Script Action: Delete Exchange mailbox (2000/2003)

Function

Delete the Exchange 2003 or Exchange 2000 mailbox of an existing user account. The user account is specified by a variable (default: %UserObject%). You can use the action Get user (AD) to find the user account and initialize this variable.

Deployment

This action is typically used in a script that is intended to delete the mailbox of an existing user account and possibly the user's resources and the account itself. For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

Properties

Property Name: User Object
Description: A data structure representing the user account. The property is used to identify the user account for the mailbox and is normally generated as a variable by a previous script action, Script Action: Get user (AD).
Typical setting: %UserObject%

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Create Exchange Mailbox (2000/2003); Script Action: Edit Exchange mailbox (2000/2003); Help on help

Script Action: Manage Exchange recipient mail addresses (2003/2000)

Function

Manage an Exchange mailbox for an Active Directory user account. This action supports MS Exchange versions 2003 and 2000.

Deployment

This action is typically used in a script that is intended to manage existing mailbox accounts.

Properties

Property Name: AD Object
Description: A data structure representing the Active Directory object for which you want to manage the E-mail addresses.
Typical setting: %ActiveDirectoryObject%
Remarks: This property is used to identify the mail recipient. You can obtain this variable by using the following script actions: Create user (AD), Create contact (AD), Get object (AD), Get user (AD). The output variable for these actions must be set to %ActiveDirectoryObject%.

Property Name: Target address
Description: The property specifies the delivery address to which e-mail for this recipient should be sent.
Remarks: By specifying this property, mail is automatically enabled for the recipient. If you specify this property, you should not specify the property 'Disable mail'.

Property Name: Disable mail
Description: With this property you can disable mail to a recipient. When set to 'Yes' the recipient can no longer receive mail and all mail addresses are cleared.
Typical setting: No

Property Name: Alias
Description: Optional: The Alias property specifies the Alias used for E-mail address generation.
Remarks: By default E-mail addresses are generated based on the name of the user account. The value is set up by MS Exchange automatically.

Property Name: E-mail addresses
Description: Optional: The explicit E-mail addresses for the Exchange mailbox.
Remarks: By default E-mail addresses are generated automatically when the mailbox is created. Overruling of automatically generated addresses only occurs for the E-mail types that are explicitly set. That is, if your Exchange server configuration by default generates both SMTP and X400 addresses, and this property specifies only SMTP addresses, the X400 addresses will still be generated as specified on the Exchange server itself. Specify the E-mail address using the format (E-mail-type):(E-mail-Address). To specify the primary address, the E-mail-type must be in capitals. There must be exactly one primary E-mail address of each E-mail type when used. Example:
   SMTP:J.Smith@tools4ever.com
   smtp:john@tools4ever.com

Property Name: Auto-update E-mail addresses
Description: When this is set to 'Yes', Exchange will automatically generate E-mail addresses according to the Exchange recipient policy for the account.
Typical setting: Yes

Property Name: Hide from address book
Description: When set to 'Yes', the user's mailbox does not show in address books.
Typical setting: No

Property Name: Restrict receiving message size
Description: When set to 'Yes', messages larger than the specified maximum size will not be received.

Property Name: Maximum receiving message size
Description: Specifies the maximum size, in kilobytes, of a message that the user or group can receive.

Property Name: Restrict sending message size
Description: When set to 'Yes', messages larger than the specified maximum size will not be sent.

Property Name: Restrict sending message size
Description: Specifies the maximum size, in kilobytes, of a message that the user or group can send.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Edit Exchange mailbox (2000/2003); Script Action: Delete Exchange mailbox (2000/2003); Help on help

Non Active Directory

Script Action: Create User (no AD)

Function

Create a user account on an NT4 domain or on a local computer. This action is intended to create user accounts on NT4 domains. Alternatively it can be used to create user accounts on local computers. In addition to creating the account itself, it will also configure several attributes of the account, such as the password and the description of the account.

Some attributes of the user account may specify the usage by the account of other resources in the network. These resources themselves will not be created by this action. If these resources need to be created, this can be done by separate actions that follow this action in the User Management Resource Administrator script. An example of such a property is the Home Directory. When specified in this Create User action, the Home Directory attribute of the user account will be set. The directory itself, however, is not created. In order to create the directory itself, the action File system, Create Directory should be performed.

The action may also be used to create user accounts in the default Users container of Active Directory domains. When this action is used to create domain accounts on Active Directory domains, it will correctly create the account in Active Directory, but many of the Active Directory properties will have default values. To create accounts in Active Directory with other than default settings, use the action Script Action: Create User (AD) instead.

Deployment

This action is typically used as the core part of a script designed to create users on NT4 domains or local (non domain controller) computers, in order to create the account itself. In such a script this is usually the first major action invoked. After creating the account, the script usually continues by invoking actions to create home directories, home shares, group memberships, etc.

Properties

Property Name: Domain
Description: The domain in which to create the user domain account.
Typical setting: %Domain%
Remarks: Often the domain name is used in many different actions, and is determined and stored in a variable previous to the action (e.g. %Domain%). Alternatively the domain name can be specified directly here. Use the NETBIOS (NT4-style) domain name and not the DNS name of the domain. This is usually the same as the first part of the DNS domain name.

Property Name: Computer
Description: The computer on which the local user account is created.
Remarks: If specified, the domain property is ignored, and the account created is a local account on the specified computer, and not a domain account.

Property Name: Name generation algorithm
Description: Specifies the name of the algorithm used to generate user names.
Remarks: The main purpose of the Name Generation algorithm is to create unique names that adhere to your company's syntax requirements. A common implementation of the algorithm will take as input the three variables %FirstName%, %MiddleName% and %LastName%, and generate from these the variables %FullName% and %UserName%. Here %FullName% contains the complete name of the user formatted for display purposes, and %UserName% the name formatted for use as NT account. These resulting variables can then be used as input for the other properties of this action. For a thorough discussion, please see Name Generation Algorithms.

Property Name: Username
Description: The name of the user account.
Typical setting: %UserName%
Remarks: A user name cannot be identical to any other user or group name on the computer being administered. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; = , + * < > A user name cannot consist solely of periods (.) or spaces. Typically the name contained in %UserName% is generated by the name generation algorithm.

Property Name: Full name
Description: The full name of the user.
Typical setting: %FullName%
Remarks: Typically the name contained in %FullName% is generated by the name generation algorithm.

Property Name: Password generator
Description: The specification of how to generate passwords for the user account.
Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available. The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable is used as the value for the Password property.

Property Name: Password
Description: The password for the created account.
Typical setting: %Password%
Remarks: Typically the value contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly, for example "test1234". You can also read the password from the input file.

Property Name: Description
Description: A text string that will be shown in the Description field of the user account in Windows. The string can have any length.

Property Name: Home directory
Description: The home directory of the user as specified in the "Home folder" setting of the user account.
Typical setting: \\%HomeServer%\users\%UserName%
Remarks: The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>. Note: this specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action "Create Directory" in the User Management Resource Administrator script after this action. Typically the name contained in %UserName% is generated by the name generation algorithm, and the name contained in \\%HomeServer% is specified previously in the script, or in the import file.

Property Name: Home directory Drive
Description: The drive letter to which the home directory is connected. Specify only the drive letter itself, without colon or backslash.
Remarks: If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path.

Property Name: User profile
Description: The profile path of the user account.
Typical setting: \\%HomeServer%\profiles\%UserName%
Remarks: The value must have the form \\<server name>\<share name>\<rest of path>.

Property Name: Logon script
Description: Full or relative path to the script file that is executed by Windows when the user logs on.
Typical setting: \\%HomeServer%\scripts\%UserName%.bat or %UserName%.bat
Remarks: If a relative path is specified, this is relative to the default Script directory of Windows.

Property Name: User must change password at next logon
Description: Specifies whether the user must change the password at the next logon.
Typical setting: Yes
Remarks: Valid specifications are YES and NO. The default value is NO. When set to YES, the "User cannot change password" property must be set to NO.

Property Name: User cannot change password
Description: Specifies whether the user is not allowed to change the assigned password.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. This setting has no effect on members of the administrators group. When set to YES, the "User must change password at next logon" property must be set to NO.

Property Name: Password never expires
Description: Specifies whether the password will never expire.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. This setting overrides the "Maximum Password Age" setting in the password policy for the domain/computer.

Property Name: No password required
Description: Specifies whether it is allowed to specify an empty Password value for the user account.
Remarks: Valid specifications are YES and NO. The default value is NO. Setting this value to YES allows empty passwords to be specified. For security reasons it is strongly advised to set this property to NO. If not specified, the password is required.

Property Name: Computer account
Description: This is a computer account for a MS Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain. Default value: 'No'.
Typical setting: No
Remarks: Specify Yes if the account represents a computer - workstation account.

Property Name: Account disabled
Description: Specifies whether the account should be created in the disabled state.
Remarks: Valid specifications are YES and NO. The default value is NO.

Property Name: Account expiration
Description: Specifies the date after which the account is expired.
Remarks: If not specified, the account will never expire.

Property Name: Logon hours
Description: The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week.
Remarks: The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters.

Property Name: Workstations
Description: A list of workstation names, separated by ",", on which the user is allowed to log on.
Remarks: If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified. If not specified, such an explicit restriction does not apply.

Property Name: Special user comment
Description: A text string containing additional comments.
Remarks: This property of a user account is not exposed in the User Manager for Domains on an NT 4 machine, or the local accounts snap-in on Windows 2000, XP and 2003 computers, but may be shown for informational purposes in other applications.

Output Properties

When the action is run, the actual values of the properties are determined at run time, and the action is executed using these values. Generally these values are not stored for later usage. However, it may be that the actual value of a specific property is required for a successive action in the User Management Resource Administrator script. To facilitate this need, any property can be explicitly configured to be saved in a variable when the action has been performed. For example, when the password of a user is created with the password generator, the resulting password value may be stored in a variable, so it can be exported to a file by another action in the script. By default the following properties are saved in a variable for usage in other scripts. Properties that are exported are shown with a blue arrow in the properties list.

Property: User name
Description: The name of the user account.
Default variable name: %UserName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Property: Full name
Description: The full name of the user.
Default variable name: %FullName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Property: Password
Description: The password for the created account.
Default variable name: %Password%

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties
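The constraints stated in the Create User (no AD) property remarks can be verified on the resolved values (after variable substitution) before accounts are created. This is an added example, not part of UMRA: the dictionary representation, the function names and the constructed samples are assumptions of this example, and it checks only the format of the Logon hours value, not which hours it allows.

```python
import re

FORBIDDEN = set('"/\\[]:;=,+*<>')     # characters the page lists as not allowed
UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+(\\.*)?$")   # \\server\share[\rest of path]
HEX42_RE = re.compile(r"[0-9A-Fa-f]{42}")

# Constructed samples; keys are the property names used on the page.
GOOD = {
    "Username": "jsmith",
    "Home directory": r"\\FS01\users\jsmith",
    "Home directory Drive": "H",
    "User profile": r"\\FS01\profiles\jsmith",
    "User must change password at next logon": "YES",
    "Logon hours": "F" * 42,
    "Workstations": "WS01, WS02",
}
BAD = {
    "Username": "j.smith+admin-account-2024",           # too long, contains '+'
    "Home directory": r"G:\UserData\jsmith",            # local path with a drive letter set
    "Home directory Drive": "H:",                       # colon not allowed
    "User must change password at next logon": "YES",
    "User cannot change password": "YES",               # conflicts with the line above
    "No password required": "YES",
    "Logon hours": "FFFF",
    "Workstations": ",".join(f"WS{i}" for i in range(1, 10)),   # 9 names
}


def is_yes(props, name):
    """A flag that is not specified counts as NO, the default the page gives."""
    return str(props.get(name, "NO")).strip().upper() == "YES"


def check_username(name):
    problems = []
    if len(name) > 20:
        problems.append("Username: longer than 20 characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("Username: forbidden characters " + " ".join(bad))
    if not name.strip(". "):
        problems.append("Username: empty or only periods/spaces")
    return problems


def check_create_user(props):
    """Return a list of problems for one resolved Create User (no AD) property set."""
    problems = check_username(props.get("Username", ""))

    if is_yes(props, "User must change password at next logon") and is_yes(
        props, "User cannot change password"
    ):
        problems.append("must-change and cannot-change password are both YES")
    if is_yes(props, "No password required"):
        problems.append("No password required: YES allows empty passwords")

    names = [w.strip() for w in props.get("Workstations", "").split(",") if w.strip()]
    if len(names) > 8:
        problems.append(f"Workstations: {len(names)} names given, maximum is 8")

    hours = props.get("Logon hours")
    if hours is not None and not HEX42_RE.fullmatch(hours):
        problems.append("Logon hours: expected exactly 42 hexadecimal characters")

    drive = props.get("Home directory Drive")
    if drive is not None:
        if not re.fullmatch(r"[A-Za-z]", drive):
            problems.append("Home directory Drive: letter only, no colon or backslash")
        if not UNC_RE.match(props.get("Home directory", "")):
            problems.append("Home directory: must be \\\\server\\share\\... when a drive is set")

    profile = props.get("User profile")
    if profile is not None and not UNC_RE.match(profile):
        problems.append("User profile: must have the form \\\\server\\share\\...")
    return problems


if __name__ == "__main__":
    print(check_create_user(GOOD))
    for line in check_create_user(BAD):
        print(line)
```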

User Management Resource Administrator 7.2 Script Action: Edit user (no AD) Function Edit an existing user account. All main properties and attributes of the account, including password, full name, home directory settings etc. can be modified with this action. Deployment This action is typically used as one of the main action to manage existing user accounts. The account can be a: 1. Windows NT 4 domain account 2. Local workstation or member server account 3. Active Directory account. For Active Directory account, you can also use Script Action: Edit user (AD) to edit the account. To execute this action you need to specify the properties that identify the user account: Username and Domain or Computer. To edit a user account on an Active Directory workstation, you need to specify the name of the workstation for the Computer property. By default, all properties that effect the user account are not specified, e.g. nothing is changed for the user account. By specifying one or more properties, changes are made. Properties Property Name Description Typical setting Remarks Domain The name of the domain of the user account. The domain can be specified using with a DNS or NETBIOS name. If the 'Computer' property is specified, this property is ignored. To specify the user account, specify properties Username and Domain or Computer. Computer The name of the computer that maintains the user account. This computer can be specified with a DNS or NETBIOS name. The computer can be a domain controller of a Windows NT4/2000/2003 domain, a member server of a domain or a workstation. If this property is specified, the 'Domain' property is ignored. To specify the user account, specify properties Username and Domain or Computer. Username The name of the user account. The name equals the SAM account name of the user account. To specify the user account, specify properties Username and Domain or Computer. Full name The full name of the user account. 
When specified, the current name of the user account is changed into the name specified. Password generator A password can be generated automatically. The 'Password generator' specifies how the password is generated, e.g. password length, password complexity requirements, password output variable etc. When this property is specified the password is generated automatically. The password output variable (default: %Password%) should correspond with the variable generated by the password generator. Password The password of the user account. Description A description associated with the user account. The field can contain a text of any length. Home The path of the home directory of the user 76

Reference directory Home directory drive User profile Logon script User must change password at next logon User cannot change password Password never expires No password required Account disabled Account expiration account. Note that this specification does not create the home directory. Instead, it specifies the home directory in the SAM user account database. You can create the home directory, by adding the action 'Create Directory' to the script. The drive letter assigned to the user's home directory for logon purposes. A path to the user's profile. Note that this specification does not create the profile directory. Instead, it specifies the profile's path in the SAM user account database. The path for the user's logon script file. The script file can be a.cmd file, an.exe file, or a.bat file. The password is expired. Use this property to force the user to change the password at the next logon. Note that the user can logon using the current password. The user cannot change password. When the user cannot change the password, only the administrator can change the password. The password should never expire on the account. No password is required for the user account. The user's account is disabled. If an user account is disabled, the account does exist but cannot be used to logon to the network. The time and date when the account expires. The value can be 'Never' or a time and date. Logon hours The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. Workstations Optional: the names of the workstations from which the user can log on (8 maximum), separated by commas. Special user comment A user comment. The field can contain a text of any length. The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters. 
Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
  Script Action: Create User (no AD)
  Script Action: Edit user (AD)

Script Action: Edit user logon

Function
Edit the logon settings of an existing user account. The account is identified by a variable containing the User Object. Use the action Get user (AD) to find the user first. For the user account, all regular attributes can be changed and/or reset.

Deployment
This action is typically used as one of the main actions to manage existing user accounts in Active Directory. You can use this action for a single change, for instance resetting the password of an account, or for multiple changes like home directory, profile directory and Active Directory attributes. To change the common name (full name) of a user account, you cannot use this action. Use the action Script Action: Move - rename user (AD) instead to do this.

For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

The Edit user action contains a large number of properties. As described above, the User Object property is used to identify the user account. Further, all the properties are initially not specified. This means that the corresponding Active Directory attributes of the user account are not changed when the action is executed. So only when a property is specified, the attribute is updated in Active Directory.

Properties

User Object
  Description: A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
  Typical setting: %UserObject%
  Remarks: See Deployment section.

Username
  Description: The SAM account name of the user for which you want to edit the logon settings.
  Remarks: You should only use this option when you are not using the %UserObject% variable. Instead of the %UserObject% variable a user account can also be identified by the username and the domain name or the domain controller.

Domain
  Description: The domain in which the user account, for which you want to edit the logon settings, is located.
  Remarks: You should only use this option when you want to identify the user account by username and domain name.

Domain controller
  Description: The domain controller of the domain in which the user account, for which you want to edit the logon settings, is located.
  Remarks: You should only use this option when you want to identify the user account by username and domain controller.

Password generator
  Description: The specification how to generate passwords for the user account.
  Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available. The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable must be specified as the value for the Password property.

Password
  Description: The password of the user account.
  Remarks: Typically the name contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly. For example "test1234". You can also read the password from the input file.

User must change password at next logon
  Description: The password is expired. Use this property to force the user to change the password at the next logon. Note that the user can log on using the current password.
  Remarks: When set to Yes the User cannot change password property must be set to No. Valid specifications are Yes and No.

User cannot change password
  Description: The user cannot change password. When the user cannot change the password, only the administrator can change the password.
  Remarks: This setting has no effect on members of the administrators group. When set to Yes, the User must change password at next logon property must be set to No. Valid specifications are Yes and No. The default value is No.

Password never expires
  Description: The password should never expire on the account.
  Remarks: This setting overrides the Maximum Password Age setting in the password policy for the domain/computer. Valid specifications are Yes and No. The default value is No.

Account disabled
  Description: The user's account is disabled. If a user account is disabled, the account does exist but cannot be used to log on to the network.

Unlock the account
  Description: Unlock a user account. When an account is locked it is temporarily impossible to log on to the network. An account gets locked when an incorrect password is specified.
  Remarks: When set to Yes a locked account will be unlocked. This property can only be used when an account is locked.

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
  Script Action: Move - rename user (AD)

Script Action: Delete user (no AD)

Function
Delete a user account from an NT4 domain or local computer.

Deployment
This action is typically used as core part of a script designed to delete user accounts. With this action you can delete user accounts from NT4 domains, member servers and workstations and local computers. You can also delete user accounts from Active Directory domains running Windows 2003/2000, but for Active Directory it is recommended to use Script Action: Delete user (AD) instead. The user account that must be deleted is specified by the name of the user account and the domain or computer.

Properties

Domain
  Description: The name of the domain from which the account is deleted. The domain can be specified using a DNS or NETBIOS name. If the 'Computer' property is specified, this property is ignored.

Computer
  Description: The name of the computer from which the account is deleted. This computer can be specified with a DNS or NETBIOS name. The computer can be a domain controller of a Windows NT4/2000/2003 domain, a member server of a domain or a workstation. If this property is specified, the 'Domain' property is ignored.

Username
  Description: The name of the user account that must be deleted.
  Remarks: The name is the SAM account name.

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
  Script Action: Delete user (AD)

Script Action: Set User Global Group Memberships

Function
Make an Active Directory or NT4 user account member of a global group. The global group can be a global group from an Active Directory or an NT4 domain. In both cases the group is identified by its NT4-style (NETBIOS) name. The user and the groups must all be in the same domain. The groups may be either security groups or distribution groups. To specify groups using variables, see Data specification - Text list.

Deployment
This action is typically used in a script that is intended to create new users in Active Directory or NT4 domains, after creation of the actual user account with Script Action: Create User (AD) or Script Action: Create User (no AD). This action is then used to make the users member of a global group.

Properties

Domain
  Description: The NT4 style (NETBIOS) name of the domain that contains the global groups.
  Typical setting: %Domain%
  Remarks: If a DNS-style domain is given, this is converted to an NT4-style domain name by truncating at the first "." encountered in the name.

Domain controller
  Description: Optional: the NT4 style (NETBIOS) name of the domain controller of the domain that contains the groups.
  Remarks: If a value for the domain controller is specified, the value entered in the domain property is not used.

Username
  Description: The NT4 or Pre-Windows 2000 user logon name of the user that must be added to the groups.
  Remarks: The logon name must exist on the domain or domain controller specified in order for the action to succeed. Any domain names and/or backslashes that are specified in this field are automatically stripped from the user name before setting this property.

Global groups
  Description: A list of global group names of which the user is to be made a member. Multiple names can be specified by using a comma "," as separator.
  Remarks: The groups must exist on the domain or domain controller specified in order for the action to succeed. Any domain names and/or backslashes that are specified in this field are automatically stripped from the user name before setting this property. For more information on the specification of groups using variables, see Data specification - Text list.

Remove from other global groups
  Description: Indicates whether or not the user must be removed from all other global groups.
  Typical setting: No

Error if already member
  Description: When set, no error is generated when the user account is already a member of the global group. Default value: 'No'.
  Typical setting: No

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
  Data specification - Text list
  Script Action: Map variable

Script Action: Add account to local group

Function
Add an existing user or global group account to a local group of a domain, server or workstation.

Deployment
This action is typically used in a script that manages user accounts and local group memberships. The action can be used in Active Directory, Windows NT domains or a workgroup environment. The account is an existing user or global group account. In case the user account is created in the same script, or the user is searched for in Active Directory, the security identifier (SID) of the user account can be used to specify the new local group member. The target local group is one of the following:

1. Active Directory domain local group. In this case you can also use Script Action: Set User Group Memberships (AD) to add the account to the local group.
2. Windows NT4 domain local group. The group is a local group of the domain, maintained on the primary and backup domain controllers of the Windows NT4 domain.
3. Member server local group. The server is not a domain controller and either a member server of an Active Directory domain, Windows NT4 domain or a workgroup.
4. Workstation local group. The workstation is either a member server of an Active Directory domain, Windows NT4 domain or a workgroup.

Depending on the type of local group, you must specify the Local group name and the Domain or Computer property to identify the local group to which the new member is added.

The new member is specified by either the name (property: Member (name)) or security identifier (SID) (property: Member (SID)) of the member. If the new member is a domain user account that is just created in the same script, and multiple domain controllers exist, it is strongly recommended to use the security identifier to specify the new member. The Create user script action by default generates a variable (%UserSid%) that holds the security identifier for the new user account. This variable can be used to specify the property: Member (SID) = %UserSid%. The reason behind this mechanism is the fact that internally, the network operating system will try to resolve a specified account name to find the security identifier when the account is added to the local group. This operation might fail in case different domain controllers are used to create the account and to find the security identifier.

Properties

Computer
  Description: The name of the computer that contains the local group. The computer can be a workstation, domain member server, domain controller or workgroup member. The name must be specified as a NETBIOS or DNS name. If this property is specified, the property 'Domain' is ignored.
  Remarks: When specified, the Domain property is ignored.

Domain
  Description: The name of the domain that contains the local group. The domain must be specified as a NETBIOS or DNS name. If the group is not a domain local group, this property must not be specified.
  Remarks: Only used if the Computer property is not specified.

Local group name
  Description: The name of the local group. The name must be specified as a single text field, for instance 'Administrators'. Preceding domain and computer names and (back)slashes are removed.
  Remarks: Mandatory property. Name of the local group to which the new member is added.

Member (SID)
  Description: The new group member, specified as a (variable holding a) security identifier (SID). When the SID of the new member is available, it is recommended to use this property to specify the new member. If this property is specified, the property 'Member (name)' is ignored.
  Remarks: When specified, the Member (name) property is not used. See Deployment section for more information.

Member (name)
  Description: The new group member specified by the name of the new member. When the SID of the new member is available, it is recommended to use property 'Member (SID)' instead. When the SID is not available, you should use this property. The group member can be a user account or global group. The name must be specified using syntax 'DOMAIN\MEMBER' or 'MEMBER'.
  Remarks: Only used when the Member (SID) property is not used. See Deployment section for more information.

Error if already member
  Description: When set, no error is generated when the account is already a member of the local group. Default value: 'No'.
  Typical setting: No

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
  Script Action: Set User Group Memberships (AD)

Script Action: Remove group member

Function
Removes the group member from a specific group.

Deployment
This action is typically used in a script that is intended to manage existing user accounts. With this action you can remove a group member from a specific group.

Properties

Group domain name
  Description: The domain name of the group from which the member must be removed. To identify the group, specify a value for either the property "Group name" or "Group computer name".
  Typical setting: NA

Group computer name
  Description: The computer name of the group from which the member must be removed (e.g. SERVER_A). The name of the computer can be a local computer, server or domain controller. To identify the group, specify a value for either the property "Group name" or "Group domain name".
  Typical setting: NA

Group name
  Description: The name of the group as specified by the SAM account name (e.g. "Students"). To identify the group, specify a value for either the property "Group domain name" or "Group computer name".
  Typical setting: NA

Member name
  Description: The name of the group member that must be removed. For global groups, please specify the SAM account name of the member. For local groups, you need to include the domain name (e.g. STUDENTS\Group_A).
  Typical setting: NA

Global group flag
  Description: A flag which indicates if the group is a global group (="Yes"), a domain group (="No"), or a computer local group (="No"). The default value is "Yes".
  Typical setting: Yes

General user actions

Script action: Terminal Services user settings

Function
Set the Terminal Services settings for a new or existing user account. The account either exists in an Active Directory or NT4 domain.

Deployment
This action is typically used in a script that is intended to:

1. create new users in Active Directory or NT4 domains and to set up the Terminal Services settings for each individual account, or
2. set up the Terminal Services for a number of existing user accounts.

For new user accounts, the action that creates the user account should precede this action. For new user accounts in Active Directory, it is strongly recommended to create the user account using server binding, e.g. specify the domain controller both in this action and the action that creates the user account in Active Directory.

Properties

User account
  Description: The name of the user account for which the Terminal Services settings must be applied. The user account must be specified using the first part of the user logon name (j.smith@tools4ever.com -> j.smith) in Active Directory or the SAM account name (username) in Windows NT4 networks.
  Typical setting: %Username%

Domain Controller
  Description: The name of the domain controller that maintains the user account (DNS or NETBIOS style, e.g. server_1.tools4ever.com or SERVER_1). In case the user account is just created and multiple domain controllers exist, this property should equal the domain controller used to create the account. If this value is specified, the 'Domain' property is ignored.
  Typical setting: %DomainController%
  Remarks: If the Domain Controller property is specified and the user account is created in Active Directory in the same script, you must specify the same domain controller in the action that creates the user account in Active Directory.

Domain
  Description: The name of the domain (DNS or NETBIOS style, e.g. tools4ever.com or TOOLS4EVER) of the user account. If this property is specified and the 'Domain Controller' property is not specified, User Management Resource Administrator searches for an arbitrary domain controller of the domain. In case the user account is just created and multiple domain controllers exist, this domain controller might not recognize the user as an existing user account. In this case it is advised to specify the property 'Domain Controller' instead.
  Remarks: This property is ignored if a value is specified for the property 'Domain Controller'.

Profile path
  Description: The Terminal Services Profile path. The profile is a roaming or mandatory user profile for use when the user logs on to a Terminal server. To enable a roaming or mandatory profile, type the network path in this form: \\server name\profiles folder name\user name. To assign a mandatory user profile, type the network path in this form: \\server name\profiles folder name\user profile name. The Terminal Services profile path is used for logging on to Terminal servers only. If you specify a profile path for logging on to Windows 2000, the path is also used for logging on to Terminal servers unless you specify a Terminal Services profile path here.

Home directory
  Description: The Terminal Services home directory. Each user on a Terminal server should have a unique home directory. This ensures that application information is stored separately for each user in the multiuser environment. You can specify a directory on the local server (example: C:\Users\%Username% -> C:\Users\johnw) or a shared network directory (\\Server_A\Users\%Username% -> \\Server_A\Users\johnw). In the latter case, you also need to specify a value for the 'Home directory drive' property.

Home directory drive
  Description: The Terminal Services home directory drive. Specify the drive letter (example: J:) mapped to the shared network directory specified for property 'Home directory'. In case you specify a local home directory, you should not specify this property.

Allow logon to terminal server
  Description: Specifies whether the user is permitted to log on to the Terminal server.

End disconnected session (seconds)
  Description: Sets the maximum time that a disconnected session remains active on the server. If you specify this property, a disconnected session is reset after the time in seconds elapses. The value is specified in seconds. Do not specify this property if you don't want to reset a disconnected session on the server.

Active session limit (seconds)
  Description: Sets the maximum duration for sessions in seconds. If you specify a duration, the session is disconnected or reset after the time elapses. Do not specify this property (or specify a value of 0 (zero)) to allow the connection to continue for an unlimited period.

Idle session limit (seconds)
  Description: Sets the maximum idle time in seconds allowed before the session is disconnected or reset. If you specify a duration, the session is disconnected or reset after there has been no client activity for that period of time. Do not specify this property (or specify a value of 0 (zero)) to allow clients to remain idle indefinitely.

Disconnect on connection broken - timeout
  Description: Disconnect the client when the connection to the server is broken for any reason, including a request, a connection error, or a session limit is reached. The client can reconnect to the session if needed. If you specify no, the session is reset. A reset session cannot be reconnected.

Allow reconnection from any client
  Description: Specifies that Terminal Services allows reconnection to a disconnected session from any computer. This is the default setting. If you select 'No' a reconnection to a disconnected session is restricted to the computer that started the session. This option is supported only for Citrix ICA-based clients that provide a serial number when connecting.

Typical settings given in this part of the table: Yes, Yes, Yes

User can specify initial program
  Description: Specifies whether the user can start any program. If you specify 'No' the program specified at property 'Logon program' runs automatically when the user logs onto a remote computer. Terminal server logs the user off when the user exits that program.
  Typical setting: Yes

Logon program
  Description: The path and file name of the application that you want to start when the user logs on to the Terminal server.

Logon program working directory
  Description: The working directory path for the application that you want to start when the user logs on to the Terminal server.

Connect client drives at logon
  Description: This option is for ICA clients only. Specifies whether to automatically reconnect to mapped client drives.

Connect client printers at logon
  Description: Specifies whether to automatically reconnect to mapped client printers.

Default to main client printer
  Description: Specifies whether to automatically print to the client's default printer.

Remote control
  Description: Specify the level to control or observe a user's session. If you do not specify a value for this property, the remote control function is disabled.

Callback enabled
  Description: Set this property to 'Yes' if you want to enable the Terminal Server callback function. By default (or when you specify 'No'), this function is disabled.

Fixed callback phone number
  Description: Set this property to 'Yes' if you want the Terminal Server to call back at a default fixed phone number. You need to specify the number for property 'Callback phone number'.

Callback phone number
  Description: Specify the callback phone number. If you set this value, you should also set the value of properties 'Callback enabled' and 'Fixed callback phone number' to 'Yes'.

Typical settings given in this part of the table: Yes, Yes, Yes

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties

Script Action: Dial-in user settings

Function
Set the dial-in setting for an Active Directory user account. This function is used for remote access permissions to be explicitly allowed, denied, or determined through remote access policies.

Deployment
This action is typically used in a script that is intended to create new user accounts or manage existing user accounts. The user account for which the dial-in setting should be set is identified by two properties (User account and Domain Controller). To execute this action successfully, these two properties must have a valid value. Different settings can be applied to increase the security. Dial-in options should always be set as secure as possible.

Properties

User account
  Description: The name of the user account for which the Dial-in settings must be applied. The user account must be specified using the first part of the user logon name (j.smith@tools4ever.com -> j.smith) in Active Directory or the SAM account name (username) in Windows NT4 networks.
  Typical setting: %UserName%

Domain Controller
  Description: The name of the domain controller that maintains the user account (DNS or NETBIOS style, e.g. server_1.tools4ever.com or SERVER_1). In case the user account is just created and multiple domain controllers exist, this property should equal the domain controller used to create the account.
  Typical setting: %DomainController%

Allow access
  Description: Specifies whether dial-up, virtual private network (VPN), authentication switch, or wireless access is allowed for the user.
  Typical setting: Yes
  Remarks: This option should be cleared when you want to use the 'Use Remote Access Policy' option.

Use Remote Access Policy
  Description: Specifies whether a remote access policy is used for setting dial-up, virtual private network (VPN), authentication switch, or wireless access properties for the user.
  Remarks: When set to 'Yes', the 'Allow access' option should not be set.

No Callback
  Description: If this property is enabled (default), the RAS server doesn't call the caller back during the connection process.
  Typical setting: Yes
  Remarks: Only one of the three callback options (No Callback, Callback - Set by Caller, Callback - Always Callback preset phone number) should be set to Yes.

Callback - Set by Caller
  Description: Specifies whether a user can set the callback number.
  Typical setting: No
  Remarks: Only one of the three callback options (No Callback, Callback - Set by Caller, Callback - Always Callback preset phone number) should be set to Yes.

Callback - Always Callback preset phone number
  Description: Specifies whether a preset phone number is used for the callback function.
  Typical setting: No
  Remarks: Only one of the three callback options (No Callback, Callback - Set by Caller, Callback - Always Callback preset phone number) should be set to Yes. When set to 'Yes' a Callback phone number should be set.

Callback phone number
  Description: Specifies the number the server should call back to.
  Remarks: This option should only be used when the 'Callback - Always Callback preset phone number' option is set to Yes.

Related topics
  Help on help
  Principle of operation
  Project operations - Manage script action properties
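Added example (not part of the UMRA guide): a pre-flight check that applies the rules stated in the 'Edit user logon' and 'Dial-in user settings' property tables to a set of property values before a script is run. The property names come from those tables; holding them in a Python dict is an assumption made for illustration, since the guide does not show how UMRA stores a project, and the sample values are constructed.

```python
"""Check UMRA-style property sets against the rules in the tables (added example)."""
import re

VARIABLE = re.compile(r"^%\w+%$")            # a variable reference such as %Password%
CALLBACK_OPTIONS = (
    "No Callback",
    "Callback - Set by Caller",
    "Callback - Always Callback preset phone number",
)


def is_yes(props, name):
    """True when the property is present and set to Yes (case-insensitive)."""
    return str(props.get(name, "")).strip().lower() == "yes"


def check_edit_user_logon(props):
    """Return (severity, message) findings for 'Edit user logon' properties."""
    findings = []
    if is_yes(props, "User must change password at next logon") and is_yes(
        props, "User cannot change password"
    ):
        findings.append(("error", "'User must change password at next logon' and "
                                  "'User cannot change password' are both Yes"))
    password = str(props.get("Password", "")).strip()
    if password and not VARIABLE.match(password):
        findings.append(("warn", "literal Password value: every account the "
                                 "script processes receives the same password"))
    if is_yes(props, "Password never expires"):
        findings.append(("warn", "'Password never expires' overrides the "
                                 "Maximum Password Age policy"))
    return findings


def check_dial_in(props):
    """Return (severity, message) findings for 'Dial-in user settings' properties."""
    findings = []
    if is_yes(props, "Allow access") and is_yes(props, "Use Remote Access Policy"):
        findings.append(("error", "'Allow access' must be cleared when "
                                  "'Use Remote Access Policy' is Yes"))
    chosen = [name for name in CALLBACK_OPTIONS if is_yes(props, name)]
    if len(chosen) > 1:
        findings.append(("error", "more than one callback option is Yes: "
                                  + ", ".join(chosen)))
    preset = is_yes(props, CALLBACK_OPTIONS[2])
    number = str(props.get("Callback phone number", "")).strip()
    if preset and not number:
        findings.append(("error", "preset callback is Yes but no "
                                  "'Callback phone number' is set"))
    if number and not preset:
        findings.append(("error", "'Callback phone number' is set but preset "
                                  "callback is not Yes"))
    return findings


# Constructed property sets for illustration.
BAD_LOGON = {
    "User must change password at next logon": "Yes",
    "User cannot change password": "Yes",
    "Password": "test1234",
    "Password never expires": "Yes",
}
GOOD_LOGON = {
    "User must change password at next logon": "Yes",
    "User cannot change password": "No",
    "Password": "%Password%",
}
BAD_DIAL_IN = {
    "Allow access": "Yes",
    "Use Remote Access Policy": "Yes",
    "No Callback": "Yes",
    "Callback - Always Callback preset phone number": "Yes",
}
GOOD_DIAL_IN = {"Use Remote Access Policy": "Yes", "No Callback": "Yes"}

if __name__ == "__main__":
    for severity, message in check_edit_user_logon(BAD_LOGON) + check_dial_in(BAD_DIAL_IN):
        print(f"{severity}: {message}")
```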

Active Directory

Script action: Create object (AD)

Function
Creates an AD object.

Deployment
This action is typically used for creating non-user objects in the AD (e.g. an OU).

Properties

Domain
  Description: The name of the domain where the object will be created.
  Remarks: If you specify a value for this property, please do not specify a value for property LDAP container since this specification takes precedence.

Organizational Unit-Container
  Description: The name of the Organizational Unit-container where the object must be created.
  Remarks: If you specify a value for this property, you should also specify a value for the Domain property. In that case, do not specify a value for the property LDAP container since this specification takes precedence.

LDAP container
  Description: The LDAP name of the OU or container where the object must be created.
  Remarks: You must specify a value either for this property or values for the properties Domain and Organizational Unit-Container. If values for both methods are specified, this method takes precedence.

Domain (controller)
  Description: The name of the domain controller or domain, used to access the domain, container or OU where the object must be created.
  Remarks: Optional. If this value is not specified or if the name of a domain is specified, the application creates the account on a domain controller that is to be determined by ActiveDirectory (serverless binding). If a domain controller is specified, the account is explicitly created on the specified controller (server binding). In both cases ActiveDirectory will replicate the account information to all domain controllers in the ActiveDirectory forests and domains.

Class name
  Description: The object type to be created. Specify as the LDAP class name.

Common Name
  Description: The CommonName corresponds with the Common Name of the object. This name defines the contact in an OU and must be unique. You can use the Name generation algorithm to make the name automatically unique.

Active Directory Object
  Description: An internal data structure representing the object. This property is an "output only" property and is generated automatically. This property cannot be used in other script actions.

Script Action: Get attribute (AD)

Function
Get the value of an attribute of an Active Directory user account or other object. The attribute is specified by the LDAP display name of the attribute. For the most common properties, the LDAP name can be selected from a list.

Deployment
This action is typically used in a script that is intended to manage existing user accounts or other Active Directory objects. Once the attribute is found for the object, the attribute value is saved in a variable that can be used by subsequent actions of the script. The action supports multi-value attributes: when an attribute has multiple values, the values can be stored as multi-values or converted to a single value.

The attribute can be obtained from any Active Directory object. In most scripts, the Active Directory object is a user account. The Active Directory object must be specified as a variable. This variable is used for property User Object or property Active Directory Object. The script action Get user (AD) can be used to set the value for the variable used for property User Object. For property Active Directory Object the action Script Action: Get object (AD) can be used. Only one of the properties User Object and Active Directory Object must be used.

Properties

Property: User Object
  Description: A data structure representing a user account. If you want to obtain the property of a user account object, you can use this property to specify the Active Directory object for this action. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
  Typical setting: %UserObject%
  Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get user (AD).

Property: Active Directory Object
  Description: A data structure representing an Active Directory object for which an attribute must be obtained. This property can only be used as an input variable. Earlier in the script, another script action must have generated the value for this variable.

Property: Multi-value flag
  Description: Save multi-values as multi-values for the attribute. If set to 'Yes' and the attribute is multi-valued, the values are stored as multi-values. If set to 'No' and the attribute is multi-valued, the values are converted into a single value. Default value: 'Yes'.
  Typical setting: Yes
  Remarks: If set to 'Yes' (default), multi-values are stored as multi-values.

Property: LDAP attribute display name
  Description: The LDAP name of the attribute. The name identifies the attribute of the Active Directory object. For a number of well-known attributes, the LDAP name can be selected from a list but you can specify any other valid name.
  Remarks: An LDAP attribute has several names. In the Windows 2003/2000 schema, for instance, the common name and the LDAP-Display-Name are used (example: for the NT-style name of a user, the common name is 'SAM-Account-Name' and the LDAP display name is samaccountname). Note that these names are case sensitive.

Property: Error if no attribute found
  Description: Generate an error for this script action if the specified attribute is not found.
  Typical setting: Yes

Property: Error if empty
  Description: Generate an error for this script action if the attribute is found but the attribute value is empty.
  Typical setting: Yes

Property: Attribute value
  Description: The value found for the attribute. This property is an 'output only' property and is generated by the application automatically. By default, the value for this property is stored in variable %AttributeValue%.
  Remarks: In most cases, you must specify an output variable for this property. Otherwise, the value of the attribute cannot be used in other script actions.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Set user attribute (AD); Help on help

Script Action: Set attribute (AD)

Function
Set the value of an attribute of an Active Directory object. You can select an Active Directory user account by the %UserObject% variable (use Script Action: Get user (AD) to obtain the variable) or any other Active Directory object by the %ActiveDirectoryObject% variable (use Script Action: Get object (AD) to obtain the variable). The attribute is specified by the LDAP display name of the attribute. For the most common properties, the LDAP name can be selected from a list. There are several options to specify which changes are made. You can for example skip or overwrite an attribute when the attribute value is already present.

Deployment
This action is typically used in a script that is intended to manage existing objects and update a particular Active Directory attribute.

Properties

Property: User Object
  Description: A data structure representing a user account. If you want to set the property of a user account object, you can use this property to specify the Active Directory object for this action. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.
  Typical setting: %UserObject%
  Remarks: The User Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get user (AD).

Property: Active Directory Object
  Description: A data structure representing an Active Directory Object. If you want to set the property of an Active Directory Object, you can use this property to specify the Active Directory object for this action. Use the action 'Get object (AD)' to find the object in Active Directory and set up the variable that contains the 'Object'.
  Typical setting: %ActiveDirectoryObject%
  Remarks: The Active Directory Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get object (AD).

Property: Active Directory object LDAP name
  Description: The full LDAP name of the target Active Directory object. This object can be any object in Active Directory.

Property: LDAP attribute display name
  Description: The LDAP name of the attribute. The name identifies the attribute of the Active Directory object. For a number of well-known attributes, the LDAP name can be selected from a list but you can specify any other valid name.
  Remarks: An LDAP attribute has several names. In the Windows 2003/2000 schema, for instance, the common name and the LDAP-Display-Name are used (example: for the NT-style name of a user, the common name is 'SAM-Account-Name' and the LDAP display name is samaccountname). Note that these names are case sensitive.

Property: Attribute value
  Description: The value of the attribute. The value must be specified as a text value. When the attribute value is multi-value, the multi-value flag should be set to 'Yes'.

Property: Skip if new value empty
  Description: Default value: 'No'. Specify 'Yes' to ignore this action if the new attribute value is empty. In this case, the attribute is not changed. If this property is not specified or set to 'No', the target attribute is always updated.
  Remarks: The new attribute value is empty when the text value contains no characters. If the value contains a single blank character, it is considered not empty.

Property: Multi-value flag
  Description: Default value: 'No'. This value must be set to 'Yes' when multi-value attributes should be set.

Property: Append versus update multi-value flag
  Description: Default value: 'No'. When set to 'Yes' the current values will stay the same. When set to 'No' the current values will be replaced with the specified values.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Get user attribute (AD); Help on help

Script Action: Set group membership (AD)

Function
Make an Active Directory object a member of specified Active Directory universal, domain global or domain local groups. An update of the group membership will take place. The group membership will be added to the 'Member Of' list of the Active Directory object.

Deployment
This action is typically used in a script that is intended to manage existing objects in Active Directory. This action can be used to set group memberships for every object in your Active Directory. In this action the Active Directory Object is identified by a property value. You should either provide a data structure provided by another action (Property: Active Directory Object) or provide the object distinguished name (Property: Active Directory name). When you want to add the object to multiple groups, the group names must be obtained from a multi-text variable (see Script Action: Manage multi-text value variable).

Properties

Property: Active Directory Object
  Description: An Active Directory object for which the group memberships are updated.
  Typical setting: %ActiveDirectoryObject%
  Remarks: The value of this variable should be obtained from another action. This value can be obtained from script actions: Create user (AD), Create contact (AD), Get User (AD) or Get object (AD). You should make sure the export variable of these actions is the same as the import variable of the property (default: %ActiveDirectoryObject%).

Property: Active Directory name
  Description: The object distinguished name of the Active Directory object.
  Remarks: You should use either the Active Directory Object (%ActiveDirectoryObject%) to identify the object or the Active Directory name. The Active Directory name should be specified by the object distinguished name. Example: cn=Group1,ou=OrgUnit,dc=tools4ever,dc=com

Property: Group names (variable)
  Description: The names of the groups of which the object becomes a member. The group names should be specified by their full LDAP name.
  Remarks: You should use a multi-text variable to set this property (see Script Action: Manage multi-text value variable). The group memberships are updated, not reset. The specified object will remain a member of earlier specified groups.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties; Script Action: Get object (AD)

Script Action: Remove specific group memberships (AD)

Function
Remove a specific group membership of an Active Directory user account. Unlike the script action Script Action: Remove user group memberships (AD) it does not remove ALL user groups, but only a specific one.

Deployment
This action is typically used in a script that is intended to manage existing user accounts. With this action you can delete the user account from a specific group of which the account is a member. More specifically, you would be using this function if a user moves from department A to B, in which case you will need to remove specific group memberships and add new ones.

Properties

Property: Group name (LDAP)
  Description: The full LDAP name of the group from which the membership must be updated. To specify the group, enter a value for either the property "Group name (LDAP)", "Group name (SAM account name)" or "Group object".
  Typical setting: NA
  Remarks: Unique within OU

Property: Group name (SAM account name)
  Description: The group name specified using the SAM account name (e.g. DOMAIN_A\Group_C). To specify the group, enter a value for either the property "Group name (LDAP)", "Group name (SAM account name)" or "Group object".
  Typical setting: NA
  Remarks: Unique within domain

Property: Group object
  Description: A data structure representing the group. To specify the group, enter a value for either the property "Group name (LDAP)", "Group name (SAM account name)" or "Group object".
  Typical setting: NA
  Remarks: This value can only be generated as a variable resulting from a previous script action.

Property: Account name
  Description: The LDAP name of the account from which the group membership must be removed (e.g. LDAP://DC_B/CN=Student,DC=Domain,DC=com).
  Typical setting: NA

Property: Account object
  Description: A data structure representing the account from which the group membership must be removed. To specify the group member, enter a value for either the property "Account Name" or "Account object".
  Typical setting: NA
  Remarks: This value can only be generated as a variable resulting from a previous script action.

Script Action: Create group (AD)

Function
Create a group in Active Directory. Using this action you can create Local groups, Global groups or Universal groups. The groups can be Security groups or Distribution groups. The groups can be placed in any container you specify. A description can be added to easily identify the group.

Deployment
This action is typically used for creating multiple groups. When building your Active Directory from the ground up, one of the first things you should do is create the groups of which the other Active Directory objects will be members. Groups can be used to easily allow or deny users access to parts of the network.

Properties

Property: Domain
  Description: The domain in which to create the group.
  Typical setting: %Domain%
  Remarks: Often the domain name is used in many different actions, and is determined and stored in a variable previous to the action (e.g. %Domain%). The name of the domain can be either in DNS or NETBIOS style (e.g. Tools4ever.com or TOOLS4EVER). For more information on how to specify the domain/OU/container in which the group is created, see the Remarks section below.

Property: Organizational Unit-Container
  Description: The name of the Active Directory Organizational Unit or other container in which to create the group.
  Typical setting: Users
  Remarks: Specify the path of the organizational unit (OU) or container relative to the domain. To specify OU's in OU's, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/OU/container in which the group is created, see the Remarks section below.

Property: LDAP container
  Description: Optional: The LDAP name of the container in which to create the group.
  Remarks: Optionally specifies the name of the Active Directory container in which the group is created directly by means of its LDAP name (Example: CN=users, DC=tools4ever,DC=com. Example: OU=Group1, OU=Students, DC=tools4ever, DC=com). This specification can be used instead of the Domain and Organizational Unit-Container properties of this action. If specified, the specified LDAP container takes precedence, and the Domain and Organizational Unit-Container properties are ignored. For more information on how to specify the domain/OU/container in which the group is created, see the Remarks section below.

Property: Domain (controller)
  Description: Optional: The name of the domain controller or domain used to access the domain.
  Remarks: If this value is not specified, the application creates the account on a domain controller that is determined by Active Directory (serverless binding). If a domain controller is specified, the account is explicitly created on the specified controller (server binding). In both cases, Active Directory itself will replicate the account information to all domain controllers in the forest automatically as required. Depending on the actual User Management Resource Administrator script used, it may be necessary to specify a domain controller here. If a subsequent script action does an Active Directory query to obtain information of the newly created group, this query may occur before Active Directory has replicated the new information to other domain controllers. As a consequence, the query may fail to find the newly created group. When both actions however specify the same domain controller, the newly created group can be found. Often a requery of Active Directory by subsequent actions for the newly created group can be prevented by using the Group Object that is created by this action in subsequent actions, instead of the name of the group.

Property: CommonName
  Description: The CommonName is the name of the group. This name is most commonly used in user interfaces.
  Typical setting: %GroupName%
  Remarks: In this action the CommonName and SAM-Account-Name will be the same by default. To change this, you should create another variable for one of the settings.

Property: SAM-Account-Name
  Description: The group name (pre-Windows 2000) without the (NETBIOS) domain name.
  Typical setting: %GroupName%
  Remarks: This name is required, also in domains that use solely Active Directory domain controllers. A SAM-Account-Name cannot be identical to any other user or group name on the domain being administered. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; = , + * < >. A SAM-Account-Name cannot consist solely of periods (.) or spaces.

Property: Description
  Description: A text string that will be shown in the Description field of the group in Windows. The string can have any length.

Property: Local group
  Description: When set to 'Yes' the created group will be a (domain) local group.
  Typical setting: No
  Remarks: One of the three groups (local, global and universal) must be set to 'Yes'.

Property: Global group
  Description: When set to 'Yes' the created group will be a global group.
  Typical setting: No
  Remarks: One of the three groups (local, global and universal) must be set to 'Yes'.

Property: Universal group
  Description: When set to 'Yes' the created group will be a universal group.
  Typical setting: No
  Remarks: One of the three groups (local, global and universal) must be set to 'Yes'.

Property: Security group
  Description: When set to 'Yes' the created group will be a security group. When set to 'No' a distribution group will be created.
  Typical setting: No

Property: No error if group already exists
  Description: When set to 'Yes' no error will be generated.
  Typical setting: No
  Remarks: Warning: when set to 'Yes' some errors are ignored and scripts may not be completed correctly.

Property: Group Object
  Description: An internal data structure representing the group. This property will only give an output. This output can be used in other script actions.
  Remarks: This script action has an output variable (default: %GroupObject%). This variable can be used in other script actions.

Remarks

Domain / OU / Container / LDAP specification

User Management Resource Administrator supports several methods to specify the entity (domain, OU or container) in which the group will be created. These methods differ in the way the property values are specified. The properties involved are: Domain, Organizational Unit-Container, LDAP container. Depending on your network environment and input data, you should choose the method that fits best:

Method 1
  Properties specified: Domain, Organizational Unit-Container
  Properties not specified: LDAP container
  Example: Domain: TOOLS4EVER or tools4ever.com; Organizational Unit-Container: STUDENTS/GROUP1
  Description: This is the easiest method to create groups in OU's. To create the group, User Management Resource Administrator will automatically compose the LDAP name of the container in which to create the group.

Method 2
  Properties specified: Domain
  Properties not specified: LDAP container, Organizational Unit-Container
  Example: TOOLS4EVER or tools4ever.com
  Description: Use this method only to create groups in the domain root. No OU is involved.

Method 3
  Properties specified: LDAP container
  Properties not specified: Domain, Organizational Unit-Container
  Example: OU=Group1, OU=Students, DC=tools4ever, DC=com
  Description: Use this method if you want to specify the OU directly using the LDAP format. If this property is specified, the Domain and Organizational Unit-Container properties are ignored.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties
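The following Python sketch is an added example, not code from the product: it models the three location methods from the Remarks above (LDAP container wins over Domain plus Organizational Unit-Container) and the SAM-Account-Name rules, so input data can be checked before a Create group script runs. The function names are hypothetical, and it assumes a DNS-style domain name, that every path component is an OU rather than a CN container, and RFC 4514 escaping of name values.

```python
# Added example: pre-flight checks for Create group (AD) input data.
SAM_FORBIDDEN = set('"/\\[]:;=,+*<>')   # characters the page lists as not allowed
SAM_MAX_LEN = 20                         # "up to 20 uppercase or lowercase characters"


def validate_sam_account_name(name):
    """Return a list of rule violations; an empty list means the name passes."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > SAM_MAX_LEN:
        problems.append("longer than %d characters" % SAM_MAX_LEN)
    bad = sorted(set(name) & SAM_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Assumption: a mix of only periods and spaces is rejected as well.
    if name.strip(". ") == "":
        problems.append("consists solely of periods or spaces")
    return problems


def escape_rdn_value(value):
    """Escape one name component for use inside a distinguished name (RFC 4514)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def resolve_container(domain=None, ou_path=None, ldap_container=None):
    """Return the LDAP name of the container in which the group would be created."""
    # Method 3: an explicit LDAP container takes precedence; Domain and OU are ignored.
    if ldap_container:
        return ldap_container
    if not domain:
        raise ValueError("specify either LDAP container or Domain")
    # Assumption: DC= components can only be derived offline from a DNS-style name.
    if "." not in domain:
        raise ValueError("NETBIOS name %r needs a directory lookup; use the DNS name" % domain)
    labels = domain.split(".")
    if any(not label for label in labels):
        raise ValueError("malformed DNS domain name %r" % domain)
    rdns = []
    if ou_path:
        # Method 1: OU/ChildOU/GrandChildOU is relative to the domain, so the
        # deepest OU comes first in the distinguished name.
        parts = ou_path.split("/")
        if any(not part.strip() for part in parts):
            raise ValueError("empty component in OU path %r" % ou_path)
        rdns = ["OU=" + escape_rdn_value(part) for part in reversed(parts)]
    # Method 2 (no OU): the group lands in the domain root.
    rdns += ["DC=" + escape_rdn_value(label) for label in labels]
    return ",".join(rdns)


if __name__ == "__main__":
    print(resolve_container("tools4ever.com", "STUDENTS/GROUP1"))
    print(validate_sam_account_name("ops=admins"))
```
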

Script Action: Get Object (AD)

Function
Access an object in Active Directory. The action is always used in combination with other subsequent actions. Once the object is found, an internal data structure representing the group is set up. This structure is stored in a variable (%ActiveDirectoryObject%) that can be used by other actions.

Deployment
This action is typically used in a script that is used to manage, edit or delete existing Active Directory objects. When this action is executed successfully, the subsequent actions in the script have access to the object using the variable %ActiveDirectoryObject%.

Properties

Property: LDAP name
  Description: The full LDAP name of the object. The LDAP name is used to identify the Active Directory Object.
  Remarks: Example: cn=john Williams, ou=schools, dc=tools4ever, dc=com

Property: Active Directory Object
  Description: An internal data structure representing the object. This property will only give an output. The output can be used in other script actions.
  Remarks: This script action has an output variable (default: %ActivedirectoryObject%). This variable can be used in other script actions.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties

Script Action: Search object (AD)

Function
Searches the Active Directory for one or more objects. For each object found, the object distinguished name is returned. For the search, you need to specify the environment (LDAP, GC, domain, OU, etc.) and the LDAP search string.

Deployment
This action is typically used in a script that is intended to manage existing user accounts. The accounts can be specified by an Active Directory attribute. This action is then used to find the Active Directory user object. Next, the output distinguished name of the user account can be used to compose the full LDAP name. The resulting name is then used in the Get user (AD) action to bind to the user account.

The search is performed in an environment you can specify. Three options are available:

1. Search in the entire Active Directory: The application first determines the root domain name of the Active Directory environment and then binds to Active Directory. To select, specify LDAP for the property Search environment.
2. Search in the global catalogue of Active Directory: The application first determines the root domain name of the Active Directory environment and then binds to Active Directory. To select, specify GC for the property Search environment.
3. Search in a specific domain, organizational unit or container of Active Directory: With this option you can limit the scope of the search operation. To select, specify the full LDAP name of the object you wish to search in for the property Search environment. Optionally, you can specify the name of the domain controller (NETBIOS or DNS format) computer that the application must use to bind to Active Directory. Example: LDAP://domaincontroller/OU=students,DC=domain,DC=com.

If you are searching for specific objects in Active Directory, you need to specify a filter with criteria that only match for the objects searched for. The filter is specified as a text string according to RFC 2254. Example: to search for an object of class User (e.g. a user account) with a specific content for the attribute description (1234), the filter looks like this:

(&(objectclass=user) (&(description=1234)))

If you don't know how to specify the filter, please contact Tools4ever support (www.tools4ever.com, support@tools4ever.com).

Properties

Property: Search environment
  Description: The search is performed in one of three possible environments: LDAP, GC or any other object. To search the entire Active Directory environment accessible from the local computer, specify the word LDAP (1). To search in the Global Catalog, specify the word GC (2). To search in any other environment, specify the LDAP binding string to access the object (3). Example: To search in a specific domain: LDAP://domain or LDAP://host. To search in a specific OU: LDAP://domaincontroller/OU=students,DC=domain,DC=com.
  Typical setting: LDAP
  Remarks: See Deployment section

Property: LDAP search Filter
  Description: The LDAP search filter according to RFC 2254. Example, to find user accounts with a specific description field 1234: (&(objectclass=user) (&(description=1234)))

Property: Error if nothing found
  Description: Generate an error for this script action if no matching objects are found.
  Typical setting: Yes

Property: Error if multiple found
  Description: Generate an error for this script action if multiple matching objects are found.
  Typical setting: Yes

Property: Search in child objects
  Description: Search in the specified environment and child objects, for example child domains.
  Typical setting: Yes

Property: Number of objects found
  Description: The number of matching objects found. This property is an 'output only' property and is generated by the application automatically. By default, the value for this property is stored in variable %SearchResultCount%.
  Remarks: The number of objects found can be stored in a variable. By default, the name of this variable is %SearchResultCount%.

Property: Object distinguished names
  Description: The distinguished names of the matching objects. This property is an 'output only' property and is generated by the application automatically. By default, the value for this property is stored in variable %SearchResults%.
  Remarks: The object distinguished names are collected for each matching object. These names are stored in a single variable. By default the name of the variable is %SearchResults%.

More information: Security - Overview; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Get user (AD); Help on help
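When the value in the LDAP search Filter comes from input data, any `*`, `(`, `)`, `\` or NUL in it has to be written in the RFC 2254 escaped form, otherwise the text no longer parses as the filter that was intended. The Python sketch below is an added example, not part of the product: it builds the page's "user with description X" filter with escaped values and includes a small parser for the and/or/not/equality subset so the result can be checked. All function names are hypothetical, and tolerating spaces between sub-filters (as in the page's own example) is an assumption of this parser.

```python
import re

# RFC 2254 section 4: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Return value with RFC 2254 special characters replaced by \\XX escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality(attr, value):
    """Build one (attr=value) item; the attribute name is validated, the value escaped."""
    if not _ATTR_RE.match(attr):
        raise ValueError("invalid LDAP attribute name %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))


def user_by_attribute(attr, value):
    """Filter for objects of class user whose attribute equals value."""
    return "(&" + equality("objectclass", "user") + equality(attr, value) + ")"


def parse_filter(text):
    """Parse a filter into nested tuples: (op, [children]) or (attr, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected data at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while True:
            while pos < len(text) and text[pos] == " ":
                pos += 1          # lenient: spaces between sub-filters
            if pos < len(text) and text[pos] == "(":
                child, pos = _parse(text, pos)
                children.append(child)
            else:
                break
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated '%s' group" % op)
        return (op, children), pos + 1
    end = pos
    while end < len(text) and text[end] not in "()":
        end += 1
    # A raw '(' inside a value ends up here: the item is not closed by ')'.
    if end >= len(text) or text[end] != ")":
        raise ValueError("malformed item at offset %d" % pos)
    attr, sep, raw = text[pos:end].partition("=")
    if not sep or not _ATTR_RE.match(attr):
        raise ValueError("malformed item at offset %d" % pos)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return (attr, value), end + 1


if __name__ == "__main__":
    # Constructed sample value: a description containing filter metacharacters.
    f = user_by_attribute("description", "Lab (3rd floor) *")
    print(f)
    print(parse_filter(f))
```
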

Script Action: Set primary group (AD)

Function
Sets the primary group.

Deployment
The user's primary group applies only to users who log on to the network from a Macintosh client or who run POSIX-compliant applications. Unless you are using these services, there is no need to change the primary group from Domain Users, which is the default value.

Properties

Property: Active Directory object
  Description: A data structure representing the Active Directory object for which the primary group is updated.
  Typical setting: NA
  Remarks: This value can only be specified as a variable resulting from a previous script action.

Property: Primary group name
  Description: The name of the primary group (e.g. DOMAIN_A\Students).
  Typical setting: NA

Script action: Get primary group

Function
Gets the primary group.

Deployment
The user's primary group applies only to users who log on to the network from a Macintosh client or who run POSIX-compliant applications. Unless you are using these services, the default primary group is Domain Users.

Properties

Property: Active Directory object
  Description: A data structure representing the Active Directory object for which the primary group is updated.
  Typical setting: NA
  Remarks: This value can only be specified as a variable resulting from a previous script action.

Property: Primary group name
  Description: The name of the primary group (e.g. DOMAIN_A\Students).
  Typical setting: NA

File system

Script Action: Create Directory

Function
Create a directory on a (NTFS) file system. For the directory, you can set up the permissions as well. Additionally, you can create a share for the directory.

Deployment
This action is typically used in a script that is intended to create new users in Active Directory or NT4 domains, after creation of the actual user account with Script Action: Create User (AD) or Script Action: Create User (no AD). This action is then used to create, for example, the home directory and share for that user in the file system. It can however also be used in any other context.

Properties

Property: Computer
  Description: The computer name on which the directory is created.
  Typical setting: %HomeServer%
  Remarks: See the Remarks section below.

Property: Parent path
  Description: The relative path to the parent directory of the directory to be created.
  Typical setting: users
  Remarks: See the Remarks section below. The path has the form <share name>\<subdir1>\... Example: users\students\2004

Property: Directory name
  Description: The name of the directory to be created.
  Typical setting: %UserName%
  Remarks: See the Remarks section below. The directory will be created as a sub-directory of the specified parent path.

Property: Always create unique directory
  Description: Add a number to the directory name before creating the directory, if a directory with the original name already exists.
  Typical setting: Yes

Property: Security
  Description: Specifies the (NTFS) access rights on the directory.
  Typical setting: Set by special dialog
  Remarks: Specifies the access rights for different users on the directory. It is possible to use variables to construct the names. It is also possible to use a variable that contains the SID of a user instead of a user name. When creating a user with the script action Create User, the SID of the user is exported to the variable %UserSid% by default. This variable can be used inside the dialog to refer to the just created user. For more info see Directory security - Overview.

Property: Share the directory
  Description: Specifies if the directory must be shared.
  Typical setting: No

Property: Share name
  Description: The name by which the directory is shared.
  Typical setting: %UserName% or %UserName%$
  Remarks: In order to create a hidden share, specify a $ as the last character of the name.

Property: Share permissions
  Description: The permissions of the share (!) of the new directory. If this property is not specified, the default settings apply.
  Remarks: If the permissions of the share are not specified, the share permissions are set to full control for everyone.

Property: Share user limit
  Description: Specifies the number of users who can connect to the shared folder at one time. If this property is not specified, the number is set to unlimited.
  Remarks: If not specified, an unlimited number of user connections is accepted.

Remarks
A directory is always created in a parent directory. The directory can be created on a remote or the local computer. The parent directory must be accessible in order to successfully create the directory. Further, the user running the application must have sufficient access rights for the parent directory to create the directory and set up the share and permissions. The parent directory has the following format (specified using property names):

Computer\Parent path

The field Computer specifies the name of the computer in NETBIOS or DNS style. The Parent path specifies the name of a share and optionally a directory on the Computer. The examples below use the following fields:

Computer: property of the action.
Parent path: property of the action.
Local path on specified computer: The logical drive path of the resulting total path of the parent directory. This path is relative to the specified computer.
Resulting total path of parent directory: The target directory is created in this directory. Using this specification, the parent path can be accessed from a remote computer.
Comments: Description of this example entry.

Example 1
  Computer: SERVER_A
  Parent path: Users
  Local path on specified computer: G:\Users
  Resulting total path of parent directory: \\SERVER_A\Users
  Comments: The directory G:\Users is shared as Users on the computer.

Example 2
  Computer: SERVER_A
  Parent path: Users\Sales
  Local path on specified computer: G:\Users\Sales
  Resulting total path of parent directory: \\SERVER_A\Users\Sales
  Comments: The directory G:\Users is shared as Users on the computer. The directory Sales is a subdirectory of this directory.

Example 3
  Computer: SERVER_A
  Parent path: Sales
  Local path on specified computer: G:\Users\Sales
  Resulting total path of parent directory: \\SERVER_A\Sales
  Comments: The directory G:\Users\Sales is shared as Sales on the computer.

Example 4
  Computer: SERVER_A
  Parent path: G$\Users
  Local path on specified computer: G:\Users
  Resulting total path of parent directory: \\SERVER_A\G$\Users
  Comments: The local drive G:\ on the computer is shared as G$ (administrative share). The directory Users is a subdirectory of logical drive G:\.

More information: Security - Overview; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Script Action: Copy directory

Function
Copy the contents of one directory to another directory. The source and destination directory can reside on different computers. A number of options are available: create the destination directory, set up permissions, copy permissions, etc.

Deployment
This action is typically used in a script that is intended to manage existing user accounts and, for instance, move home directories. By combining the actions Copy directory and Delete directory, a Move directory action can be implemented. Besides copying the files and directories, the security permissions can be set up for the destination directories and files. For the permissions, three options are available:

1. Copy security settings from source directory: All permission settings are copied for each individual file and directory. To select, set the property Copy security option to Yes and the property Setup security option to No.
2. Setup security settings for destination directories and files: Initialize the security settings for the destination files and directories. The security settings of the source directories and files are not used. Instead, you can specify the new security settings for the destination files and directories. To select, set the property Copy security option to No and the property Setup security option to Yes, and specify the security settings with the property Security.
3. No configuration: The copy operation is executed but no security settings are explicitly set up. The security settings of the destination directory and files are determined by the security settings of the destination parent directory and the inheritance rules. To select, set the property Copy security option to No and the property Setup security option to No. This is the default option.

Properties

Source directory
  Description: The name of the source directory. The source directory can be specified in two ways. For local directories: <logical drive>\<directory>\<directory> etc. Example: 'C:\UserData\Marketing'. For remote and local directories: \\<computer>\<share>\<directory>\<directory>. Example: '\\SERVER_A\Users\Data'. The source directory must exist.

Destination directory
  Description: The name of the destination directory. The destination directory can be specified in two ways. For local directories: <logical drive>\<directory>\<directory> etc. Example: 'C:\UserData\Marketing'. For remote and local directories: \\<computer>\<share>\<directory>\<directory>. Example: '\\SERVER_A\Users\Data'. If the destination directory does not exist, it can be created.
  Remarks: If the destination directory does not exist, it can be created by setting the property Create destination directory to Yes. This will create the full path if necessary.

Create destination directory
  Description: A flag indicating that the destination directory must be created if it does not exist. Default value: 'Yes'.
  Typical setting: Yes
  Remarks: If not specified, the default value Yes is applied.

Copy subdirectories
  Description: Specify 'Yes' to copy the complete directory tree, including subdirectories and files, and subdirectories of subdirectories.
  Typical setting: Yes
  Remarks: If not specified, the default value Yes is applied.

Copy directories, no files
  Description: Specify 'Yes' to copy directories only, no files. Default value: 'No'. If you specify 'Yes', no files are copied; only the directory tree is copied to the destination directory.
  Typical setting: No
  Remarks: If not specified, the default value No is applied.

Use backup and restore
  Description: A flag indicating that backup and restore privileges must be used to copy the directory. This property is required in case the logged on user has no access rights to the directories and files that must be copied. The logged on user must have the corresponding access rights configured on the target computer to use these privileges successfully. Default value: 'Yes'.
  Typical setting: Yes
  Remarks: If not specified, the default value Yes is applied. The access rights are configured using policies. Depending on the environment, Domain security, Domain Controller Security or Local Security policies apply. The backup and restore privileges are configured by setting the Backup files and directories and Restore files and directories policies of the User Rights Assignment for the logged on user account.

Continue on error
  Description: A flag indicating that the copy directory action must continue if an error occurs when copying a file or directory. Default value: 'Yes'.
  Typical setting: Yes
  Remarks: If set to Yes, the copy action continues, but an error is reported and returned by the action.

Overwrite existing files
  Description: A flag indicating that existing destination files must be overwritten if they already exist. If you specify 'No' instead, an error is generated and the file is not overwritten. Default value: 'Yes'.
  Typical setting: Yes

Copy security option
  Description: Copy security settings from the source directory and files to the destination directory and files. The security settings include the access rights, owner and auditing settings.
  Remarks: If the security is not explicitly specified, the security settings of the destination parent directory determine the new security settings. See Deployment section.

Setup security option
  Description: Set up the security settings for the target directory and files. The security settings include the access rights, owner and auditing settings. The security settings are specified with property 'Security settings'.
  Remarks: If the security is not explicitly specified, the security settings of the destination parent directory determine the new security settings. See Deployment section.

Security
  Description: The new security settings for the target directory and files. If you want to use this option, you must set the value of property 'Setup security option' to 'Yes'.
  Remarks: This property is only used when the value of property Setup security option is set to Yes. For more information, see Security - Overview.

More information: Security - Overview; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Create Directory; Script Action: Delete directory; Help on help

Script Action: Rename file or directory

Function
Renames a file or a directory (e.g. a home directory for a user).

Deployment
This action is typically used in a script that is intended to manage existing user accounts. With this action you can rename a home directory for a user or move user files to a different location.

Properties

Source file / directory
  Description: The full path of the original file or directory.

Destination file / directory
  Description: The full path of the destination file or directory.

Allow the move to different volume flag
  Description: Allows moving the file to a different volume. The default value is "Yes".
  Typical setting: Yes

Delay rename until reboot flag
  Description: Specifies that the file should not be moved until the operating system has been restarted. The default value is "No".
  Typical setting: No

Replace existing file flag
  Description: Replaces the destination file if it already exists. The default value is "Yes".
  Typical setting: Yes
  Remarks: This option can only be used for files, not for directories.

Flush before return flag
  Description: The script action remains active until the move has been completed and the data written to disk. The default value is set to "No".

Script Action: Delete directory

Function
Delete the directory tree, including all files and subdirectories. Optionally, you can delete the specified directory itself. The directory tree is specified by a single directory name. The name must have the syntax: \\COMPUTER\Share\Directory_To_Delete or DRIVE:\Directory\Directory_To_Delete (local drive). If the directory to delete corresponds with a remote share (\\COMPUTER\Shared_Dir_To_Delete), you can use the administrative share (\\COMPUTER\DRIVE$) to delete the directory tree.

Deployment
This action is typically used in a script that is intended to remove user accounts and all of the associated resources. More generally, the action can be used to delete one or more directory trees. To access the directory that must be deleted, a share is used. In case the specified directory must be deleted as well, and the directory is specified as \\SERVERNAME\ShareName, the specified share cannot be used to delete the directory. In this case, another share must be used to delete the directory. By default, the administrative share (\\SERVERNAME\C$, \\SERVERNAME\D$) is then used to delete the directory. If this share cannot be used, an error occurs.

Properties

Directory name
  Description: The name of the directory tree to delete. All files, directories and subdirectories will be deleted from the specified directory. Optionally, you can delete the specified directory itself. The directory name must have the syntax: \\COMPUTER\Share\Directory_To_Delete or DRIVE:\Directory\Directory_To_Delete. If the directory to delete corresponds with a remote share (\\COMPUTER\Shared_Dir_To_Delete), you can use the administrative share (\\COMPUTER\DRIVE$) to delete the directory tree.

Delete directory option
  Description: A flag indicating if the specified directory itself (property: 'Directory name') must be deleted.
  Typical setting: No
  Remarks: If not specified, the default value No is applied.

Delete readonly files and directories
  Description: A flag indicating if read-only files and directories must be removed as well. Default value: TRUE. To delete the read-only files and attributes, the readonly attribute is reset first.
  Typical setting: Yes
  Remarks: If not specified, the default value Yes is applied.

Always use administrative share
  Description: A flag indicating that the administrative share must be used to delete the directory. The administrative share is by default only used if the specified directory must be deleted and the directory corresponds with a share (Syntax: \\COMPUTER\Shared_Dir_To_Delete).
  Typical setting: No
  Remarks: If not specified, the default value No is applied.

Never use administrative share
  Description: A flag indicating that the administrative share should not be used to delete the directory. The administrative share is by default only used if the specified directory must be deleted and the directory corresponds with a share (Syntax: \\COMPUTER\Shared_Dir_To_Delete).
  Typical setting: No
  Remarks: If not specified, the default value No is applied.

Use backup and restore privileges
  Description: A flag indicating that backup and restore privileges must be used to delete the directory. This property is required in case the logged on user has no access rights to the directories and files that must be deleted. The logged on user must have the corresponding access rights configured on the target computer to use these privileges successfully. See the online help for more information.
  Typical setting: No
  Remarks: If not specified, the default value Yes is applied. The access rights are configured using policies. Depending on the environment, Domain security, Domain Controller Security or Local Security policies apply. The backup and restore privileges are configured by setting the Backup files and directories and Restore files and directories policies of the User Rights Assignment for the logged on user account.

Ignore error
  Description: A flag indicating that errors must be ignored when a directory tree is deleted.
  Typical setting: No
  Remarks: This flag can be used to prevent error messages when, for instance, a directory does not exist.

More information: Security - Overview; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Script Action: Create Directory; Script Action: Copy directory; Help on help

Script Action: Create share

Function
Create a share on a directory or disk. Using this function you can set the share permission and user limit as well.

Deployment
This action is typically used in a script that is intended to manage existing user accounts and move user home directories. When you use Script Action: Copy directory, no share is created. When you want to share a directory, the Create share action should be applied. A share is typically used to connect to network data that should be available for a group of users.

Properties

Share path
  Description: The full path of the directory that is going to be shared. Both remote and local directories can be shared.
  Typical setting: %SharePath%
  Remarks: The share path can be specified in two ways. For local directories: <logical_drive>\<directory>\<directory> etc. Example: 'C:\UserData\Marketing'. For remote and local directories: \\<computer>\<share>\<directory>\<directory>. Example: '\\SERVER_A\Users\Data'. The directory which is going to be shared must exist.

Share name
  Description: The name given to the share. The name must be unique with respect to other shares on the computer.
  Typical setting: %ShareName%
  Remarks: You should always use a name that is easily identified. A user home directory, for example, would be easily identified by the username.

Make share name unique
  Description: Makes the share name unique. A share name must always be unique; when the share name is not unique, the share will not be created.
  Remarks: A number is added to make the share name unique. The number starts with 1 and increases until a unique name is found. When this property is not set, the share will not be created when the share name already exists.

Share permissions
  Description: The permissions of the share (!) of the new directory. If this property is not specified, the default settings apply.
  Remarks: If the permissions of the share are not specified, the share permissions are set to full control for everyone.

User limit
  Description: Specifies the number of users who can connect to the shared folder at one time. If this property is not specified, the number is set to unlimited.
  Remarks: If not specified, an unlimited number of user connections is accepted.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties

Script Action: Delete share

Function
Delete a share from a directory or disk. This action only removes the share of a directory or disk; it does not remove the directory or disk. Use Script Action: Delete directory to delete a directory.

Deployment
This action is typically used in a script that is intended to remove a user's account in Active Directory or NT4 domains, after removal of the actual user account with Script Action: Delete User (AD) or Script Action: Delete User (no AD). This action is then used to remove, for example, the share on the home directory. It can, however, also be used in any other context.

Properties

Computer
  Description: The name of the computer that maintains the share.
  Remarks: The name of the computer can be specified in NETBIOS or DNS-style (e.g. SERVER_A, server_a.my_domain.com).

Share name
  Description: The name by which the shared directory is identified.
  Remarks: In order to remove a hidden share, specify a $ as the last character of the name. The share name is not necessarily the name of the shared directory.

Ignore error
  Description: When this flag is set to 'Yes' and the specified share cannot be deleted, no error will be generated.
  Remarks: This option can be used to prevent the script from stopping when an error is generated.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Other actions

Script Action: Execute Command Line

Function
Execute a Windows command line on the local computer that runs User Management. The command line can contain any number of arguments, including variables.

Deployment
This action is typically used in a script that is intended to create new users in Active Directory or NT4 domains, usually as one of the last script commands issued. This action is then, for instance, used to copy some standard files into the user's home directory, or to perform some other site-specific batch commands related to the account that was just created.

Properties

Command Line
  Description: The command line that must be executed.
  Remarks: The command line starts with the name of a file that can be executed (.exe, .bat, etc.), followed by options as required by the specific command. It may be required to specify the complete path to the file to be executed.

Wait until terminated
  Description: Specifies whether or not User Management waits for the command to finish before it continues with the next action of the script.
  Typical setting: Yes
  Remarks: When set to Yes, the execution of the script is suspended until the command has finished, either successfully or unsuccessfully.

Show command window
  Description: Specifies whether a command window must show.
  Typical setting: No

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help
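
Because the command line may contain variables, and variable values usually come from the input data, a value check ahead of this action keeps unexpected characters out of the executed command. The following is an added example, not UMRA code: it models %Variable% substitution with a deny-by-default allow-list, and the variable names, patterns, template and rows are constructed assumptions.

```python
import re

# Constructed allow-list: one pattern per variable that may appear in a
# command line. Names and patterns are assumptions for this example.
ALLOWED = {
    "UserName": re.compile(r"[A-Za-z0-9._-]{1,20}"),
    "HomeServer": re.compile(r"[A-Za-z0-9_-]{1,15}"),
}
TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9_]*)%")

# Constructed command-line template and input rows.
TEMPLATE = r'xcopy "C:\Templates\Profile" "\\%HomeServer%\Users\%UserName%" /E /I'
ROWS = [
    {"UserName": "jsmith", "HomeServer": "SERVER_A"},
    {"UserName": "Smith & Sons", "HomeServer": "SERVER_A"},  # company name in the wrong column
    {"UserName": "adoe"},                                    # HomeServer column missing
]


def check_row(template, row):
    """Return a list of problems for the variables the template references."""
    problems = []
    for name in dict.fromkeys(TOKEN.findall(template)):  # keep order, drop repeats
        if name not in ALLOWED:
            problems.append(f"%{name}%: no rule defined, not allowed in a command line")
        elif name not in row:
            problems.append(f"%{name}%: missing from the input row")
        elif not ALLOWED[name].fullmatch(row[name]):
            problems.append(f"%{name}%: value {row[name]!r} does not match the allow-list")
    return problems


def expand(template, row):
    """Substitute %Var% tokens, but only when every referenced value passed."""
    problems = check_row(template, row)
    if problems:
        raise ValueError("; ".join(problems))
    return TOKEN.sub(lambda m: row[m.group(1)], template)


if __name__ == "__main__":
    for row in ROWS:
        try:
            print("RUN   ", expand(TEMPLATE, row))
        except ValueError as err:
            print("REJECT", err)
```

Rows that are rejected never reach the command line, so a value such as "Smith & Sons" is reported instead of being interpreted by the command processor.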

Variable Actions

Script Action: Set Variable

Function
Define and set a script variable. This action does not make any network calls. It is used for configuration within the User Management script. For more information on variables, see Principle of operation and Project operations - Variables.

Deployment
Many implementations of User Management scripts are configured so that the input for the properties of the script actions they contain is defined as variables. Variables either correspond with a column of the input data or get a fixed constant value at the beginning of the script using this action. For instance, when creating new users in a domain, the Domain property of the Create User (AD) script action, and many other actions, is usually specified as %Domain% in the script action. If all users that need to be created should be created in the same domain, it is usually easier to specify the name of the domain directly in the script than to require that the domain name is available in every row of the Project Table. To specify the contents of a variable directly in the script, this script action should be inserted in the script. It must be inserted prior to any script action that uses the specific variable.

Properties

Variable Name
  Description: The name of the variable to set.
  Remarks: The name of the variable must be enclosed in "%" characters, e.g. %Domain%.

Value
  Description: The value of the variable. This value will be used in all following script actions.
  Remarks: The value to which the variable is set. Note that the Value might contain the name of another variable or a combination of text and other variables. The variable can then be used in any following script actions in the script. See Project operations - Variables for more information.

Value Type
  Description: The type of the variable. That is: text, boolean, numeric, date-time or text list.

Resolve immediately
  Description: The method used to resolve variable names in the specified value.
  Typical setting: No
  Remarks: No: Other variable names specified as part of the variable value are not resolved until the variable is used as an argument in another script action. Yes: Other variable names specified as part of the variable value are resolved immediately.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Data specification - Text list; Help on help

Script Action: Split Variable

Function
Split the value of an existing variable in two parts, and store the results in two (new) variables. This action does not make any network calls. It is used for configuration and formatting within the User Management script. The variable is split in two parts; the split position is determined by a separator character available in the data.

Deployment
Many implementations of User Management scripts are configured so that the input for the properties of the script actions they contain is defined as variables. The contents of these variables are usually read from the input data. This table is often created from information provided by the user. This information may, however, not fit seamlessly to the requirements of the script actions in the script. Therefore there are several functions that can be used in the script for some formatting of data. This is one of them. This function in particular can be used when one variable in the input data contains information that a certain script action expects to be in different variables. For example, the input data may have a field that contains the variable %HomeDirectory% in the form "server name\share name\sub directory". The action Script Action: Create Directory, for instance, which creates a directory, requires the name of the server, the name of the share, and the rest of the path to be in three different variables. With the script action Split variable it is possible to create the required variables. In this particular example the action is first used to retrieve the server name, and then used again to retrieve the share name.

Properties

Input variable
  Description: The name of the variable that contains the information that must be split.
  Remarks: The name of the variable must be enclosed in "%" characters, e.g. %Domain%.

Output variable 1
  Description: The name of the variable that contains as result the first part of the input string up to the first separator character.

Output variable 2
  Description: The name of the variable that contains as result the rest of the original string.

Result if no split
  Description: Specifies which variable contains a copy of the original string when the data cannot be split.
  Typical setting: Value of variable 2 empty
  Remarks: Sometimes the data cannot be split because there is no separator character. This setting determines which of the 2 output variables should get a value in this case.

Process from right to left
  Description: Specifies that the input string should be evaluated from right to left.
  Typical setting: No
  Remarks: If specified, the part of the string after the last separator character is stored in variable 1, and the part before the last separator character is stored in variable 2.

Separator(s)
  Description: Specifies which character(s) count as separator.
  Typical setting: No
  Remarks: The variable is split at the first position at which one of the specified characters is encountered.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help
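
The %HomeDirectory% example above, worked through as an added Python model of the split semantics (not UMRA code). It applies the split twice, as the Deployment text describes, and lists input rows that would leave the server, share or directory variable empty. The option name "var1_empty", the function names and the sample rows are assumptions; the page only names the setting "Value of variable 2 empty".

```python
def split_variable(value, separators="\\", right_to_left=False,
                   no_split="var2_empty"):
    """Model of Split Variable: return (output variable 1, output variable 2)."""
    positions = [i for i, ch in enumerate(value) if ch in separators]
    if not positions:
        # "Result if no split": one output gets the original string,
        # the other stays empty.
        return (value, "") if no_split == "var2_empty" else ("", value)
    if right_to_left:
        # Part after the last separator goes to variable 1,
        # part before it goes to variable 2.
        pos = positions[-1]
        return value[pos + 1:], value[:pos]
    # Default: split at the first position where any separator occurs.
    pos = positions[0]
    return value[:pos], value[pos + 1:]


def split_home_directory(home, separators="\\/"):
    """Apply the split twice: first the server name, then the share name."""
    server, rest = split_variable(home, separators)
    share, directory = split_variable(rest, separators)
    return {"Server": server, "Share": share, "Directory": directory}


def incomplete_rows(rows):
    """Rows for which at least one of the three resulting variables is empty."""
    return [r for r in rows if not all(split_home_directory(r).values())]


# Constructed sample values for a %HomeDirectory% input column.
SAMPLE_ROWS = [
    r"SERVER_A\Users\Sales\jsmith",
    r"SERVER_A\Users",            # no sub directory
    "jsmith",                     # no separator at all
    "SERVER_B/Users/hr/adoe",     # forward slashes, accepted as separators here
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", split_home_directory(row))
    print("incomplete:", incomplete_rows(SAMPLE_ROWS))
```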


Script Action: Format Variable Value

Function
Formats the variable value according to the specified format functions. With this action you can specify several formatting functions that are consecutively applied to the value of the input variable. The resulting value is stored in the same variable.

Deployment
This script action is typically used to remove undesired characters from the variable value or to limit the length of the variable value. The original content of the variable is often determined by a user-provided import file. Such a file is likely to contain some irregularities, or the format may not always be exactly correct. This action helps to correct such problems, for instance by removing any trailing blanks in the value.

Properties

Variable
  Description: The name of the variable that contains the value to be formatted.
  Remarks: The resulting formatted value will be stored in the same variable.

Number of Formatting functions Applied
  Description: Lists the number of formatting functions that are applied.
  Remarks: This is a read-only value shown for informational purposes. Double click to open a dialog to configure the formatting functions.

Test Name
  Description: An example value that can be specified to test the result of the formatting functions on a value.
  Remarks: This value is not used when the script is run.

Formatting functions
  Description: A list of formatting functions that are consecutively applied to the value of the variable.
  Remarks: This property is not directly shown in the right pane of the Project. Double click any property to open a dialog that reveals a button to specify the functions used.

Specifying Formatting functions
Double clicking on any property shows a dialog to configure the properties of this action. Select the Format functions button to specify which functions to use and the order in which they are applied. See Name Generation: Formatting functions for more information.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Script Action: Update numeric variable

Function
With this function you can increment the value of a variable.

Deployment
This script action is typically used to accommodate reiteration within a loop (e.g. as a result of a goto label). Similarly, you could cycle through the rows of a table and use this script action to increment the row counter.

Script Action: Generate generic table

This script action creates a generic table using either an LDAP query or an MS Access file as a data source. The only difference with the generic table object in the form design window is that the data from the table are not shown in a project form.

See also: Generic table - Introduction

Script Action: Manage table data

Function
With this action you can manipulate table data and associated parameters.

Available table data operations

Create table
  Remarks: Creates an empty table. Initially, the table contains rows with empty data text fields.

Append a row at the end of the table
  Remarks: Adds a row at the end of a table. Initially, the table row contains empty data text fields. The specified row index variable contains the index of the new row when the action is executed.

Append a column at the end of the table
  Remarks: Adds a column at the end of a table. Initially, the table column contains empty data text fields. The specified column index variable contains the index of the new column when the action is executed.

Set the data for the specified row and column of the table
  Remarks: Sets the data value of the specified cell to the specified value. The cell is specified by the row and column index. The data cell value can be specified by a text value or variable name.

Get the data at the specified row and column of the table
  Remarks: Copies the data value of the specified cell into the value of the specified output variable. The cell is specified by the row and column index.

Get the number of table rows
  Remarks: Determines the number of rows in the table. The number is stored in the row count variable.

Remove duplicate rows
  Remarks: Removes duplicate rows from the table. The specified key column index is used to find duplicate rows. A duplicate is found when the cell data of two rows in the specified key column are equal.

Convert multi-text variable to table
  Remarks: Converts a multi-text variable into a single column of a table.

Log table data
  Remarks: Logs the contents of a table as a variable.

Script Action: Generate name(s)

Function
Generate one or more names based on the value of one or more input variables. The algorithm that is used to generate the output names is configurable. The output value names are stored in variables.

Deployment
This action is typically used in UMRA form projects to propose the user name and full name of a new user account. These names are generated by the algorithm of the script action when the end-user specifies the input names (typically first, middle and last name). The resulting names are presented in a form, and the end-user can then accept the names or let the algorithm generate new names (next iteration cycle).

The script actions that create user accounts, Script Action: Create User (AD) and Script Action: Create User (no AD), contain a user name generation algorithm. If the generated names are used as input names for these actions, the user name generation algorithm of these actions should not be used. So, when creating user accounts, there are 2 methods to generate user names automatically:

1. Use script action Generate name(s) and disable the name generation algorithm of the create user action.
2. Do not use script action Generate name(s) and use the name generation algorithm of the create user action instead.

With the first method, the script must implement a loop:

1. Generate name.
2. Check if name is unique.
3. If name is unique, continue with step 4; if not unique, go to step 1 to generate the next name.
4. Create user account.

This method requires a more complex script. On the other hand, the names that are generated by the algorithm can be shown to the end-user before the account is created.

To configure the name generation action, the following dialog is used:

Use the Edit and browse (...) button to edit the currently configured algorithm or import another algorithm.

Iteration - Use internal data (can only be used for mass projects)
If the name generation action is called multiple times in mass projects, new names are generated according to the configuration of the name generation algorithm. If this option is selected, the iteration mechanism is controlled by the action itself. This option can only be used in mass projects. In form projects, the same names will be generated if this option is selected.

Iteration - Use variable
If this option is selected, the iteration mechanism is controlled by a numeric variable specified in this field. This variable holds a number that corresponds with the iteration cycle. The first time, the variable is 0. The action will generate the names according to the first iteration cycle. Next, the value of the variable is incremented. Thus, the next time the action is called during the same session, the variable has a value of 1. Hence, the next iteration cycle of the name generation algorithm is used to generate the names. This process continues.

Note: The action will create the iteration variable if it does not exist when executed.

Properties

Name generation algorithm
  Description: The name of the algorithm.

Input variable N
  Description: The name of input variable 1,...,N as configured in the name generation algorithm.
  Typical setting: %FirstName% %MiddleName% %LastName%
  Remarks: When the action is executed, the input variables should have a value that is used to calculate the output names.

Output variable M
  Description: The name of output variable 1,...,M as configured in the name generation algorithm.
  Typical setting: %UserName% %FullName%

Iteration
  Description: A description of the method used to iterate through the name generation algorithm when the action is called multiple times.

Related topics: Name Generation Algorithms; Script Action: Create User (AD); Script Action: Create User (no AD); Help on help; Principle of operation; Project operations - Manage script action properties

Script Action: Convert text to date/time

Function
Convert a text value to a date/time value. Both values are stored in a variable. The method used to convert the text to a date/time value can be specified.

Deployment
This action is typically used in UMRA projects to set the account expiration date as specified in a text file when creating new user accounts. In this scenario, a column of the text file contains the user account expiration date and a variable is assigned to this column. This variable stores the expiration date/time as a text string. In order to use this expiration date/time value, it must be converted from a text value to a date/time type value. This can be done with this action. The action takes the text value of the input variable and converts this text to a date/time value type. The resulting value is stored in a variable that can be used to specify the expiration date of a user account. For the action, the format used to convert the text to a date/time value can be configured.

Input text variable
The name of the input variable that stores the date/time value represented as text.

Output date/time variable
The name of the output variable that, upon execution of the action, stores the value as a date/time type. The input and output variable names can be the same: in this case the input variable value is overwritten with the result variable value.

Format
The format of the input variable text value. The format is specified using the following fields: month, day, year, year, hour, minute and second. In order for this action to succeed, the format must correspond with the input variable value. Example: When the date/time is specified as 7/27/2005 14:30, the format must be specified as: month/day/year hour:minute. A number of predefined formats can be selected from the list. Note that not all fields need to be specified. In this case, the action will use the default values.

Default values - Format field - Default value
Select one of the possible format fields from the list Format field and specify the default value in the edit box Default value. The default value is only used when the field is not specified in the Format string.

Related topics: Script Action: Create User (AD); Script Action: Create User (no AD); Help on help; Principle of operation; Project operations - Manage script action properties
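
The format matching described above, as an added Python model (not UMRA code) that can be used to screen an expiration-date column before it is imported. It shows the case that matters for account expiry: a value that parses without error but means a different date under another field order. Function names, the default values and the sample column are constructed assumptions, and years are taken as written.

```python
import re
from datetime import datetime

FIELDS = ("month", "day", "year", "hour", "minute", "second")

# Constructed defaults for fields missing from the format. In UMRA these are
# whatever was entered under "Default values", so the numbers are assumptions.
ASSUMED_DEFAULTS = {"year": 2000, "month": 1, "day": 1,
                    "hour": 0, "minute": 0, "second": 0}


def compile_format(fmt):
    """Translate e.g. 'month/day/year hour:minute' into a regular expression."""
    pattern, pos, seen = "", 0, set()
    for m in re.finditer("|".join(FIELDS), fmt):
        if m.group() in seen:
            raise ValueError(f"field {m.group()!r} appears twice in {fmt!r}")
        seen.add(m.group())
        pattern += re.escape(fmt[pos:m.start()])   # literal separators
        pattern += rf"(?P<{m.group()}>\d+)"        # one numeric field
        pos = m.end()
    return re.compile(pattern + re.escape(fmt[pos:]))


def text_to_datetime(text, fmt, defaults=None):
    """Convert text using fmt; fields absent from fmt take their default."""
    values = {**ASSUMED_DEFAULTS, **(defaults or {})}
    match = compile_format(fmt).fullmatch(text.strip())
    if match is None:
        raise ValueError(f"{text!r} does not match format {fmt!r}")
    values.update((k, int(v)) for k, v in match.groupdict().items())
    return datetime(**values)   # raises ValueError for e.g. month 27


def check_column(texts, fmt):
    """Split a column of date texts into converted values and rejects."""
    converted, rejected = {}, []
    for text in texts:
        try:
            converted[text] = text_to_datetime(text, fmt)
        except ValueError:
            rejected.append(text)
    return converted, rejected


# Constructed sample column of account expiration dates.
SAMPLE_COLUMN = ["7/27/2005 14:30", "27/7/2005 14:30",
                 "7/12/2005 09:00", "2005-07-27"]

if __name__ == "__main__":
    ok, bad = check_column(SAMPLE_COLUMN, "month/day/year hour:minute")
    for text, value in ok.items():
        print(f"{text!r:20} -> {value}")
    print("rejected:", bad)
    # Same text, other field order: 12 July becomes 7 December.
    print(text_to_datetime("7/12/2005 09:00", "day/month/year hour:minute"))
```

Values such as 7/12/2005 are accepted under either field order, so the format has to be confirmed with whoever produced the file; only values like 27/7/2005 fail visibly.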

Script Action: Convert to multi-value variable

Function
Converts the value of a variable into multiple values. The multiple values will be stored under one variable. This action does not make any network calls. It is used for configuration and formatting within the User Management script. The variable is split in multiple values and stored under a new variable; the split position is determined by a separator character available in the data.

Deployment
Many implementations of User Management scripts are configured so that the input for the properties of the script actions they contain is defined as variables. The contents of these variables are usually read from the input data. This table is often created from information provided by the user. This information may, however, not fit seamlessly to the requirements of the script actions in the script. Therefore there are several functions that can be used in the script for some formatting of data. This is one of them. This function in particular can be used when one variable in the input data contains information that has multiple values for one property of a script action. For example, the input data may have a field that contains the variable %GroupMemberships% specified as "Domain\Administrators;Domain\Backup Operators;Domain\Users". The action Script Action: Set group membership (AD), for instance, can be used to make a user account a member of multiple groups. With the script action Convert to multi-value variable it is possible to create the required variable, which contains the three groups as separate values under one variable. In this particular example the action is used to separate the value of a variable into three new values for another variable.

Properties

Input variable
  Description: The variable that contains the data which is multi-value.
  Remarks: The data in the input variable should be separated by a separator character.

Output variable
  Description: The variable which contains the same data as the input variable, only now the data is available as multiple values instead of one value.
  Remarks: The output variable can be a different variable or the same variable as the input variable.

Separator character
  Description: A character that separates one value from the other. This character is used to determine where the new value begins.
  Typical setting: ;
  Remarks: The following characters can be chosen to separate the values: , : ; <tab>

Insert empty values
  Description: When two separator characters are placed directly after each other, a blank value could be created.
  Typical setting: No
  Remarks: When you want blank values to be defined, this property should be set to 'Yes'. When you want to remove all blank values, this property should be set to 'No'.

Related topics: Help on help; Principle of operation; Project operations - Manage script action properties

Script Action: Manage multi-text value variable

Function

Manage a multi-text value variable. Enables you to sort a multi-text value variable and delete empty text values.

Deployment

This script action is used to manage the multi-text value that is created with Script Action: Convert to multi-value variable.

Properties

- Variable
  Description: The variable that contains the data which is converted to multi-value.
  Remarks: Use Script Action: Convert to multi-value variable to convert a data string to a multi value variable.
- Delete empty text values
  Description: When a multi-text value contains empty values, these empty values can be deleted by setting this property to 'Yes'.
  Typical setting: No
- Sort values in ascending order
  Description: Sorts the multi-text value in ascending order.
  Typical setting: No
- Sort values in descending order
  Description: Sorts the multi-text value in descending order.
  Typical setting: No

Related topics: Help on help, Principle of operation, Project operations - Manage script action properties

Script Action: Merge multi-text variable values

Function

This action merges two input variables into one output variable.

- Input variable 1: Name of input variable 1
- Input variable 2: Name of input variable 2
- Output variable: Name of the output variable
- Delete duplicates: Specifies that duplicate entries in the content of the output variable must be deleted
- Delete empty values: Specifies that empty values in the content of the output variable must be deleted
- Sort: Specifies that the content of the output variable must be sorted

Deployment

This action is typically used in a script where you need to merge two tables and clean up the content.

Script Action: Map variable

Function

The function maps the value of an input variable to a value of an output variable. The mapping table specifies the value of the output variable for each possible value of the input variable.

Deployment

This script action is usually used in a script to handle exceptions to the main rule of the script. The output variable can also be used as a label, e.g. as the target of a GOTO action.

Example: A particular script that creates a user account uses the variable %HomeServer% to contain the home server of the new account. This name is used later in the script to specify the home directory of the user: %HomeDirectory%=%HomeServer%\users\%UserName% by means of the set variable script action. This setting works fine for most home servers in your network, but for a particular server the location where the home directory should be created is different: for your home server named OAK you want the home directory of the user to be %HomeServer%\students\%UserName%.

In the above case, you can use the map variable action. You specify the variable %HomeServer% to be the input variable, and the variable %HomeDirectory% as the output variable. In the mapping table you specify OAK as the input value to match and %HomeServer%\students\%UserName% as the associated value. The result is that whenever the home server is OAK the name of the home directory is changed from %HomeServer%\users\%UserName% to %HomeServer%\students\%UserName%.

Properties

- Input variable
  Description: The name of the variable that contains the information that must be looked up in the list.
  Remarks: The name of the variable must be enclosed in "%" characters, e.g. %Domain%.
- Output variable
  Description: The name of the variable that is modified by this script action.
  Remarks: The name of the variable must be enclosed in "%" characters, e.g. %Domain%.
- Number of Input-Output values
  Description: The number of entries in the Mapping table.
  Remarks: This is only shown in the property list, not in the configuration dialog.
- Mapping Table
  Description: Specifies which input value results in the specified output value.
  Remarks: Specifies a list of (input value, output value) pairs. If the contents of the input variable match the input value in the list, the output variable will be set to the corresponding output value. This is only shown in the configuration dialog, not in the properties list itself.
- Set output variable to default value if no match found
  Description: If set to Yes, then, when no match is found in the mapping table, the output variable is set to the default value specified below. If set to No, and no match is found, the output variable is not altered.
  Typical setting: No
- Default value of output variable
  Description: Specifies the value the output variable gets when there is no match.
  Remarks: This value is only used when the "Set output variable to default value if no match found" flag is set to Yes.
- Case sensitive compare
  Description: Specifies if the compare function to find a match must be case sensitive.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Script Action: Export Variables

Function

Write the value of one or more variables to a text file.

Deployment

Typically used at the end of a script to record the results of the script operation. For instance, in a script that creates user accounts, the user logon name and the password are often exported to a file, so the user can be informed. This is especially essential when the accounts are created with random passwords.

Properties

Double click on any property to open a special dialog to set all properties from one window.

- Number of exported variables
  Description: The number of exported variables.
  Remarks: Read only property.
- Export file name
  Description: The name of the file.
  Remarks: The name of the file can contain variables:
  %NowDay%: The current day (00,...,31)
  %NowMonth%: The current month (01,...,12)
  %NowYear%: The current year (2005,...)
- Exported text fields
  Description: A list of strings that are written to the Export file. In order to export variables, specify the variable name in the export string.
  Remarks: Examples of export strings: "Created user %Username% in domain %Domain%", "%Username%", "%Password%". All strings will be exported on the same line in the file. If the output must be on more lines, use a separate Export Variables script action.
- Field separator
  Description: The character that is exported to separate the exported fields.
  Typical setting: ,
- Value separator
  Description: The character used to separate multi-values.
  Typical setting: , or ;
  Remarks: The character is inserted between the values of a multi-value variable value. In order to be able to distinguish the different values of a multi-value variable, the values should not contain the value separator character. Example: When exporting the memberof attribute of user accounts, the object distinguished names of the groups of which the user account is a member are returned. These names contain commas: CN=GroupA, DC=domain (note the comma between GroupA and DC). To separate multiple groups in this case, another value separator should be used, for instance a semi-colon (;).
- Enclose fields with blanks
  Description: Specifies that fields that contain blanks will be enclosed by the enclose character.
- Enclose character
  Description: Specifies the character that is inserted around strings that contain blank chars.
  Typical setting: "
- UNICODE format
  Description: When checked, the exported data is saved in UNICODE format.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Built-in variables, Help on help
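The separator handling described for Convert to multi-value variable and for the Export Variables value separator, as an added Python example (not code from the product): it shows how a comma value separator silently breaks group distinguished names apart and how to reject or avoid such a separator. The function names and the sample memberOf values are constructed for illustration.

```python
"""Added example: splitting and re-joining multi-value variables safely."""
from typing import List, Sequence

# Separator choices listed for "Convert to multi-value variable".
ALLOWED_SEPARATORS = (",", ":", ";", "\t")


def convert_to_multi_value(value: str, separator: str = ";",
                           insert_empty: bool = False) -> List[str]:
    """Split one text value into multiple values at the separator character.

    insert_empty mirrors the "Insert empty values" property: with False,
    the blank values produced by adjacent separators are dropped.
    Assumption: only zero-length values count as blank.
    """
    if separator not in ALLOWED_SEPARATORS:
        raise ValueError(f"unsupported separator: {separator!r}")
    parts = value.split(separator)
    return parts if insert_empty else [p for p in parts if p != ""]


def pick_value_separator(values: Sequence[str],
                         candidates: Sequence[str] = (",", ";", ":", "\t")) -> str:
    """Return the first candidate separator that occurs in none of the values."""
    for sep in candidates:
        if not any(sep in v for v in values):
            return sep
    raise ValueError("every candidate separator occurs inside a value")


def export_multi_value(values: Sequence[str], value_separator: str) -> str:
    """Join values for export, refusing a separator that would corrupt them."""
    clashing = [v for v in values if value_separator in v]
    if clashing:
        raise ValueError(
            f"value separator {value_separator!r} occurs inside {clashing[0]!r}")
    return value_separator.join(values)


def round_trip(values: Sequence[str], separator: str) -> List[str]:
    """Naive export followed by re-import: what a reader of the file recovers."""
    return convert_to_multi_value(separator.join(values), separator)


# Constructed sample data in the shape of a memberOf export.
MEMBER_OF = ["CN=GroupA,DC=domain", "CN=GroupB,DC=domain"]

if __name__ == "__main__":
    print(round_trip(MEMBER_OF, ","))   # group boundaries are lost
    print(round_trip(MEMBER_OF, ";"))   # the original distinguished names
    print(export_multi_value(MEMBER_OF, pick_value_separator(MEMBER_OF)))
```

A file whose values were mis-split this way feeds wrong group names into any later group membership step, so the check belongs before the export rather than after the import.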

Script Action: Go to Label

Function

Unconditionally jump to the script action with a specified label, skipping all actions between this action and the action with the specified label.

Deployment

Each script action can jump to another labeled action in case of an error. In combination with action Map Variable, you can conditionally specify the value of a label to jump to.

Properties

- Label
  Description: The label of the script action that is to be executed directly after this action.
  Remarks: Note that the name of the destination label may contain variables. This makes it possible to perform conditional jumps if required, for instance by using Script Action: Map variable earlier in the script to create a variable that specifies a label.

To set up the label of a script action, select the target action in the script section (lower left area) of the project window. Right click the mouse or select main menu option Actions and select Set script action label.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Script Action: If-Then-Else

Function

Evaluates a condition and then performs one or more script actions depending on the results of that condition. The example below will give you a feeling of the possible deployment of this action. For detailed information on setup options for condition criteria see Condition criteria - Setup and Condition criteria - Setup criterion.

Example - Creating a home directory if it does not exist yet and update the AD

In the following example, we will create a home directory for those users in the organizational unit "Marketing" who do not already have one. For this example we assume that you have a CSV file with users who belong to the OU "Marketing".

1. Drag the Set variable action to the Script Actions window. Set the value for the variable %OU% to "Marketing".
2. Drag the Set variable action to the Script Actions window. Set the value of the variable %ShareName% to "<MyShare>" where <MyShare> corresponds with the name of the share where the home folders should be created (e.g. "Users").
3. Drag the Set variable action to the Script Actions window. Set the value of the variable %Domain% to the name of the domain.
4. Drag the Get user action to the Script Actions window. Set the Domain property to %Domain% and the Username property to %UserName%.
5. Drag the Get attribute action to the Script Actions window. Set the value of the LDAP attribute display name to "homedirectory". This is the attribute representing the home directory for the account. Set the output variable to %HomeDirectoryValue%. Set the Error if empty property to "No".

Next, we need to evaluate if a home folder already exists. If not, we will create a home folder with the full name of the user. If it does exist, the script will do nothing. To achieve this, we will use the If-Then-Else action.

6. Drag the If-Then-Else action to the Script Actions window and double-click on "If...Then Goto label:". The Properties dialog box will appear:

In the IF section of this dialog box, you can specify your evaluation criteria.
In the Then section you specify which action should be executed if the condition is TRUE.
In the Else section you specify which action (if any) needs to be executed if the condition is FALSE.

7. Click the Edit button. The Setup Condition Criteria dialog box will appear:

8. Click the Add button to add a criterion. The Setup criterion dialog box will appear. In this dialog box we need to specify if a home directory already exists. In our case, the home folder is stored in the variable %HomeDirectoryValue%. If it does not exist, a home folder should be created.
9. Select the variable %HomeDirectoryValue% in the list of variable names. In the Equation operator section, select the operator "has no value or does not exist".

10. Click OK. The criterion will now be added to the list of criteria. If you have more than one criterion, you can also specify if ALL conditions should be met, or if at least one of the listed conditions should be met.

11. Click OK again to return to the Properties dialog box. In the Then section, enter the label of the action which needs to be executed if the condition is met. For this example, we will use the script label "Create Home Directory". If the condition is not met, no action is required, so we can leave the Else section as is. Click OK to return to the Action window.
12. Drag the Create directory action to the Script Actions window and set the following property values:
   - Computer - Specify the name of the computer on which the directory must be created.
   - Parent Path - The path of the parent directory on the specified computer. For our example, you need to set this to %ShareName%.
   - Directory name - For this example, we are assuming that the CSV file you are using contains a column with the full name of the user which has been set to %FullName%. Use this variable %FullName% as the directory name.
   - Share Name - The name of the share that is used to create a share on the new directory. For the purpose of this example, we will assume that it is equal to the variable %ShareName%.

In the last step, we will set the home folder attribute to the current value.

13. Drag the Edit User (AD) action to the Script Actions window and set the following property values:
   - Home directory - The path of the home directory of the user account. For our example, this can be set to \\%ShareName%\%FullName%.
   - Home directory drive - The drive letter assigned to the user's home directory for logon purposes. For this example, we are setting this value to "C:\" (in reality this will be a network drive).

Once you have completed these steps, you are ready to run it in test mode.


Script Action: For-Each

Function

Evaluates each row of a table and places the result in a variable.

Deployment

Typically, this script action would be used to evaluate the rows in a table and to execute a script for each row which is defined in another project form. In other words, the For-Each script action is separated from the script which needs to be executed on the result of this action. Because of this modular approach, you can reuse the For-Each construction for other projects.

Properties

- Table variable name: Variable name of the table on which the For-Each action has to operate.
- Script project: Name of the project which contains the script which needs to be executed on the table output variable.
- Column: Corresponds to the column number in the generic table which contains the data you want to operate on.
- Return variable: Specifies the name of the variable that must be returned when the script is returned.
- Stop loop on error: Here you can specify if the script should continue upon encountering an error or not.

Example

In the following example, the use of the For-Each action is illustrated. We will create two forms. The first form will show the user a list of all users and the current groups of which they are a member. The second table in the form shows the available groups. The user is then asked to add the selected user to one or more selected groups. The script contains a For-Each action where for each row in the %SelectedGroup% variable the script in the second form will be executed. This script adds the group membership for each selected group.

1. Create a form Change Group Membership1 and add the following form elements:
   Text - "Select the user for whom you wish to change group membership"
   Table - Insert a table to show all users according to the following specifications:
   - Table type = LDAP query
   - LDAP filter = (objectclass=user)
   - Attributes = Users - general information + samaccountname + distinguishedname
   - Columns - Set the distinguishedname column to the variable %SelectedUser%
   Vertical Space
   Table - Insert a second table to show all groups according to the following specifications:
   - Table type = LDAP query
   - LDAP filter = All groups (&(objectclass=group))
   - Attributes = cn + samaccountname + distinguishedname
   - Columns - Set the distinguishedname column to the variable %SelectedGroup%
   Text - "Select one or more groups for which the selected user should become a member"
   Button
   - Text: "Add Group Memberships"
   - Manage actions: "Execute the script of the project that contains the form" and "Return the form of the current project".
2. Add the actions for the first form as follows. First we need to add an action which converts the multi-value variable %SelectedGroup% to a table. This table will be called "SelectedGroupTable".
   Manage table data
   - Table data operation: Convert multi-text variable into table
   - Table data variable: %SelectedGroupTable%
   - Multi-text variable: %SelectedGroup%
   Now we are ready to add the For-Each action, which will execute the script in the form Set Group Membership for each element (%SingleSelectedGroup%) of the table (%SelectedGroupTable%).
   For-Each
   - Table variable name: %SelectedGroupTable%
   - Script project: Set Group Membership
   - Column_01: %SingleSelectedGroup%
3. Create a second form with the name Set Group Membership and add the following action:
   Set group memberships (AD)
   - Active Directory Object property: %UserObject%
   - Active Directory name property: %SelectedUser%
   - Group names (variable): %SingleSelectedGroup%
4. Set the security for the two forms.

If you now run the first form, you should see something similar to the following screenshot:

In this case, the user Hendrik de Vries will be added to the following groups: USR_IT_GLOBAL, USR_IT_LOCAL.

If you need more help on setting up a generic table, please see Table form field - Generic table.

Script Action: Delete variable

Function

Delete a specific variable from the list of variables. If the value of a variable is no longer valid, it might be a good idea to delete the variable so it cannot accidentally be used in subsequent script actions.

Deployment

The execution of certain actions might invalidate the value of certain variables. To prevent incorrect usage of these variables, the variables can be deleted with this action.

Example: Suppose a script is used to move a user account from one domain to another domain in the same forest. The target user account has a number of properties, for instance the Security Identifier (SID). The SID can be used in User Management to set up directory permissions. Now suppose the user account must be moved, and then the home directory must be moved to another location. For the new home directory, permissions must be set up. The script actions involved are:

- Get user (AD): Bind to the user account. The user account and the security identifier are exported in variables (%UserObject%, %UserSid%).
- Move - rename user (AD): Move the user account to the new domain in the same forest. The variable %UserSid% now becomes invalid since a new Security Identifier is generated for the moved user account.
- Copy directory: Copy the original home directory to the new location and set up the new security settings using variable %UserSid%.
- Delete directory: Delete the original home directory.

In this example, the variable %UserSid% is no longer valid once the user is moved, and cannot be used to set up the new security settings for the target home directory. Instead, the variable %UserSid% should be deleted. Then a new Get user (AD) action should be used to determine the new value of the SID.

Properties

- Variable: The name of the variable to be deleted.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Script Action: Delay

Function

Wait for a specified number of milliseconds (1000 milliseconds = 1 second). This action can be used, for instance, before the retry of a failed action.

Deployment

In more complicated scripts, you might want to delay certain operations, for instance before an operation is retried or to limit network load. For this purpose, this action can be used. The action simply suspends the script for the specified time. Note that during this time, the script cannot be aborted.

Properties

- Delay (milliseconds): The delay specified in milliseconds.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Script Action: No operation

Function

No operation. The script action does not execute any operation. The script will continue immediately with the next action.

Deployment

This action is typically used as a reference point, e.g. as the target of a Go To script action.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Script Action: Go to Label, Help on help

Script Action: Generate random number

Function

Generate a random number and assign the value to a variable. The name of the variable and the minimum and maximum possible values of the random number can be specified.

Deployment

The action is used to generate random values. The random value is generated as a number. The minimum and maximum possible values can be specified. These limits are inclusive, i.e. the generated number can equal the value of these limits. The number is assigned to a variable as a numeric value. This variable can be used in other variables, including text variables, for instance to create a random user id number as described below:

1. Generate variable %ID% as a random number in the range 0,...,99.
2. Specify variable %UserID% as text value: User%ID%. See Script Action: Set Variable on how to do this.
3. Now if number 47 is generated (%ID%=47) the resulting variable equals User47 (%UserID%=User47).

Properties

- Variable name
  Description: The name of the variable that stores the generated random number.
- Minimum value
  Description: The minimum possible value of the generated number.
  Typical setting: 0
- Maximum value
  Description: The maximum possible value of the generated number.
  Typical setting: 999

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Script Action: Set Variable, Help on help

Script Action: Send mail message

Function

This action specifies the parameters for accessing the mail server and sending an e-mail message.

- To: E-mail recipient
- Cc: Cc is an abbreviation for carbon copy. If you add a recipient's name to this box in a message, a copy of the message is sent to that recipient.
- From: Name of the sender
- Subject: Subject line for the e-mail message
- Message: Body text for the e-mail message
- X-Sender: Some mail software expects 'Sender:' to be an e-mail address which you can send mail to. However, some mail software has as the best authenticated sender a POP or IMAP account, which you might not be able to send to. Because of this, some mail software puts the POP or IMAP account into an X-Sender header field instead of a Sender header field, to indicate that you may not be able to send e-mail to this address.
- Mail Server: The mail server which handles mail to addresses in the domain associated with the mail server
- Mail Server Port:
- Authentication:
- Username:
- Password:

Deployment

This action is typically used in a script where an e-mail needs to be sent as a result of a previous action.

Script Action: Log Variables

Function

Write the current value of all variables to the User Management log file. Note that this is not the same as the action to export the value of variables to a text file. It can be used at several positions in the same script to log the values of the variables at the moment the specific line of the script was executed.

Deployment

Typically used for script debugging purposes when developing or customizing a User Management script. If you want to output specific variables to a file for reviewing or post processing outside User Management, use the action Script Action: Export Variables.

Properties

This action has no configurable properties.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Name generation algorithms

Name Generation Algorithms

User Management Resource Administrator supports the creation of unique usernames automatically. This feature is mainly used when creating user accounts in Active Directory or NT4 domains. In these environments, a user account has multiple names. Some of these names must be unique, i.e. no user accounts with the same names may exist. To generate these names automatically and to make sure they are unique, User Name uses name generation algorithms.

Name Generation Algorithms

A name generation algorithm is a set of rules that define how one or more names can be composed from other names and how the resulting names can be made unique.

Example: when creating user accounts in Active Directory, 2 names must be unique. For the moment, we use the terminology Username and Full name for these names. For user accounts that are generated from an input file, the input data usually contains the First name, Middle name, Last name or a similar set of names. To generate the unique names, the name generation algorithm takes the three input names and, according to the rules of the name generation algorithm, composes the 2 output names. Next, if the names are not unique, the algorithm continues to iterate the generation cycle until the names are unique.

In User Management Resource Administrator, the number of input and output names, the methods used to convert the input names to output names and the way the names are made unique are completely configurable. All these configuration settings together are called a name generation algorithm. Name generation algorithms can be stored in files (.uga extension) and multiple name generation algorithms are shipped with User Management Resource Administrator.

Most organizations have a policy for how user account names need to be composed. By choosing and perhaps customizing one of these algorithms you can let User Management Resource Administrator create unique names that adhere to your company's syntax requirements.

To choose an algorithm, select Tools, Options from the main menu. Next, select tab Name generation and press the Manage button:

The window shows example values for the input names and a list with available algorithms and the results of these algorithms according to the specified values for the input names. By specifying values for the %FirstName%, %MiddleName% and %LastName% variables you can see the results of each of the available name generation algorithms. From this window, you can Add, Edit, Delete and Copy algorithms. It is advised to copy algorithms first before you customize them.

In practice, User Management Resource Administrator uses variables to specify the input and output names of algorithms. So the input names of the algorithm are specified by passing variables. The result of the name generation algorithm is stored as a value for other variables. For more information on variables, see Project operations - Variables.

More information: Script Action: Create User (AD), Script Action: Create User (no AD), Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help


Name Generation: Manage algorithms

A name generation algorithm generates one or more output names. For each output name, one or more name generation methods exist. A name generation method (short: method) specifies in detail how a single output name is generated from one or more input names. Further, the method specifies how to make the output name unique, i.e. how to iterate the method. The number of possible iterations with different outcome for the output name can be one, any other number, or unlimited. The simplest way to iterate the method is to add an increasing number at the end of the name: John1, John2, John3,....

The purpose behind name generation methods is to support completely different ways (methods) of composing the output name if the first results are not unique. So the algorithm starts with the first method of an output name. If the result is not unique, it tries the next iteration of the same method. If the number of iterations is exhausted, the algorithm continues with the next method.

Example: suppose an algorithm contains 2 methods to generate an output name. The first one has 5 iterations, and the second has an unlimited number of iterations. Then if no single name is unique, the algorithm generates the following possible names:

1. Method 1, Iteration 1
2. Method 1, Iteration 2
3. Method 1, Iteration 3
4. Method 1, Iteration 4
5. Method 1, Iteration 5
6. Method 2, Iteration 1
7. Method 2, Iteration 2
8. Method 2, Iteration 3
9. ...
10. ...

The methods 1 and 2 can use completely different rules to compose the resulting output names.

To create a new method for a new algorithm, select Tools, Options from the main menu. Next, select tab Name generation and press the Manage button. Press Add.

The Configure name generation algorithm window is used as a starting point to create a new algorithm or customize an existing one. The window contains 2 lists: the upper list shows all of the output variables for the algorithm. If you select an output variable in the upper list, the lower list shows the methods configured to generate the selected output variable. For each method the name of the method is shown and the number of iterations supported by the method. The order of the methods shown corresponds with the order used by the algorithm to generate the output name.

The most common operations initiated with this window are:

1. Add a new output variable name: Press the Add button in the upper section and specify the variable name of the new output name. If the variable name is not shown in the list, simply enter the name, enclosed in %-characters. The list only shows the variable names found in the active script properties. Once the output variable name is created, add one or more methods for the output name.
2. Change the methods for an output variable name: Select the variable output name in the upper list and select the method you want to change in the lower list. Press the Edit button in the lower section.
3. Add a method to an output variable name: Select the variable output name in the upper list and press the Add button in the lower section.
4. Change the order of the methods for an output variable name: Select the variable output name in the upper list and select the method you want to change the order for in the lower list. Use up and down buttons in the lower section to reposition the method.
5. Test the algorithm: To test the name generation for all of the output names and all methods, press the Test button. The Test name generation algorithm is shown and in the list with Algorithm results. Press the Test iteration button to start generating the names. Each time you press the button, the next iteration cycle is executed and the results are shown.

More information: Name Generation Algorithms; Name Generation: Formatting functions; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Name Generation: Setup algorithm methods

A name generation method (short: method) specifies in detail how a single output name is generated from one or more input names. For more information, see the topic Name Generation: Setup algorithm methods. To set up a method for a name generation algorithm you basically need to do three things:

1. Specify the input names that must be contained somehow in the output name: These name parts are specified as input variables. Note that the input names are not necessarily copied into the output name. Instead, you can format these name parts. Example: suppose the output username is composed of all characters of the last name and the first characters of the first and middle names. Then the output variable %Username% is composed of the input names %LastName%, %FirstName% and %MiddleName%. Note that the order of the input names matters.
2. Specify how to format each input name: You can copy an input name directly into the output name, but you can also format the input name and copy the formatted result into the output name. Example: The output variable %Username% contains the first character of the variable that represents the first name: %FirstName%. The format function takes the full %FirstName% and converts it into the first character only: John -> J. A number of formatting functions are available to change every name part: you can shorten the name, convert the case, remove and add characters, conditionally replace and delete characters, and so on.
3. Optional: Specify how to iterate the method: One method can generate multiple names by using an iteration name part (iterator). The simplest iterator is an increasing number, added at the end of the output name: 1, 2, 3, ... Several options are available to specify the iteration sequence and to position the iterator in the final output name.

To set up the algorithm method, open the Configure name generation algorithm window, select a method in the lower section and press Edit, or press Add to create a new method. The Configure method of name generation algorithm window is shown:

In the upper section of the window, you can manage the name parts that compose the output name. You can Add, Edit and Delete name parts and add an Iteration name part. Further, you can change the order of the name parts using the arrow buttons. In the lower section of the window, you can set up the format functions that apply to the name part selected in the upper list. Note that you cannot format the Iteration name part.

To Add a name part, press the Add button. The Specify name part input variable window is shown:

Select the input variable name from the list. If the list does not contain the variable name of your choice, simply enter the name in the field. You can customize the input names shown in the list. See the topic Name Generation: Default input names for more information. Once the input name is selected, the corresponding sample value for the input name is shown. When ready, press OK.

While you set up the method, the result is shown at the bottom of the window. The Temporary result name shows the value of the output name according to the sample values of the input variables and the current configuration of name parts and formatting functions. You can format this result again by pressing the Advanced button. This leads to the final result name shown in the field Result name. If you do not specify any formatting functions in the Advanced section, both result names are equal.

More information: Name Generation Algorithms; Name Generation: Formatting functions; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Name Generation: Formatting functions

The formatting functions are used to change the value of an input name to a new value that is part of the output name. Each function converts a single input text to an output text. The formatting functions are executed in order. Each next function takes the result of the previous function as its input value. Some functions require additional arguments, some just operate on the input text.

The Format name part window is used to specify a single format function. The window can be accessed from various locations:

1. When configuring name generation algorithms: To specify formatting functions, open the Configure name generation algorithm window, select a method in the lower section and press Edit, or press Add to create a new method. The Configure method of name generation algorithm window is shown. Select a name part in the upper list and press the Add button in the lower section.
2. When configuring the action Format variable value: Select the script action in the script (lower left section of the project window). The properties of the action show up in the lower right section of the project window. Double click one of the properties or select menu option Actions, Properties of variable actions. In the Properties window, press the button Format functions. The Format name specification window is shown. Press the Add button.

The window contains a list with all of the available formatting functions. When you select a function from the list, a Description of the function is shown at the bottom of the window. Further, if the function requires arguments, you can specify these in the Arguments section. At the top of the window, you can specify a test input name. The result of the selected format function is shown in the field Result.

More information: Script Action: Format Variable Value

Name Generation Algorithms; Name Generation: Formatting functions; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Name Generation: Iteration

The Iteration name part is used to make the output name of a name generation algorithm method unique. The value of the iteration name part changes every iteration cycle. A simple example of an iteration name part is an increasing number, usually added at the end of the output name: 1, 2, 3, ...

To specify the iterator field, open the Configure name generation algorithm window, select a method in the lower section and press Edit, or press Add to create a new method. The Configure method of name generation algorithm window is shown. Press the Iteration button. The Iteration name part window is shown:

The window contains all options to specify the iteration name part. You can choose whether the iteration name part must be an increasing number or an arbitrary sequence. For an increasing number, you can specify whether the number of iterations should be limited. For arbitrary sequences, the number of iterations is automatically limited to the number of entries in the sequence.

If the output name uses an iteration name part, the iteration name part is always included, that is, every time the method is accessed to generate a value for the output name. This holds even for the first time the method is called. For the first time, you might want to omit the iteration name part. This can be accomplished by using an empty value for the iteration name part. To enable this feature, select the option Always start the first iteration as an empty value.

More information: Name Generation Algorithms; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help
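The method and iteration order described in the name generation topics above, as an added Python sketch that is not UMRA code. The class and function names, the two sample methods and the sample input values are assumptions; the iterator is modelled as an increasing number at the end of the name, and the empty first value is assumed to count as one iteration.

```python
from itertools import count, islice


def first_chars(n):
    """Formatting function: keep only the first n characters."""
    return lambda text: text[:n]


def lower(text):
    """Formatting function: convert to lower case."""
    return text.lower()


def apply_formats(value, formats):
    # Formatting functions run in order; each takes the previous result as input.
    for fn in formats:
        value = fn(value)
    return value


class Method:
    """One method: ordered name parts plus a numeric iterator at the end."""

    def __init__(self, parts, iterations=1, first_empty=False):
        self.parts = parts              # [(input variable, [format functions])]
        self.iterations = iterations    # None means unlimited
        self.first_empty = first_empty  # first iteration uses an empty iterator value

    def _iterator_values(self):
        if self.first_empty:
            yield ""
        for n in count(1):
            yield str(n)

    def candidates(self, inputs):
        base = "".join(apply_formats(inputs[var], fmts) for var, fmts in self.parts)
        for suffix in islice(self._iterator_values(), self.iterations):
            yield base + suffix


def preview(methods, inputs, limit):
    """First `limit` candidates in the order the algorithm would try them."""
    stream = (c for m in methods for c in m.candidates(inputs))
    return list(islice(stream, limit))


def generate_name(methods, inputs, is_taken):
    """Return the first candidate that the directory does not already contain."""
    for method in methods:
        for candidate in method.candidates(inputs):
            if not is_taken(candidate):
                return candidate
    raise LookupError("all methods and iterations exhausted")


# Constructed sample: method 1 has 5 iterations, method 2 is unlimited.
SAMPLE = {"%FirstName%": "John", "%LastName%": "Smith"}
METHODS = [
    Method([("%LastName%", [lower]), ("%FirstName%", [first_chars(1), lower])],
           iterations=5, first_empty=True),
    Method([("%FirstName%", [lower]), ("%LastName%", [lower])], iterations=None),
]

if __name__ == "__main__":
    existing = {"smithj", "smithj1"}  # constructed set of names already in use
    print(preview(METHODS, SAMPLE, 7))
    print(generate_name(METHODS, SAMPLE, existing.__contains__))
```

The uniqueness check is passed in as a callable because the result is only as good as that lookup: a name that is free at generation time can still collide if two provisioning runs execute concurrently.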


Name Generation: Default input names

By default, the name generation algorithms can use the first, middle, and last name to compose the output name. To offer more flexibility, you can configure this. You can use any number of input variables and you can use any variable you like to compose the output name. Further, for every input name, you can specify a sample value that shows up in the various dialogs and windows to help you configure the algorithms.

To configure the input names, select Tools, Options from the main menu. Select page Username generation and press button Advanced. The Configure name generation settings window is presented. From this window, you can configure the default input variables that can be selected in the various dialogs and windows that are used to set up name generation algorithms. Use the Add, Edit and Delete buttons to manage the individual entries.

Note: If a variable is not part of this list, you can still use it in the name generation algorithms. The specification of these names is used only for display purposes.

More information: Name Generation Algorithms; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Name Generation: Embedded algorithms

Name generation algorithms are stored with the actions that use the algorithm. Examples: Script Action: Create User (AD) and Script Action: Create User (no AD). These actions have a property that specifies the name generation algorithm. By configuring this property you can select and specify the name generation algorithm.

To manage name generation algorithms, you can export and import the algorithms using files. Normally these files have the .uga extension. When User Management Resource Administrator is installed, a number of default name generation algorithms are installed. To view and manage these algorithms, select menu option Tools, Options, Username generation, Manage.

More information: Name Generation Algorithms; Name Generation: Formatting functions; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Password generation

For security reasons, User Management Resource Administrator supports automatic password generation. For each user account that is created, a password can be generated automatically. You can configure the complexity of the generated passwords from simple (examples: sbjg, kyfd) to very strong (examples: 2v>`<J)G\0unOY, 3 }3aca9i>4H8Q{v`TS). User Management Resource Administrator further supports the password complexity rules as used in Microsoft Windows 2003/2000/NT networks.

When the password is generated, it is stored in a variable. Next, this variable is used to actually set the password for the user account and to export the password to an export file. As an alternative, you can also use no password, read the password from the input data or set the password to a constant value.

You can specify the rules used to generate a password. To do so, select a script action that supports the Password generator property. This is either the action Create user (AD) or Create user (no AD). The script of a project is shown in the lower left section of the project window. Once the action is selected, the properties of the action are shown in the lower right section of the project window. Double click property Password generator or select the property and select menu option Actions, Properties of action property. Select option Use the following value and press the Edit button. The Password generator window is shown.

Using this window you can set up the rules used to generate the passwords. The section Predefined settings contains a number of generation settings that are the easiest to specify. Each setting specifies the values for the Password generation settings. These settings specify the minimum and maximum length of the password and the minimum and maximum number of characters of a specific type used to generate the password. Instead of selecting a predefined setting you can enter these values manually. To see an example of a password generated according to the current settings, press the Test button.

In the section Output variable you need to specify the name of the variable that must store the generated password. By default, this is the %Password% variable. It is advised not to change the name of this variable since it is used in related properties as well.

More information: Script Action: Create User (AD); Script Action: Create User (no AD); Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help
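A generator driven by the same kind of settings (minimum and maximum length, minimum and maximum count per character type), as an added Python example that is not UMRA's implementation. The character classes, function names and sample limits are assumptions; randomness comes from the operating system CSPRNG through the secrets module.

```python
import secrets
import string

_rng = secrets.SystemRandom()  # CSPRNG-backed; never use random.Random for passwords

# Assumed character types; the page does not list the types UMRA uses.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def generate_password(min_len, max_len, limits):
    """limits maps a character type to (min_count, max_count)."""
    floor = sum(mn for mn, _ in limits.values())
    ceiling = sum(mx for _, mx in limits.values())
    low, high = max(min_len, floor), min(max_len, ceiling)
    if low > high:
        raise ValueError("length range and per-type limits cannot both be met")
    length = _rng.randint(low, high)

    # Start every type at its minimum, then hand out the remaining positions
    # at random among the types that are still below their maximum.
    counts = {name: mn for name, (mn, _) in limits.items()}
    while sum(counts.values()) < length:
        open_types = [n for n, (_, mx) in limits.items() if counts[n] < mx]
        counts[_rng.choice(open_types)] += 1

    chars = [secrets.choice(CLASSES[n]) for n, k in counts.items() for _ in range(k)]
    _rng.shuffle(chars)  # remove the positional pattern left by the fill order
    return "".join(chars)


def satisfies(password, min_len, max_len, limits):
    """Check a password against the same settings, e.g. for a Test button."""
    if not min_len <= len(password) <= max_len:
        return False
    allowed = "".join(CLASSES[n] for n in limits)
    if any(ch not in allowed for ch in password):
        return False
    for name, (mn, mx) in limits.items():
        n = sum(ch in CLASSES[name] for ch in password)
        if not mn <= n <= mx:
            return False
    return True


# Constructed settings for a "strong" profile and a "simple" one.
STRONG = {"lower": (2, 6), "upper": (1, 4), "digit": (1, 3), "symbol": (1, 2)}
SIMPLE = {"lower": (4, 4)}

if __name__ == "__main__":
    print(generate_password(8, 12, STRONG))
    print(generate_password(4, 4, SIMPLE))
```

Four lowercase letters give only 26^4 (about 457,000) possibilities, so a "simple" profile of the kind shown in the page's examples is only suitable where the password is changed at first logon.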

Generic table

Generic table - Introduction

In addition to network data and fixed data, a generic table can also contain data from an LDAP or database query (MS Access).

Filling a table with data from an LDAP query

Using an LDAP query, you can specify which objects you would like to retrieve from the Active Directory (list of users, list of groups, last logon, etc.). For a query to work properly, you need to define the LDAP binding, an LDAP filter and the LDAP attributes. The examples below will show you how to configure a generic table using an LDAP query. For more detailed information on the individual steps, please see the topics mentioned above.

Example 1: Creating a table listing all users

1. Create a new UMRA form.
2. Right-click in the Form Design window and select Table from the Select form field type list.
3. Select Generic table in the Configure form field window.
4. Click the Configure... button.

5. Click the Configure... button. The dialog box Setup generic table will appear.

6. Select the option LDAP query. Several additional tabs will now become available in the Setup generic table dialog box: LDAP binding, LDAP filter, Attributes, Options, Variable and Run test.

7. Select the LDAP binding tab and choose the Global catalog binding. This will be the data source for your LDAP query.

8. Click the LDAP filter tab and select the predefined option All users from the list Example LDAP search filters. Then click the Insert button. This will insert the LDAP search string in the LDAP search filter window. To list all users, the LDAP search string becomes (objectclass=user)

9. Select the Attributes tab and select the predefined attribute Users - full details from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.

10. Click the Run test tab (for this example we will ignore the Options and Variable tabs and continue to the Run test tab to check if the filter returns the desired result). The result should be similar to the following screen:

Example 2: Creating a wildcard search for a user

In the following example we will create a form in which we ask the user to enter part of the user name. The first part will ask the user to enter part of the user name to search for, the second part will return a table listing all the users who meet the search criteria.

1. Create a new UMRA form with the name "List Users".
2. Right-click in the Form Design window and select Static text field from the Select form field type list.

3. Enter the text "Please enter the first three letters of the user:" in the text field and click OK.
4. Right-click in the Form Design window and select Input text field from the Select form field type list.
5. Enter "%User_Partname%" in the variable field. The user input will be stored in this variable. Click OK.
6. Right-click in the Form Design window and select Button from the Select form field type list. Type in "Search now" as the displayed text for this button and change the fixed width to 100 pixels.

7. Click the Manage actions... button and add the actions "Check the input fields of the submitted form" and "Return the form of project 'List Users'". Click OK twice to return to the design window.

8. Right-click in the Form Design window and select Table from the Select form field type list.
9. Select Generic table in the Configure form field window.
10. Click the Configure... button.
11. Click the Configure... button. The dialog box Setup generic table will appear.
12. Select the option LDAP query.
13. Click the LDAP filter tab and select the predefined option All entries with the string 'Bert' somewhere in the name from the list Example LDAP search filters. Then click the Insert button.
14. In the LDAP search filter window, replace *bert* with the variable *%User_Partname%* and click the Apply button.

15. Select the Attributes tab and select the predefined attribute Users - general information from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.
16. Click OK twice to return to the Form Design window.
17. Finally, you need to set the security for this form. Right-click in the Form Design window and select the Form properties command. In the Configure form properties dialog box which appears, click the Security tab.

18. Add the user who is authorized to execute this form. In the example shown above, this is the Administrator account for the domain T4EDOC.
19. Save the form.
20. Right-click in the Form Design window and choose the command Toggle Auto preview to see the runtime version of your form.
21. Type in the first three letters of the user name you want to search for, as shown in the screenshot below.
22. Press the Search now button to retrieve all the matching user names. In our example, only one user name meets the search criteria.
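Step 14 places form input (%User_Partname%) inside an LDAP search filter, and this page does not describe how UMRA treats filter metacharacters in that value. The following added Python example, which is not UMRA code, shows the RFC 4515 escaping to apply when the same substitution is done in your own scripts; the filter template (name=*%User_Partname%*) and the function names are assumptions.

```python
import re

# RFC 4515: these characters must be written as a backslash plus two hex digits
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_VARIABLE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")

# Assumed template: wildcards belong to the template, never to the user input.
TEMPLATE = "(name=*%User_Partname%*)"


def escape_filter_value(value):
    """Escape a value so it can only ever be data inside one condition."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def substitute(template, variables, escape=True):
    """Replace %Variable% placeholders in an LDAP filter template."""
    def replace(match):
        name = match.group(0)
        if name not in variables:
            raise KeyError(f"no value for {name}")
        value = variables[name]
        return escape_filter_value(value) if escape else value
    # A function replacement is inserted literally, so the backslashes
    # produced by the escaping are not reinterpreted by re.sub.
    return _VARIABLE.sub(replace, template)


def structural_parens(ldap_filter):
    """Number of conditions opened by the filter; escaped '(' is \\28, not '('."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    plain = {"%User_Partname%": "ber"}
    odd = {"%User_Partname%": "x)(cn=*"}   # constructed input with metacharacters
    print(substitute(TEMPLATE, plain))               # (name=*ber*)
    print(substitute(TEMPLATE, odd))                 # still one condition
    print(substitute(TEMPLATE, odd, escape=False))   # structure changed: two conditions
```

Comparing structural_parens() of the final filter with that of the template is a cheap regression check: if the counts differ, input has altered the shape of the query.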

Example 3: Showing a list of users who have not used their account since it was created

1. Create a new UMRA form.
2. Right-click in the Form Design window and select Table from the Select form field type list.
3. Select Generic table in the Configure form field window.
4. Click Configure... twice and select LDAP query as your table type.
5. Select the LDAP binding tab and choose the option Active Directory Root.
   Note: To retrieve all users who have not logged in since their account was created, we need to use the attribute lastlogon in our search filter. By default, this property is not included in the Global Catalog. If you wish to change this, you can add this attribute to the Global Catalog using the Active Directory Schema snap-in. Please refer to the Microsoft Help for more information on this topic.
6. Select the LDAP filter tab and enter the string "(&(objectclass=user)(lastlogon=0))"

7. Select the Attributes tab and select the predefined attribute Users - general information from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.
8. Select the Run test tab to test your LDAP query.

Filling a table with data from an MS Access database

Many user-related data are stored outside the Active Directory, possibly in another information system (e.g. a list of departments). Using a generic table, you can access these data and combine them with the information in your Active Directory.

Suppose we have a company X where the administrator would like to see the relation between user groups and departments. Based on this information he wants to perform certain actions such as removing group memberships, adding group memberships, etc. The user group data are stored in the Active Directory, but the relation between user groups and departments is stored in an MS Access database. Using a generic table in UMRA, these data can be accessed and queried. To work with an MS Access database, you need to set up the database, specify the database name and compile a database query.

See also: Table form field - Fixed data table; Table form field - Network data type

Generic table - Table type

A generic table can contain data from an LDAP or database query (MS Access). You will use this option to present a list of objects to the user and attach actions to the user selection (e.g. adding group memberships for all selected users in an OU).

See also: Table form field - Generic table

Generic table - LDAP search

LDAP search - LDAP binding

Previous actions:
1. Specifying the table type

There are three different methods to perform LDAP binding in UMRA:

Global Catalog
A Global Catalog is a searchable master index with data about all objects in a forest. Only information required to find an object is stored in the global catalog. When the first domain controller in the forest is set up, a default global catalog will be automatically created on this domain controller. Note that only domain controllers can be used as a Global Catalog server.

Active Directory root
This option will bind to the Active Directory root of the default domain controller. The Active Directory is a database which contains a schema defining all objects and attributes.

Binding string
If you have to run a search in another forest, you will have to use the Binding String option and specify either a domain name or a Global Catalog server to bind to.

Syntax:
LDAP://<DomainController> where <DomainController> is the domain controller you wish to bind to
GC://<DNS name> where <DNS name> is the DNS name of the global catalog server

In either case, you could also pass the name of the domain controller or DNS name as a variable. Using a wizard, for instance, the user could be asked to enter the name of the domain controller where UMRA needs to search for directory data. This domain name can be stored as a variable %DomainController% and used as input in the Binding string field. This example is illustrated in the two screens below. In the first screen, the user enters the domain controller name "t4edoc", which is stored as a variable (e.g. %DomainName%).

Next, the user is presented with a list of all the OUs on this particular domain controller:

In a similar way you could also bind to an OU on a domain controller using a variable. This variable can then be passed to another form in which you list all the user groups for a selected OU:

Next actions:

1. Defining the LDAP filter
2. Defining LDAP attributes
3. Setting LDAP options (optional)
4. Specifying a table variable (optional)
5. Running a search filter test

LDAP search - LDAP Filter

Previous actions:
1. Specifying the table type
2. Specifying the LDAP binding method

LDAP filter - General

Once you have specified the data source for your generic table (see Table form field - Generic table) and the LDAP binding method (see LDAP search - LDAP binding), you will need to specify which objects you would like to retrieve. In more technical terms, the search filter can be defined as a clause specifying the conditions that must be met for records to be included in the resulting recordset.

LDAP filter - Syntax

As mentioned above, you define all conditions that must be met for an object in the search filter. A condition takes the form of a conditional statement, such as "(cn=testuser)". Each condition must be enclosed in parentheses. In general, a condition includes an attribute and a value, separated by an operator. Conditions can be combined using the following operators (note that the operators "<" and ">" are not supported).

Operator   Description
=          Equal to
~=         Approximately equal to
<=         Less than or equal to
>=         Greater than or equal to
&          AND
|          OR
!          NOT

Conditions can also be nested using parentheses. Furthermore, you can use the "*" wildcard character in the search filter.

The LDAP filter in UMRA

For the LDAP filter in UMRA you can either make a choice from a list of predefined search filters under Example LDAP search filters or enter your own search filter directly in the LDAP Search filter window.

To select all users, for example, simply select the "All users" option and click the Insert button. The actual LDAP search syntax for this filter, "(objectclass=user)", will now appear in the LDAP search filter window.

Some examples of filtering actions

Each entry below gives the goal ("To") followed by the LDAP filter to use.

Return all user objects except those whose surname attribute equals "Macintosh":
    (&(objectclass=user)(!(sn=macintosh)))

Return all user objects with a surname that starts with sm:
    (sn=sm*)

Return all contacts with a surname equal to Smith or Johnson:
    (&(objectclass=contact)(|(sn=bridges)(sn=macintosh)))

Return all user objects with cn (Common Name) beginning with the string "Joe":
    (&(objectcategory=person)(objectclass=user)(cn=joe*))

Return all computer objects with no entry for description:
    (&(objectcategory=computer)(!(description=*)))

Return all user and contact objects:
    (objectcategory=person)

Return all group objects with an entry for description:
    (&(objectcategory=group)(description=*))

Return all groups with cn starting with "Helpdesk" or "Admin":
    (&(objectcategory=group)(|(cn=test*)(cn=admin*)))

Return all users with "Password Never Expires" set:
    (&(objectcategory=person)(objectclass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))
    The attribute useraccountcontrol is a bitmask attribute. See the section Bitmask attributes below for a detailed explanation.

Return all users with disabled accounts:
    (&(objectcategory=person)(objectclass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))
    The attribute useraccountcontrol is a bitmask attribute. See the section Bitmask attributes below for a detailed explanation.

Return all users with "Allow access" checked on the "Dial-in" tab of the user properties dialog of Active Directory Users & Computers. These are all users allowed to dial in. Note that "TRUE" is case sensitive (for this query to work, you need to bind to the Active Directory root):
    (&(objectcategory=person)(objectclass=user)(msnpallowdialin=TRUE))

Return all user objects created after a specified date (01/01/2005):
    (&(objectcategory=person)(objectclass=user)(whencreated>=20050101000000.0Z))

Return all users that must change their password the next time they log on (for this query to work, you need to bind to the Active Directory root):
    (&(objectcategory=person)(objectclass=user)(pwdlastset=0))

Bitmask attributes

The account status mentioned in the table above (locked out, enabled, disabled, etc.) is part of one attribute called the useraccountcontrol attribute. This is called a bitmask attribute: a single attribute actually contains numerous property values. The useraccountcontrol attribute holds the following property values:

- The user account is disabled.
- The account is currently locked out.
- No password is required.
- The user cannot change the password.
- The user password has expired.

In UMRA there are two different ways of evaluating bitmask attributes. You can either make use of the LDAP matching rule or specify a data conversion routine. The LDAP matching rule method is described below. The data conversion routine method for dealing with bitmask attributes is described in LDAP attributes - Data conversion routine (routine 1).

Using the LDAP matching rule

1. Create a generic table with an LDAP query as the table type.
2. Select the option Active Directory Root as the LDAP binding method.
3. Select the LDAP filter tab and enter the following LDAP filter string: "(&(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"

The first part of the filter, "(objectcategory=user)", specifies that we are only interested in users. The second part of this string requires further explanation. As mentioned above, if bit 2 of the useraccountcontrol attribute is set, the user account is disabled. This can be queried using the LDAP Matching Rule. The LDAP Matching Rule has the following syntax:

attributename:ruleoid:=value

where attributename is the LDAPDisplayName of the attribute, ruleoid is the object ID (OID) for the matching rule control, and value is the decimal value you want to use for comparison.

The value of ruleoid can be one of the following:

1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.
1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.

One example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the useraccountcontrol attribute. This attribute is composed of a combination of different flags. The flag that marks an object as disabled is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies useraccountcontrol with the UF_ACCOUNTDISABLE bit set would resemble this: "1.2.840.113556.1.4.803:=2"

4. Select the Attributes tab and select the "Users - names" and "useraccountcontrol" attributes.
5. Select the Run test tab and click the Test... button to check if you have obtained the required results.

Next action: LDAP search - Attributes
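How the two matching rules evaluate a stored useraccountcontrol value, as an added Python example that is not UMRA code. The account records are constructed sample data, the function names are assumptions, and the flag table uses the standard Windows UF_* constants, of which only UF_ACCOUNTDISABLE is named on this page.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR

UAC_FLAGS = {
    0x2: "UF_ACCOUNTDISABLE",
    0x10: "UF_LOCKOUT",
    0x20: "UF_PASSWD_NOTREQD",
    0x40: "UF_PASSWD_CANT_CHANGE",
    0x200: "UF_NORMAL_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x800000: "UF_PASSWORD_EXPIRED",
}

# attributename:ruleoid:=value, with or without the enclosing parentheses
_CLAUSE = re.compile(r"^\(?([A-Za-z][\w-]*):([\d.]+):=(\d+)\)?$")


def parse_clause(clause):
    """Split one matching-rule condition into (attribute, rule OID, mask)."""
    match = _CLAUSE.match(clause.strip())
    if not match:
        raise ValueError(f"not a matching-rule condition: {clause!r}")
    attribute, oid, value = match.groups()
    if oid not in (BIT_AND, BIT_OR):
        raise ValueError(f"unsupported matching rule {oid}")
    return attribute.lower(), oid, int(value)


def clause_matches(entry, clause):
    """Evaluate the condition against one directory entry (a dict)."""
    attribute, oid, mask = parse_clause(clause)
    if attribute not in entry:
        return False
    stored = int(entry[attribute])
    if oid == BIT_AND:
        return (stored & mask) == mask   # every bit of the mask must be set
    return (stored & mask) != 0          # at least one bit of the mask is set


def decode_flags(value):
    """Names of the known flags set in a useraccountcontrol value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def select(entries, clause):
    return [e["cn"] for e in entries if clause_matches(e, clause)]


# Constructed sample entries (512 = normal account).
ACCOUNTS = [
    {"cn": "alice", "useraccountcontrol": 512},
    {"cn": "bob", "useraccountcontrol": 514},      # disabled
    {"cn": "carol", "useraccountcontrol": 66048},  # password never expires
    {"cn": "dave", "useraccountcontrol": 66050},   # both
]

if __name__ == "__main__":
    print(select(ACCOUNTS, "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"))
    print(select(ACCOUNTS, "(useraccountcontrol:1.2.840.113556.1.4.803:=65538)"))
    print(select(ACCOUNTS, "(useraccountcontrol:1.2.840.113556.1.4.804:=65538)"))
    print(decode_flags(66050))
```

With a single-bit value such as 2 the two rules return the same entries; they differ only when the value combines several flags, as the 65538 queries show.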

LDAP search - Attributes

Previous actions:
1. Specifying the table type
2. Specifying the LDAP binding method
3. Defining the LDAP filter

General

In order to construct an LDAP query, you first need to have a basic understanding of the way in which objects are defined in Active Directory. Active Directory is object oriented, which means that all items in Active Directory are treated as objects. The information which is needed to describe an object is called an attribute. An object can be defined as a uniquely named set of attributes representing a network resource. The user account object, for instance, could include the attributes for the user's first and last name and the logon name.

Active Directory objects are constructed using classes. These object classes are created with a template which defines the attributes, schema rules and class hierarchy for the objects within an object class. The same principle applies to attributes, which require a template to define the syntax rules. Every object that can be created in Active Directory is an example of an object class.

The templates for object classes and attributes make up the Microsoft Active Directory schema. It contains definitions of every object class that can be created in an Active Directory, where each class has its own set of attributes. For example, the user class has attributes for Telephone-Number, Display-Name, Logon-Hours, and many more. Each and every attribute represents a piece of user information. These attributes are defined only once in the schema. For instance, the attribute "Description" could be used for the object class of both computers and printers, but in the schema it is defined only once. The schema keeps track of which attributes are used with each object class. This means that when a new object is created of the class "User", it will have the same attributes as all other user objects (full name, telephone, etc.).

Specifying LDAP attributes

In the LDAP filter you have defined which objects you want to retrieve. Using attributes, you will now specify which objects you want to include in the generic table. In UMRA, there are two different ways to do this:

1. Selecting a default attribute setting
2. Specifying an LDAP attribute using the Add button

1. Selecting a default attribute setting

You can select one or more predefined attributes from the Default attribute settings list to include in your query. The table below shows the corresponding LDAP name which is inserted in the Attributes window when you click the Set button.

Default attribute setting
    LDAP name | Display name | Description

A. Users - general information
    cn | Name | Name that represents an object
    description | Description | Contains the description to display for an object.

B. Users - locked out, disabled (A plus the following)
    useraccountcontrol | Locked out | Flags controlling the user account behaviour.
    useraccountcontrol | Disabled |

C. Users - locked out, disabled + more options
    A+B+D

D. Users - password options (A plus the following)
    useraccountcontrol | User must change password at next logon |
    useraccountcontrol | User cannot change password |
    useraccountcontrol | Password never expires |

E. Users - full details (C plus the following)
    profilepath | Profile path | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
    scriptpath | Script path | The path to the user's logon script
    homedrive | Home directory drive | Specifies the drive letter to which to map the UNC path specified by homedirectory.
    homedirectory | Home directory | The home directory for the account. If homedrive is set and specifies a drive letter, homedirectory must be a UNC path.

F. Users - names
    cn | Name |
    displayname | Display name | The display name for an object. This is usually the combination of the user's first name, middle initial, and last name.
    givenname | First name | First name of the user
    initials | Initials | Contains the initials for parts of the user's full name.
    sn | Last name | Contains the last name for a user
    samaccountname | SAM Account Name | The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.
    userprincipalname | User Principal Name | This attribute contains the UPN which is an Internet-style login name for a user based on the Internet standard RFC 822. By convention, this should map to the user e-mail name. The value set for this attribute is equal to the length of the user's ID and the domain name.
    distinguishedname | Object Distinguished Name | Same as the Distinguished Name for an object. Used by Exchange.

G. Users - last logon (A plus the following)
    lastlogon | Last Logon | The last time the user logged on. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.

For a complete overview of Active Directory attributes, please see the Microsoft website http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/attributes_all.asp

Example 1 - Obtaining a list of all users whose family name starts with <string>

In this example we will show you how to retrieve all users whose family name matches a specified string.
1. Create a generic table with an LDAP query as the table type.
2. Set the LDAP binding method to Global Catalog.
3. Select the LDAP Filter tab and select the following LDAP search filter from the Example LDAP search filters list: "Users with a last name that begins with 'h'".
4. Click the Insert button. The first part of the search string, "(&(objectclass=user)", specifies that we are only interested in the User class. The second part, "(sn=h*)", is basically an attribute filter which states that we want to retrieve all users whose surname starts with "h".
5. Change the string "(sn=h*)" to "(sn=m*)" in order to retrieve all users whose surname starts with the letter "M".

6. Click the Attributes tab and select the attributes you wish to see for the filtered objects. For this example, please select "Users - general information" from the Default attribute settings list. This will return the common name for an object and the object description.
7. Select the Run test tab. Click the Test... button to test your query. The result should resemble the following screenshot:

2. Specifying an LDAP attribute

Apart from selecting a default attribute setting based on its description (Users - last logon, Users - names) you can also specify an attribute yourself. For more information, see LDAP attributes - Attribute specification.

Next action: Generic table - Run test
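When the <string> in Example 1 comes from a form field or an input file rather than being typed by the administrator, it has to be escaped before it is placed in the filter. The following is an added example, not UMRA code: the function names are illustrative, the escaping follows RFC 4515, and the sample surname is constructed.

```python
import re

# RFC 4515: characters that have a special meaning inside a filter value
# and the escape sequence that replaces each of them.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute and class names are never escaped, only validated.
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape a string so it is treated as data, not as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def starts_with_filter(prefix, attribute="sn", object_class="user"):
    """Build the Example 1 filter: objects of a class whose attribute starts with prefix."""
    if not prefix:
        # "(sn=*)" is a presence test and would return every user with a surname.
        raise ValueError("prefix must not be empty")
    for name in (attribute, object_class):
        if not _NAME.fullmatch(name):
            raise ValueError("not a valid LDAP name: %r" % name)
    return "(&(objectclass=%s)(%s=%s*))" % (
        object_class, attribute, escape_filter_value(prefix))


def naive_filter(prefix):
    """Plain string concatenation, shown only for comparison."""
    return "(&(objectclass=user)(sn=" + prefix + "*))"


def group_count(ldap_filter):
    """Number of parenthesised groups; 3 for the two-condition filter of Example 1."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    surname = "Smith (jr)*"            # constructed input with filter metacharacters
    print(starts_with_filter("m"))     # the filter from step 5
    print(naive_filter(surname), group_count(naive_filter(surname)))
    print(starts_with_filter(surname), group_count(starts_with_filter(surname)))
```

With escaping, the filter keeps exactly the two conditions of Example 1 whatever the input contains; with concatenation, the input can add groups and wildcards of its own.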

LDAP attributes

LDAP attributes - Attribute specification

Apart from the default attribute settings as discussed in LDAP search - Attributes, you can also specify an attribute yourself.
1. In the Setup Generic table dialog box (based on an LDAP query), select the Attributes tab.
2. Click the Add button. The following dialog box will appear:

The LDAP name list in the Attribute window from which you can select an attribute, includes the most commonly used attributes. If the attribute you need is not in this list, please check the Microsoft website for a complete overview of all attributes (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/attributes_all.asp)

Attribute value conversions

Some attributes contain values which require data conversion. For more information about this topic, see LDAP attributes - Data conversion and LDAP attributes - Data conversion routine.

LDAP attributes - Data conversion

Some attributes contain values which are hard to interpret. The attribute lastlogon for instance, which is used to check when a user last logged on, returns a value which represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown. The following screenshot gives you an idea what this looks like:

In such cases you would probably want to present these values in a more user-friendly way. This can easily be achieved using data conversions.

Example - Specifying data conversion for the lastlogon attribute

1. Select the Attribute tab and click the Add button. This will bring up the LDAP Attribute specification dialog box.
2. In the LDAP name field, enter "lastlogon" (this attribute is not included in the default list of attributes).
3. Click the Setup... button under Data conversion.
4. Click the Add button in the Data conversion dialog box.
5. Select the operation Convert large integer (100ns,1-1-1601) to date-time (last logon).
6. Click OK. The data conversion routine is now added to the Data conversion routines window.
7. Click OK twice to return to the Setup Generic table dialog box. Note that the lastlogon attribute has now been added and that data conversion has been set to "Yes".
8. Select the Run test tab and click the Test... button. You will see that the original value representing the last logon for the Administrator has been converted to an understandable date-time format.

For more information on data conversion routines, see LDAP attributes - Data conversion routine.

LDAP attributes - Data conversion routine

In UMRA, data conversion routines are used to present returned attribute values in a more user-friendly way. In LDAP attributes - Data conversion an example was given on how to convert large integers to a date-time format. In total UMRA offers three data conversion operations:
1. Perform logical AND on the input value and specified argument
2. Convert large integer (100ns, 1-1-1601) to date-time (last logon)
3. Convert large integer to specified text if zero.

In this topic we will describe the use of operations 1 and 3 and zoom in on some other options in the Data conversion routine dialog box.

Perform logical AND on the input value and specified argument

The routine Perform logical AND on the input value and specified argument is used to evaluate so-called bitmask attribute values. A bitmask attribute is a single attribute that contains multiple properties and property values. For the sake of clarity, just consider a bitmask to be a bank of switches, with each switch representing a different property. If the switch for Account is disabled is on, then the account is disabled. If the switch is off, the user account is enabled. The only difficult part is that these "switches" do not have intuitive names such as "Account disabled". Instead, they have hexadecimal values like &H0040. The useraccountcontrol attribute for instance, holds the following properties and hex values:

Property                               Value
Logon script will be executed          &H0001
Account is disabled                    &H0002
Account requires a home directory      &H0008
Account is locked out                  &H0010
Account does not require a password    &H0020
User cannot change password            &H0040
Encrypted text password allowed        &H0080
Account password never expires         &H10000
Smartcard required for logon           &H40000
Password has expired                   &H800000

If you want to create a generic table which returns a list of all users with a disabled account, you need to do the following:
1. Select the Attribute tab and click the Add button. This will bring up the LDAP Attribute specification dialog box.
2. In the LDAP name field, select the useraccountcontrol attribute and enter "Disabled account" as the display name.
3. Click the Setup... button under Data conversion.
4. Click the Add button in the Data conversion dialog box.
5. Select the operation Perform logical AND on the input value and specified argument. This operation requires that you specify the value of the property as an argument in decimal format (not in hex format). The table above shows that the hex value for the property "Account is disabled" is "&H0002". This hexadecimal value needs to be converted to a decimal before it can be entered as an argument. This conversion can be done in any Windows calculator. In this case, the decimal value is "2".
6. Enter 2 in the Argument text field.
7. Click OK. The data conversion routine is now added to the Data conversion routines window.
8. Click OK twice to return to the Setup Generic table dialog box. Note that the lastlogon attribute has now been added and that data conversion has been set to "Yes".
9. Select the Run test tab and click the Test... button. Users with a disabled account are now displayed in the Disabled accounts column ("Yes" is disabled, "No" is enabled).

Converting a large integer to specified text if zero

The lastlogon attribute contains a value which tells us when a user last logged in. If the query returns a zero, it means that the last logon time is unknown. By default, this is not displayed. In the following screenshot for instance, the last logon time for the users "Guest" and "Frédéric Vallenet" is unknown, but not displayed as such.

By making use of the routine Convert large integer to specified text if zero, we can include a string to be displayed when the value of the lastlogon attribute is zero.
1. Select the Attribute tab and click the Add button. This will bring up the LDAP Attribute specification dialog box.
2. In the LDAP name field, enter "lastlogon" (this attribute is not included in the default list of attributes).
3. Click the Setup... button under Data conversion.
4. Click the Add button in the Data conversion dialog box.
5. Select the operation Convert large integer to specified text if zero.
6. In the Argument field, enter "Unknown". This will display the string "Unknown" for all user objects where the lastlogon attribute value is zero. Click OK.
7. Click OK. The data conversion routine is now added to the Data conversion routines window.
8. Click OK twice to return to the Setup Generic table dialog box. Note that the lastlogon attribute has now been added and that data conversion has been set to "Yes".
9. Select the Run test tab and click the Test... button. You will see that the zero value for the two user objects is now displayed as "Unknown".
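The three data conversion operations described above can be reproduced outside UMRA to check what a table column should show. This is an added example, not UMRA's own code: the function names and the sample rows are constructed, and the property values are the ones from the useraccountcontrol table above.

```python
from datetime import datetime, timedelta, timezone

# Properties and values from the useraccountcontrol table above
# (the manual writes them as &H....; Python writes 0x....).
UAC_PROPERTIES = {
    0x0001: "Logon script will be executed",
    0x0002: "Account is disabled",
    0x0008: "Account requires a home directory",
    0x0010: "Account is locked out",
    0x0020: "Account does not require a password",
    0x0040: "User cannot change password",
    0x0080: "Encrypted text password allowed",
    0x10000: "Account password never expires",
    0x40000: "Smartcard required for logon",
    0x800000: "Password has expired",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def logical_and(value, argument):
    """Operation 1: "Yes" when the bit given as a decimal argument is set."""
    return "Yes" if int(value) & int(argument) else "No"


def decode_useraccountcontrol(value):
    """Return (names of the properties that are set, mask of bits not in the table)."""
    value = int(value)
    names = [name for bit, name in UAC_PROPERTIES.items() if value & bit]
    known = 0
    for bit in UAC_PROPERTIES:
        known |= bit
    return names, value & ~known


def large_integer_to_datetime(value, text_if_zero="Unknown"):
    """Operations 2 and 3: 100 ns intervals since 1-1-1601 (UTC) to a date-time."""
    ticks = int(value)
    if ticks == 0:
        return text_if_zero          # zero means the last logon time is unknown
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed sample rows: (samaccountname, useraccountcontrol, lastlogon).
# An LDAP search returns both attributes as decimal strings.
SAMPLE_ROWS = [
    ("Administrator", "512", "116444736000000000"),
    ("Guest", "66082", "0"),
    ("jwilliams", "514", "132223104000000000"),
]


def build_table(rows):
    """Apply the conversions to each row, as the generic table columns would."""
    table = []
    for name, uac, lastlogon in rows:
        when = large_integer_to_datetime(lastlogon)
        if not isinstance(when, str):
            when = when.strftime("%Y-%m-%d %H:%M:%S UTC")
        table.append({
            "Name": name,
            "Disabled account": logical_and(uac, 2),              # &H0002
            "Password never expires": logical_and(uac, 0x10000),  # &H10000
            "Last logon": when,
        })
    return table


if __name__ == "__main__":
    for row in build_table(SAMPLE_ROWS):
        print(row)
    print(decode_useraccountcontrol("66082"))
```

Active Directory does not replicate lastlogon between domain controllers, so "Unknown" or an old date from one domain controller does not by itself show that an account is unused.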


LDAP search - Options

Previous actions:
1. Specifying the table type
2. Specifying the LDAP binding method
3. Creating an LDAP filter

LDAP search options

In this section you can define the scope of your LDAP search and some additional options for your LDAP search. The following sections describe in detail the various possible configurations.

Time limit options (by default not set)
    Maximum search time | Specifies the maximum time for the LDAP search. If the time limit is reached, the search is ended.
    Page time limit | Specifies the amount of time the UMRA client waits for a result set before terminating the search request.

Size limit options (by default not set)
    Total size limit | Specifies the size of the result set. If the result set reaches the specified size, the result set is considered complete.
    Page size limit | The maximum number of records to be processed by the domain controller and returned to the UMRA client before continuing the search.

Cache results options (set by default)
    Cache result | Specifies whether the result set should be cached to the client. For very large result sets, disabling caching will reduce memory consumption on the client.

Scope options
    Search subtree, including all the children and the base object (default) | The search includes the entire Active Directory structure below the search base.
    Search one level of the immediate children, excluding the base object | The search includes any immediate children (sub containers or OUs).
    Search base object only (result contains one object maximum) | This means that only the search base object is included in the search and no child containers or OUs. The maximum number of objects returned is one.

Referral chasing options
    Never |
    Subordinate referrals only | This option needs to be selected if the LDAP search requires proceeding into parts of the directory tree that are not stored on the current domain controller.
    External referrals only | The LDAP search needs to follow up references to an LDAP directory on another domain.
    Always |

Referrals

Every domain controller holds information about the other domains in the forest in the domain controller's Configuration container. When an LDAP search in Active Directory requires action on objects that are located on another domain controller, the client is referred to a domain controller that holds the requested object. This way, clients can query the root domain and reach the appropriate domain controller without having to know the name or location of the child domain.

Generic table - Database query

Database query - Database specification

When you insert a generic table form field or when you choose the Generate generic table script action, you can select either an LDAP search or an MS Access database as the primary data source for your generic table. If your data source is an MS Access database, please select the option "Database query" in the Setup generic table dialog box.

Next steps:
1. Selecting a database
2. Specifying a query

Database setup

Database setup - MS-Access (Jet)

Specifying an MS Access database

1. Right-click in the Form Design window and select the Add form Field command.
2. Select the Table option from the Select form field type list and click OK. The Configure form field dialog box will appear.
3. Select the option Generic table and click the Configure... button. The Configure Table dialog box will appear.
4. Click the Configure... button and select the option Database query from the table type list and click OK. The Setup Generic table dialog box will appear.
5. Click the Configure... button in the Database specification window to specify the MS Access database (.mdb file) you wish to use (in the screenshot below a connection is made to the database Departments.mdb).

Note: Please ensure that the specified path to the database can be accessed by the UMRA module. In most cases you will define a share for storing the MS Access databases (e.g. \\<Computer name>\<share name>) instead of pointing to an absolute path name.

Database query - Query

Previous steps:
1. Specifying the data source
2. Specifying the MS Access database

Once you have completed these steps, you are ready to create a database query. For example, suppose we have an MS Access table called Users.MDB which contains a table Users with the following information:

The query syntax for retrieving all the table data is

SELECT * FROM USERS

Since the query can be considerably more complex than the one for this example, we would advise you to construct the query in MS Access until you are absolutely certain that your query returns the required result. If this is the case, then copy the SQL query into UMRA as follows:
1. Select the Query tab in the Setup generic table dialog box.
2. Paste the query into the Database query window.
3. Click the Run test tab and click the Test... button to check once more if the query is working correctly.


Generic table - Variable

The resulting record set of a query (either an LDAP or database query) can be assigned to a variable so that you can refer to it when creating actions.

Generic table - Run test

Once you have fully completed your search filter for either the LDAP search or the MS Access database, you are ready to test the resulting record set.

Testing the LDAP search filter

1. Make sure you have defined a search filter and that you have specified the attributes you wish to see. For example, enter a search string to retrieve all the user groups starting with USR_: "(&(objectcategory=group)(cn=usr_*))"
2. In the Attributes tab, select "Users - general information" and click the Insert button.
3. Select the Run test tab. If you click the Test... button you should get a list of all the user groups starting with the string "USR_":

Run test on UMRA Service

Use this option to check if the search request can also be handled correctly by the UMRA service. If the UMRA service does not have sufficient security privileges to perform the LDAP search, you will receive an error.

Testing the MS Access database search filter

Before you can start testing, you must have specified the database you want to access and defined the SQL filter. We would advise you to perform the latter in MS Access and copy it into UMRA, since UMRA cannot "see" the actual database records. Suppose you have the following MS Access table:

The following query has been used in the database query field. This should return a recordset containing all records in the table TestUsers. If you now press the Run test tab and click the Test... button, the following data will appear:

Note: You can also test if the UMRA service has all privileges needed to run the query. To do so, select the option Run test on UMRA Service. For instance, if the MDB file is located on a share to which the UMRA service has no access, you will receive the following error message:

Condition criteria

Condition criteria - Introduction

Condition criteria are also known as control structures in the world of programming. In UMRA, the If-Then-Else action offers the possibility to execute an action if one or more conditions are met. It is very common to include some code that is only executed if certain conditions are met.

If/Then/Else

The If/Then/Else statement allows you to evaluate a condition and then perform different actions depending on the results of that condition. For detailed information on how to set up an If-Then-Else variable action in UMRA, see Condition criteria - Setup and Condition criteria - Setup criterion.

Condition criteria - Setup

1. Drag the If-Then-Else action to the Script Actions window and double-click on "If...Then Goto label:". The Properties dialog box will appear:

In the IF section of this dialog box, you can specify your evaluation criteria.
In the Then section you specify which action should be executed if the condition is TRUE.
In the Else section you specify which action (if any) needs to be executed if the condition is FALSE.

2. Click on the Edit button to edit an existing criterion or to add a new criterion.


Condition criteria - Setup criterion

In the Setup criterion dialog box you must specify how the variable in your If-Then-Else condition should be evaluated. The variable type can be text, numeric, date-time or a boolean. The equation operator can be one of the following:
- has no value or does not exist
- equals (case sensitive and case insensitive)
- contains (case sensitive and case insensitive)
- starts with (case sensitive and case insensitive)
- ends with (case sensitive and case insensitive)

If you need to obtain an inverted result (e.g. does NOT equal), the option Invert the result should be marked.

Directory security

Security - Overview

User Management Resource Administrator supports Windows 2003/2000/NT permissions for all objects with security settings. For files and directories you can set up the specific security settings that must apply. User Management Resource Administrator uses similar windows as the Windows 2003/2000 graphical user interface to facilitate the configuration of the permission settings. In User Management Resource Administrator, the security settings can contain variables. At runtime, these variables are replaced by their actual values to calculate and set the effective permissions.

The security settings are primarily used for directories created with script action Create directory. To set up the security settings, select the action Create directory in the script section (lower left) of the project window. The properties of the script action are presented in the properties section (lower right) of the project window. Double click property Security or select the property and select menu option Actions, Properties of action property. Select option Use the following value and press the Edit button. The Directory security properties window is presented.

The window contains two lists containing names of accounts (upper list) and permission settings (lower list). The upper list shows the accounts for which permissions are defined for the target object (e.g. the directory). These accounts can be specified using existing account names or names containing a variable (as opposed to the equivalent Windows 2003/2000/NT window). By using variables, you can set up security settings for User Management Resource Administrator scripts, e.g. permissions for user accounts that do not already exist but are specified only by a variable name. To add new accounts, press Add. See Directory security - Adding accounts and permissions for more information.

In the lower section of the window, you can set up the basic permissions for the account selected in the upper list. For the permission values shown, simply check the Allow or Deny option to configure the permission setting. In this permission list, you can set up only basic permissions. For most purposes, this will be sufficient. To set up more advanced permission settings, press Advanced.

In Windows 2003/2000/NT, you can set up permissions that are inherited (copied) from the parent object. For directories, the parent object is the directory of which the target directory is a subdirectory. You can specify if inheritable permissions (as specified for the parent object) should be inherited by the target object. Use the option Allow inheritable permissions from parent to propagate to this object. If you do not select this option, the permissions of the target object are called protected since inheritable permissions from the parent object will not be copied to the target object.

More information: Script Action: Create Directory; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Security - Adding accounts and permissions

Access control settings are organized per account. For each account, permissions are specified. To start setting up a permission entry, you need to specify an account first. Then, you can set the permissions for the new account.

To add an account, press the Add button in the Directory security properties window. See Security - Overview for more information and how to access this window.

The Specify input name window is used to specify the name of an account for which permission settings are set up. The name can be specified as:
1. An existing account name of a user or group: Enter the name or press the Search button to search for the account name. Example: the administrators group of domain SEASONS, e.g. SEASONS/Administrators. Note: at run time, User Management Resource Administrator converts the actual name into its Windows 2003/2000/NT Security Identifier (SID). In order for this conversion to succeed, User Management Resource Administrator must be able to access a domain controller that maintains the specified account name.
2. A name containing a variable(s): In this case the variable name is resolved at runtime. This construction is often used for names containing 2 components with one well-known name. Examples: %Domain%\Administrators, %Domain%\Users. To select a variable, select it from the Variables list or enter the variable name and press Insert.
3. A single variable name: In this case, the name corresponds with the value of a single variable. The type of the variable can differ from the regular text type. For instance, when a user is created by User Management Resource Administrator in Active Directory, a specific object is created, which is the Security Identifier (SID) of the user account. This object uniquely identifies the new user account and where possible you should use the variable that holds this object. The object is by default stored in an output property variable - %UserSid% - and it should be used to identify the user account in subsequent script action properties. So if you create a user account in Active Directory and want to set up permissions for a directory that include the user account, use the variable %UserSid%.

More information: Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Security - Access Control Settings

To specify detailed permissions settings you should use the Access Control Settings window. To start, select the action Create directory in the script section (lower left) of the project window. The properties of the script action are presented in the properties section (lower right) of the project window. Double click property Security or select the property and select menu option Actions, Properties of action property. Select option Use the following value and press the Edit button. The Directory security properties window is presented. Select a user account in the upper list or create a new account. Next, press the Advanced button. The Access Control Settings window is shown:

The window shows a list with all permissions set up for the account. For each permissions entry, a single line is shown. Use the Add, Remove, View/Edit buttons to manage individual permissions entries.

In Windows 2003/2000/NT, you can set up permissions that are inherited (copied) from the parent object. For directories, the parent object is the directory of which the target directory is a subdirectory. You can specify if inheritable permissions (as specified for the parent object) should be inherited by the target object. Use the option Allow inheritable permissions from parent to propagate to this object. If you do not select this option, the permissions of the target object are called protected since inheritable permissions from the parent object will not be copied to the target object.

More information: Security - Overview; Script Action: Create Directory; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Security - Detailed permissions settings

With the Permissions entry windows you can specify detailed permissions for an account. You can specify the permission settings themselves and the objects to which the permissions apply. To access the window, open the Access Control Settings window first. Select an entry from the list with permissions and press Edit. To add a new entry, press Add. You will be presented with the Permission entry window.

The window contains several sections:

Name
Specify the name of the account for which you want to set up permissions. The account name can contain variables. For more information, see Security - Adding accounts and permissions.

Apply onto
Specify the objects to which this permission entry specification applies by specifying one of the possible options. With this specification you determine if the specified permission applies to the target object (directory), contained child objects (files), contained subfolders or a combination of these options.

Permissions
A list with possible permissions. For each permission you can either Allow, Deny or not specify the permission.

Apply these permissions to objects and/or containers within this container only
This option is almost never used.

More information: Security - Overview; Script Action: Create Directory; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

Security - Owner

For new directories and other items, you can specify the permissions and optionally the owner. See Security - Overview for an introduction on this topic. To specify the owner, select the tab Owner in the Directory security properties window.

You can either specify the owner or let the operating system generate the owner for you. By explicitly specifying the owner of an item, you have more control. The owner can be specified using a fixed name or by using variables.

More information: Security - Overview; Script Action: Create Directory; Principle of operation; Project operations - Input data; Project operations - Manage script actions; Project operations - Variables; Help on help

User Management Resource Administrator 7.2 Mass project Principle of operation The principle of an UMRA mass project is best explained by describing an example. Suppose, you want to create a number of user accounts in Active Directory, and setup an Exchange mailbox, home directory and group memberships for the new accounts. To fulfill this task in User Management Resource Administrator, a project as shown in the window below is used: Each User Management Resource Administrator project contains 3 main items: 1. Input data (upper part of project window) 2. Script (lower left part of project window) 3. Link between script and input data (column header of upper part window) Input data The Input data, usually obtained from a file or network operation, specifies the user accounts that must be created. The input data has a tabular form and is shown in the upper part of the project window. The input data is line oriented and has the same format for every line. In the described example, each line of the input data corresponds with a single user account. For each user account, the necessary information must be specified. Further, the input data can contain additional information that is not required or used to create the account. By default, de input data of a project is a (link to a) file. For more information on input data, see Input data Scripts, actions and properties For each user account, a number of actions are performed: the account is created in Active Directory, an Exchange mailbox is created, the home directory is created and group memberships are setup. All of these actions are contained in the script of the project. By default, the script actions are executed one after the other but programming actions are available to control the order of action execution. Together, the script actions form the script of the User Management Resource Administrator project. 244

Each script action has a number of predefined properties. For instance, the script action Create user in Active Directory has a property that specifies the name of the organizational unit in which the user is created. Some of the properties of an action are mandatory, others are optional. For instance, to create a user account in Active Directory, the name of the organizational unit or domain must be specified. But a value for the description of the user is not required.

The Input data, usually obtained from a file, specifies the data that is different for each user account that must be created. In this sample project, the input data for instance contains the last name, first name and phone number for each user account. It is obvious that this type of information differs for each user account.

The Script specifies the actions that must be executed for each line of the input data, e.g. for each user account. In this project the script contains the following actions: Create user (AD), Create Exchange mailbox, Create directory and so on.

Each script action contains a number of properties (lower right part of project window). The properties for each action are shown when the action is selected in the lower left part of the project window. An example of a property is the SurName of the action Create user (AD). When all properties of an action are specified, User Management Resource Administrator can execute the action. Two different types of properties exist:
1. Properties that have a constant value: For these properties, the value should be the same for each user account that is created. Examples: the name of the domain, the name of the Exchange server, the setting User cannot change password.
2. Properties that have no constant value: For these properties, the value is different for each line of the input data. Examples: Given-name, SurName, phone number.

In UserManagement, properties of both types are specified using variables. For properties with a constant value, the variable can be assigned a value in the beginning of the script. Example: %Domain%=SEASONS. For this type of property, the variable is assigned the same value each time the script is executed. For properties that have no constant value, the value must correspond with a column of the input data. For every line of the input data, the variable is assigned a different value. Example: the action Create user (AD) contains the property SurName. In this project, the value of this property is set equal to the (value of) variable %LastName% (see project window). The second column of the input data corresponds with this variable. When the script execution is started, the first line of the input data is read and the variable is set to: %LastName%=Williams. Then, if the Create user (AD) action is executed, the property is set to: SurName=%LastName%=Williams -> SurName=Williams.

When creating projects in User Management Resource Administrator, you have complete freedom to use and specify variables, manipulate the value of variables and assign variables to input data columns. The resulting project script can be seen as a black box that performs a specific task when fed with values for the input variables. In this project, the task is the creation of the user account and properties, home directory, group memberships and Exchange mailbox. Some of the variables used in the script are specified as constants, the other variables get a value from the input data.

To create the user accounts and resources, the script is executed for each line of input data. So for each input line from the input data, User Management Resource Administrator reads the value for each column. This data is the input data for the script and is fed to the script. The script actions are then executed one by one. Then the process starts over again with the next line of the input data.
Values and variables

To set up a script action, you must set up each property of the script action. A property is set up by specifying the value of the property. The value of a property can be specified by one of the following:
1. Constant value: When the value should be the same each time the script is executed. Example: the name of the domain, or a flag indicating if the user must reset the password.
2. No constant value: The value is different each time the script is executed. Example: The first name of the user account.
3. No value (optional property values only): The property is not used in this script. Example: The Active Directory attribute that specifies the telephone number of the user account.

To specify the values, variables can be used. A variable is a placeholder for the actual value. A variable has a name that is normally enclosed with %-characters. Examples: %Domain%, %FirstName%, %LastName%, %ExchangeServer%. At runtime, the application replaces the variable name by the actual value: %Domain%=tools4ever.com, %FirstName%=John etc.

Variables can be used for both constant and non-constant property values. For constant values, the property value is specified as a variable name and the variable's value is assigned as a script action in the beginning of the script. For non-constant values, the property value is specified as a variable that corresponds with a column of the input data.

In the figure shown, the input data contains a column linked to variable %LastName%. The script of the project contains the property SurName in script action Create user (AD). By resolving the variable, the property gets a value that equals the value of the corresponding column of the input data.

More information: Input data, Script actions, Variables, Help on help
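The per-line variable resolution described in this topic, written out as an added Python example; it is not UMRA code and not part of the original documentation. The dictionary representation of the script, the Phone column, the rows other than Williams, the file server name FILESRV, and the choice to stop a line when a mandatory property resolves to an empty value are assumptions of the example.

```python
import csv
import io
import re

# Constructed input data: first line contains headers, one account per line.
INPUT_DATA = "FirstName,LastName,Phone\nJohn,Williams,555-0101\nMary,Stone,\nAnn,,555-0102\n"

# Link between input data columns and script variables (column header -> variable).
COLUMN_LINKS = {"FirstName": "%FirstName%", "LastName": "%LastName%", "Phone": "%Phone%"}

# Script actions, executed one after the other for every input line.
# The dictionary layout and the FILESRV share are hypothetical.
SCRIPT = [
    {"action": "Set variable", "set": {"%Domain%": "SEASONS"}},
    {"action": "Create user (AD)",
     "mandatory": {"Domain": "%Domain%", "Given-name": "%FirstName%", "SurName": "%LastName%"},
     "optional": {"Telephone": "%Phone%"}},
    {"action": "Create directory",
     "mandatory": {"Path": r"\\FILESRV\home\%FirstName%.%LastName%"},
     "optional": {}},
]

VARIABLE = re.compile(r"%[A-Za-z][A-Za-z0-9_]*%")


def resolve(template, variables):
    """Replace each %Name% by its value; also return the names left without a value."""
    missing = []

    def substitute(match):
        name = match.group(0)
        value = variables.get(name, "")
        if not value:
            missing.append(name)
            return name
        return value

    return VARIABLE.sub(substitute, template), missing


def run_line(row, test_mode, apply):
    """Execute the script once, for a single line of the input data."""
    variables = {var: (row.get(col) or "").strip() for col, var in COLUMN_LINKS.items()}
    executed = []
    for step in SCRIPT:
        if "set" in step:  # constant values are assigned at the start of the script
            variables.update(step["set"])
            continue
        properties, missing = {}, []
        for name, template in step["mandatory"].items():
            properties[name], unresolved = resolve(template, variables)
            missing += unresolved
        if missing:  # assumption: never create an account from an incomplete line
            return {"status": "error", "action": step["action"],
                    "missing": sorted(set(missing)), "executed": executed}
        for name, template in step["optional"].items():
            value, unresolved = resolve(template, variables)
            if not unresolved:  # "No value": the optional property is not used
                properties[name] = value
        if not test_mode:  # in test mode nothing is changed, only recorded
            apply(step["action"], properties)
        executed.append((step["action"], properties))
    return {"status": "ok", "executed": executed}


def run_project(input_text, test_mode=True, selection=None,
                apply=lambda action, properties: None):
    """Run the script for every line, or only for the selected line numbers."""
    rows = csv.DictReader(io.StringIO(input_text))
    results = {}
    for number, row in enumerate(rows, start=1):
        if selection is None or number in selection:
            results[number] = run_line(row, test_mode, apply)
    return results


if __name__ == "__main__":
    for number, result in run_project(INPUT_DATA).items():
        print(number, result)
```

Reviewing the test-mode result for each line before a real run shows which accounts would be created and with which resolved property values, and which input lines are incomplete.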

Input data

The input data of a UMRA project specifies the data that is used as input data for the project's script. The input data of a mass project has a tabular format. For each line of the input data, the script of the project is executed. Columns of the input data can be linked to script variables. Each time the script is executed, the corresponding values of these variables are set equal to the content of the column.

The input data is obtained from either a file or a network browse operation. In the sequel of this topic, it is assumed that the input data is obtained from a file. For more information on network browse operations, see Project operations - Network bar.

The input data is shown in the upper part of the project window. In the example shown, 4 lines of input data are shown. The second column corresponds with script variable %LastName%. The input data is normally read from a text file but the input data can also be part of the project. In this case, the input data is embedded in the project. For more information on the relation between input data and the script of the project, see Principle of operation.

You can always change the file - input data of any project. To read the data from a file, either select main menu option File, Import or right click the mouse in the input data area of the window and select menu option Import. A wizard is started that allows you to specify the file that contains the input data. In the first window, select the file. In the next window of the wizard, you can specify how User Management Resource Administrator must read the data of the file.

You first need to specify if the columns of the input data are delimited or if the columns have fixed width fields. In the delimited section you can specify all characters that are regarded as delimiter characters. If the file contains fixed width columns, select Fixed width, and specify the fixed width positions in the field. In case the first line contains headers, select option First line contains headers. In this case, the names of the column headers in the upper part of the project window are set to the column names read from the file. Press Finish to import the data.

Once the data is imported, you can manage the project properties by right-clicking in the input data section. Select menu option Properties.

For more input data options, see Project operations - Advanced options.

More information: Principle of operation, Project operations - Network bar, Project operations - Manage script actions, Project operations - Variables, Help on help

Running a project

To start working with User Management Resource Administrator mass projects, it is recommended to run a sample project first. The UMRA wizard that is started automatically when you start the application for the first time will show you how to do this. To open a mass project, select File, Open mass project... To start with a new mass project, select File, New and select Mass project.

When you run the project, the script of the project is executed for each line of the input data of the project. To customize the project, you might want to change the input data of the project, or change script actions or add other actions to the script. To run the project, you have several options, described in the section below.

Test mode

User Management Resource Administrator allows you to run a script in test mode first. In test mode, the script is executed as far as possible, but no actual changes are made to the network. So, nothing is changed. The test mode can help you to set up a script and all of the script action properties. In test mode, all logging features are available. The log window and log files will show the fact that test mode is enabled. Test mode is enabled by default. To toggle test mode on and off, select menu option Action, Test only. When the menu option is highlighted, test mode is enabled.

Run the script

You can run a script in test mode or real mode. The following run options are available, both in test and real mode:
1. Step: Execute the script for the next line of input data. The script is executed once. When you select this option again, the script is executed again for the next line of input data. Once you have selected this option and select Run, script execution continues for all remaining lines of the input data.
2. Run: Execute the script for all lines of the input data. If you selected the Step menu option before you selected this option, script execution continues with the remaining lines of the input data.
3. Run selection: Execute the script for the selected lines of the input data only.
4. Abort: Stop the current execution. You need to confirm this selection. When you select this option again, the status for all input data lines is reset.

More information: Principle of operation, Project operations - Input data, Project operations - Manage script actions, Project operations - Variables, Help on help

Exporting data

The input data of a User Management Resource Administrator project can be printed and exported to a file. To print the data, simply select menu option File, Print. To export the data, select menu option File, Export. The same data as shown in the input data section of the project is exported. Optionally, the resulting export file can be shown in a text editor automatically.

Advanced settings

To set up the advanced project options, right click the input data section of a project and select menu option Properties. Select window tab Advanced. Alternatively, select main menu option View, Properties. The following advanced options can be configured:

Data embedded in project

The input data of a User Management Resource Administrator project is obtained from a file or network browse operation. By default, the application stores the link, e.g. the name of the file or parameters of network browse information, for the project. As an alternative, you can embed the data into the project and not store the link to the data. This is useful if you want to store all of the project information, including the input data, in the project. If this option is selected, the option Reload the input data when the project is opened is not available.

Reload the input data when the project is opened

For each project, the project input data is stored in the project together with a link to the project data. If you select this option, the input data of the project is reloaded when the project is opened. If the input data is obtained from a file, the file is read. In case the input data originates from a network call, the data is reloaded from the network. This option is selected for file input data by default.

More information: Project operations - Input data, Project operations - Network input data, Name Generation Algorithms

Configure predefined variables

The script of a User Management Resource Administrator project can contain variables. To run a project, the variables need to be configured. The project can contain additional information for the variables. With the option Configure predefined variables this information is shown for each variable to help you specify the variable values.

The top section of the window describes the variable. It shows the variable name (%Domain%), a description and some example values. In the bottom section of the window, you need to specify the variable. If the value of the variable should be the same each time the script is executed for a line of the input data, select option Constant and specify the value of the variable. If the value of the variable corresponds with a column of the input data, select option Input data column and select the column from the list with available columns.

More information: Quickstart, Help on help, Principle of operation, Project operations - Manage script action properties, Project operations - Variables

Specifying predefined variables

Each User Management Resource Administrator project contains a number of customizable comment fields. These fields can help an end-user to choose a project and set up the variables of the project. All the comment fields are customizable. For each project, you can define the following comment fields:

Project comment

This field contains a description of the project. It is shown when the mouse cursor is positioned above the name of the project in the Projects bar, and in the wizard. To set up this field, access the project properties and select tab Project comment.

Variable info

You can define a comment field for each variable used in the script. This information is used in the wizard only. In the wizard, the user can set up the value for one or more variables. For each variable with the variable info field defined, a separate window (Wizard - Setup variable) is shown in the sequence of wizard windows. You need to set up the variable info field if you want this information to show up in the wizard. To start, access the project properties and select tab Variable Info:

In the example shown, the field is defined for 6 variables. Note that the script may contain more variables. Use the Add, Edit and Delete buttons to manage the individual entries. Use the arrow buttons to determine the order of the entries. The order corresponds with the sequence of windows shown in the wizard. When you set up an individual entry, the Specify variable info window is shown.

The window contains the following fields:

Variable: Select the variable from the list. The list shows the variables that are found in the script.

Description: The comment field describing the variable. From this description field, the user should be able to understand what the variable is used for.

Default value: The default value for the variable or an instruction for the user. If the value is specified as a constant value, this value is shown in the corresponding field of the wizard.

Example values: Some possible values to help the end user specify the value.

Probably a constant value: When this option is selected, the wizard by default selects the option to specify a constant value. Once specified (user presses Next in the wizard) a Script Action: Set Variable is inserted at the beginning of the script. This action actually sets the value of the variable.

Empty value allowed (blank): When specified, the application will not execute the script if no value is specified for this variable.

More information: Quickstart, Help on help, Principle of operation, Project operations - Manage script action properties, Project operations - Variables

Form project

Form project - Principle of operation

The principle of a UMRA form is best described with an example. Suppose we want to delegate the task of unlocking accounts of a particular OU to a helpdesk employee. In the final result, the UMRA project, created with the UMRA console application looks like this: and the corresponding form looks like this:

Form project

The UMRA form project contains 2 sections:
1. Form design (upper part): This section contains all the form fields that make up the form. In the example shown, the form fields include a picture, some text (Unlock account), a table (with account to become unlocked) and a button (Unlock account).
2. Script (lower part): The actions executed when the button (Unlock account) is pressed. In this case, the action is Edit user logon. The script of a UMRA form project is equal to the script of a UMRA mass project. See Project operations - Manage script actions for more information.

Form design

The form of a UMRA form project is completely configurable. A number of different types of form fields are available to make up the form. For each form field, you can specify formatting parameters to design the form. Form field types include:
- static text
- input text
- table
- checkbox
- button
- picture
- vertical space

While you design the form by managing form fields, you can see the results immediately with the form preview. To show the form preview, right click in the form design area of a form project window and select menu option Toggle auto preview.

Form - script

When the form is submitted, the script of the form project can be executed. To relate the form and the script, variables are used. Certain form fields are used to specify a value for a variable that can be used in the script of the same form. For instance, in the example shown, the column Username of the table with user accounts is used to specify the value of variable %UserName% that is used in the script action Edit user logon to identify the user. For more information, see Form project - Form fields. For more general information on variables, see Variables.

More information: Form project - Form fields

Form project - Form fields

The form fields make up a form. Different types of form fields are available to design a form. The form fields have several functions:
- explain the form to the user (static text, picture)
- let the user specify input data for the form project (input text, table, checkbox)
- initiate the execution of form actions - submit (button)
- make the form look appealing (picture, vertical space, static text)

To pass the form information to the script of a form project, variables are used. By specifying the value of a form field, the user sets the value of a variable. Further, with some types of form fields, actions can be associated. Actions include the execution of the script of a form project, setting a variable to a specific value etc.

The following table summarizes the usage of the different types of form fields. The column Variable indicates if a form field of the corresponding type can be used to set up a variable. The column Actions shows if form actions can be executed by activating or configuring the corresponding field type.

Form field type | Variable | Actions | Description
static text | No | No | Use to describe the form and form fields.
input text | Yes | No | Used to specify a text. Examples: first, middle and last name, passwords, description fields, phone number etc. When the form is submitted, the text entered is stored as the value of the field variable. This variable can be used in the script of the form project.
table | Yes | No | Used to select an entry from a list. Examples of table contents: user accounts of an OU, domain or group, departments. Each column of the table can correspond with a variable. When the form is submitted, the column values of the selected table entries are stored as the variable value. These variables can be used in the script of the form project.
checkbox | No | Yes | Used to enable or disable a specific function. Examples: disable an account, create an Exchange mailbox. The action Form action - Set variable value can be used to pass the state of the checkbox to the form script.
button | No | Yes | Used to submit or reset the form. When a form is submitted, a number of actions can be executed. See Form action - General for more information.
picture | No | No | Any picture can be embedded in the form to clarify the purpose of the form, make the form according to the company standards etc.
vertical space | No | No | Used to create some vertical spacing between form fields.

Form project - Manage form projects

All UMRA Form projects are maintained on the UMRA Service. To manage form projects, a UMRA Service needs to be installed and the UMRA Console application must be connected to the UMRA Service. See UMRA service - Introduction and UMRA service installation - Server for more information.

Once connected, you can manage the form projects on the UMRA Service. Select menu option UMRA Service, Manage service projects... or File, Open form project... or press the open form button on the toolbar. The following window is shown:

To manage the form projects, the following options are available:

New: Start a new empty form project. You will need to specify a name for the project before the project window is opened.

Open: Open the selected form project.

Rename: Rename an existing form project.

Copy: Copy the selected form project. The application proposes a new unique name for the copy of the project. Next, the new copied form project is opened.

Delete: Delete the selected form project. Note that when you select this option, the form projects are completely removed and you cannot undo this operation.

Import: Import form project(s) from file(s). You need to specify the file(s) that contain the form project you want to import. If you import a form project and the form project already exists, you will be asked to either replace the existing or create a new form project. You can use the Import and Export options for restore and backup purposes.

Export: Export the selected form project to a specified directory. You can use the Import and Export options for restore and backup purposes.

Close: Exit this window.

Form fields

Static text form field

A static text form field is used to explain the form, form fields and form usage. In the form shown below, the text Unlock account is a static text field.

To add a static text form field, activate the form and select menu option Add form field... Select form field type Static field text and press OK.

Text: Specify any text you would like to show in the form in this field. According to the display settings of the form field, the text will be shown automatically on multiple lines.

Variables: Enter any variable name (examples: %Domain%, %CallThisNumber%) in the field Text. When the form is shown, the values of the variables instead of the variable names will be shown. (If no variable with the name exists, the name of the variable is shown.) For more information on how to set up variables to be used in form fields, see Form properties - Variable info.

Input text form field

The Input text form field is used to let the user of the form specify a text value. Examples: first, middle and last name, password, phone number, description of a user account, extra SMTP E-mail address. In the screenshot below the fields next to the text New password and Confirm password are input text fields.

To add an input text field, activate the form and select menu option Add form field... Select form field type Input text field and press OK.

Text: Specify the text that is initially displayed in the input text field. When you tab through the form and the form field gets the focus, all of the content of the input field is selected. When you start typing the input text, the selection is removed.

Variables: Select a variable from the list and press the Insert button to insert the variable name at the current position in the Text field. At runtime, when the form is shown, the value of the variable is shown.

Text field supports multiple lines with... visible lines: Select this option to make the text field a multi-line input field. In this case, the form user can specify a number of input lines for the input field. When the user enters the text, the form field will wrap to the next line automatically. If you do not select this option, the field height is limited to a single line of text.

Margin between field border and text of... pixels: The specified margin is used to draw a border around the input text field when specified.

Password style, all characters shown as an asterisk (*): When the user enters text in the input text field, each character is represented as an *-character. This style is normally used to specify passwords.

Draw border of input field: Draw a border around the input text field. The border clearly indicates the position of the input text field.

Accept carriage return (<Enter>) characters: When selected, the text in the input field can be entered using <Enter> characters. Such a character moves the cursor to the next line in a multi-line input text field.

Variable - On submit, store contents in variable...: Specify the name of the variable that is used to pass information entered in the input text field to, for instance, the script of the form project. When a submit button is pressed, the entered text is stored as the value of the specified variable. If you do not specify a variable name in this field, the input text field cannot be stored. The list shows the names of the variables found in the various project components. Instead of selecting a variable from the list, you can also simply enter the name of a (new) variable.

Table form field

Table form field - Type

The table form field is an important form field. A form table field allows the end-user to select an item from a predefined list or data obtained from the network. In the screenshot shown below, the table showing the Common name and Username of user accounts is an example of a table.

Depending on the type of contents, three table types exist:
1. Network data table: The table contains items obtained from the network. Examples: User accounts of an OU, domain or group. The network data is collected automatically. The contents of the table dynamically change when the network is updated. See Table form field - Network data type for more information.
2. Fixed data table: The table contents are fixed and specified by the designer of the form.
3. Generic table: A table containing data from a file, a database or network query, or fixed data. See Table form field - Generic table for more information.

To start creating a table form field, activate the form and select menu option Add form field... Select form field type Table and press OK. The Specify table content type window is presented.

Network data: Select this option to set up a table containing network data (examples: User accounts from an OU, group, domain). Press Configure... to continue setting up the table. Note that when you are editing an existing Fixed data table, the fixed data items are lost by changing the table type.

Fixed data: Select this option to set up a table containing fixed data (examples: names of departments, divisions, classes, countries, groups, OU's, domains etc.). Press Configure... to continue setting up the table. Note that when you are editing an existing Network data table, the network data type and call parameters are lost by changing the table type.

Table form field - Network data type

The contents of a network data table are collected from the network. Examples: User accounts of an OU, domain or group. The network data is collected automatically. The contents of the table dynamically change when the network is updated. When the form is designed, the type of the network data and the network call arguments are set up. At run-time, when the form is shown, the contents of the table are determined by accessing the network. Results are presented in the table. To prevent excessive network load, the table contents are stored for some period of time.

In the screenshot shown below, the table showing the Common name and Username of user accounts is an example of a network data table showing user accounts from an OU.

A network data type can have multiple columns, depending on the type of network data shown. Each column of the table can be associated with a variable. At run-time, when the user selects an item in the table and presses a submit button, the values of the selected item are stored in the corresponding values of the variables. The variables can then be used in a project script. In the screenshot shown above, the column Username can be associated with variable %UserName%. Then, if the Unlock account button is pressed, the selected value is stored in the variable: %Username%=limedeca.

To start setting up or edit an existing network data table, see Table form field - Type. The network data table is configured using several windows. The first one, network data type, determines the type of the network data. If this parameter is changed, the contents of other configuration settings are lost.

The following network data types are available:

Network data type | Description
User accounts of an organizational unit (OU) | Show all user accounts of one or more OU's. Optionally, you can include the user accounts of child OU's of the configured OU's (Active Directory only).
User accounts of a global group | Show all user accounts that are a member of one or more groups.
User accounts of a domain | Show all user accounts that exist in a domain.
User accounts maintained on a computer | Show all user accounts that are maintained on a computer, not necessarily a domain controller.

Note that the Network data type does not determine the data that must be collected from the network. It only determines the type of network data. Once the network data type is determined, you must specify the actual parameters or arguments that are used to collect the network data. Example: the network data type User accounts of an organizational unit (OU) specifies that the type of network data equals user accounts that are collected from an OU. But the specification of the data type alone does not include the name of the OU from which the user accounts must be collected.

The specification of the network data type determines the type of calls that will be executed by UMRA and the columns that can be shown in the corresponding network data table. But additional information is required to complete the network data table configuration. See Table form field - Network call parameters for more information.

Table form field - Fixed data table

A fixed data table always has the same contents. The contents are determined at design time. This type of table is used to let an end-user select a class, division, department, OU, domain etc. in a form. The selected item of the table is stored in a variable when the form is submitted. This variable can be used in a UMRA script. By using the script action Script_Action: Map variable, the variable can be used to determine the value of other variables.

A fixed data table has one column. The number of items (rows) is not limited. To set up the height of the table as shown in the form, see Table form field - Options. To start setting up a fixed table or editing an existing table, see Table form field - Type.

Table data: The contents of the fixed data table. The field shows the current contents of the fixed data table.

Add: Press the Add button to add new items to the table. Note that you can specify multiple items with one add operation.

Edit: Edit the currently selected item of the table data. A single item must be selected to activate this button.

Delete: Delete all of the selected entries from the table.

Import: Import the contents of a text file to the table. Each line of the text file is imported as a new item in the table.

Variable: Specify the name of the variable used to pass the selected item to, for instance, a script when the form is submitted. At runtime, when the form is submitted, the selected table item is determined. If an item is selected, the item is stored in the value of the specified variable. The variable can be used in subsequent actions performed by UMRA. If you do not specify a variable name in this field, the table selection cannot be used in any subsequent action performed. You can select a variable from the list, or simply enter the name of a (new) variable.

Sort table contents: When checked, the table contents are sorted in ascending order when shown in the form. If not checked, the table contents are shown in the form as entered in the field Table data. In this case, you can use the up and down arrows to set up the order of table items.

Table form field - Generic table

A generic table can contain data from an LDAP or database query (MS Access). You will use this option to present a list of objects to the user and attach actions to the user selection (e.g. adding group memberships for all selected users in an OU).

Filling a table with data from an LDAP query

Using an LDAP query, you can specify which objects you would like to retrieve from the Active Directory (list of users, list of groups, last logon, etc.). For a query to work properly, you need to define the LDAP binding, an LDAP filter and the LDAP attributes. The examples below will show you how to configure a generic table using an LDAP query. For more detailed information on the individual steps, please see the topics mentioned above.

Example 1: Creating a table listing all users

1. Create a new UMRA form.
2. Right-click in the Form Design window and select Table from the Select form field type list.
3. Select Generic table in the Configure form field window.
4. Click the Configure... button.
5. Click the Configure... button. The dialog box Setup generic table will appear.
6. Select the option LDAP query. Several additional tabs will now become available in the Setup generic table dialog box: LDAP binding, LDAP filter, Attributes, Options, Variable and Run test.
7. Select the LDAP binding tab and choose the Global catalog binding. This will be the data source for your LDAP query.
8. Click the LDAP filter tab and select the predefined option All users from the list Example LDAP search filters. Then click the Insert button. This will insert the LDAP search string in the LDAP search filter window. To list all users, the LDAP search string becomes (objectclass=user)
9. Select the Attributes tab and select the predefined attribute Users - full details from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.
10. Click the Run test tab (for this example we will ignore the Options and Variable tabs and continue to the Run test tab to check if the filter returns the desired result). The result should be similar to the following screen:

Example 2: Creating a wildcard search for a user

In the following example we will create a form in which we ask the user to enter part of the user name. The first part will ask the user to enter part of the user name to search for, the second part will return a table listing all the users who meet the search criteria.

1. Create a new UMRA form with the name "List Users".
2. Right-click in the Form Design window and select Static text field from the Select form field type list.
3. Enter the text "Please enter the first three letters of the user:" in the text field and click OK.
4. Right-click in the Form Design window and select Input text field from the Select form field type list.
5. Enter "%User_Partname%" in the variable field. The user input will be stored in this variable. Click OK.
6. Right-click in the Form Design window and select Button from the Select form field type list. Type in "Search now" as the displayed text for this button and change the fixed width to 100 pixels.
7. Click the Manage actions... button and add the actions "Check the input fields of the submitted form" and "Return the form of project "List Users"". Click OK twice to return to the design window.
8. Right-click in the Form Design window and select Table from the Select form field type list.
9. Select Generic table in the Configure form field window.
10. Click the Configure... button.
11. Click the Configure... button. The dialog box Setup generic table will appear.
12. Select the option LDAP query.
13. Click the LDAP filter tab and select the predefined option All entries with the string 'Bert' somewhere in the name from the list Example LDAP search filters. Then click the Insert button.
14. In the LDAP search filter window, replace *bert* with the variable *%User_Partname%* and click the Apply button.
15. Select the Attributes tab and select the predefined attribute Users - general information from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.
16. Click OK twice to return to the Form Design window.
17. Finally, you need to set the security for this form. Right-click in the Form Design window and select the Form properties command. In the Configure form properties dialog box which appears, click the Security tab.
18. Add the user who is authorized to execute this form. In the example shown above, this is the Administrator account for the domain T4EDOC.
19. Save the form.
20. Right-click in the Form Design window and choose the command Toggle Auto preview to see the runtime version of your form.
21. Type in the first three letters of the user name you want to search for, as shown in the screenshot below.
22. Press the Search now button to retrieve all the matching user names. In our example, only one user name meets the search criteria.
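Steps 13 and 14 place text typed by the end-user inside an LDAP search filter. The following is an added example, not UMRA code and not taken from this guide: it escapes such a value per RFC 4515 before substitution and compares the result with unescaped substitution. The filter template (including the attribute name), the function names and the sample inputs are assumptions, and this guide does not state whether UMRA escapes form variables itself.

```python
import re

# RFC 4515, section 3: inside an assertion value these characters must be
# written as a backslash followed by their two-digit hexadecimal code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed filter template for the wildcard search; the guide only says that
# *bert* is replaced with *%User_Partname%*.
TEMPLATE = "(&(objectclass=user)(name=*%User_Partname%*))"

# %Name% placeholders in the style the guide uses for variables.
_VAR = re.compile(r"%([A-Za-z0-9_]+)%")


def escape_filter_value(value: str) -> str:
    """Return value with every RFC 4515 special character escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, variables: dict) -> str:
    """Substitute %Name% placeholders with escaped values."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("no value for variable %" + name + "%")
        return escape_filter_value(variables[name])
    return _VAR.sub(repl, template)


def expand_filter_raw(template: str, variables: dict) -> str:
    """Substitute placeholders without escaping (the 'before' behaviour)."""
    return _VAR.sub(lambda m: variables[m.group(1)], template)


def is_balanced(filter_text: str) -> bool:
    """Check that the parentheses of a filter string pair up.

    In a correctly escaped filter every literal parenthesis is structural,
    because parentheses inside values appear as \\28 and \\29.
    """
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and bool(filter_text)


if __name__ == "__main__":
    # Constructed sample inputs, as an end-user might type them.
    for typed in ["ber", "Smith (Sal", "a*b"]:
        raw = expand_filter_raw(TEMPLATE, {"User_Partname": typed})
        safe = expand_filter(TEMPLATE, {"User_Partname": typed})
        print(repr(typed))
        print("  raw :", raw, "balanced" if is_balanced(raw) else "MALFORMED")
        print("  safe:", safe, "balanced" if is_balanced(safe) else "MALFORMED")
```

With escaping, a typed parenthesis or asterisk is matched as a literal character instead of changing the structure or the wildcards of the filter.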

Example 3: Showing a list of users who have not used their account since it was created

1. Create a new UMRA form.
2. Right-click in the Form Design window and select Table from the Select form field type list.
3. Select Generic table in the Configure form field window.
4. Click Configure... twice and select LDAP query as your table type.
5. Select the LDAP binding tab and choose the option Active Directory Root.

   Note: To retrieve all users who have not logged in since their account was created, we need to use the attribute lastlogon in our search filter. By default, this property is not included in the Global Catalog. If you wish to change this, you can add this attribute to the Global Catalog using the Active Directory Schema snap-in. Please refer to the Microsoft Help for more information on this topic.

6. Select the LDAP filter tab and enter the string "(&(objectclass=user)(lastlogon=0))"
7. Select the Attributes tab and select the predefined attribute Users - general information from the Default attribute settings list. Then click the Set button to make this selection the default attribute setting and click Apply.
8. Select the Run test tab to test your LDAP query.

Filling a table with data from an MS Access database

Many user-related data are stored outside the Active Directory, possibly in another information system (e.g. a list of departments). Using a generic table, you can access these data and combine them with the information in your Active Directory.

Suppose we have a company X where the administrator would like to see the relation between user groups and departments. Based on this information he wants to perform certain actions such as removing group memberships, adding group memberships, etc. The user group data are stored in the Active Directory, but the relation between user groups and departments is stored in an MS Access database. Using a generic table in UMRA, these data can be accessed and queried.

To work with an MS Access database, you need to set up the database, specify the database name and compile a database query. The example below will show you how to configure a generic table using an LDAP query. For more detailed information on the individual steps, please see the topics mentioned above.

Example 1: <Example text here>

See also:
Table form field - Fixed data table
Table form field - Network data type

Table form field - Arguments

The network arguments complete the specification of the network data table. The network call parameters depend on the specified network data type. If you change the network data type, you must also change the network arguments. In the example shown below, the specification is as follows:

1. Network data type: User accounts of an organizational unit (OU)
2. Network arguments: LDAP://SPRING/OU=USA,OU=Sales,DC=seasons,DC=tools4ever,DC=local and LDAP://SPRING/OU=Schools,DC=seasons,DC=tools4ever,DC=local+

The network data table shows the user accounts obtained from the specified OU's. For each network data type, the syntax of the network call parameter is different.

To specify the network call parameters, start the Configure table window. See Table form field - Type for more information. Once a Network data type is selected, select the tab Arguments. The following window is presented:

Network data collection parameters
The list shows the arguments used to collect the network data. For each type of network data, you can specify multiple entries. The results of all entries will be presented in the network data table. If an argument can have child objects (for instance an OU having child OU's) specify + at the end of the argument parameter specification to include the items from the child objects as well. If different arguments share resulting items, these will be filtered out automatically. Note that each entry can contain variables. For such an argument, the exact network data that must be collected is determined when the form is generated.

Add, Add (browse), Edit, Delete
Use the buttons to manage the contents of the list with Network data collection parameters. Note that each entry can contain variables. For such an argument, the exact network data that must be collected is determined when the form is generated.

Network data type
The type of network data for this table. See Table form field - Network data type for more information.

Syntax
The syntax used to specify a single argument parameter. Note that the syntax is different for each network data type. Multiple different syntaxes can be supported for a particular network data type.

Examples
Some examples according to the syntax specified for the network data type.

Table form field - Exclusions

In some circumstances you might want to exclude certain accounts from a network table. For instance, in a Windows NT4 environment a table contains all users of a domain. The table is used in a form to reset passwords. In this case, you probably want to exclude the administrator accounts from the table.

Use the Add, Add (browse), Edit and Delete buttons to configure the list with items that must be excluded. At this moment, you can exclude members of one or more global groups.

At runtime, UMRA resolves the items of the exclusion list. If an error occurs, all items will be excluded. Example: in the example shown above, the members of group SEASONS\Domain Admins are determined when the content of the table is set up. If this fails for whatever reason, the table will be empty.
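The exclusion behaviour described above fails closed: when the exclusion group cannot be resolved, nothing is shown. The following is an added example, not UMRA code, that contrasts this with a fail-open variant for the password reset table; the function names, the exception type and the sample accounts are assumptions constructed for illustration.

```python
class GroupLookupError(Exception):
    """Raised by a resolver when group membership cannot be determined."""


# Constructed sample data for a password reset table.
DOMAIN_USERS = ["Administrator", "limedeca", "jsmith"]
EXCLUSION_GROUPS = ["SEASONS\\Domain Admins"]


def resolve_ok(group):
    """Resolver that succeeds (constructed membership)."""
    return {"SEASONS\\Domain Admins": ["administrator"]}[group]


def resolve_failing(group):
    """Resolver that simulates an unreachable domain controller."""
    raise GroupLookupError("cannot resolve members of " + group)


def build_table(users, exclusion_groups, resolve_members):
    """Fail closed, as the guide describes: any error empties the table."""
    excluded = set()
    for group in exclusion_groups:
        try:
            members = resolve_members(group)
        except GroupLookupError:
            return []
        excluded.update(name.lower() for name in members)
    # Account names are compared case-insensitively.
    return [u for u in users if u.lower() not in excluded]


def build_table_fail_open(users, exclusion_groups, resolve_members):
    """Contrast only: an unresolved group is skipped, so its members stay."""
    excluded = set()
    for group in exclusion_groups:
        try:
            excluded.update(n.lower() for n in resolve_members(group))
        except GroupLookupError:
            continue
    return [u for u in users if u.lower() not in excluded]


if __name__ == "__main__":
    print("resolved   :", build_table(DOMAIN_USERS, EXCLUSION_GROUPS, resolve_ok))
    print("fail closed:", build_table(DOMAIN_USERS, EXCLUSION_GROUPS, resolve_failing))
    print("fail open  :", build_table_fail_open(DOMAIN_USERS, EXCLUSION_GROUPS, resolve_failing))
```

In the fail-open variant a lookup error puts the administrator account back into a table that a helpdesk form uses to reset passwords, which is the outcome the empty table avoids.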

Table form field - Columns

A network data table can contain multiple columns. For different network data types, different columns can be shown. In the screenshot below the table with user accounts shows 2 columns: Common name and Username.

With each column, you can associate a variable. At run-time when the form is shown and the user selects an entry from the table and presses a submit button, the content of the selected table entry column is stored as the value of the variable. In the example shown, a variable %UserName% can be linked to column Username. Now, when the item is selected and the button Unlock account is pressed, the selected column item is stored in the value of the variable: %UserName%=limedeca.

To set up the columns for a network data table, start the Configure table window. See Table form field - Type for more information. Once a Network data type is selected, select the tab Columns. The following window is presented:

With this window you can set up the columns, sorting and variables:

Available columns
The list with available columns for each network data type. The available columns are predefined for each network data type. In the network data table, you cannot show other columns for each item than the columns shown in the list with available columns. Use the --> and <-- buttons to add and remove columns to the list Current column configuration.

Current column configuration
The list contains the columns that are shown in the network data table. From top to bottom in this list, the columns are shown from left to right in the form. Use the --> and <-- buttons to add and remove columns to the list Current column configuration. When you select a column in the list Current column configuration, the controls in the bottom of the window show the detailed information of the selected item.

At the bottom section, Column specification (selected column), you can set up the selected column.

Name
The name of the column. The name is predefined and cannot be changed.

Variable
The name of the variable linked to this column. At run-time when the form is shown and the user selects an entry from the table and presses a submit button, the content of the selected table entry column is stored as the value of the variable. In the example shown at the top of this topic, a variable %UserName% can be linked to column Username. Now, when the item is selected and the button Unlock account is pressed, the selected column item is stored in the value of the variable: %UserName%=limedeca.

Note that using the Variable is the only way of passing information from a network table in a form to, for instance, the script of the project. The specification of the variable should contain sufficient information for a script to execute its actions.

Example: In the example shown at the top of the window, 2 columns are shown: Common name and Username. The Username is unique in the domain. The Common name is unique in the OU only. If a variable %CommonName% would be linked to the column Common name, problems can occur: In the project, the table is used to select an account that must be unlocked. Suppose the table shows user accounts of multiple OU's. Now, by using a variable for column Common name, a user account is identified by its Common name, which is not necessarily unique for multiple OU's. In the table, 2 entries could be shown with the same Common name but with different Usernames. When the user is selected in the network data table, the end-user selects the user account based on both columns. But since the table selection is passed in variable %CommonName%, that information is partially lost. Once the script is executed, the exact user account cannot be identified based on the Common name only. In this case the problem is solved by using a variable %UserName%, linked to column Username. As an alternative, you could also add a column showing the OU and add a variable for that column too.

Column width
The width of the column, specified as a percentage of the total column width. Note that you can specify a column with zero width if you do need a variable linked to the column, but do not want to show the column.

Sort on this column
You can sort on each column in a network table and the sorting can be based on multiple columns. Normally the specification of a 1st criterion only is sufficient. Depending on the interface that is used to show the form, the end-user can change the sorting when the table is shown. Note that you can sort only on columns that are actually shown in the form. For specific reasons, you might want to sort on a column with zero width.

Sort direction
Specify the sort direction of the selected column.

Alignment
Specify the horizontal alignment of a table column item.

Table form field - Data refresh

To improve performance and limit network traffic the actual contents of a network data table are stored by the UMRA service. To do this, the UMRA service uses a local internal database in RAM that is completely self managed. The first time the information is collected, the database is empty and it might take some time to collect the data and present the form. Typically, this can take from 1 to 30 seconds. Once the data is collected and stored, the response is much faster. The data of the internal database is shared by all forms.

Because of this mechanism, the data can be out of date. Therefore, you can specify a maximum age of the data: the network data refresh period. When the form is generated, the database is checked for its contents. If it contains the network data, and that data is not older than the specified number of seconds, the data is loaded from the database. In all other cases, the data is collected from the network and the database is updated. The default value used for the network data refresh period is 900 seconds (15 minutes). If you specify a value of 0 seconds, the data is always collected from the network. This makes the data very accurate but increases network traffic and slows down performance.

Note that user management actions executed by the UMRA service itself will update the internal database automatically. Example: if you have a form to delete user accounts from an OU, the users of the OU are probably shown in a table. The contents of this table are stored in the internal database. Now, if you select a user from the table, and the user is removed by the UMRA service, the data of the internal database is updated and no longer shown in the form table.

You can configure the network data refresh period for each form table individually. To do so, start the Configure table window. See Table form field - Type for more information. Once a Network data type is selected, select the tab Data refresh and follow the instructions.
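The refresh rules described above decide how long a change made outside UMRA can stay invisible in a form table. The following is an added example, not UMRA code, that models those rules with a small cache: data no older than the refresh period is served from memory, a period of 0 always collects from the network, and a deletion performed by the service updates the stored rows. The class, its method names, the injected clock and the sample OU contents are assumptions constructed for illustration.

```python
import time


class NetworkDataCache:
    """In-memory store of collected table rows, shared by all forms."""

    def __init__(self, collect, clock=time.monotonic):
        self._collect = collect   # callable(key) -> iterable of rows
        self._clock = clock       # injectable so the example is repeatable
        self._store = {}          # key -> (collected_at, rows)
        self.network_calls = 0

    def get(self, key, refresh_period=900):
        """Return rows for key, collecting from the network when needed."""
        now = self._clock()
        entry = self._store.get(key)
        # A period of 0 means "always collect", so it never hits the cache.
        if refresh_period > 0 and entry is not None:
            collected_at, rows = entry
            if now - collected_at <= refresh_period:
                return list(rows)
        rows = list(self._collect(key))
        self.network_calls += 1
        self._store[key] = (now, rows)
        return list(rows)

    def apply_service_delete(self, key, row):
        """Mirror a deletion performed by the service into the stored rows."""
        entry = self._store.get(key)
        if entry is not None:
            collected_at, rows = entry
            self._store[key] = (collected_at, [r for r in rows if r != row])


def demo():
    # Constructed directory contents and a manually advanced clock.
    directory = {"OU=Sales": ["limedeca", "jsmith", "akhan"]}
    now = [0.0]
    cache = NetworkDataCache(lambda key: directory[key], clock=lambda: now[0])

    first = cache.get("OU=Sales")            # empty cache: collected

    directory["OU=Sales"].remove("jsmith")   # change made outside the service
    now[0] = 600.0
    stale = cache.get("OU=Sales")            # within 900 s: jsmith still listed

    directory["OU=Sales"].remove("akhan")    # deletion done by the service...
    cache.apply_service_delete("OU=Sales", "akhan")   # ...updates the store
    after_service = cache.get("OU=Sales")

    now[0] = 901.0
    refreshed = cache.get("OU=Sales")        # older than 900 s: collected again
    cache.get("OU=Sales", refresh_period=0)  # period 0: always collected
    return first, stale, after_service, refreshed, cache.network_calls


if __name__ == "__main__":
    for label, value in zip(
        ["first", "stale", "after service delete", "refreshed", "network calls"],
        demo(),
    ):
        print(label, "->", value)
```

For a table that feeds actions such as password resets or unlocks, the refresh period is therefore also the longest time an account removed or changed by another tool can remain selectable.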

Table form field - Row icon image

For a form table, you can configure an icon to be shown in front of each row. The icon is the same for all rows of the table but can be different for different tables. To select the icon, start the Configure table window. See Table form field - Type for more information. Select the tab Row icon image. The following window is shown:

The available icons are preconfigured and cannot be shown. If you want to present a different icon, please contact your UMRA reseller. In the window, the index of the current row icon image is selected. To change the selection, select another icon and click Apply or OK.

Table form field - Options

For the form table, additional options are available. To set up these options, start the Configure table window. See Table form field - Type for more information. Select the tab Options. The following window is presented:

Table height specification - Specify the table height in numbers of rows shown
A table in a form can contain any number of rows. The number of rows shown at a single point in time can be specified in this field. If the table contains more rows than the number specified, vertical scrolling is automatically enabled.

Multiple selection - Enable multiple selection
Allow multiple items in the table to be selected. In this case, the UMRA Form will return a multi-value variable to the UMRA Service when the form is submitted.

User input state restore settings
In this field, you can specify the items that define the user input state of the table. When a form is submitted by an end-user, the same form can be shown again. The contents of the form fields can be:

1. Reset to the initial value(s): The field is shown as if the form is presented for the first time.
2. Restored from the previous form: The field state (selection, entered text) is copied from the form that was submitted. See Form action - Return current form for more information.

Selection of table item(s)
When a submit button is pressed and the same form is shown again, the selection of the table is not changed if you select this option and if the user input state is restored for this table. See Form action - Return current form on how to do this.

Table scroll position
When a submit button is pressed and the same form is shown again, the table scroll position is not changed if you select this option and if the user input state is restored for this table. See Form action - Return current form on how to do this.

Checkbox form field

The Checkbox form field is used to enable or disable a specific feature in a form. In the screenshot below, a checkbox form field is used for option User must change password at next logon.

With a checkbox form field, you can associate form actions that are executed when the form is submitted. The actions differ depending on the checkbox being checked or unchecked. In most cases, the action executed for a checkbox is the Set variable action when the checkbox is checked.

To add a checkbox form field, activate the form and select menu option Add form field... Select form field type Checkbox and press OK. The Configure form field - Checkbox window is shown.

Appearance - Text
Enter the text shown next to the checkbox.

Appearance - Set checkbox to checked state when form is loaded
Select this option if the checkbox must initially be checked.

Configure actions when form is submitted - Actions when checked
Press the Configure button to set up the actions that must be executed when the form is submitted and the checkbox is checked. See Form action - General for more information on form actions.

Configure actions when form is submitted - Actions when unchecked
Press the Configure button to set up the actions that must be executed when the form is submitted and the checkbox is unchecked. See Form action - General for more information on form actions.

Button form field

The Button form field is used to let the user submit or reset a form. In the screenshot below the last field Unlock account is a button form field.

To add a button form field, activate the form and select menu option Add form field... Select form field type Button and press OK. The Configure form field - Button window is shown.

Button type - Reset button
Select this option to make the button a reset button. When a reset button is pressed, the form is re-initialized, e.g. all fields of the form are reset to their original values. No other actions are executed.

Button type - Action button
Select this option to make the button an action button. With an action button, the form is submitted and sent to the UMRA service. The contents of the form fields are stored as variable values to be used in scripts by the UMRA service. A number of form actions can be executed by pressing an action button. Examples: run script of the form, set variable value, etc.

Button type - Manage actions...
Click this button to configure the actions for the button. Note that different buttons can have different actions. See Form action - General for more information on form actions.

Appearance - Button text
The text displayed on the button.

... Fixed button width of... pixels
When selected, the width of the button is fixed and specified as a number of pixels.

Picture form field

The Picture form field is used to clarify a form, design the form according to your company standards and make a form easier to use. A form can contain multiple pictures of any size. The most common image standards, e.g. jpg, gif, and bmp, are supported. At design time, the pictures are selected from image files and then embedded into the form.

To add a picture form field, activate the form and select menu option Add form field... Select form field type Picture and press OK. The Configure form field - Picture window is shown.

Image file name
The original name of the file that contains the image. An image is selected by specifying the file that stores the image. Click the browse (...) button to select an image file. Once the picture field is created, the file name no longer has a meaning: The image itself is embedded into the form. Once a form is designed, you can even delete the image files of the corresponding picture without changing the form.

Scale (form)
You can scale the image with respect to its size in the form. A scale factor of 1.0 does not change the size of the image in the form relative to the original image size. A factor of 2 enlarges the image both in the horizontal and vertical direction.

Preview (scaled to fit)
Once an image file name is selected, the preview shows the image. If the total image does not fit into the window, it is scaled to make it fit. Note that in the form, the image is scaled by specifying the Scale.

Vertical space form field

By default, UMRA places all form fields just below each other with no margin. In most cases, you probably want to separate the fields in a vertical direction. With the Vertical space form field you can create some vertical spacing between form fields.

To add a vertical space form field, activate the form and select menu option Add form field... Select form field type Vertical space and press OK. In the window shown, specify the vertical space as the number of pixels. A default value of 10 pixels is used.

For more options on formatting the display of a form, see Form fields - Display

Form fields - Display

When designing a form, you can configure a number of display characteristics for each form field. These display characteristics determine how the form fields are presented on the form. With the display characteristics, you can also configure the position of form fields relative to each other.

To configure the display characteristics, select a form field from the list of form fields. Right click the mouse and select menu option Edit form field... Select the Display tab. You are presented with the following window:

Horizontal alignment
With this option you specify the horizontal alignment of the form field. If the width of the form field does not exceed the width of the area used to draw the field in the form, this specification has no meaning (for instance for a picture form field, or vertical space form field).

Font style
The font used to draw the text of a form field. For each form field, you can use a different font. For more information on fonts in forms, see Form properties - Fonts.

Left margin
Specify the left margin of the form field in percentages of the total form. The left margin is used to shift form fields to the right on a form. By default, form fields are drawn below each other with a fixed left margin. By specifying a non-zero left margin, the form field shifts to the right. If the cursor position is not increased when the previous form field was drawn, the left margin is relative to the right side of the previously drawn form field. See the option Position control further in this topic. Since the left margin is specified as a percentage of the total form width, the actual margin varies if the size of the form window changes.

Field width - Limit width to... % of form
By default, a form field can use all horizontal space from the current horizontal position to the right margin of the form window. By limiting the width of the form field, you can control the area of the form used to draw the form field.

Vertical offset
To align form fields better, you can shift individual form fields in vertical direction by specifying this field.

Position control - Move cursor to next line for next field
This is an important field, used to place form fields next to each other. By default, form fields are drawn below each other with a fixed left margin. If you unselect this option, the current form field is drawn and the next form field will be drawn next to it. If you select this option, you must specify the option Field width and limit the width of the current form field.

Tab control - Activated when pressing tab characters
In a form with multiple fields, the focus jumps to the next field if you press the TAB character. If you press the TAB character with the SHIFT key pressed, the focus moves back to the previous form field. By checking this option, the current form field becomes part of the loop. If the option is unchecked, pressing the TAB character cannot bring the focus to this form field.

Text - foreground color
The specification of the foreground color, usually the text of a form field. Press the Edit button to change the current color. By default, the foreground color is black.

Background color
The specification of the background color. Press the Edit button to change the current color. By default, the background color is white.

Form fields - Name

Each form field can have a name. The name is used to refer to the form field. The name of a form field is optional if no other item refers to the form field. If a form field is referred to, the form field must have a name. The form field name can be any text. It is recommended to use a short descriptive name for a form field. At the moment of this writing, only the form action return current form can refer to other form fields.

To specify the Name of a form field, select a form field from the list of form fields. Right click the mouse and select menu option Edit form field... Select the Name tab. Specify the name and press Apply or OK. The name should be unique within the form.

Reference Form actions Form action - General When a form is submitted, it is sent to the UMRA service for further processing, for example: the script of the form project is executed. In UMRA, a number of form actions exist. A form action is an action that is executed by the UMRA service (or UMRA console application for local form projects) as part of the processing of a form that was submitted. Form actions can be associated with various form fields: 1. Button form field: For each action button, a number of form actions can be specified. 2. Checkbox form field: For a checkbox you can define form actions for both the checked and unchecked state. When an action button is pressed, the form is submitted. The contents of various form fields is stored in variables and send to the UMRA service. Note that the form actions are not directly related to the form. Instead, form actions are defined for form fields. For different submit buttons (example: disable account, enable account, unlock account) you can (and should) define different form actions. Important: Form actions are very different from script actions. Script actions are part of a project script. An example of a script action is the creation of an user account in Active Directory. See Manage script actionsfor more information onf script actions. A form action is an action executed by the UMRA service as a result of an end-user submitting a form. To setup the form actions for an action button, select the form field button specification and select menu option Actions, Edit form field... The Configure form field - Button window is shown. Press the Manage actions... button. The Configure form actions window is shown: The list Form actions shows all the form actions currently defined for the form field. Use the Add, Edit and Delete buttons to configure the form actions. Use the up and down keyts to change the order of the form actions. 309

To set up the form actions for a Checkbox form field, the procedure is very similar. Normally, you only want to configure the Set variable action for a checkbox form field.

Form action - Check form input

The Check form input function is used to check the input of the submitted form. If the input is not correct, a message is shown to the end-user of the form. This action is always executed as the first action when a form is submitted.

Suppose the form shown below is used:

The column Username of the table with user accounts is defined as variable %UserName%. When the user selects a user account and clicks the button Unlock account, the value of the variable is set: %UserName%=limedeca. Now suppose the end-user of the form does not select a user account and clicks the Unlock account button. In that case the value of the variable is not changed: %UserName%=%UserName%. The UMRA service processes the submitted form. With the Check form input action, the service can check the %UserName% variable:

The upper section of the window shows all the variables of the form project. By checking the variable name in the list, you can check the value of the variable when it is submitted. When a variable is selected in the upper list, you can specify how the variable must be checked.

Variable name: Name of the variable to be checked. The name of the variable cannot be changed.

Variable check value: The value with which the value of the variable is compared. If the value of the variable equals the variable check value, the check fails. In this case, all other form actions are not executed. Instead a message is shown to the end-user describing the error. Note: for form tables, the value of a variable defined for a column equals the name of the variable when no item is selected in the table. For input text form fields, the value of the variable defined for the field equals the default text shown for the field.

Message text shown when variable equals check value: The contents of the message shown to the end-user:

Form action - Execute script of form

A form project contains the design of a form and a script. See Form project - Principle of operation for more information. With this action, the script of the form project is executed. This action has no additional parameters to be configured. To set up the script, see Manage script actions for more information.

When the script is executed, you can show a message box to the end-user of, for instance, the UMRA forms application. This is done by using the variable %ScriptMessage%. If a variable with the name %ScriptMessage% is found, a message is shown to the end-user.

Form action - Iteratively execute project script

This form action is used to execute the script of the project multiple times when the form is submitted. The action is used for multiple-select tables and the script is executed for each selected table item.

Example: suppose a form contains a table with user accounts. In the table, multiple user accounts can be selected. When the submit button is pressed, some user account property must be updated for each of the selected user accounts. In such a scenario, this action is used.

The iteration of the script execution is controlled by a form field, normally a multiple-select table. The variables associated with the specified form field contain multi-values when the form is submitted. The script is executed for each of the values of the variable(s).

Example: In a form, a multiple-select table with user accounts is shown. The account names are stored in variable %UserName%. In the script a variable %Domain% is set to DOMAIN_A. The user selects 2 account names (John and Fred) and presses the submit button. Now the script is executed twice with the following variable settings:

Iteration 1: %Domain%=DOMAIN_A %UserName%=John
Iteration 2: %Domain%=DOMAIN_A %UserName%=Fred

See also: Table form field - Options

Form action - Return current form

This form action is always executed as the last action. With this action the same form is returned to the application that submitted the form. With this action you can also configure how the different form fields must be returned: at their current values or as if the form is shown for the first time.

In the Specify form fields restore options window, all form fields that have a name are shown. By checking a form field, the current state of the form field is restored when the form is shown.

Example: suppose you have a fixed table with departments: Sales, Marketing, Support, Development. If you use the form to create multiple accounts one by one in the same department, you select the department, fill in the other form fields and press a submit button. A user account is now created and the same form is shown. Now you have 2 choices regarding how the table must be shown:

1. Input restored: the selected item in the table is still selected, so you do not need to select it again.
2. Re-initialized: the table is shown as if the form was presented for the first time: no item is selected.

To specify the name of a form field, see Form fields - Name.

Form action - Return other form

This form action is always executed as the last action. With this action a form is returned to the application that submitted the form. This action can be used to set up a wizard with UMRA Forms. As a response to a form submit button (Next), a script is executed and the next form is returned.

Form project name: The name of the form project that must be returned.

Reset variables: By default, all variables that exist when the project script is executed are returned. The values of these variables can be used in the returned form. You can control this with Script Action: Delete variable. To reset all variables, select this option.

Form action - Set variable value

With this action, you can set the value of a variable. In most cases this action is used for a checkbox or when a form has multiple submit buttons. To configure this action you need to specify the name and the value of the variable.

Form properties

Form properties - General

The Configure form properties - General window is used to show basic form project information.

The Type of project equals Server project. Server projects are maintained by the UMRA service and can be used for delegation.

The Project id is a unique identification number generated by the UMRA service.

The Project file shows the name of the file that stores the form project for local projects. For server projects, the name includes the name of the UMRA server.

The UMRA server shows the name of the computer that maintains the form project. For local projects, this field is not used.

Form properties - Description

The description of a form project shows additional project information. The description field is a free text field and can contain any text.

Form properties - Variable info

In a form project you can use variables in the form fields. At run-time, when the form is shown to the end-user, the variables are resolved and replaced by their actual values. With this window you can manage these variables.

Form properties - Format

For a form you can configure the display and formatting settings for individual form fields and the overall form. With this window, the display formatting parameters are specified for the form.

Form properties - Fonts

In UMRA forms, you can use multiple fonts. All form elements that show text can have a font configured to show the text. UMRA works with font styles. A number of predefined font styles are used to draw all of the text. For each applicable form field, you can specify the font style that must be used for the form field text. With UMRA, a form project can have its own specification of all font styles or use the global font styles.

Form properties - Options

Specify the options that apply to the form.

Options - Show form in projects in available forms' bar of UMRA forms: If this option is checked (default), the form is shown in the UMRA forms application if the UMRA forms user has sufficient access rights to use (e.g. run) the form. This option is used with UMRA forms when multiple forms are used as a type of wizard. In this scenario, the UMRA forms end-user should be able to select the first form of the wizard from the list shown in UMRA forms. Subsequent forms of the wizard should not be accessible from this list.

Popup message options - Status information stored in the %ScriptMessage% variable: Select this option if a popup message must be shown in the UMRA forms application when a form is submitted. Note that the script of the form project must set this variable (example: %ScriptMessage% = Creating user account %UserName%). If the variable is not set, no popup message will be shown.

Popup message options - Error message: Select this option if a popup message must be shown when an error occurs when a form is submitted.

Form properties - Security

When a UMRA form project is maintained by the UMRA service, you can specify the user accounts that are allowed to see and submit the form. The security settings for a form are simple:

1. A user has access to a form. The user can see the form and submit the form.
2. A user has no access to a form. The user cannot see the form and cannot submit the form.

In the Form properties - Security window you must specify the users that are allowed to see and submit the form. By default, no one has access to a form. Use the Add, Edit and Delete buttons to set up the user accounts that have access to the form. You can specify individual user account names, names of groups and well-known names (Everyone).

Important: The security of UMRA is specified with the Form properties - Security window. All user accounts that are specified in the list can see, submit and execute the form. If the form project contains a script, these users can initiate script execution. For more information, see UMRA Delegation - Access and security.

Delegation

UMRA Delegation - General

With UMRA you can delegate tasks to other users. These users do not need to have administrative privileges, but they are able to submit UMRA forms. The functionality of a UMRA form ranges from very simple tasks to complex operations:

- reset password
- unlock account
- set user account properties
- set Active Directory attribute
- create user account (+ group memberships, mailbox and home directories)
- move a user account to another OU
- delete a user account and all associated resources

For each UMRA form project, you can define the user accounts that are allowed to execute the form and script of the project. To set up delegation with UMRA, you need to complete the following steps:

1. Create form projects with UMRA console. The form projects include the definition of the form, the script and the security settings.
2. End-users start UMRA forms and connect to the UMRA service. The UMRA service determines the access rights of the connecting users and shows the forms the user is allowed to submit.

UMRA Delegation - Access and security

With UMRA you can delegate tasks to other users. For an introduction to this subject, see UMRA Delegation - General. The security settings are controlled by the UMRA service. UMRA recognizes three types of user accounts:

1. User accounts with full control: These users have access to push forms to the UMRA service and to set up, delete and manage all forms, scripts and security settings. The number of user accounts with this type of access should be very limited. See UMRA service - Service Access on how to configure these accounts.
2. User accounts with form access: These users can see and submit a form. When such a user connects to the UMRA service, the form is presented to them. The user can then specify the various fields of the form and let the UMRA service execute the script of the form project. The accounts can be configured for each individual form.
3. All other users have no access. The users can connect to the UMRA service but no forms will be shown.

The UMRA software uses Windows 2003/2000/NT security for its security functions. When the UMRA service executes the script of a form project, the script is executed with the access rights and administrative privileges of the UMRA service user account. By limiting the privileges of this account, you can further limit the access rights of all delegated user accounts.

UMRA Console Installation

Installing UMRA Console is simple and straightforward. The whole installation and configuration process takes less than 5 minutes.

System Requirements

The following table shows all of the requirements to run the User Management Resource Administrator application.

- Operating system to run the application on: Windows XP, Windows 2003 (all versions), Windows 2000 (all versions)
- Supported network operating system: Windows 2003 (all modes), Windows 2000 (all modes), Windows NT4 (SP6)
- Required privileges of logged on user: Administrative access to Active Directory and/or all computers and domains with managed user accounts
- Available hard disk space: 10 MB required; 20 MB or more recommended
- Required processor: Pentium III, 600 MHz, AMD 900 MHz required; Pentium IV, > 1 GHz or AMD > 1.6 GHz recommended
- System memory: 256 MB required; 512 MB or more recommended

Exchange 2003/2000 requirements

In order to use the Exchange 2003/2000 features within User Management Resource Administrator, you must have a functional Exchange server in your network. Additionally, the Exchange System Management Tools must be installed on the local machine that runs the User Management Resource Administrator application. To install the Exchange System Management Tools for Exchange 2003, do the following:

1. Insert the CD containing the Microsoft Exchange 2003 Software (standard or enterprise edition), and run setup.exe.
2. Under Deployment select Exchange deployment tools.
3. Choose the option Install Exchange System Management Tools Only.
4. Follow the instructions presented for your specific operating system.

For Exchange 2000, the procedure is similar.

Installing UMRA Console

To start, download the most recent version of the User Management Resource Administrator software from www.tools4ever.com. All of the User Management Resource Administrator software is contained in a single executable file: SETUPUSERMANAGEMENT.EXE. Run the file. When asked, you can set up the UMRA Console, UMRA Forms and UMRA Automation software. This will set up the UMRA software on the local computer. The User Management Resource Administrator setup procedure is straightforward and takes less than 1 minute. If User Management Resource Administrator is already installed on the computer, you can upgrade to the latest version by running the same file.

Configuring User Management Resource Administrator

Once User Management Resource Administrator is installed, no specific options need to be configured. To continue you can run a project using the wizard or start a new mass or form project.

More information:
Principle of operation

Project operations - Input data
Project operations - Manage script actions
Project operations - Variables
Help on help

UMRA console - Command line options

To support automatic execution of UMRA mass projects, the UMRA console application supports automatic startup command line options. When the UMRA console application is started using these options, it loads a project when started and automatically starts the execution of the project. The command line options can be specified directly on the command line, or in a command line option file:

UMgui.exe [options]
UMgui.exe -commandfile=g:\umra\commandfile.txt

In the command line option file, each line must contain a single option. Each option has a name. Some options have a value. Options can be specified using the following formats:

-option_name=option_value
/option_name:option_value
option_name=option_value
-option_name
/option_name
option_name

The following table shows the available options:

-AUTOSTART
Example: -AUTOSTART
Description: Option must be specified to enable automatic execution. If not specified, all other options are ignored.

-Project
Option value: file name of the mass project
Example: -project="g:\umra\createuser.upj"
Description: The name of the mass project file that must be started. The project file can contain input data or the input data can be loaded from another file with option -inputfile.

-Inputfile
Option value: file name of the .csv, .txt file that contains the input data for the project
Example: -inputfile=g:\umra\students.txt
Description: The name of the file that contains the input data for the project. When not specified, the input data from the project is used.

-Separator
Option value: specification of input data separator characters
Example: ,;
Description: Optional: the specification of input data separators. If not specified, the comma (,) character is used.

-Textqualifier
Option value: specification of the text qualifier used to read the input data from the input file
Example: " (double quote)
Description: Optional: the specification of the input data text qualifier.

-IgnoreFirstLine
Example: -IgnoreFirstLine
Description: Optional: if specified, the first line of data of the input file is ignored.

-AutoQuit
Example: -autoquit
Description: Terminate the application automatically when ready.
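Because a command line option file drives unattended runs of a mass project, it is worth checking before it is scheduled. The following is an added example, not part of the UMRA software or its documentation: a small lint for the option file format described above. It uses only the option names from the table; treating names as case-insensitive and stripping surrounding double quotes from values are assumptions, and the sample file contents are constructed.

```python
# Option names from the table above; True means the option takes a value.
KNOWN_OPTIONS = {
    "autostart": False, "project": True, "inputfile": True,
    "separator": True, "textqualifier": True,
    "ignorefirstline": False, "autoquit": False,
}

# Constructed command file; "-verbose" is a made-up option used to trigger a finding.
SAMPLE_COMMANDFILE = r'''-AUTOSTART
-project="g:\umra\createuser.upj"
/inputfile:g:\umra\students.txt
separator=;
-IgnoreFirstLine
-autoquit
-verbose
'''


def parse_option(line):
    """Split one option line into (name, value); value is None for a bare flag."""
    text = line.strip()
    if text.startswith("/"):
        # /option_name:option_value - split on the first colon only, so a
        # drive letter inside the value (g:\...) is left intact.
        name, sep, value = text[1:].partition(":")
    else:
        # -option_name=option_value or option_name=option_value
        if text.startswith("-"):
            text = text[1:]
        name, sep, value = text.partition("=")
    name = name.strip().lower()  # assumption: option names are case-insensitive
    if not sep:
        return name, None
    value = value.strip()
    # Assumption: surrounding double quotes only delimit the value.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return name, value


def lint_commandfile(text):
    """Return (options, problems); problems is a list of (line_number, message)."""
    options, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        name, value = parse_option(line)
        if name not in KNOWN_OPTIONS:
            problems.append((lineno, f"unknown option '{name}'"))
            continue
        if name in options:
            problems.append((lineno, f"option '{name}' given more than once"))
        if KNOWN_OPTIONS[name] and not value:
            problems.append((lineno, f"option '{name}' needs a value"))
        if not KNOWN_OPTIONS[name] and value is not None:
            problems.append((lineno, f"option '{name}' does not take a value"))
        options[name] = value
    if "autostart" not in options:
        # Per the table: without AUTOSTART every other option is ignored.
        problems.append((0, "AUTOSTART missing: all other options are ignored"))
    return options, problems


if __name__ == "__main__":
    opts, probs = lint_commandfile(SAMPLE_COMMANDFILE)
    for name, value in opts.items():
        print(f"{name} = {value!r}")
    for lineno, message in probs:
        print(f"line {lineno}: {message}")
```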

Window types

Network bar

Network bar - Introduction

The network bar is used to navigate through your network environment.

Network bar - Mass project input data

You can use the network bar to generate input data for a User Management Resource Administrator project. This might be convenient if a User Management Resource Administrator script must be executed for a number of network resources.

To generate the input data, simply right-click the parent item of the network resources in the network bar and select the menu option Display... The parent item of a network resource is the item that contains the network resource. Example: for a local group member, the parent item is a local group. When the menu item is selected, the application accesses the network to find the data. Next the data is shown in a User Management Resource Administrator project window. If a window is already open, you have several options:

When you select the option to Merge the data, the data contained in the project is not deleted or overwritten. Instead, the new data is added to the current input data of the project. This option is available only if the input data is of the same type. To configure the default settings for these options, select Tools, Options, Network data.

More information:
Principle of operation
Project operations - Network input data
Project operations - Manage script actions
Project operations - Variables
Help on help

Actions bar

Actions bar - Introduction

The action bar contains all actions available to create the script. You can drag and drop the actions into the script or you can use the menu.

Project Assistant bar

The Project Assistant bar is a window that shows information to help you use User Management Resource Administrator projects. The contents of the Project Assistant change when new projects are opened. The Project Assistant shows an HTML file that is stored as part of the UMRA installation. Each UMRA project can have its own file.

Log

Log Bar

The log bar shows every action performed by User Management Resource Administrator. Here you can see what the script did and what went wrong.

Log information

User Management Resource Administrator logs extensive project information to the log window and log file. Each time a project is run, a new log file is generated. In the log window, at the bottom of the screen, the same log information is written.

To set up the various log options, select Tools, Options, Log settings. The window contains the following fields:

Automatically show the log window when a job is started: With menu option View, Log Bar, you can toggle the log bar on and off. When this option is selected, the log bar is shown automatically when a job is started.

Reset the log window when a job is started: Select this option if you want to clear the content of the log window each time a new job is started.

Store log information in files - Log file directory: When selected, the information is logged to files. For each User Management Resource Administrator session, a new log file is generated in the specified log directory. The name of the file has the following syntax: UMLOG_mm_dd_yyyy.txt where mm, dd and yyyy represent the current month, day and year respectively.

More information:
Principle of operation
Project operations - Input data
Project operations - Manage script actions
Project operations - Variables
Help on help

Wizard

Wizard - Introduction

The User Management Resource Administrator wizard will assist you in using this software based on several best practice sample projects. The wizard is automatically started each time you start the UMRA Console application, unless you uncheck the option Start this wizard on application startup.

Wizard - Questions

To determine the sample project that best meets your requirements, you are asked to answer some questions.

Wizard - Project

The wizard shows your selected option and selects the project that is the closest match to your selection. Once the sample project is configured, you can easily extend it in case it does not do exactly what you would like it to do.

Wizard - Mass project

You have selected a sample mass project. The project contains predefined variables you need to specify. If you press Finish, the project is opened and a window is shown that lets you specify the predefined variables.

Wizard - Form project

You have selected a sample form project. To use form projects, the UMRA Service is required. The UMRA Service can be installed from within this UMRA Console application. Once installed, the sample form project will be installed on the UMRA Service. Next, the sample project is opened.

The UMRA Service can be installed on a local or remote computer. In an operational environment, it is advised to install the UMRA Service on or close to a domain controller of the domains you would like to manage with User Management Resource Administrator. Once installed, you can easily remove the UMRA Service with the UMRA Console application.

UMRA Service

UMRA service - Introduction

The UMRA service is the central component when using the delegation functions of User Management Resource Administrator. The UMRA service maintains the UMRA form projects that can be accessed by UMRA form clients. When a request is received, the UMRA service checks the access rights. When access rights are granted, the service executes the script of the form project.

The UMRA service is completely controlled by the UMRA console application. With the UMRA console application the UMRA service is installed, deleted and configured, and the UMRA console application is also used to set up all UMRA form projects maintained on the UMRA service.

For more information on delegation, see UMRA Delegation - General and UMRA Delegation - Access and security. For an introduction to form projects, see Form project - Principle of operation.

UMRA service - Service Access

A limited number of users should have full control to manage the UMRA service. These user accounts have full access to:

- configure the UMRA service
- add, manage and delete all form projects maintained by the UMRA service
- set up the security for each form project maintained by the UMRA service
- set up the security for the UMRA service itself

To configure the user accounts that have full access to the UMRA service, connect to the UMRA service. Select menu option UMRA Service, Connect. Once connected, select menu option UMRA Service, Service properties... and select Service Access to set up the UMRA Service access rights.

For more information on security with UMRA, see Form properties - Security and UMRA Delegation - Access and security.

UMRA service - license

A UMRA service license is enabled by configuring one or more license codes for the UMRA service. A license code for the UMRA service can be obtained from your UMRA reseller. To install the UMRA license code, connect to the UMRA service. Select menu option UMRA Service, Connect... When connected, select UMRA Service, Service properties... and select window Service License.

With the Configure service - Service license window you can:

1. Configure UMRA service licenses: Add and delete license codes to the UMRA service.
2. Copy to service: Copy the service license codes installed for the UMRA console application to the UMRA service. You should only do this if the installed license codes enable the service functions.
3. Console: View and configure the UMRA console licenses. This option is available to manage and set up the UMRA console licenses. You can choose the main menu option Help, License... to set up the UMRA console licenses.

When the UMRA service is installed for the first time, a demo license is installed automatically. The demo license will run for 30 days. For more information on UMRA licensing, see License model.

UMRA service - Advanced options

The UMRA Service maintains a cache with network data. When a UMRA form project contains network data, for instance a table with user accounts, and the UMRA Service is requested to produce the contents of a form, the UMRA Service accesses the cache to find the data. The purpose of the cache is to minimize network traffic. By using the cache with network data, the amount of network traffic caused by the UMRA Service is greatly reduced. The drawback is that the data is less accurate. Example: if a user account is deleted with another application, the deleted user account might show up in a UMRA form because the cache is not up-to-date.

The data in the cache is valid for a certain period of time. Once expired, the data is refreshed. The refresh period is specified in seconds. The default is 900 seconds (15 minutes). An additional option is available to empty the cache completely. When selected, the cache is automatically rebuilt when form data is requested from the UMRA Service.

UMRA service - logging

The UMRA service generates log information. The log information is written to several destinations:

1. The Application log of the computer that runs the UMRA service. Only a limited number of messages is written to the application log. All form execution and script progress log information is written to the UMRA service log.
2. The UMRA service log files. The UMRA service creates a series of 10 log files, each with a maximum of 10 MB. The log files are stored in the log directory of the UMRA service. The files are named UmraSvcLog1.txt, UmraSvcLog2.txt, ..., UmraSvcLog10.txt. When a log file reaches the limit of 10 MB, the next log file is created. When all log files are created, the cycle starts over again. The UMRA service log files contain detailed information on all forms and scripts executed by the UMRA service.
3. The form execution log file UmraSvcFormLog.txt: This file is a .csv file with a fixed format: <date>,<time>,<user>,<action>,<status>,<description>. Example: 01/24/2005,16:21:52,"Domain\UserName","Form submit",ok,"unlock account". For each major form action, a line is written to this log file.
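The form execution log is the record of who used which delegated form, so it is the natural input for a review of helpdesk activity. The following is an added example, not part of the UMRA software or its documentation: it parses lines in the documented format, groups them per user, collects records whose status is not ok, and reports users with many submissions in a short window. The sample lines are constructed (only the first is the example from the text above); the status value "error", the account names and the burst threshold are assumptions.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Column order documented for UmraSvcFormLog.txt.
FIELDS = ("date", "time", "user", "action", "status", "description")

# Constructed sample. The first line is the example from the text; the other
# accounts, descriptions and the "error" status value are assumptions.
SAMPLE_LOG = r'''01/24/2005,16:21:52,"Domain\UserName","Form submit",ok,"unlock account"
01/24/2005,16:22:10,"Domain\helpdesk1","Form submit",ok,"reset password"
01/24/2005,16:22:40,"Domain\helpdesk1","Form submit",ok,"reset password"
01/24/2005,16:23:05,"Domain\helpdesk1","Form submit",error,"reset password"
01/24/2005,16:24:30,"Domain\helpdesk1","Form submit",ok,"reset password"
01/25/2005,09:00:00,"Domain\helpdesk2","Form submit",ok,"create, then move account"
this line is not a form log record
'''


def parse_form_log(text):
    """Return (events, rejects); rejects holds (line_number, row) for bad lines."""
    events, rejects = [], []
    reader = csv.reader(StringIO(text))  # csv handles commas inside quoted fields
    for row in reader:
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            rejects.append((reader.line_num, row))
            continue
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        try:
            rec["when"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
        except ValueError:
            rejects.append((reader.line_num, row))
            continue
        events.append(rec)
    return events, rejects


def summarize(events):
    """Per-user totals, description counts and records whose status is not ok."""
    report = defaultdict(
        lambda: {"total": 0, "descriptions": Counter(), "not_ok": []})
    for ev in events:
        entry = report[ev["user"].lower()]  # Windows account names ignore case
        entry["total"] += 1
        entry["descriptions"][ev["description"]] += 1
        if ev["status"].lower() != "ok":
            entry["not_ok"].append(ev)
    return dict(report)


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map user -> largest number of submissions inside any sliding window,
    for users that reach the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"].lower()].append(ev["when"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, stamp in enumerate(times):
            while stamp - times[start] > window:
                start += 1  # drop submissions that fell out of the window
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    events, rejects = parse_form_log(SAMPLE_LOG)
    for user, entry in summarize(events).items():
        print(user, entry["total"], dict(entry["descriptions"]),
              "not ok:", len(entry["not_ok"]))
    print("bursts:", find_bursts(events))
    print("unparsed lines:", [lineno for lineno, _ in rejects])
```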

UMRA service - Installation

UMRA service installation - Server

The UMRA service is set up from within the UMRA console application using a wizard. To start, select menu option UMRA Service, Install or Upgrade service..., select option Install or upgrade the service and press Next.

Enter the name of the server on which you want to install the UMRA service. This can be any computer running Windows 2003/2000. It is recommended to install the UMRA service on a server that is close to a domain controller or on the domain controller itself. Click Next to continue.

UMRA service installation - Port

The UMRA service communicates with the UMRA console and UMRA forms client using the TCP/IP protocol. For this communication a port must be specified. By default, port number 56814 is used by the UMRA service to communicate, but you can specify any other port. When starting up the communication with the UMRA service, the UMRA console and UMRA forms applications will try to connect using the default port number first. If this fails, the port can be configured differently. It is recommended to use the default port.

UMRA service installation - Service directory

Before the UMRA service is created on the remote machine, the UMRA service executable files are copied to a particular directory on that computer. The UMRA service installation wizard automatically determines the target directory but you can specify any other directory. Note that the name of the directory is specified relative to the target computer, e.g. G:\UmraService means the directory UmraService on the local drive G:\ of the computer on which the UMRA service is installed.

UMRA service installation - Service account

The UMRA service uses a Windows 2003/2000 account to run. If the account does not exist already, it is created by the UMRA service installation wizard. It is recommended to use an Active Directory domain account, not a server local account. All scripts executed by the UMRA service are executed by this account with respect to the Active Directory - Windows 2003/2000 security settings. Therefore, this account must have sufficient administrative privileges. In the next step of the wizard, the account can be added to an administrative group.

By default, the UMRA service installation wizard specifies the following name for the service account: DOMAIN\UmraSvcAccount. Further, a random strong password is generated. This password is not known to anyone. If the account does not exist, the account is created with the generated password. If the account already exists, the password will be incorrect. In this case, you must specify the correct password or change the name of the service account to a non-existing name.

UMRA service installation - Admin group

The UMRA service must have sufficient administrative privileges to execute its tasks. These privileges are determined by the service account used by the UMRA service. By adding the service account to one or more administrative groups, the account can be granted sufficient access rights.

UMRA service deletion - Delete all files

When the UMRA Service is running, the service will create a number of files and directories. For instance, all logging information and UMRA form projects are stored in files. When the service is deleted, you have two options:

1. Delete all files found in the UMRA Service directory and the directory itself: This will delete all the files originally installed when the service was installed and all files created in the UMRA Service directory.
2. Delete the files that were originally installed only.

UMRA Forms

UMRA forms - Introduction

The UMRA forms application is used by helpdesk employees. The users can connect to an UMRA service and see the forms they are allowed to execute. When a form is selected, it is opened. The form fields are specified and the form is submitted to the UMRA service for further processing.

UMRA forms - installation

The UMRA forms application is installed by running the file SETUPUSERMANAGEMENT.EXE. See Installation of UMRA Console, section Installing UMRA console for more information.

Note: the UMRA forms application can run over a network share. It is not required to install the UMRA forms application on the computer that runs the application. Access to execute the file UMpro.exe is sufficient to run UMRA forms.

Command line options

The UMRA forms application supports the following startup options:

Syntax: UMpro.exe
Examples: UMpro.exe
Description: No command line options

Syntax: UMpro.exe [connection_string]
Examples: UMpro.exe SERVER_A
          UMpro.exe SERVER_A:544
Description: Start UMRA forms and connect to the specified computer:port. The computer should run the UMRA service.

UMRA forms initialization files

Optionally, an initialization file can be used to connect to the UMRA service automatically and show a default form. The name of the file must be UmraW32.ini and the file must be located in the UMRA forms directory (containing UMpro.exe). The initialization file can contain the following entries:

    [Connection]
    ServerPort=[connection_string]
    [Forms]
    Intro=[form_file_name]

The entries contain the following items:

[connection_string]: the connection string used to connect to the UMRA service. Examples: SERVER_A, SERVER_A:544
[form_file_name]: the name of the exported form (.ufo). This form is shown as the default form in the UMRA forms client when no other form is shown.

Example of file UmraW32.ini:

    [Connection]
    ServerPort=SERVER_A:5122
    [Forms]
    Intro="\\SERVER_A\UmraForms\FormDefault.ufo"

UMRA forms - service connection

In order to run and submit forms, the UMRA forms application must connect to an UMRA service. To set up the connection, select menu option Tools, Connect... and specify the name of the computer that runs the UMRA service and optionally the port number. When you check the option Save specification, the connection information is stored in the initialization file UmraW32.ini and used the next time UMRA forms is started. Note that you must have write access to the initialization file to update it. See UMRA forms - installation for more information.

UMRA Automation

UMRA Automation - Introduction

UMRA can be integrated with other employee management systems to automate Active Directory user account management tasks. For instance: when an employee leaves an organization and is removed from an employee information system, Active Directory needs to be updated by disabling or removing the associated user account and network resources. The UMRA service can execute these tasks automatically when the employee information system is updated.

To accomplish these tasks, the UMRA Automation software can be activated by the employee information system. UMRA Automation supports multiple interfaces to set up this configuration. Of these interfaces, the UMRA COM implementation and the UMRA command line interfaces are the most important.

With the UMRA Automation modules, the complete UMRA functionality can be accessed from all applications that can access COM objects or can activate a command line. The UMRA Automation module can for instance be used in all of the Microsoft Office applications (Word, Excel, Access) and the Microsoft Internet site development environments (IIS, ASP, ASPX). Due to the client-service architecture, the UMRA Automation software is completely secure.

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface

UMRA Automation - Principle

User Management Resource Administrator supports 3 methods to integrate the functions of UMRA with other applications. Together, these methods form the UMRA Automation module. To use UMRA Automation, the other application must be configured to access User Management Resource Administrator. This can be done using several methods, described below:

Method: UMRA Console Command Line Interface
UMRA component: UMRA Console
Implementation: Command Line Interface

Method: UMRA COM
UMRA component: UMRA Automation, UMRA Service, UMRA Console (configuration only)
Implementation: COM object

Method: UMRA Automation Command Line Interface
UMRA component: UMRA Automation (run), UMRA Service, UMRA Console (configuration only)
Implementation: Command Line Interface

1. UMRA Console Command Line Interface: With this method, the UMRA Console application is activated directly from the command line. The application can execute any mass project and read the input data from a text (.csv) file. This method is mainly used to update Active Directory with account request changes that are stored in a text file. The method can be scheduled to run automatically with, for instance, Microsoft's AT command. See UMRA console - Command line options for more information.
2. UMRA COM: With this method, the main functions of UMRA can be accessed using the Component Object Model (COM). Any application that supports COM can integrate with UMRA using this method. Most applications from Microsoft, including the Microsoft Office applications and Internet Information Services (IIS), support COM. This is the recommended method to integrate UMRA functionality with other applications. See UMRA Automation - COM object for more information.
3. UMRA Automation Command Line Interface: This method is used to let the UMRA Service execute scripts from a command line. The UMRA Service, form script name and variable values are specified on the command line. This method is used when UMRA COM cannot be used or when the functions of UMRA COM are not required. The functions of this method are a subset of UMRA COM. See UMRA Automation - Command Line Interface for more information.

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface

UMRA Automation - COM object

The UMRA COM object implements the main functions to access the UMRA Service, execute form scripts and collect form data. Using UMRA COM, the functionality of User Management Administrator can be integrated with other applications (Microsoft Office, Microsoft Internet Information Services, Microsoft scripting languages, Microsoft SQL Server etc.)

The UMRA COM object software is installed on a computer when the UMRA Automation option is selected during the installation of UMRA. The COM object software does not need to be installed on the computer that runs the UMRA Service. The interface of the UMRA COM object is described in topic UMRA Automation - COM interface.

The following steps describe the principle of operation when an application accesses the COM object to activate an UMRA Script.

1. ...
2. The application must execute a script of a form project maintained on the UMRA Service.
3. The application creates an instance of the UMRA COM Object. Depending on the type of the application, the UMRA COM software must be referenced (Visual Basic, Visual Basic Scripting).
4. The application calls the UMRA COM object interface function Connect to set up a connection with the UMRA Service.
5. The application initializes all of the variables and values that are used and configured in the UMRA script. To do this, the interface function SetVariableText is used.
6. Finally, the interface function ExecuteProjectScript is called to let the service execute the script of the project.
7. ...

When the UMRA Service is accessed by the UMRA COM object, the credentials of the user that runs the application are used. This is not the case if the application changes the credentials while running.

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface

UMRA Automation - COM interface

The UMRA COM object supports interface functions to:

1. Execute form scripts on the UMRA Service.
2. Retrieve information from form scripts, for instance tables, maintained on the UMRA Service.

The UMRA COM object software is contained in a single DLL installed as part of the UMRA Automation module. The DLL is called UmraCom.dll. The DLL is a so-called type library and contains the code that implements the COM objects and interfaces. The DLL is referenced in script environments as UMRAcom 1.0 Type Library.

The UMRA COM software consists of 3 objects, all contained in UmraCom.dll. These objects are used in script and programming languages. The objects are described below:

COM object name: Umra
Type library: UMRAcom
Description: Base object, used to connect to the UMRA Service, execute form project scripts, set up variable values and access forms.

COM object name: UmraFormProject
Type library: UMRAcom
Description: Form project object. Used to access the contents of form fields of form projects.

COM object name: UmraFormTable
Type library: UMRAcom
Description: Form table object. Used to access the fields of a table contained in a form project.

Each of the UMRA COM software objects supports a number of methods and properties that define the interface of the object. A summary of the form object interfaces is shown below (COM object, interface method: description):

Umra, GetVersionInfo: Get the version information and build number of the interface
Umra, Connect: Connect to an UMRA Service
Umra, GetHostName: Get the name of the connected UMRA Service
Umra, GetHostPortNumber: Get the port number of the connected UMRA Service
Umra, GetLogMsg: Get the log message last generated
Umra, SetVariableText: Set the variable name and variable value of a text variable
Umra, SetVariableLong: Set the variable name and variable value of a numeric variable
Umra, SetVariableBool: Set the variable name and variable value of a boolean variable
Umra, ClearVariables: Clear all variables maintained by the interface
Umra, ClearVariable: Clear (delete) a variable with the specified name
Umra, ExecuteProjectScript: Execute the specified script at the connected UMRA Service
Umra, GetVariableText: Get the text value of the specified variable
Umra, LoadFormProject: Load the specified form project from the connected UMRA Service
Umra, GetConnectionInfo: Get the host name and port number of the connected UMRA Service
Umra, GetScriptExecutionInfo: Get the status information of the executed script
UmraFormProject, GetFormTable: Access the specified table
UmraFormTable, GetCellText: Retrieve the text of the specified row-column from the table

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface

UMRA Automation - COM interface

Umra COM - Umra.GetVersionInfo

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void GetVersion( [out] long* VersionMajor, [out] long* VersionMinor, [out] long* BuildNumber)

Method: GetVersionInfo
COM object: Umra
Description: Returns the version information of the UMRA COM interface. To ensure proper operation, the build numbers of the UMRA COM interface and the connected UMRA Service should correspond.

VersionMajor - OUT: The major version number (example: 7)
VersionMinor - OUT: The minor version number (example: 1)
BuildNumber - OUT: The build number (example: 1136)

Umra COM - Umra.Connect

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long Connect([in] BSTR Host, [in] long PortNumber)

Method: Connect
COM object: Umra
Description: Connects to the specified UMRA Service. The connection is required to call any of the other methods to execute a script or load a form project.

Host - IN: The name of the computer that runs the UMRA Service. The name must be specified using the NETBIOS (example: SPRING) or DNS (example: spring.seasons.tools4ever.com) syntax.
PortNumber - IN: The port number of the UMRA Service. Default value: 56814.
Return value - 0: Success. Other: Error, use GetLogMsg to get more information.

Umra COM - Umra.GetHostName

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetHostName([out] VARIANT* HostName)

Method: GetHostName
COM object: UMRA
Description: Retrieve the name of the connected host.

HostName - OUT: The name of the computer to which the interface is connected that runs the UMRA Service.
Return value - 0: Success

Umra COM - Umra.GetHostPortNumber

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetHostPortNumber(long* PortNumber)

Method: GetHostPortNumber
COM object: Umra
Description: Retrieve the number of the communication port of the UMRA Service to which the interface is connected.

PortNumber - OUT: The number of the port (default: 56814)
Return value - 0: Success

Umra COM - Umra.GetLogMsg

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void GetLogMsg([out] VARIANT* Msg)

Method: GetLogMsg
COM object: UMRA
Description: Get the log information stored by the interface. The log information is refreshed when the interface communicates with the UMRA Service. The log information describes the success or failure of the request that was last executed. When a new method is called that involves communication with the UMRA Service, the content is always reset.

Msg - OUT: The log information.

Umra COM - Umra.SetVariableText

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void SetVariableText([in] BSTR VariableName, [in] BSTR ValueText)

Method: SetVariableText
COM object: UMRA
Description: Set a text variable name and value. The object maintains a list of variables. The list is used for instance when a script is executed. With this method, a variable with the specified name and text value is added to the list. If a variable with the same name already exists, the value is overwritten.

VariableName - IN: The name of the variable. The variable name must be enclosed with %-characters. Example: "%FirstName%".
ValueText - IN: The text value of the variable. Example: "William"

Umra COM - Umra.SetVariableLong

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void SetVariableLong([in] BSTR VariableName, [in] long ValueLong)

Method: SetVariableLong
COM object: UMRA
Description: Set a numeric variable name and value. The object maintains a list of variables. The list is used for instance when a script is executed. With this method, a variable with the specified name and numeric value is added to the list. If a variable with the same name already exists, the value is overwritten.

VariableName - IN: The name of the variable. The variable name must be enclosed with %-characters. Example: "%MaxLogons%".
ValueLong - IN: The numeric value of the variable. Example: 6

Umra COM - Umra.SetVariableBool

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void SetVariableBool([in] BSTR VariableName, [in] VARIANT_BOOL ValueBool)

Method: SetVariableBool
COM object: UMRA
Description: Set a boolean (yes/no, true/false) variable name and value. The object maintains a list of variables. The list is used for instance when a script is executed. With this method, a variable with the specified name and boolean value is added to the list. If a variable with the same name already exists, the value is overwritten.

VariableName - IN: The name of the variable. The variable name must be enclosed with %-characters. Example: "%CreateMailboxFlag%".
ValueBool - IN: The boolean value of the variable. Example: 1

Umra COM - Umra.ClearVariables

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void ClearVariables()

Method: ClearVariables
COM object: UMRA
Description: The object maintains a list of variables. The list is used for instance when a script is executed. With this method, all variables are removed from the list. After this method has executed, the list of variables is empty, i.e. it contains no variables.

Umra COM - Umra.ClearVariable

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: void ClearVariable([in] BSTR VariableName)

Method: ClearVariable
COM object: UMRA
Description: The object maintains a list of variables. The list is used for instance when a script is executed. With this method, the list is searched for a variable with the specified name. When found, the variable is removed from the list.

VariableName - IN: The name of the variable. The variable name must be enclosed with %-characters. Example: "%UserName%".

Umra COM - Umra.ExecuteProjectScript

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long ExecuteProjectScript([in] BSTR ProjectName)

Method: ExecuteProjectScript
COM object: UMRA
Description: Executes the script of the specified project at the connected UMRA Service. The object maintains a list of variables. The list is used when the script is executed.

ProjectName - IN: The name of the project. Example: "CreateUserAccount".
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - Umra.GetVariableText

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetVariableText([in] BSTR VariableName, [out] VARIANT* ValueText)

Method: GetVariableText
COM object: UMRA
Description: The object maintains a list of variables. With this method, the text value of a variable contained in the list can be obtained. The method is used mainly to present the values of script output variables.

VariableName - IN: The name of the variable.
ValueText - OUT: The text value of the variable.
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - Umra.LoadFormProject

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long LoadFormProject([in] BSTR FormProjectName, [in] IUnknown* pformproject)

Method: LoadFormProject
COM object: UMRA
Description: The method is used to load a form maintained on the UMRA Service. The method returns an UmraFormProject object. An application can load a form to present information that is part of the form.

FormProjectName - IN: The name of the form project.
pformproject - IN/OUT: An UmraFormProject object. When successfully executed, the object can be used to access the form fields of the form.
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - Umra.GetConnectionInfo

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetConnectionInfo([out] VARIANT* ServerName, [out] unsigned long* PortNumber, [out] unsigned long* RpcHandle)

Method: GetConnectionInfo
COM object: Umra
Description: The method is used for debugging purposes only. When connected to an UMRA Service, the method returns detailed information of the connection.

ServerName - OUT: The name of the computer to which the interface is connected.
PortNumber - OUT: The service communications port number.
RpcHandle - OUT: A handle used for the communications between the interface and UMRA Service.
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - Umra.GetScriptExecutionInfo

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetScriptExecutionInfo([out] long* ScriptErrorCount, [out] VARIANT* ScriptMessage)

Method: GetScriptExecutionInfo
COM object: UMRA
Description: The method must be called after method ExecuteProjectScript and returns detailed status information.

ScriptErrorCount - OUT: The number of script execution errors.
ScriptMessage - OUT: The value of the %ScriptMessage% variable as generated by the script.
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - UmraFormProject.GetFormTable

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetFormTable([in] BSTR FormTableName, [in] IUnknown* pformtable)

Method: GetFormTable
COM object: UmraFormProject
Description: The method is used to access a table of a form obtained with method LoadFormProject. Once the table object is obtained, the data of the table can be accessed with GetCellText.

FormTableName - IN: The name of the form table.
pformtable - IN/OUT: The UmraFormTable object that can be used for further processing.
Return value - 0: Success. <> 0: Some error occurred. More information is available using Umra COM - Umra.GetLogMsg

Umra COM - UmraFormTable.GetCellText

This topic describes an interface method that is part of the UMRA Automation software.

Syntax: long GetCellText([in] long RowIndex, [in] long ColumnIndex, [out] VARIANT* CellText)

Method: GetCellText
COM object: UmraFormTable
Description: The method is used to obtain the text value of a specific row-column of a table.

RowIndex - IN: The row index of the table (0,...,MaxRow-1).
ColumnIndex - IN: The column index of the table (0,...,MaxColumn-1).
CellText - OUT: The text value of the table cell found at the specified row-column.
Return value - 0: Success. <> 0: The specified cell at (row,column) does not exist.

UMRA Automation - Executing a project script

The UMRA Automation software can be used to execute a script on the UMRA Service. This topic describes the main procedure to set up this configuration.

Create form project

With the UMRA Console application, create a form project and set up the script. It is recommended to use a descriptive name for the project, for example: AutomationCreateUserAccount. The form project does not need to have a form, i.e. no form fields are required.

Setup access rights of form project

Set up the delegation access rights for the form project so that the application that accesses the form project is allowed to execute the script.

Setup the UMRA Automation script

The form project is accessed using the name of the form project and a list of variables (name-value) that are passed to the form project. The syntax that must be used to access UMRA Automation COM objects depends on the script or programming environment. The principle is the same for each environment. In this example, the Microsoft Visual Basic 6 syntax is used. The script is a subroutine executed when a button in a Microsoft Word document is pressed. The complete project is available from the UMRA Console subdirectory Example projects\automation\createuseraccount - MS Office Word 2003 - Visual Basic 6. The next section describes in detail how this script works and how to set up such a script.

In this example, the following environment is used:

1. Windows 2000 Server or Windows XP system with UMRA installed.
2. Microsoft Office Word 2003. For the macro that is used for the UMRA Automation script, Visual Basic 6.3 is used, part of the Office installation. Microsoft Office Word 2003 is configured to support Visual Basic macros.
3. To enable accessing the UMRA COM object, the UMRA Type library must be referenced in Visual Basic. In Visual Basic 6, this is accomplished with menu option Tools, References. In the references project window, scroll to UMRAcom 1.x Type Library. Select the library and press OK.

The script is listed below.

    Private Sub CreateAccount_Click()
        Dim UmraSvc As New Umra
        Dim AccountUserName As Variant
        Dim AccountPassword As Variant
        Dim LogMessage As Variant
        Dim RetVal As Integer

        RetVal = UmraSvc.Connect("SPRING", 56814)
        If (RetVal <> 0) Then
            GoTo UmraError
        End If

        UmraSvc.SetVariableText "%FirstName%", FirstName
        UmraSvc.SetVariableText "%MiddleName%", MiddleName
        UmraSvc.SetVariableText "%LastName%", LastName

        RetVal = UmraSvc.ExecuteProjectScript("AutomationCreateUser")
        If (RetVal <> 0) Then
            GoTo UmraError
        End If

        RetVal = UmraSvc.GetVariableText("%UserName%", AccountUserName)
        RetVal = UmraSvc.GetVariableText("%Password%", AccountPassword)
        UserName.Text = AccountUserName
        PasswordField.Text = AccountPassword
        GoTo Ready

    UmraError:
        UmraSvc.GetLogMsg LogMessage
        MsgBox LogMessage
    Ready:
    End Sub

The same script is listed below with comments added to explain it:

    Private Sub CreateAccount_Click()
        ' The UmraSvc object is created as an Umra COM object.
        Dim UmraSvc As New Umra
        Dim AccountUserName As Variant
        Dim AccountPassword As Variant
        Dim LogMessage As Variant
        Dim RetVal As Integer

        ' The Umra COM object connects to the computer SPRING, port 56814, to
        ' initialize the communication with the UMRA Service. The service must
        ' be running on the computer. Port 56814 is the default port. The
        ' computer name must be changed to the actual environment.
        RetVal = UmraSvc.Connect("SPRING", 56814)
        If (RetVal <> 0) Then
            GoTo UmraError
        End If

        ' The interface contains a list of variables. Each variable has a name
        ' and a value. Before the project is executed, the variables that are
        ' used in the script of the project must be initialized. In this
        ' example, a user account is created by specifying the first, middle
        ' and last name. The variables are called %FirstName%, %MiddleName% and
        ' %LastName%. These names are copied from the Word document, which
        ' contains some Visual Basic edit boxes: FirstName, MiddleName and
        ' LastName.
        UmraSvc.SetVariableText "%FirstName%", FirstName
        UmraSvc.SetVariableText "%MiddleName%", MiddleName
        UmraSvc.SetVariableText "%LastName%", LastName

        ' All variables are now initialized. The object is connected to the
        ' UMRA Service and the variable list is initialized. The project can
        ' now be executed. The project is called AutomationCreateUser.
        RetVal = UmraSvc.ExecuteProjectScript("AutomationCreateUser")
        If (RetVal <> 0) Then
            GoTo UmraError
        End If

        ' The script is successfully executed. According to the script project,
        ' variables are returned that can be displayed in the Word document. In
        ' this example, the %UserName% and %Password% variables are filled with
        ' the user name of the created user account (as determined by the name
        ' generation algorithm) and the password. The values of these variables
        ' are shown in the text boxes UserName and PasswordField of the Word
        ' document.
        RetVal = UmraSvc.GetVariableText("%UserName%", AccountUserName)
        RetVal = UmraSvc.GetVariableText("%Password%", AccountPassword)
        UserName.Text = AccountUserName
        PasswordField.Text = AccountPassword
        GoTo Ready

    UmraError:
        ' If something goes wrong, a message box is shown describing the errors.
        UmraSvc.GetLogMsg LogMessage
        MsgBox LogMessage
    Ready:
    End Sub

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface

UMRA Automation - Command Line Interface

UMRA Automation supports a command line interface that uses the UMRA COM object to execute project scripts on the UMRA Service. The command line interface is installed as part of UMRA Automation and can be found in the UMRA base directory. The application is called UmraCmd.exe. The options of the command line interface can be specified on the command line or in a text file.

    UMRA Automation Command Line Interface
    User Management Resource Administrator (UMRA)
    Version 7.0 (build 1131) - www.tools4ever.com
    (c) Tools4ever 1995-2005. All rights reserved.

    Options:
    -srv=<server>       : Name of computer running UMRA Service.
    -port=<port>        : Port of UMRA Service (optional, default=56814).
    -project=<name>     : Name of the project to be executed.
    -commandfile=<name> : Filename containing options.
    %Var_1% = Value_1   : Specification of script variable 1
    %Var_2% = Value_2   : Specification of script variable 2
    %Var_N% = Value_N   : Specification of script variable N

    Examples of script variables
    %FirstName%=John
    %LastName%=Smith

    With the -commandfile option, all options can be specified in a
    text file instead of on the command line.

Examples:

    UmraCmd.exe -srv:spring -project:createuseraccount %FirstName%=John %LastName%=Williams
    UmraCmd.exe -srv:spring -port:56816 -project:deleteuseraccount -commandfile:"d:\umra\umraautocmd\commandoptions.txt"

where the command file D:\UMRA\UmraAutoCmd\CommandOptions.txt contains the variables:

    %Domain%=SEASONS
    %DomainController%=SPRING
    %OU%=USA/Sales
    %UserName%=SmithJ

See also: UMRA forms - Introduction; UMRA Automation - Principle; UMRA console - Command line options; UMRA Automation - COM object; UMRA Automation - COM interface; UMRA service - Introduction; UMRA Automation - Command Line Interface
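When an employee information system feeds values into an UmraCmd.exe command file, each value ends up in a text file of options that the service account acts on, so it should be validated before it is written. The following is an added example, not code from the UMRA manual or from Tools4ever: it assumes one "%Name%=Value" entry per line in the command file, uses the colon option form from the manual's examples, and the allowed character sets and the function names are choices made here.

```python
import re

# Assumptions, not taken from the UMRA manual: the command file holds one
# "%Name%=Value" entry per line, and the character sets allowed below.
VAR_NAME = re.compile(r"%[A-Za-z0-9_]+%")
PROJECT = re.compile(r"[A-Za-z0-9_]+")
HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class RejectedInput(ValueError):
    """A field from the upstream system failed validation."""


def check_value(name, value):
    """Return value unchanged if it is safe to place after 'name='."""
    if not isinstance(value, str):
        raise RejectedInput(f"{name}: value must be text")
    if CONTROL.search(value):
        # CR/LF would start a new line, i.e. a new option, in the file.
        raise RejectedInput(f"{name}: control character in value")
    if value != value.strip():
        raise RejectedInput(f"{name}: leading or trailing whitespace")
    if value.startswith("-"):
        # Could be read as an option such as -project or -srv.
        raise RejectedInput(f"{name}: value starts with '-'")
    if "%" in value:
        # Conservative policy: never let a value look like a variable name.
        raise RejectedInput(f"{name}: '%' not allowed in value")
    return value


def build_command_file(variables):
    """Render validated variables as command file text (CRLF line ends)."""
    lines = []
    for name, value in variables.items():
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not isinstance(name, str) or not VAR_NAME.fullmatch(name):
            raise RejectedInput(f"bad variable name: {name!r}")
        lines.append(f"{name}={check_value(name, value)}")
    return "".join(line + "\r\n" for line in lines)


def build_argv(server, project, command_file, port=None):
    """Build the UmraCmd.exe argument list; nothing is executed here."""
    if not HOST.fullmatch(server):
        raise RejectedInput(f"bad server name: {server!r}")
    if not PROJECT.fullmatch(project):
        raise RejectedInput(f"bad project name: {project!r}")
    if CONTROL.search(command_file) or '"' in command_file:
        raise RejectedInput("bad command file path")
    argv = ["UmraCmd.exe", f"-srv:{server}"]
    if port is not None:
        if isinstance(port, bool) or not isinstance(port, int) \
                or not 1 <= port <= 65535:
            raise RejectedInput(f"bad port: {port!r}")
        argv.append(f"-port:{port}")
    argv += [f"-project:{project}", f"-commandfile:{command_file}"]
    return argv


if __name__ == "__main__":
    # Constructed sample records, as an HR export might deliver them.
    records = [
        {"%Domain%": "SEASONS", "%OU%": "USA/Sales", "%UserName%": "SmithJ"},
        {"%UserName%": "SmithJ\r\n-project:createuseraccount"},
    ]
    for record in records:
        try:
            print(repr(build_command_file(record)))
        except RejectedInput as err:
            print("rejected:", err)
    print(build_argv("spring", "deleteuseraccount",
                     r"d:\umra\umraautocmd\commandoptions.txt", 56816))
```

Passing the resulting list to a process launcher without a shell keeps each option a separate argument; a rejected record is best logged and skipped rather than repaired.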

Licensing

Introduction

To set up a licensed version of User Management Resource Administrator you need to have one or more valid license codes. You can obtain a license code for UMRA from your reseller. Note that the license codes of UserManagemeNT 5.x (UserManagemeNT Professional, Delegation and Import) cannot be used for User Management Resource Administrator.

Licensing model

User Management Resource Administrator supports three licensing models:

1. Demo license: A demo license has a limited lifetime. The default demo period is 30 days. During the demo period, script execution is limited to 5 times per session, which can be reset by restarting the application. The demo license supports all function modules for the Console Interface Module (see further). When started for the first time, a demo license is automatically installed.
2. Domain - Organizational Unit license: This is the default license model when purchased. The license is related to a domain or organizational unit (and all child organizational units). This type of license grants access to the functions of User Management Resource Administrator as long as the managed user accounts are a member of the licensed domain or organizational unit. A Domain - Organizational Unit license is further based on the maximum number of user accounts that exist in the domain (organizational unit) and all child organizational units. If the actual number of users exceeds the maximum number of the license, the license is no longer valid and User Management Resource Administrator will not execute any script or project. (For more complex scenarios, additional licensing options are available. Contact your reseller for more information.)
3. Site license: A site license grants access to the functions of User Management Resource Administrator, regardless of the number of user accounts managed with User Management Resource Administrator.

Once a license is installed, you can always change to another licensing model if you have a valid license code. All configuration settings are preserved in this procedure.

Function and Interface modules

All features and functions of User Management Resource Administrator are divided into modules. Each module has its own specific feature set. Two types of modules are defined for UMRA:

1. Function modules: A function module contains a number of script actions. The script actions can be regarded as the instruction set of UMRA. Each script action belongs to a specific function module. For an overview of script actions and function modules, see Function modules. For more general information on script actions, see Manage script actions.
2. Interface modules: An interface module contains one or more UMRA applications that are used to run the UMRA scripts. The currently available interface modules are: (1) UMRA Mass Module, (2) UMRA Forms Module and (3) UMRA Automation Module.

License code

An UMRA license is installed by configuring a license code. A license code contains information regarding the licensing model and the function and interface modules. When the demo version has expired, you need to install a license code in order to continue working with UMRA. A license code can be obtained from your UMRA reseller. For more information, see License code.

More information: Interface modules; Function modules; License code

Interface modules

An interface module specifies the User Management Resource Administrator interface that can be used to execute projects and scripts. At this moment, 3 interface modules exist:

1. UMRA Mass Module: Mass projects to create-update-delete user accounts and resources in Active Directory and NT4-local computer networks in bulk. Mass projects are executed using the graphical UMRA Console application.

2. UMRA Forms Module: Form projects to execute any script to create-update-delete user accounts and resources in Active Directory and NT4-local computer networks. Form projects are executed by the UMRA Service. The forms are shown in the UMRA Forms application and managed using the UMRA Console application.

3. UMRA Automation Module: Supports the execution of UMRA Form and UMRA Mass projects through command-line interfaces for mass and the COM object model.

More information: License model, Interface modules, Function modules, License code

Function modules

All features and functions of User Management are divided into function modules and interface modules. The function modules are used to group related script actions. Each function module contains a number of script actions. Vice versa, each script action belongs to one of the function modules. The following table shows all of the available script actions, and the corresponding function module for each of them.

Table columns: Script action, Base Function Module, Exchange Function Module, Advanced Function Module

User - Active Directory
Create user (AD) V
Create contact (AD) V
Get user (AD) V
Edit user (AD) V
Edit user logon V
Delete user (AD) V
Set user group memberships (AD) V
Remove user group memberships (AD) V
Move - rename user (AD) V
Create Exchange mailbox (2000/2003) V
Edit Exchange mailbox (2000/2003) V
Modify Exchange mailbox permissions (2000/2003) V
Delete Exchange mailbox (2000/2003) V
Manage Exchange recipient mail addresses (2000/2003) V

User - non Active Directory
Create user (no AD) V
Edit user (no AD) V
Edit user logon V
Delete user (no AD) V
Setup user global group memberships V
Add account to local group V
Remove group member V

User - General user actions
Edit user logon V
Terminal Services user settings V
Dial-in user settings V

Active Directory
Create object (AD) V
Get attribute (AD) V
Set attribute (AD) V
Set group memberships (AD) V
Remove specific groupmemberships (AD) V
Create group (AD) V
Get object (AD) V
Search object (AD) V
Get primary group (AD) V
Set primary group (AD) V

File system
Create directory V
Copy directory V
Rename file or directory V
Delete directory V
Create share V
Delete share V

Other actions
Execute command line V

Variable actions
Set variable V
Split variable V
Format variable value V
Update numeric variable V
Generate generic table V
Manage table data V
Generate name(s) V
Convert text to date/time V
Convert to multi-value value variable V
Manage multi-text value variable V
Merge multi-text variable value V
Map variable V
Export variable V
Go to label V
If-Then-Else V
For-Each V
Delete variable V
Delay V
No operation V
Generate random number V
Send mail message V
Log variables V

More information: License model, Interface modules, Function modules, License code

License matrix

UMRA consists of the following software applications:

1. UMRA Console: The main application that is primarily used to manage all UMRA projects and manage the UMRA service. To use UMRA, you always start with the UMRA Console application.

2. UMRA Service: The UMRA service is used to execute delegated tasks. The UMRA Service is accessed through the UMRA Console, UMRA Forms and UMRA Automation software. You only need to install the UMRA Service application if you want to execute forms projects. See UMRA Delegation - General for more information.

3. UMRA Forms: The Windows interface to show and submit delegated forms. The UMRA Forms application is most often used by helpdesk employees. The UMRA Forms application interfaces with the UMRA Service application directly. See UMRA forms - Introduction for more information.

4. UMRA Automation: UMRA can be integrated with other employee management systems to automate Active Directory user account management tasks. For instance: when an employee leaves an organization and is removed from an employee information system, Active Directory needs to be updated by disabling or removing the associated user account and network resources. With UMRA, the UMRA service can execute these tasks automatically when the employee information system is updated. See UMRA Automation - Introduction for more information.

The combination of supported functions and required interface modules of User Management Resource Administrator is shown in the license matrix table below.

Function: Run mass projects with the graphical UMRA Console user interface
  UMRA software: UMRA Console
  Required Interface Modules license: UMRA Mass Module
  Function Module license: Base Function Module, Exchange Function Module, Advanced Function Module

Function: Run mass projects with the command line options of the UMRA Console application
  UMRA software: UMRA Console, UMRA Automation
  Required Interface Modules license: UMRA Automation Module
  Function Module license: Base Function Module, Exchange Function Module, Advanced Function Module

Function: Run form projects with UMRA Forms
  UMRA software: UMRA Console, UMRA Service, UMRA Forms
  Required Interface Modules license: UMRA Forms Module
  Function Module license: Base Function Module, Exchange Function Module, Advanced Function Module

Function: Run form projects from a command line
  UMRA software: UMRA Console, UMRA Service, UMRA Automation
  Required Interface Modules license: UMRA Automation Module
  Function Module license: Base Function Module, Exchange Function Module, Advanced Function Module

Function: Run form projects using COM objects (ASP, Office, etc.)
  UMRA software: UMRA Console, UMRA Service, UMRA Automation
  Required Interface Modules license: UMRA Automation Module
  Function Module license: Base Function Module, Exchange Function Module, Advanced Function Module

License code

A UMRA license code contains the following information:

1. The licensing model: demo, domain/ou or site;
2. Name of the domain/ou or site;
3. Maximum number of users (domain/ou license only);
4. Function modules;
5. Interface modules.

Depending on the UMRA installation, UMRA license codes must be installed for one or more UMRA components:

Feature: Run mass projects
  UMRA applications used: UMRA console
  UMRA license codes installed for: UMRA console

Feature: Run delegated forms
  UMRA applications used:
    1. UMRA console to set up form projects and manage the UMRA service
    2. UMRA forms used by helpdesk employees to view and submit forms
    3. UMRA service to execute submitted forms
  UMRA license codes installed for: UMRA console and UMRA service

Note: A single license code can contain any combination of function and interface modules.

Required information to obtain a license

To obtain a license code for User Management Resource Administrator, you need to contact your UMRA reseller. Please note that you are required to pass some network-specific information in order to obtain a valid license code. In most cases, you will need a license code for either an entire domain or an organizational unit. Note that such a code is also valid for all child organizational units in the domain - organizational unit. If you want to manage user accounts in multiple domains or organizational units that do not have a parent-child relationship, you will also need multiple license codes.

The following information is required in order to generate a license code:

1. The name of the domain or organizational unit. If you need a license for a domain (and all child organizational units), you can specify the domain name either in NETBIOS format (example: TOOLS4EVER) or use the DNS name (example: tools4ever.com). In order to license an organizational unit (and all child organizational units) you need to specify the name of the organizational unit in the following form: [domain DNS name]/[name of organizational unit]. Examples: tools4ever.com/development, tools4ever.com/development/usermanagementteam.

2. The maximum number of user accounts of the domain or organizational unit. You need to include all user accounts of child organizational units as well. The number should be specified as one of the available tier levels: 100, 200, 250, 500, 750, 1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 9000, 10000 (10k), 20k, 30k, 40k, 50k, 60k, 70k, 80k, 90k, 100k, 110k, 120k, 130k, 140k, 150k, 200k, 250k, unlimited. Select the nearest tier level that exceeds the expected maximum number of user accounts (examples: 180 -> 200, 4560 -> 5000, 37000 -> 40000).

3. The function and interface modules that must be supported by the license code.

Specification of a license code

A license code looks like this:

BEGIN_CODE
Ni4m6jZkCD-4kDG33rASG-SWF15Ym7em
SWFsjY5dMm-x85WWny7ny-Efdm3D3mQF
745kFn77ny-B6EZQj8kyD-pXDs2fDXmQ
Tools4ever
END_CODE

The code contains 6 lines of text, begins with BEGIN_CODE and ends with END_CODE. Lines 2, 3 and 4 contain the actual license code with a total of 90 characters, split over 3 lines with 30 characters per line ([10 chars] - [10 chars] - [10 chars]). Line 5 contains the registered license name. This can be the domain name, name of the organizational unit or the name of the site. The syntax of the license code is:

BEGIN_CODE
[10-chars] - [10 chars] - [10 chars]
[10-chars] - [10 chars] - [10 chars]
[10-chars] - [10 chars] - [10 chars]
[registered name]
END_CODE

To configure a license code for UMRA console, start the application and select menu option Help, License. The presented window shows all installed licenses. Press Add. Although not required, it is most convenient to copy-paste a license code into the section License code. If the license code is already in the clipboard (press Ctrl-C when the license code is selected in a text editor such as Notepad) you only need to press Paste. Once the license code is specified, press OK. The license code is now installed. Once the code is installed, press OK. When you no longer need a license code, it is advised to remove the license code. For more information on how to set up a license code for UMRA service, see UMRA service - license.

More information: License model, Interface modules, Function modules, License code
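The six-line license code syntax and the parent-child rule for domain and organizational unit names described above can be checked before a code is pasted into the License window. The Python below is an added example, not code from UMRA or its vendor: the sample block is constructed, and the function names, the tolerance for blank lines and spaces around the hyphens, the group character set and the case-insensitive name comparison are assumptions. It checks layout only and says nothing about whether a code is genuine.

```python
import re

# Assumption: a group is 10 characters that are neither whitespace nor "-";
# the page only says "[10 chars]" and its sample shows letters and digits.
GROUP = r"[^\s-]{10}"
CODE_LINE = re.compile(rf"^({GROUP})\s*-\s*({GROUP})\s*-\s*({GROUP})$")


class LicenseFormatError(ValueError):
    """Raised when pasted text does not match the documented layout."""


def parse_license_block(text):
    """Check the 6-line layout and return the registered name and 90 code chars."""
    # Pasted text often carries CRLF endings, stray blank lines and padding.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 6:
        raise LicenseFormatError(f"expected 6 lines, found {len(lines)}")
    if lines[0] != "BEGIN_CODE":
        raise LicenseFormatError("line 1 must be BEGIN_CODE")
    if lines[5] != "END_CODE":
        raise LicenseFormatError("line 6 must be END_CODE")

    groups = []
    for number, line in enumerate(lines[1:4], start=2):
        match = CODE_LINE.match(line)
        if match is None:
            raise LicenseFormatError(
                f"line {number}: expected [10 chars]-[10 chars]-[10 chars]"
            )
        groups.extend(match.groups())

    # 9 groups of 10 characters: the 90 characters the page describes.
    return {"registered_name": lines[4], "code": "".join(groups)}


def scope_parts(name):
    """Split 'domain/ou/child-ou' into lower-cased components."""
    return [part.strip().lower() for part in name.split("/") if part.strip()]


def covers(licensed_name, target_name):
    """True if target is the licensed domain/OU itself or one of its children.

    Plain string comparison: it cannot tell that a NETBIOS name and a DNS
    name refer to the same domain, and it does not model site licenses.
    """
    licensed = scope_parts(licensed_name)
    target = scope_parts(target_name)
    return bool(licensed) and target[: len(licensed)] == licensed


# Constructed sample (not a real license code), with the CRLF endings,
# trailing space and blank line that a copy-paste from e-mail can add.
SAMPLE_BLOCK = (
    "BEGIN_CODE\r\n"
    "AAAAAAAAAA-BBBBBBBBBB-CCCCCCCCCC \r\n"
    "DDDDDDDDDD-EEEEEEEEEE-FFFFFFFFFF\r\n"
    "\r\n"
    "GGGGGGGGGG-HHHHHHHHHH-IIIIIIIIII\r\n"
    "example.test/development\r\n"
    "END_CODE\r\n"
)

if __name__ == "__main__":
    parsed = parse_license_block(SAMPLE_BLOCK)
    print("registered name:", parsed["registered_name"])
    print("code characters:", len(parsed["code"]))
    for target in ("example.test/development/team1", "example.test/sales"):
        print(target, "covered:", covers(parsed["registered_name"], target))
```

A target outside the licensed name's subtree, such as a sibling organizational unit, is the case the page says needs its own license code.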


User Management Resource Administrator 7.2 Error 7, 13 Error 20 Error 60 Error 81 Error 83 Error 88 Error 95 Error 101 Error 105 Error 112 Error 115 Error 118 Error 139 Error 292 Error 311 Error 323 Error 363 Error 372 Error 373 Error 374 Error 375 Error 376 Error 377 Error 379 error handling 13, 20 Example user homedirectory 117 Example 1, 7, 17, 20, 22, 25, 30, 35, 42, 46, 48, 56, 58, 60, 62, 64, 70, 72, 88, 95, 97, 99, 101, 104, 105, 109, 112 Example 117 Example 118 Example 121 Example 123 Example 130 Example 132 Example 135 Example 137 Example 149 Example 155 Example 158 Example 161 Example 167 Example 170 Example 171 Example 238 Example 244 Example 247 Example 253 Example 254 Example 258 Example 260 Example 263 Example 265 Example 268 Example 270 418

Index Example 290 Example 292 Example 293 Example 296 Example 302 Example 309 Example 314 Example 315 Example 323 Example 329 Example 332 Example 346 Example 347 Example 355 Example 362 Example 363 Example 367 Example 368 Example 369 Example 371 Example 372 Example 379 Example 382 Example 388 Example projects/automation/createuseraccount 379 example skip 97 examples according 290 Exchange according 62, 70 addresses according 62, 70 create 1, 7, 20, 46, 62 install 15, 327 Manage 70 name 7, 62, 244 specified 64 Exchange 1 Exchange 3 Exchange 7 Exchange 15 Exchange 17 Exchange 20 Exchange 46 Exchange 62 Exchange 64 Exchange 66 Exchange 69 Exchange 70 Exchange 244 Exchange 260 Exchange 327 Exchange 385 Exchange 387 Exchange 2000 15, 69, 327 Exchange 2003 Delete 69 Exchange 2003 15 419

User Management Resource Administrator 7.2 Exchange 2003 69 Exchange 2003 327 Exchange 2003/2000 addresses 7 existing 7, 66 Exchange 2003/2000 7 Exchange 2003/2000 15 Exchange 2003/2000 64 Exchange 2003/2000 66 Exchange 2003/2000 327 Exchange Function Module 385, 387 ExchangeServer 62, 244 Exclusions 292 exe 119 EXE file 48, 76 Execute project script 379 specificed 360 Windows 119 Execute 1, 7, 13, 17, 20, 22, 25, 30, 35, 42, 46, 48, 55, 56, 60, 64, 66, 69, 72, 76, 91, 104, 112 Execute 119 Execute 127 Execute 139 Execute 151 Execute 154 Execute 158 Execute 164 Execute 244 Execute 247 Execute 250 Execute 253 Execute 254 Execute 258 Execute 260 Execute 270 Execute 293 Execute 296 Execute 300 Execute 302 Execute 309 Execute 311 Execute 313 Execute 314 Execute 315 Execute 316 Execute 324 Execute 325 Execute 326 Execute 332 Execute 343 Execute 347 Execute 351 Execute 352 Execute 354 Execute 355 Execute 357 420

Index Execute 358 Execute 359 Execute 360 Execute 363 Execute 366 Execute 367 Execute 368 Execute 369 Execute 370 Execute 371 Execute 372 Execute 374 Execute 379 Execute 382 Execute 383 Execute 384 Execute 385 Execute 387 Execute 388 Execute Command Line 7, 119, 385 Execute script form 313 Execute script 313 Execute script 358 Execute script 360 ExecuteProjectScript 372 exisintg editing 268 exisintg 268 existing Active Directory 104 Exchange 2003/2000 7, 66 existing 7 existing 66 existing 104 Export 251 Export file 7, 137, 251 Export Variables 13, 99, 137, 385 Exporting data 251 memberof 137 Exporting 137 Exporting 251 Exporting 261 extended.1140 7 F F1 7 factor 1.0 304 factor 304 Features 1, 7, 13, 15, 155, 167, 250, 300, 327, 383, 385, 388 Features include 1 feeded 7, 244 Field 1, 13, 35, 42, 48, 72, 76, 81, 83, 101, 105, 109, 121, 127, 130, 132, 137, 161, 164, 167, 247, 254, 260, 263, 265, 268, 272, 298, 300, 302, 304, 305, 306, 311, 318, 319, 326, 337, 360 field contains 421

User Management Resource Administrator 7.2 description 254 field contains 254 field describing variable 254 field describing 254 field shows current 272 field shows 272 File System 35, 109, 385 Filter 58, 105, 290 filter according 105 find Active Directory 105 find 5, 31, 35, 42, 46, 48, 55, 56, 58, 60, 64, 66, 69, 83, 95, 97, 101 find 105 find 135 find 332 find 346 Finish 119 First contains 155 First 5, 7, 25, 35, 42, 48, 55, 56, 72, 81, 88, 91, 101, 105, 115, 121, 127 First 155 First 158 First 161 First 167 First 169 First 238 First 241 First 244 First 247 First 250 First 260 First 265 First 270 First 296 First 298 First 311 First 315 First 323 First 329 First 345 First 349 First 379 First 383 first determines 105 first line data 329 first line 244 first line 329 FirstName 25, 35, 42, 72, 127, 155, 161, 244, 367, 379, 382 Fixed 22, 25, 88, 120, 243, 247, 268, 272, 302, 315, 347 Fixed data table 272 fixed.1117 7 422

Index fixed.1140 7 flag Yes 66 flag 22 flag 66 flag 95 flag 97 flag 112 flag 115 flag 118 flag 135 flag 244 flag indicating 22, 66, 112, 115, 244 fo 7 followin opstart supports 355 followin opstart 355 following tabel 12 following 12 Fonts 7, 306, 322 Form Execute script 313 UMRA 258, 326 UMRA Automation 358 Form 1, 3, 7, 17, 30, 35, 48, 72, 88, 109, 118, 121, 127, 244 Form 258 Form 260 Form 261 Form 263 Form 265 Form 268 Form 270 Form 272 Form 290 Form 292 Form 293 Form 296 Form 297 Form 298 Form 300 Form 302 Form 304 Form 305 Form 306 Form 308 Form 309 Form 311 Form 313 Form 314 Form 315 Form 316 Form 317 Form 318 Form 319 Form 320 423

User Management Resource Administrator 7.2 Form 321 Form 322 Form 323 Form 324 Form 325 Form 326 Form 342 Form 343 Form 344 Form 346 Form 347 Form 354 Form 355 Form 356 Form 358 Form 359 Form 360 Form 363 Form 374 Form 377 Form 379 Form 384 Form 387 Form 388 form according 260, 304 Form action 7, 260, 300, 302, 308, 309, 311, 313, 314, 315, 316, 317, 347 form field shifts 306 Form fields 1, 7, 258, 260, 263, 265, 268, 298, 300, 302, 304, 305, 306, 308, 309, 314, 315, 320, 321, 322, 354, 360, 374, 379 form fields include picture 258 form fields include 258 Form project 1, 7, 17, 127, 258, 260, 261, 265, 309, 311, 313, 316, 318, 319, 320, 322, 323, 324, 325, 326, 342, 343, 344, 359, 360, 363, 374, 379, 384, 387, 388 form project contains script 324 form project contains 313 form project contains 324 form projects include 325 form projects.1140 7 Form properties 318, 319, 320, 321, 322, 323, 324 form stopping 118 form.1140 7 Format Number 123 Select 123 Specifying 123 Format 7, 13, 31, 35, 42, 46, 48, 56, 62, 64, 70, 72, 101, 105, 109, 121 Format 123 Format 130 Format 132 Format 137 Format 161 Format 164 Format 244 424

Index Format 247 Format 258 Format 305 Format 321 Format 329 Format 347 Format 385 Format 388 Format string 130 Format Variable Value 123, 385 FormProjectName 374 FormTableName 377 fragement 7 Fred 314 Full 7, 35, 42, 46, 48, 56, 60, 66, 72, 76, 97, 99, 101, 104, 105, 109, 112, 117, 127, 155, 161, 326, 344 fullfill need 325 fullfill 325 FullName 35, 42, 46, 72, 127 function module contains number 383, 385 function module contains 383 function module contains 385 Function modules 383, 385, 387 functions UMRA 358 UMRA COM 358 User Management 385 User Management Resource Administrator 7, 343, 383 functions 1 functions 7 functions 13 functions 17 functions 35 functions 42 functions 46 functions 48 functions 55 functions 56 functions 58 functions 60 functions 62 functions 64 functions 66 functions 69 functions 70 functions 72 functions 76 functions 80 functions 81 functions 83 functions 88 functions 91 functions 95 functions 97 functions 99 425

User Management Resource Administrator 7.2 functions 101 functions 104 functions 105 functions 109 functions 112 functions 115 functions 117 functions 118 functions 119 functions 120 functions 121 functions 123 functions 127 functions 130 functions 132 functions 133 functions 135 functions 137 functions 139 functions 149 functions 150 functions 151 functions 152 functions 154 functions 161 functions 164 functions 260 functions 326 functions 343 functions 345 functions 358 functions 359 functions 360 functions 383 functions 385 functions 387 functions 388 G G 35, 48, 72, 109, 329, 350 G$/Users 109 G/0unOY 171 GC 105 General 7, 20, 35, 42, 48, 258, 309, 318, 325, 383 General - E-mail 35, 42, 48 General - Office 35, 42, 48 General - TelephoneNumber 35, 42, 48 General - Web-Page 35, 42, 48 General window 318 Generate 7, 13, 20, 25, 30, 35, 42, 46, 48, 60, 62, 64, 66, 69, 70, 72, 76, 81, 83, 95, 101, 105, 112, 118, 127, 149, 152, 155, 158, 161, 167, 171, 243, 290, 296, 318, 332, 337, 347, 351, 360, 376, 385, 388 generated according current 171 generated according 64, 127 generated according 171 functions 311 426

Index Get 5, 7, 22, 25, 46, 48, 55, 58, 60, 64, 66, 69, 70, 95, 97, 99, 104, 120, 121, 135, 149, 244, 265, 360, 363, 366, 385 Get Object 70, 99, 104, 385 Get User 46, 48, 55, 64, 66, 69, 70, 99, 149, 385 GetCellText 378 GetConnectionInfo 375 GetFormTable 377 GetHostName 364 GetHostPortNumber 365 GetLogMsg 363, 366 GetScriptExecutionInfo 376 GetVariableText 373 GetVersion 362 GetVersionInfo 362 GHz 15, 327 gif 304 Given-Name 35, 42, 48, 244 Given-name, SurName 244 Global 7, 13, 31, 56, 58, 81, 83, 99, 101, 105, 270, 292, 322, 385 Global Catalog 105 GlobalGroupA 31 GlobalGroupB 31 GlobalGroupC 31 GOTO 135 GoTo Ready 379 GoTo UmraError 379 Group 1, 3, 7, 13, 17, 20, 22, 31, 35, 46, 48, 55, 56, 58, 70, 72, 81, 83, 99, 101, 104, 117, 132, 137, 238, 244, 260, 268, 270, 292, 324, 332, 351, 352, 385 Group Object 101 Group1 35, 42, 101 Group1,ou 99 GroupA 137 GroupMemberships 13, 17, 132, 325 GroupName 56, 101 GroupObject 101 GroupSet 31, 56 GroupSetA 56 GroupSetB 56 GroupSetC 56 H Help 1, 5, 7, 25, 56, 60, 115, 123, 169, 250, 253, 254, 335, 345, 388 Help on help 5 helpdesk control 3, 7 OU 258 providing 3 helpdesk 1 helpdesk 3 helpdesk 7 helpdesk 17 helpdesk 258 helpdesk 354 helpdesk 387 helpdesk 388 Home 1, 3, 13, 17, 20, 22, 25, 35, 42, 46, 48, 55, 72, 76, 88, 109, 112, 117, 118, 119, 135, 149, 244 427

User Management Resource Administrator 7.2 Home Directory 17, 20, 22, 25, 35, 46, 48, 72, 76, 88, 109, 112, 117, 118, 119, 135, 149, 244 home-directories 325 HomeDirectory 117, 121, 135 HomeServer 35, 72, 109, 135 HomeServer%/students/%UserName 135 HomeServer%/students//%UserName 135 HomeServer%/users/%UserName 135 HostName 364 HTML-file Project Assistant shows 335 HTML-file 335 I ICA 88 ID 152 Identifier 35 identify Active Directory Object 104 identify 46, 48, 55, 60, 64, 66, 69, 70, 76, 81, 83, 91, 95, 97, 99, 101 identify 104 identify 117 identify 118 identify 238 identify 258 identify 293 IgnoreFirstLine 329 IIS 357, 358 implementations Kerberos 35, 48 implementations 35 implementations 42 implementations 48 implementations 72 implementations 357 implementations 358 implements COM 360 implements 112, 127, 359 implements 360 Import 7, 12, 17, 35, 42, 72, 99, 123, 127, 170, 247, 261, 272, 383 IN 363, 367, 368, 369, 371, 372, 373, 374, 377, 378 IN/OUT 374, 377 information.1065 7 information.1117 7 information.1140 7 Initials'-field 48 Input next line 20 Input 1, 7, 13, 17 Input 20 Input 22 Input 25 Input 31 Input 35 Input 42 Input 46 428

Index Input 48 Input 56 Input 72 Input 95 Input 101 Input 120 Input 121 Input 123 Input 127 Input 130 Input 132 Input 135 Input 155 Input 158 Input 161 Input 164 Input 169 Input 171 Input 238 Input 244 Input 247 Input 250 Input 251 Input 252 Input 253 Input 260 Input 265 Input 298 Input 311 Input 315 Input 329 Input 332 Input 358 Input data 1, 7, 13, 17, 20, 22, 25, 35, 42, 56, 101, 120, 121, 132, 155, 171, 244, 247, 250, 251, 252, 253, 260, 329, 332, 358 input data contains column 25, 244 input data contains 22 input data contains 25 input data contains 155 input data contains 244 input lines 265 input state table 298 input state 298 input string 121 Input text form field 265, 311 inputfile 329 Input-Output Number 135 Input-Output 135 Insert CD 15, 327 Insert 7 Insert 15 Insert 25 429

User Management Resource Administrator 7.2 Insert 120 Insert 132 Insert 137 Insert 238 Insert 254 Insert 265 Insert 327 Insert button press 265 Insert button 7 Insert button 265 Insert button.1140 7 Install Exchange 15, 327 UMRA 345, 355 UMRA Console 15, 327 Install 1, 3 Install 15 Install 62 Install 170 Install 261 Install 327 Install 342 Install 343 Install 345 Install 348 Install 350 Install 353 Install 355 Install 359 Install 360 Install 379 Install 382 Install 383 Install 387 Install 388 Install Exchange System Management Tools Only 15, 327 Install User Management Resource Administrator 3 Installation 15, 17, 327, 335, 355, 379, 388 Installing UMRA 15, 327, 355 Installing UMRA Console 15, 327, 355 Interface 1, 13, 35, 42, 101, 236, 293, 357, 359, 360, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 383, 384, 385, 387, 388 interface contains list 379 interface contains 379 Interface modules 383, 384, 385, 387, 388 Internal application 35, 42, 56, 62 Internet 35, 42, 48, 358 Internet Information Services 358 Internet-style 48 intranet site 35, 42, 48 Introduction 3, 243, 326, 331, 334, 338, 343, 354, 357, 383 IP 35, 42, 48 Iteration 430

Index add 161 Iteration 35, 127, 158 Iteration 161 Iteration 167 Iteration 314 Iteration - Use 127 Iteration button Press 167 Iteration button 158 Iteration button 167 iteration cycle 127 Iteratively 7, 314 IUnknown 374, 377 J J 88, 161 J.Smith@tools4ever.com 62, 64, 70, 88, 91 John 46, 104, 244, 314, 382 John Williams 46, 104 John@tools4ever.com 62, 64, 70 John2 158 John3 158 Jonh 161 Jonh1 158 jpg 304 JWilliams 46 K Kerberos implementations 35, 48 Kerberos 35 Kerberos 48 Kerberos preauthentication 35, 48 keyts 309 kyfd 171 L Label 7, 20, 139, 385 label refers 20 Last 7, 22, 25, 35, 42, 48, 55, 72, 109, 118, 119, 121, 127, 155, 161, 169, 260, 265, 302, 315, 316, 360, 366, 379 last char name 109, 118 last char 109 last char 118 LastName contains 244 LastName 22, 25, 35, 42, 72, 127, 155, 161 LastName 244 LastName 247 LastName 379 LastName 382 LDAP compose 35, 42, 46, 101 specify 105 LDAP 35 LDAP 42 LDAP 46 LDAP 56 431

User Management Resource Administrator 7.2 LDAP 60 LDAP 62 LDAP 95 LDAP 97 LDAP 99 LDAP 101 LDAP 104 LDAP 105 LDAP 290 LDAP Container 35, 42, 101 LDAP-Display-Name 95, 97 LDAP-name 56 let UMRA 326 UMRA Service 358 let 127, 155, 243, 260, 265, 272, 302 let 326 let 341 let 358 let 359 license 345, 383, 387, 388 License code 345, 383, 388 license code contains 388 license code enable 345 License matrix 387 limedeca 270, 293, 311 limit 10 MB 347 limit 88, 105, 109, 117, 123, 149, 150, 152, 167, 265, 272, 296, 306, 326, 344 limit 347 limit 383 list Active Directory 99 interface contains 379 property contains 56 window contains 164 window shows 31, 239 list 5, 7, 30 list 31 list 35 list 42 list 48 list 56 list 66 list 72 list 81 list 95 list 97 list 99 list 123 list 130 list 135 list 137 list 149 list 155 list 158 432

Index list 161 list 164 list 169 list 236 list 239 list 241 list 253 list 254 list 260 list 265 list 268 list 272 list 290 list 292 list 293 list 306 list 308 list 309 list 311 list 323 list 324 list 367 list 368 list 369 list 370 list 371 list 372 list 373 list 379 list contains columns 293 list contains 56, 236 list contains 293 list shows accounts 236 arguments 290 names 265 variables 254 list shows 158 list shows 236 list shows 254 list shows 265 list shows 290 LoadFormProject 374 Local specify 83 Local 3, 7, 13, 15, 17, 35, 42, 48, 55, 56, 58, 72, 76, 80 Local 83 Local 88 Local 99 Local 101 Local 105 Local 109 Local 112 Local 115 Local 117 433

User Management Resource Administrator 7.2 Local 119 Local 290 Local 296 Local 309 Local 318 Local 327 Local 332 Local 342 Local 350 Local 351 Local 385 Local Security 112, 115 Log Terminal 88 Windows 2000 88 Log 7, 13, 15, 25, 30, 35, 48, 62, 72, 76 Log 88 Log 112 Log 115 Log 154 Log 250 Log 327 Log 336 Log 337 Log 347 Log 353 Log 360 Log 366 Log 385 Log Bar 336, 337 Log file 154, 250, 337, 347 Log information 337, 347, 353, 366 log information describes 366 Log Variables 154, 385 logfiles 347 logical_drive>/<directory>/<directory 117 Logon 7, 35, 46, 48, 72, 76, 81, 88, 91, 137, 258, 300, 385 M M 127 mae 304 Mailbox 1, 3, 7, 13, 17, 20, 22, 46, 62, 64, 66, 69, 70, 244, 260, 325, 385 maintains UMRA 343 maintains 17, 76, 83, 88, 91, 118, 238, 261, 270, 318, 324 maintains 343 maintains 344 maintains 346 maintains 359 maintains 360 maintains 367 maintains 368 maintains 369 maintains 370 maintains 371 maintains 372 434

Index maintains 373 maintains 374 Make Active Directory 56, 81, 99 Make 1, 7, 42 Make 56 Make 81 Make 99 Make 117 Make 132 Make 139 Make 155 Make 158 Make 167 Make 258 Make 260 Make 265 Make 296 Make 302 Make 304 Manage Exchange 70 Press 309 UMRA 1, 388 Manage 1 Manage 3 Manage 7 Manage 12 Manage 13 Manage 15 Manage 17 Manage 20 Manage 22 Manage 31 Manage 46 Manage 48 Manage 58 Manage 60 Manage 64 Manage 66 Manage 70 Manage 76 Manage 83 Manage 91 Manage 95 Manage 97 Manage 99 Manage 104 Manage 105 Manage 112 Manage 117 Manage 133 Manage 155 Manage 158 Manage 161 Manage 169 435

User Management Resource Administrator 7.2 Manage 170 Manage 239 Manage 247 Manage 254 Manage 258 Manage 261 Manage 290 Manage 296 Manage 302 Manage 309 Manage 320 Manage 326 Manage 327 Manage 342 Manage 344 Manage 345 Manage 383 Manage 384 Manage 385 Manage 387 Manage 388 Manage button press 155, 158 Manage button 155 Manage button 158 Manage Exchange 7, 70, 385 manage existing 48, 58, 60, 64, 66, 70, 76, 91, 95, 112, 117 manage existing objects 97, 99 manage existing user 105 Manage script action properties 22 Manage script actions 13, 20, 22 Management 1, 13, 15, 327, 357, 387 Many implementations User Management 120, 121, 132 Many implementations 120 Many implementations 121 Many implementations 132 Mapping Table 135 Mapping 135 Mapping table 135 Marketing 315 Mass 1, 7, 17, 20, 127, 244, 247, 250, 258, 329, 332, 341, 358, 383, 384, 387, 388 Mass create-update-delete 1 Mass Module 383, 387 Mass project input data 7, 332 Maximum Password Age 35, 48, 72 MaxLogons 368 MB 15, 327, 347 Member account becomes 56 object becomes 99 Member 7, 35, 48 Member 56 Member 58 Member 72 436

Index Member 76 Member 80 Member 81 Member 83 Member 99 Member 101 Member 132 Member 137 Member 270 Member 292 Member 332 Member 383 Member Of 35, 48, 56, 72, 81, 83, 99, 132, 270, 292, 383 memberof exporting 137 memberof 137 Merge 332 messagebox show 313 messagebox 313 Microsoft 15, 171, 327, 357, 358, 359, 379 Microsoft Exchange 2003 Software 15, 327 Microsoft Internet Information Services 359 Microsoft Internet site 357 Microsoft Office 357, 358, 359, 379 Microsoft Office Word 2003 379 Microsoft SQL Server 359 Microsoft Visual Basic 379 Microsoft Windows 2003/2000/NT 171 Microsoft Word 379 Microsoft's AT 358 Middle 48, 127, 155, 161, 169, 260, 265, 379 MiddleName 35, 42, 72, 127, 155, 161, 379 Modify Exchange 7, 66, 385 month,day,year,year,hour,minute 130 Move 7, 17, 20, 48, 60, 112, 117, 149, 265, 306, 325, 385 moves back 306 MS Exchange 62, 64, 70 MS Office Word 2003 379 MS Windows NT Workstation/Windows 2000 Professional account 35, 72 MS Windows NT Workstation/Windows 2000 Professional 35 MS Windows NT Workstation/Windows 2000 Professional 72 Msg 366 MsgBox LogMessage 379 multiple-select table 314 multivalue 31 N N 7, 127, 382 name Active Directory 35, 42, 48, 99, 101, 105 Active Directory Organizational 35, 42, 101 Domain 62 domain/ou 388 Exchange 7, 62, 244 437

User Management Resource Administrator 7.2 last char 109, 118 list shows 265 name includes 318 NT4 81 Organizational Unit-Container 46 OU 60 Project file shows 318 Select 308 server shows 318 specify 308 window shows 22 name 7 name 13 name 22 name 25 name 30 name 31 name 35 name 42 name 46 name 48 name 56 name 60 name 62 name 64 name 66 name 70 name 72 name 76 name 80 name 81 name 83 name 88 name 91 name 95 name 97 name 99 name 101 name 104 name 105 name 109 name 112 name 115 name 117 name 118 name 119 name 120 name 121 name 123 name 127 name 130 name 135 name 137 name 139 name 149 name 152 438

Index name 155 name 158 name 161 name 164 name 167 name 169 name 170 name 171 name 236 name 238 name 241 name 243 name 244 name 247 name 252 name 254 name 260 name 261 name 263 name 265 name 268 name 270 name 272 name 293 name 304 name 308 name 311 name 313 name 314 name 315 name 316 name 317 name 318 name 324 name 329 name 337 name 348 name 350 name 351 name 355 name 356 name 358 name 360 name 363 name 364 name 367 name 368 name 369 name 371 name 372 name 373 name 374 name 375 name 377 name 379 name 382 439

User Management Resource Administrator 7.2 name 385 name 388 name containing variable 236, 238 name containing 236 name containing 238 name exists 263 Name Generation 7, 13, 35, 42, 48, 72, 127, 155, 158, 161, 164, 167, 169, 170, 379 name generation according 13 Name Generation Algorithms 7, 13, 35, 42, 48, 72, 127, 155, 158, 161, 164, 167, 169, 170, 379 name generation methods.1140 7 name includes name 318 name includes 318 name shows value 161 name shows 161 name>/<subdir1 109 names according 127, 161 need fullfill 325 need 1, 3, 7, 15, 22, 25, 35, 42, 46, 56, 60, 66, 72, 76, 88, 105, 120, 130, 155, 161, 171, 238, 247, 250, 253, 254, 261, 293, 315, 317 need 325 need 327 need 341 need 357 need 359 need 379 need 383 need 387 need 388 NETBIOS DNS-style 109 Use 72 NETBIOS 35, 42, 46, 48, 60 NETBIOS 72 NETBIOS 76 NETBIOS 80 NETBIOS 81 NETBIOS 83 NETBIOS 88 NETBIOS 91 NETBIOS 101 NETBIOS 105 NETBIOS 109 NETBIOS 118 NETBIOS 363 NETBIOS 388 Network The parent item 332 Network 1, 7, 13, 15, 17, 20, 31, 35, 42, 46, 48, 62, 72, 76, 83, 88, 91, 101, 117, 120, 121, 132, 135, 149, 150, 171, 244, 247, 250, 252, 268, 270, 290, 292, 293, 296, 327, 331 Network 332 Network 346 Network 355 440

Index Network 357 Network 384 Network 387 Network 388 Network bar 247, 331, 332 Network data type 270, 290, 293 network data type determines type 270 network data type determines 270 network operating 15, 83, 327 network traffic 296 Never 20, 35, 48, 72, 76, 115, 241 New application proposes 261 New 1, 5, 7, 12, 13, 15, 17, 20, 25, 31, 35, 42, 46, 56, 60, 62, 81, 83, 88, 91, 97, 101, 109, 112, 117, 119, 120, 121, 127, 130, 132, 135, 149, 158, 161, 164, 167, 236, 238, 239, 241, 243, 244, 250 New 261 New 265 New 272 New 327 New 332 New 335 New 337 New 366 NewName 60 Next 5, 20, 22, 25, 31, 35, 48, 72, 76, 105, 119, 127, 151, 155, 158, 164, 171, 239, 244, 247, 250, 254, 261, 265, 300, 306, 316, 332, 342, 347, 348, 356, 379 next line input 20 next line 20 next line 244 next line 250 next line 306 Ni4m6jZkCD-4kDG33rASG-SWF15Ym7em 388 No set 35, 48, 72, 135 No 7, 12, 15, 20 No 35 No 42 No 46 No 53 No 56 No 58 No 60 No 62 No 66 No 70 No 72 No 76 No 78 No 80 No 81 No 83 No 86 No 88 No 91 441

User Management Resource Administrator 7.2 No 95 No 97 No 101 No 105 No 109 No 112 No 115 No 117 No 118 No 119 No 120 No 121 No 132 No 133 No 135 No 149 No 151 No 154 No 155 No 158 No 171 No 244 No 250 No 254 No 260 No 263 No 296 No 302 No 304 No 305 No 306 No 308 No 311 No 315 No 323 No 324 No 326 No 327 No 355 No 370 No 379 No 383 No 385 No 388 no matching objects 105 no meaning 306 non-administrator control 384 non-administrator 384 Notes on User Management version 12 NowDay 7, 30, 137 NowHour 30 NowMinute 30 NowMonth 7, 30, 137 NowSecond 30 NowYear 7, 30, 137 442

Index NT 7, 72 NT Account 72 NT4 name 81 NT4 17, 35, 62, 72, 80 NT4 81 NT4 88 NT4 109 NT4 118 NT4 119 NT4 155 NT4-local 384 NT4-style 62, 72, 81 NTFS 1, 109 NT-style 46, 95, 97 nuimber pixeks 302 nuimber 302 Number Formatting 123 function module contains 383, 385 Input-Output 135 script action contains 244 UMRA COM 362 UMRA Service 363 User Management Resource Administrator project contains 254 variable holds 127 Number 1, 5, 7, 12, 13, 20, 22, 25, 31, 35, 42, 46, 48, 56, 88, 91, 95, 97, 105, 109, 112, 117, 119 Number 123 Number 127 Number 130 Number 135 Number 137 Number 149 Number 150 Number 152 Number 155 Number 158 Number 161 Number 167 Number 169 Number 170 Number 171 Number 244 Number 254 Number 258 Number 260 Number 265 Number 272 Number 296 Number 298 Number 302 Number 305 Number 306 Number 309 443

User Management Resource Administrator 7.2 Number 318 Number 322 Number 326 Number 332 Number 344 Number 347 Number 349 Number 353 Number 356 Number 360 Number 362 Number 363 Number 365 Number 375 Number 376 Number 383 Number 385 Number 388 O OAK 135 Object 7, 13, 17, 35, 42, 46, 56, 62, 95, 97, 99, 104, 105, 137, 236, 238, 239, 241, 290, 359, 360, 367, 368, 369, 370, 371, 372, 373, 374, 377, 379, 382, 385 object becomes member 99 object becomes 99 object found 105 object representing 35, 42, 56, 62 objectclass 105 occurs E-mail 62, 64, 70 occurs 7, 35, 42 occurs 62 occurs 64 occurs 70 occurs 101 occurs 112 occurs 115 occurs 292 occurs 293 occurs 323 occurs 372 occurs 373 occurs 374 occurs 375 occurs 376 occurs 377 Office part 379 Office 35, 42, 48 Office 379 Office 387 OK 31, 161, 263, 265, 268, 297, 300, 302, 304, 305, 308, 379, 388 onf 309 Open Access Control Settings window 241 Open 7, 20, 25, 123, 137, 161, 164, 167 444

Index Open 241 Open 250 Open 252 Open 261 Open 332 Open 335 Open 341 Open 342 Open 354 operation Principle 244, 258 operation 20, 35, 42, 46, 48, 60, 83, 105, 112, 137, 149, 150, 151, 158 operation 244 operation 247 operation 252 operation 258 operation 261 operation 272 operation 325 operation 359 operation 362 operation 385 option File 247, 251 Options 3, 7, 15, 17, 20, 22, 35, 46, 48, 60, 64, 88, 91, 97, 105, 112, 115, 118, 119, 127, 139, 155, 158, 161, 164, 167, 169, 170, 171, 236, 239, 241, 247, 250, 251, 252, 253, 254, 258, 261, 263, 265, 268, 298, 300, 302, 304, 305, 306, 308, 309, 315, 316, 323, 327, 329, 332, 337, 338, 344, 345, 346, 348, 353, 355, 356, 359, 379, 382, 383, 388 Options - Show 323 ordero 272 Organization - Company 35, 42, 48 Organization - Department 35, 42, 48 Organization - Title 35, 42, 48 Organizational Unit 35, 42, 46, 48, 60, 101, 244, 270, 290, 383, 388 Organizational Unit-Container name 46 Organizational Unit-Container 35, 42 Organizational Unit-Container 46 Organizational Unit-Container 60 Organizational Unit-Container 101 OrgUnit,dc 99 OU column showing 293 helpdesk 258 name 60 showing 293 OU 17, 25, 35, 42, 46, 48 OU 60 OU 101 OU 104 OU 105 OU 258 OU 260 OU 268 OU 270 OU 272 OU 290 445

User Management Resource Administrator 7.2 OU 293 OU 296 OU 325 OU 382 OU having 290 OU/ChildOU/GrandChildOU 35, 42, 48, 101 OU/domain 17 OU-Container LDAP 60 OU-name 7 OU's 17, 35, 42, 48, 101, 268, 270, 290, 293 OUT 362, 364, 365, 366, 373, 375, 376, 378 Output select 25 Output 22 Output 25 Output 31 Output 35 Output 42 Output 46 Output 48 Output 55 Output 64 Output 66 Output 69 Output 70 Output 72 Output 76 Output 95 Output 101 Output 104 Output 105 Output 121 Output 127 Output 130 Output 132 Output 135 Output 137 Output 154 Output 155 Output 158 Output 161 Output 164 Output 167 Output 169 Output 171 Output 238 Output 373 Output Properties 22, 35, 42, 46, 72, 238 output username 161 Overview 236, 383 Owner 7, 112, 243 P Parent 109, 112, 236, 239, 332 part DNS 72 Office 379 446

Index UMRA 335 UMRA Automation 360, 382 UserManagemeNT Professional 12 part 7 part 12 part 20 part 22 part 25 part 35 part 42 part 60 part 72 part 80 part 88 part 91 part 101 part 120 part 121 part 161 part 164 part 167 part 169 part 244 part 247 part 258 part 306 part 309 part 335 part 360 part 362 part 363 part 364 part 365 part 366 part 367 part 368 part 369 part 370 part 371 part 372 part 373 part 374 part 375 part 376 part 377 part 378 part 379 part 382 Password supports 171 value 35, 48, 72, 171 Password 3, 7, 13, 17, 22 Password 35 Password 42 Password 48 Password 72 447


Index Windows 2000 379 Windows 2000 Server 379 Windows 2003 15, 327 Windows 2003/2000 running 80, 348 uses 351 Windows 2003/2000 62 Windows 2003/2000 80 Windows 2003/2000 95 Windows 2003/2000 97 Windows 2003/2000 236 Windows 2003/2000 348 Windows 2003/2000 351 Windows 2003/2000/NT 13, 236, 238, 239, 326 Windows 2003/2000/NT Security Identifier 238 Windows 2003/2000/NT window 236 Windows NT 3, 35, 56, 72, 76, 83 Windows NT naming 56 Windows NT Server/Windows 2000 Server 35, 72 Windows NT4 3, 13, 15, 55, 83, 88, 91, 292, 327 Windows NT4 SAM attributes 13 Windows NT4 SAM 13 Windows NT4/2000/2003 76, 80 Windows XP 15, 327, 379 Windows XP/2003/2000 3 Wizard 3, 7, 13, 247, 250, 254, 316, 323, 338, 339, 340, 341, 342, 348, 350, 351 Word PasswordField 379 Word 105, 357 Word 379 Word, Excel 357 www.tools4ever.com 382 X X400 62, 64, 70 xxxx 20 Y Yes flag 66 set 35, 48, 62, 72, 91, 112, 119, 135 value 72 Yes 35 Yes 48 Yes 58 Yes 62 Yes 66 Yes 70 Yes 72 Yes 88 Yes 91 Yes 95 Yes 97 Yes 101 Yes 105 Yes 109 Yes 112 489

User Management Resource Administrator 7.2 Yes 115 Yes 118 Yes 119 Yes 120 Yes 132 Yes 133 Yes 135 Yes 260 YES allows 72 YES Exchange set 62 YES Exchange 62 yyyy 337 yyyy represent current 337 yyyy represent 337 490