Enable ID via scheduled Task

Devilsbane Member Posts: 4,214
We have high-access IDs that remain disabled unless needed. Normally I just open ADUC and uncheck disabled to enable it. The only trouble with this is when it is an offshore user who needs it enabled at 4:00 AM on Saturday morning.

Today I decided to create a scheduled task to do this, and try as I might I couldn't get it to work. Sticking the following command in the Run: box in the scheduled task doesn't work. The issue is with multiple quotes.
"dsmod user "CN=First Last,OU=General,OU=Org,OU=Users and Groups,DC=child,DC=company,DC=com" -disabled no"
This command doesn't even run. I expect because it is only trying to run the "dsmod user " command and forgets the rest.
dsmod user "CN=First Last,OU=General,OU=Org,OU=Users and Groups,DC=child,DC=company,DC=com" -disabled no
This command also won't run
"dsmod user CN=First Last,OU=General,OU=Org,OU=Users and Groups,DC=child,DC=company,DC=com -disabled no"
This task will execute, but the account doesn't become enabled.
Decide what to be and go be it.

Comments

  • RobertKaucher Member Posts: 4,299
    Do I even have to tell you what I am going to suggest?

    Use the active roles extension from QuestSoftware.
    Add-PSSnapin Quest.ActiveRoles*
    Import-Csv C:\VIPUsers.csv | foreach { Enable-QADUser $_.Name }
    

    Your CSV should have a column called Name. The CSV will hold all the user IDs to be enabled/disabled. To disable, just use Disable-QADUser
  • Devilsbane Member Posts: 4,214
    Thinking of other options here, I could probably create a series of batch files (one for each ID) and then my task just needs to execute the correct batch which will enable it. But there are 20+ accounts and I'd prefer a solution that is more flexible. (A year down the road I might forget about this and then wonder why a new user can't get enabled)
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    Learn PowerShell. You are a Windows Admin!
  • Devilsbane Member Posts: 4,214
    Do I even have to tell you what I am going to suggest?

    Use the active roles extension from QuestSoftware.

    Apparently you do, I've never heard of this...
    Decide what to be and go be it.
  • Devilsbane Member Posts: 4,214
    Learn PowerShell. You are a Windows Admin!

    I was introduced to PowerShell a year or so ago. And I'm not a Windows Admin. I am a lowly help desk person with some admin training.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    Devilsbane wrote: »
    I was introduced to PowerShell a year or so ago. And I'm not a Windows Admin. I am a lowly help desk person with some admin training.

    That's what they call you!!! Based on your posts you do enough admin stuff.

    The Quest ActiveRoles extensions are commands for PowerShell that make managing AD objects very easy. This is from the same people who do PowerGUI Script Editor.
  • Everyone Member Posts: 1,661
    The Quest PowerShell snap-ins are great.

    However I don't think you need a script for this at all. Why not set logon hours? If you know they're going to need the account between say 4 AM and 4 PM every Saturday, set the logon hours to only allow logon during that window of time. You're overcomplicating it by trying to run scripts off a scheduled task to do the same thing.
  • RobertKaucher Member Posts: 4,299
    Everyone wrote: »
    The Quest PowerShell snap-ins are great.

    However I don't think you need a script for this at all. Why not set logon hours? If you know they're going to need the account between say 4 AM and 4 PM every Saturday, set the logon hours to only allow logon during that window of time. You're overcomplicating it by trying to run scripts off a scheduled task to do the same thing.

    What if the account needs to be used outside of those hours? Then the logon hours need to be modified and there is a good chance the person who changed them will forget to change them back.
  • Devilsbane Member Posts: 4,214
    Everyone wrote: »
    The Quest PowerShell snap-ins are great.

    However I don't think you need a script for this at all. Why not set logon hours? If you know they're going to need the account between say 4 AM and 4 PM every Saturday, set the logon hours to only allow logon during that window of time. You're overcomplicating it by trying to run scripts off a scheduled task to do the same thing.

    Again, I'm not an admin. I'm just here to do the process asked. And like Robert pointed out, there is no schedule. It could be possible for the account to remain disabled for 2 months. Or it might need to be enabled every day one week.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    Devilsbane wrote: »
    Again, I'm not an admin. I'm just here to do the process asked. And like Robert pointed out, there is no schedule. It could be possible for the account to remain disabled for 2 months. Or it might need to be enabled every day one week.
    Did you understand my suggestion?
  • Devilsbane Member Posts: 4,214
    Did you understand my suggestion?

    1. Go to Amazon.com
    2. Buy Powershell for Dummies
    3. Read book
    4. ?
    5. Profit!


    Here is what I wrote (with a couple of irrelevant changes); it seems to work just fine.
    @echo off
    REM Written by Me
    REM Prompts for a user ID and a date/time, writes a one-line batch file that
    REM runs dsmod for that user, then registers a one-time scheduled task to run it.
    Title Setup ID enable
    echo Enter the Username.
    SET /P NameUser=[Username:]
    echo.
    echo Enter the month to enable (1-12)
    SET /P Month=[Month:]
    echo.
    echo Enter the day to enable (1-31)
    SET /P Day=[Day:]
    echo.
    echo Enter the hour to enable (1-12)
    SET /P Hour=[Hour:]
    echo.
    echo Is that (1)AM or (2)PM
    SET /P AMPM=[1AM/2PM:]
    REM Accept A/AM/P/PM as well as 1/2
    if /i %AMPM%==A (set /a AMPM=1)
    if /i %AMPM%==AM (set /a AMPM=1)
    if /i %AMPM%==P (set /a AMPM=2)
    if /i %AMPM%==PM (set /a AMPM=2)
    cls
    REM Convert the 12-hour input to the 24-hour clock schtasks expects
    if %AMPM%==2 (set /a hour=%hour%+12)
    if %hour%==12 (Set /a hour=0)
    if %hour%==24 (set /a hour=12)
    REM Zero-pad month and day for the /SD date
    if %Month%==1 (Set Month=01)
    if %Month%==2 (Set Month=02)
    if %Month%==3 (Set Month=03)
    if %Month%==4 (Set Month=04)
    if %Month%==5 (Set Month=05)
    if %Month%==6 (Set Month=06)
    if %Month%==7 (Set Month=07)
    if %Month%==8 (Set Month=08)
    if %Month%==9 (Set Month=09)
    if %Day%==1 (Set Day=01)
    if %Day%==2 (Set Day=02)
    if %Day%==3 (Set Day=03)
    if %Day%==4 (Set Day=04)
    if %Day%==5 (Set Day=05)
    if %Day%==6 (Set Day=06)
    if %Day%==7 (Set Day=07)
    if %Day%==8 (Set Day=08)
    if %Day%==9 (Set Day=09)
    REM Look up the user's DN by sAMAccountName; dsquery returns it already quoted,
    REM so the commas and spaces in the DN are safe when passed to dsmod below.
    dsquery user -samid %NameUser% > tmpFile
    Set /p UserDN= < tmpFile
    del tmpFile
    if %DAY% gtr 31 (goto Error)
    if %Hour% gtr 23 (goto Error)
    if %Month% gtr 12 (goto Error)
    Echo You want to enable %NameUser% on %Month%/%Day%/2011 at %Hour%:00
    Echo Is this correct? Select Y or N to confirm
    SET /P Answer=[Y/N]
    if /i %Answer%==N (goto END)
    Title Enable %NameUser% on %Month%/%Day%/2011 at %Hour%:00
    REM The path contains a space, so it must be quoted or mkdir creates two directories
    if not exist "C:\Program Files\ID" mkdir "C:\Program Files\ID"
    echo dsmod user %UserDN% -disabled no > "C:\Program Files\ID\%NameUser%.bat"
    :END
    REM /TR must point at the file written above; the embedded quotes are escaped as \" inside the outer quoted string
    if /i %Answer%==Y (schtasks /create /RU %username% /SC ONCE /ST %HOUR%:00:00 /SD %Month%/%Day%/2011 /TN Enable_%NameUser% /TR "\"C:\Program Files\ID\%NameUser%.bat\"") else echo You have chosen to not confirm this. ID will not be enabled.
    echo.
    if /i %Answer%==Y (echo Confirmation: %NameUser% will be enabled on %Month%/%Day%/2011 at %Hour%:00. Please ensure this is correct, IDs set for 2/31/2011 will never be enabled.)
    if /i %Answer%==Y (echo.)
    Echo Press any key to exit.
    pause >NUL
    exit
    :Error
    Echo.
    echo Error! Your Months, Days, or Hours are not possible. Please revise and start over.
    echo Press any key to exit.
    pause > NUL
    

    I could write it better, but I don't really care. It works. I can use this to schedule the task for me, and more importantly my coworkers can also use it to schedule tasks despite never creating one before. My mother should be able to use this to enable an ID.
    Decide what to be and go be it.
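The same procedure as the batch script above, rewritten as an added example in PowerShell (this is not code from the thread). It assumes the RSAT ActiveDirectory module and the ScheduledTasks module (Windows 8 / Server 2012 or later); the script directory and log file path are placeholders. Because the Task Scheduler cmdlets take the program and its arguments as separate values, the quoting that broke the dsmod command in the Run: box never has to be escaped by hand, and the file the task runs lives in a directory only administrators can write to.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and the ScheduledTasks module (Windows 8 / Server 2012 or later);
# $ScriptDir is an assumed location that only administrators can write to,
# since whatever file sits there is what the task will execute.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][datetime]$EnableAt,
    [string]$ScriptDir = 'C:\Program Files\ID'
)
Import-Module ActiveDirectory
Import-Module ScheduledTasks

# Resolve the account now, so a typo fails at scheduling time rather than at 4 AM.
$user = Get-ADUser -Identity $SamAccountName
if ($EnableAt -le (Get-Date)) { throw 'EnableAt must be in the future.' }
if (-not (Test-Path $ScriptDir)) { New-Item -ItemType Directory -Path $ScriptDir | Out-Null }

# Write a per-request script with the DN baked in. Inside single quotes the
# commas and spaces of a DN need no escaping; an apostrophe (O'Brien) is doubled.
$dn = $user.DistinguishedName -replace "'", "''"
$scriptPath = Join-Path $ScriptDir "Enable_$SamAccountName.ps1"
@"
Import-Module ActiveDirectory
Enable-ADAccount -Identity '$dn'
Add-Content -Path '$ScriptDir\enable.log' -Value ('{0} enabled $dn' -f (Get-Date -Format s))
"@ | Set-Content -Path $scriptPath -Encoding ASCII

# Program and arguments are separate parameters, so the quotes around the
# path (it contains a space) are stored literally in the task definition.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At $EnableAt
# The task needs stored credentials to run while nobody is logged on.
$cred    = Get-Credential -UserName $env:USERNAME -Message 'Account the task runs as'

Register-ScheduledTask -TaskName "Enable_$SamAccountName" -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -Force | Out-Null

Write-Host ("Task Enable_{0} will enable {1} at {2:yyyy-MM-dd HH:mm}" -f `
    $SamAccountName, $user.DistinguishedName, $EnableAt)
```

The log line written by the generated script gives an audit trail of which DN was enabled and when, which the dsmod approach does not leave behind.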
  • Everyone Member Posts: 1,661
    I still say you're overcomplicating a very simple task.

    If you don't know when or for how long an account will need to be enabled, how does this script help you? You still have to remember to disable the account when it is no longer in use, but since you don't know when that will be, you can't automate it. You don't know when the account is going to be needed, so how will you know when to schedule the task?

    If all you want to do is run a script to enable or disable an account when you get that 4 AM call, instead of having to open ADUC to do it, there's no need to schedule a task.

    If you load the QAD PowerShell tools, it's a simple command "Enable-QADUser domain\username", then to disable "Disable-QADUser domain\username".
  • Devilsbane Member Posts: 4,214
    Everyone wrote: »
    I still say you're overcomplicating a very simple task.

    If you don't know when or for how long an account will need to be enabled, how does this script help you? You still have to remember to disable the account when it is no longer in use, but since you don't know when that will be, you can't automate it. You don't know when the account is going to be needed, so how will you know when to schedule the task?

    If all you want to do is run a script to enable or disable an account when you get that 4 AM call, instead of having to open ADUC to do it, there's no need to schedule a task.

    If you load the QAD PowerShell tools, it's a simple command "Enable-QADUser domain\username", then to disable "Disable-QADUser domain\username".

    Scripts are already in place to disable the accounts after 24 hours. I'm not sure how this is accomplished, but it has been in place for years. I've spoken with several people who know it is done, but aren't aware of how. No need to reinvent the wheel, accounts already get disabled.

    The point isn't that calls are coming in at 4AM. The calls come in on Thursday or Friday requesting the account to be enabled at 4AM. Currently we create a ticket and send it over to our off hours team who then do nothing. The owner of the account then has to call them at 4AM and on one occasion waited 3 hours until someone figured out how to enable it.

    My hope here is to use a task to bypass the off hours team completely. I think this will do just that. I've tested several times and plan on an overnight test tonight. One of my unfortunate colleagues will have his account disabled before I leave and hopefully re-enabled at 1AM. If not, I'll manually enable it and spend tomorrow figuring out what went wrong.
    Decide what to be and go be it.
  • Everyone Member Posts: 1,661
    Now it sounds more like you're trying to find a technical work-around to a behavioral and/or training problem. Possibly a policy issue as well.

    If you have an off hours team, it would make more sense for these calls to go directly to them, and they should be able to handle such a simple task. I understand that this is something that is probably beyond your control, but you can always try to discuss it with whoever is in charge.

    It's really sad when people don't document stuff like this. You always end up with a "Well someone many years ago that no longer works here set this up, and it's worked, but nobody knows how or why".

    Having a script that automatically disables accounts after 24 hours sounds like an administrative nightmare. If they're going to need the account for more than 24 hours, they have to call every day to get it turned back on?

    What's the reason for constantly disabling the accounts?
  • Devilsbane Member Posts: 4,214
    Everyone wrote: »
    If you have an off hours team, it would make more sense for these calls to go directly to them, and they should be able to handle such a simple task. I understand that this is something that is probably beyond your control, but you can always try to discuss it with whoever is in charge.

    IBM is in charge of that team. They won't be changing unless more money is forked over, and that isn't going to happen. Now we could go train them, but unless I see a plane ticket and a passport given to me, that also won't happen.
    It's really sad when people don't document stuff like this. You always end up with a "Well someone many years ago that no longer works here set this up, and it's worked, but nobody knows how or why".
    This isn't it at all. I've sent them tickets with step by step instructions. When to enable the ID, how to enable it, and what to do with the ticket after it is enabled. They still don't enable it on time and the ticket takes a detour before landing where it is supposed to.
    Having a script that automatically disables accounts after 24 hours sounds like an administrative nightmare. If they're going to need the account for more than 24 hours, they have to call every day to get it turned back on?

    What's the reason for constantly disabling the accounts?
    They don't need it turned on for more than 24 hours. These are developer accounts used to modify some applications. If they were enabled 24/7, someone could potentially cause millions of dollars in damages overnight. The process is that they remain disabled until the user requests and the manager approves. Once both are done we can enable the account and they can implement their change. It is this way because of our legal and compliance teams, and there is nothing that can be done about it other than smile and enable the ID when it is requested.
    Decide what to be and go be it.