Google Admin API - Moving User to Different OU - c#

I've seen code snippets and answers for setting a user to an Org Unit (OU) during user creation, but nothing regarding moving a user from one OU to another after it's been created.
NOTE: Prior to this I retrieved the user I wanted to modify, which is what the user variable refers to.
user.OrgUnitPath = "/NLWC";
var updateResult = await _service.Users.Update(user, user.Id).ExecuteAsync();
updateResult returns a User object. When I view the OrgUnitPath in the returned user I view the desired OU path (and also, when I query that same user in the future I get the same result).
But when I view the user in the Gsuite admin console, the OU hasn't changed.
In fact, I manually moved the user to the OU, and queried the user object again. After manually moving it, the OrgUnitPath is still the same.
Additionally, I queried the Org Units to verify I have the right path, and it shows the following:
I can't understand why it's not moving the user to the right OU, what am I missing?
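As an added example in C# (not code from the original post, and not a diagnosis of why the asker's update did not show up in the console), the same move written so that each step is checked against the directory rather than against the request echo: the org-unit list is read first so the target path is compared with what actually exists, the change is sent as a Patch that carries only OrgUnitPath, and the user is then re-read with Get so the caller sees the stored value. The admin address, user key, customer alias and scopes are assumptions; the service account is assumed to have domain-wide delegation.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// Added example: move an existing user to another org unit and verify the result.
// Assumptions (not from the original post): Application Default Credentials hold a
// service account with domain-wide delegation, impersonating adminEmail, and the
// org units live in that admin's customer ("my_customer").
public static class OrgUnitMover
{
    public static DirectoryService BuildService(string adminEmail)
    {
        // Least privilege: user write scope for the move, read-only org-unit scope
        // for the existence check. Nothing wider is requested.
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(
                DirectoryService.Scope.AdminDirectoryUser,
                DirectoryService.Scope.AdminDirectoryOrgunitReadonly)
            .CreateWithUser(adminEmail);

        return new DirectoryService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "ou-move-example",
        });
    }

    // True when the directory lists an org unit with exactly this path
    // (paths are compared case-sensitively, as the API returns them).
    public static async Task<bool> OrgUnitExistsAsync(DirectoryService service, string orgUnitPath)
    {
        var request = service.Orgunits.List("my_customer");
        request.Type = OrgunitsResource.ListRequest.TypeEnum.All;
        var response = await request.ExecuteAsync();
        return response.OrgUnits != null
            && response.OrgUnits.Any(ou => ou.OrgUnitPath == orgUnitPath);
    }

    // Sends only the field that changes, then re-reads the user so the value
    // returned is what the directory stored, not what the request contained.
    public static async Task<string> MoveUserAsync(DirectoryService service, string userKey, string orgUnitPath)
    {
        if (!await OrgUnitExistsAsync(service, orgUnitPath))
            throw new ArgumentException("Unknown org unit path: " + orgUnitPath);

        var patch = new User { OrgUnitPath = orgUnitPath };
        await service.Users.Patch(patch, userKey).ExecuteAsync();

        var stored = await service.Users.Get(userKey).ExecuteAsync();
        return stored.OrgUnitPath;
    }

    public static async Task Main()
    {
        // All three values are assumptions for the example.
        var service = BuildService("admin@example.com");
        string path = await MoveUserAsync(service, "user@example.com", "/NLWC");
        Console.WriteLine("Stored orgUnitPath: " + path);
    }
}
```

The list call and the Get after the Patch are the two checks worth keeping: the first catches a path that does not exist in the directory at all, the second distinguishes "the write was accepted" from "the write is what the directory now holds".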

Related

Graphing directional user assignments

I have a DB table which records changes made to orders. One of the properties on the order object is the ID of the administrator. When an administrator goes out-of-office they have the option of assigning a replacement; the replacement can then assign someone to replace themselves, who can then assign a replacement...
Each time a replacement is assigned the order is updated and an audit trail is created in a DB table named audit_log.
When an administrator returns to work they can remove their replacement, which should then cause their orders to be reassigned to them. This seems a simple problem but I'm having trouble with the logic behind deciding which orders should be reassigned. For example, take a look at the image below...
Now look what happens if Admin 1 returns...
...so far so good, but if Admin 2 then returns...
...Admin 2 would be mistakenly reassigning an order from Admin 1 because the audit log shows that Admin 2 had previously reassigned it to Admin 3 prior to leaving the office. But that order shouldn't be reassigned from Admin 1 to Admin 2 - it belongs to Admin 1 and Admin 1 is not out-of-office.
Consider the scenario where the order gets reassigned through 5 different administrators, then Admin 3 returns and reclaims the order from Admin 5; if Admin 4 then returns they should not be assigned the order, but if Admin 1 or Admin 2 returns then they should reclaim the order from Admin 3.
What this needs is a way of graphing the changes in assignment, then detecting which orders have been assigned ahead of a user but not behind a user, where...
ahead of = a user who is to the right of a context user in the above images (Admin 3 being ahead of Admin 2)
behind = a user who is to the left of a context user in above images (Admin 1 being behind Admin 2)
...but I just don't know how to build this? Are there any well-known algorithms or patterns for building such a graph, and any pointers as to how to implement this in C#?
Some additional information: The records in the audit_log DB table also have id and recorded (DateTime2) fields, so they can be retrieved in chronological order.
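One way to implement the rule spelled out in the question, as an added example in C# (not code from the original post): the audit log is replayed in chronological order to rebuild each order's delegation chain, where an assignment to someone already in the chain is a reclaim that drops everyone ahead of them, and a returning administrator reclaims exactly the orders whose chain contains them somewhere behind the current holder. The audit_log columns beyond id and recorded (order id, the admin the order came from, the admin it went to) and the sample rows are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the original post): replay the audit log to rebuild
// each order's delegation chain and decide which orders a returning admin reclaims.
// Assumed row shape: id, order id, admin the order was taken from, admin it went
// to, recorded time (the original mentions id and recorded only).
public sealed class AuditEntry
{
    public int Id; public int OrderId; public int FromAdmin; public int ToAdmin; public DateTime Recorded;
}

public static class Reassignment
{
    // One chain per order, left to right = "behind" to "ahead"; the last element is
    // the current holder. Assigning to an admin already in the chain is a reclaim
    // and truncates everyone ahead of them; otherwise the assignee is appended.
    public static Dictionary<int, List<int>> BuildChains(IEnumerable<AuditEntry> log)
    {
        var chains = new Dictionary<int, List<int>>();
        foreach (var e in log.OrderBy(x => x.Recorded).ThenBy(x => x.Id))
        {
            if (!chains.TryGetValue(e.OrderId, out var chain))
                chains[e.OrderId] = chain = new List<int> { e.FromAdmin }; // original owner

            int pos = chain.IndexOf(e.ToAdmin);
            if (pos >= 0)
                chain.RemoveRange(pos + 1, chain.Count - pos - 1); // reclaim: drop everyone ahead
            else
                chain.Add(e.ToAdmin);                              // delegation: new holder at the end
        }
        return chains;
    }

    // Orders the returning admin reclaims: they are in the chain (so the current
    // holder is ahead of them) and are not already the holder themselves.
    public static List<int> OrdersToReclaim(Dictionary<int, List<int>> chains, int returningAdmin)
    {
        return chains
            .Where(kv =>
            {
                int i = kv.Value.IndexOf(returningAdmin);
                return i >= 0 && i < kv.Value.Count - 1;
            })
            .Select(kv => kv.Key)
            .OrderBy(id => id)
            .ToList();
    }

    public static void Main()
    {
        // Constructed sample log: order 7 passes 1 -> 2 -> 3 -> 4 -> 5, then Admin 3
        // returns and reclaims it from Admin 5 (the scenario in the question).
        var t = new DateTime(2024, 1, 1);
        var log = new List<AuditEntry>
        {
            new AuditEntry { Id = 1, OrderId = 7, FromAdmin = 1, ToAdmin = 2, Recorded = t.AddHours(1) },
            new AuditEntry { Id = 2, OrderId = 7, FromAdmin = 2, ToAdmin = 3, Recorded = t.AddHours(2) },
            new AuditEntry { Id = 3, OrderId = 7, FromAdmin = 3, ToAdmin = 4, Recorded = t.AddHours(3) },
            new AuditEntry { Id = 4, OrderId = 7, FromAdmin = 4, ToAdmin = 5, Recorded = t.AddHours(4) },
            new AuditEntry { Id = 5, OrderId = 7, FromAdmin = 5, ToAdmin = 3, Recorded = t.AddHours(5) },
        };

        var chains = BuildChains(log);
        Console.WriteLine(string.Join(",", chains[7]));                     // 1,2,3
        Console.WriteLine(string.Join(",", OrdersToReclaim(chains, 4)));    // (empty) Admin 4 was bypassed
        Console.WriteLine(string.Join(",", OrdersToReclaim(chains, 1)));    // 7, Admin 1 is behind Admin 3
        Console.WriteLine(string.Join(",", OrdersToReclaim(chains, 3)));    // (empty) Admin 3 already holds it
    }
}
```

Because reclaims are themselves audit rows, the chain can always be rebuilt from the log alone; nothing beyond the ordered rows needs to be persisted.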

Active Directory security - is user on computer?

I have a task to select a specific group of computers. Their unique property is that their security list contains a permission for a specific user. In the AD tool - right click on the computer, Security tab, Group or user names, as seen in the screenshot:
I can get the ComputerPrincipal object of the relevant host, the UserPrincipal of the user, and both underlying DirectoryEntry objects, but I struggle to make a "join" and find out whether the user is on the list.
I use C#, .NET3.5.
You will have to loop through every group, and for each group you could do something like this (assuming you have a groupDe, which is a DirectoryEntry for the group):
using System.Security.AccessControl;
using System.Security.Principal;
// includeExplicit = true, includeInherited = false; identities come back as SIDs
foreach (AuthorizationRule rule in groupDe.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier))) {
var identityReference = rule.IdentityReference; // the SID this ACE applies to
var nt_name = identityReference.Translate(typeof(NTAccount)).Value;
//nt_name is now domain\username of the user this permission is for
//so you can match this against your list of users
}
The false in the call to GetAccessRules makes it not look at inherited permissions (I assumed that's what you want).
I haven't tested this, so it might need some tweaking.
This will probably be a very slow process, depending on how many groups you're looking through. You might be able to make it go faster by omitting the call to Translate. identityReference.Value would have (I believe) a SID, so you could try to match by SID rather than translating to something else before matching.
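The search the question actually asks for, as an added example in C# (not the answer's code): it enumerates computer objects under a search base, reads each one's security descriptor through ObjectSecurity, and matches ACEs by SID as the answer suggests, so the only Translate call is the one that turns the target account name into a SID once up front. The search base, domain and account name are assumptions, and the code sticks to .NET 3.5 APIs as the question requires.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the answer's own code): list computer objects whose DACL
// carries an ACE for a given user. Assumed inputs: an LDAP search base, the
// NetBIOS domain and the user's account name.
public static class ComputerAclSearch
{
    public static List<string> ComputersWithAceFor(string searchBase, string domain, string userName)
    {
        // One translation for the account we are looking for; every ACE identity
        // is then compared as a SID, which needs no further directory lookups.
        var targetSid = (SecurityIdentifier)new NTAccount(domain, userName).Translate(typeof(SecurityIdentifier));
        var matches = new List<string>();

        using (var root = new DirectoryEntry(searchBase))
        using (var searcher = new DirectorySearcher(root, "(objectCategory=computer)", new[] { "distinguishedName" }))
        {
            searcher.PageSize = 500; // paged results; without this the server caps the result set

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    using (DirectoryEntry computer = result.GetDirectoryEntry())
                    {
                        // includeExplicit = true, includeInherited = true: the Security tab shows
                        // both kinds. Pass false as the second argument for explicit ACEs only.
                        AuthorizationRuleCollection rules =
                            computer.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));

                        foreach (ActiveDirectoryAccessRule rule in rules)
                        {
                            // Identity match only: Allow and Deny entries both put the user
                            // "on the list" as the Security tab displays it.
                            if (targetSid.Equals(rule.IdentityReference))
                            {
                                matches.Add((string)result.Properties["distinguishedName"][0]);
                                break; // one matching ACE is enough for this computer
                            }
                        }
                    }
                }
            }
        }
        return matches;
    }

    public static void Main()
    {
        // Assumed values for the example.
        foreach (string dn in ComputersWithAceFor("LDAP://DC=example,DC=com", "EXAMPLE", "jdoe"))
            Console.WriteLine(dn);
    }
}
```

Two caveats worth knowing before relying on the result: the match is on the principal named in the ACE, so a right the user holds only through group membership is not found unless the groups are expanded and their SIDs added to the comparison; and reading every computer's descriptor is one LDAP read per object, which is the cost the answer warns about.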

How to check if input string is valid active directory userPrincipalName?

The user will input his desired login name and I need to create an Active Directory user with the given name. So I need to validate it against the AD userPrincipalName rules. How can I do it?
You only need to query the UPN (forest-wide, so do a global catalog search). If the DirectorySearcher returns an object, the UPN is in use.
You would also need to check that the planned samAccountName is not in use in the target domain, and that the planned user Name is not in the destination OU or Container. In both searches, as above, if the DirectorySearcher returns results, you must not continue, but choose alternatives.
Look here to find which attributes must be unique, but bear in mind, although the user's Name attribute is not mentioned in the table, it is being referred to in example 1.
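The three uniqueness searches the answer describes, as an added example in C# (not the answer's code). Because the login name is typed by the end user and ends up inside an LDAP filter, the example escapes it per RFC 4515 first; without that, a value such as `*` or `x)(objectClass=*` changes the query instead of being searched for. The UPN suffix, global catalog path, domain path and target OU are assumptions; the 20-character limit is the documented maximum for a user's sAMAccountName and is not something the answer mentions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not the answer's own code): reject a requested login name if the
// UPN is taken anywhere in the forest, the sAMAccountName is taken in the domain,
// or an object with that name already sits in the target OU.
public static class LoginNameCheck
{
    // RFC 4515 escaping for a value placed inside an LDAP filter.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // True if at least one object under rootPath matches the filter.
    static bool Exists(string rootPath, string filter, SearchScope scope)
    {
        using (var root = new DirectoryEntry(rootPath))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }, scope))
        {
            return searcher.FindOne() != null;
        }
    }

    // Returns null when the name can be used, otherwise the reason it was rejected.
    // forestGc: "GC://..." path for the forest-wide UPN search (as the answer says).
    // domainPath: "LDAP://..." path of the target domain. targetOuPath: the OU or container.
    public static string Reject(string loginName, string upnSuffix, string forestGc, string domainPath, string targetOuPath)
    {
        if (string.IsNullOrEmpty(loginName) || loginName.Length > 20)
            return "sAMAccountName must be 1-20 characters";

        string name = EscapeLdapFilterValue(loginName);
        string upn = EscapeLdapFilterValue(loginName + "@" + upnSuffix);

        if (Exists(forestGc, "(userPrincipalName=" + upn + ")", SearchScope.Subtree))
            return "UPN already in use somewhere in the forest";
        if (Exists(domainPath, "(sAMAccountName=" + name + ")", SearchScope.Subtree))
            return "sAMAccountName already in use in this domain";
        if (Exists(targetOuPath, "(name=" + name + ")", SearchScope.OneLevel))
            return "an object with this name already exists in the target OU";
        return null;
    }

    public static void Main()
    {
        // Assumed paths and suffix for the example.
        string reason = Reject("jdoe", "example.com",
            "GC://DC=example,DC=com",
            "LDAP://DC=example,DC=com",
            "LDAP://OU=Users,DC=example,DC=com");
        Console.WriteLine(reason ?? "name is free");
    }
}
```

The escaping matters beyond injection: an unescaped `*` makes `(userPrincipalName=j*@example.com)` a wildcard search, which would wrongly report a collision, so the check is both safer and more correct with it.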

Is there a better way to access Active Directory Organizational Units than by name?

I'm having issues with our Domain Administrator changing the name of our domain org units without any warning. I have the AD path listed in my web.config. When he changes the names my reference in the code breaks. Is there another way to reference i.e. some sort of 'OU ID'?
<appSettings>
<add key="adStructure" value="OU=Org Name 2,OU=Org Name 1,dc=test,dc=test2,dc=test3"/>
</appSettings>
I'm trying to get a list of all groups within OU Org Name 2.
Yes, you can take advantage of otherWellKnownObjects. http://msdn.microsoft.com/en-us/library/ms679095(v=vs.85).aspx. You will need to populate a GUID and initial path to each OU in there, and then in the future when the OU is moved or renamed, AD will keep track. You simply bind by GUID instead of DN.
This link explains how - http://msdn.microsoft.com/en-us/library/ms676295(v=vs.85).aspx.
If the user accounts or other objects you are accessing have a unique property for accessing them, you could perform an LDAP/AD search query to get the list of objects you need - independent of the distinguished name (DN) and therefore independent of the OU they are located in.
For details on how to search the AD, see here:
How to get AD User Groups for user in Asp.Net?
http://www.codeproject.com/KB/system/QueryADwithDotNet.aspx
If you are looking for user objects an alternative would be a group containing all user accounts related to your application - as the Active Directory automatically updates/generates the distinguished name of the members.
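Putting the first answer's suggestion into practice, as an added example in C# (not code from either answer): the OU's objectGUID is read once and kept in configuration in place of the DN, later runs bind with the `LDAP://<GUID=...>` form so a rename or move by the domain admin does not break the reference, and the groups directly under the OU are listed as the question asks. A small helper also parses an otherWellKnownObjects value into its GUID and DN parts, since that attribute is where the first answer says AD will keep the DN current. The OU DN and the sample attribute value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not from either answer): reference an OU by its objectGUID instead
// of its DN. Assumed: the GUID string returned by OuNativeGuid is what gets stored
// in web.config in place of the "adStructure" DN.
public static class OuByGuid
{
    // One-off: read the OU's GUID (hex form suitable for the <GUID=...> binding string).
    public static string OuNativeGuid(string ouDistinguishedName)
    {
        using (var ou = new DirectoryEntry("LDAP://" + ouDistinguishedName))
            return ou.NativeGuid;   // objectGUID; stable across rename and move
    }

    // Bind by GUID; AD resolves whatever the OU's current DN is.
    public static DirectoryEntry BindByGuid(string nativeGuid)
    {
        return new DirectoryEntry("LDAP://<GUID=" + nativeGuid + ">");
    }

    // The question's goal: all groups directly inside the OU.
    public static List<string> GroupsInOu(string ouNativeGuid)
    {
        var names = new List<string>();
        using (var ou = BindByGuid(ouNativeGuid))
        using (var searcher = new DirectorySearcher(ou, "(objectCategory=group)", new[] { "sAMAccountName" }, SearchScope.OneLevel))
        {
            searcher.PageSize = 500;
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    names.Add((string)r.Properties["sAMAccountName"][0]);
            }
        }
        return names;
    }

    // Parse one otherWellKnownObjects value, "B:32:<32 hex digits>:<DN>", into
    // its GUID hex and DN parts. The DN part is what AD updates on rename/move.
    public static KeyValuePair<string, string> ParseWellKnownObject(string value)
    {
        string[] parts = value.Split(new[] { ':' }, 4);
        if (parts.Length != 4 || parts[0] != "B" || parts[1] != "32" || parts[2].Length != 32)
            throw new FormatException("not a DN-Binary well-known-object value: " + value);
        return new KeyValuePair<string, string>(parts[2], parts[3]);
    }

    public static void Main()
    {
        // Assumed OU for the example; in practice run OuNativeGuid once and store the result.
        string guid = OuNativeGuid("OU=Org Name 2,OU=Org Name 1,DC=test,DC=test2,DC=test3");
        foreach (string g in GroupsInOu(guid))
            Console.WriteLine(g);

        // Constructed sample value in the attribute's format.
        var wko = ParseWellKnownObject("B:32:0123456789ABCDEF0123456789ABCDEF:OU=Org Name 2,OU=Org Name 1,DC=test,DC=test2,DC=test3");
        Console.WriteLine(wko.Key + " -> " + wko.Value);
    }
}
```

Storing the GUID rather than the DN is the smaller change; writing otherWellKnownObjects on the domain head additionally needs rights on that object, which is why the example only reads and parses it.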

I don't understand how email activation works

I want to verify that the user email is valid and turn this email into his id in my system.
Yet I don't know how to make a link in the mail that activates the account (like Facebook and others do), and I don't really understand what happens when the link is selected.
I thought of generating a key like "sdklbsdgk4493" to enter once, so that guessing is hard, yet for many people copy and paste is not trivial and I may annoy them with this solution.
Any thoughts or ideas?
p.s: I'm working in c# so if it can be done with c#... it will be great :)
Thanks Asaf
When you insert a new user in the Database, their status should be "Deactivated" and you insert a "GUID" you generate alongside. You send them a link to your activation Page which would contain this GUID in the Query String. It will look like this:
www.YourSite.com/Activation.aspx?GUID=jdfhg43h98234
In the Activation.aspx page, you take this GUID from the Query String and compare it to the one you have in the Database. You then activate the Account having that GUID.
Create the user
Generate a unique string for the user
Have a Table that stores the unique string, the user Id, a boolean that holds whether it got activated or not, the generation date, the expiration date and, if you have different uses for these activation strings, the type (link to another table)
Now within the email you should get the string and write it within the email along with a link to the page you're going to use for validation such as whatever.com/verify.aspx?activationString=hd3fd33fen342n43
Within this page you do a query search within the table that holds the keys and if it's not already validated
You have your users table in the DB (or where ever it is that you store your list of users), just add a column stating if the user's mail is validated.
To the validation mail add a link that fires some PHP with a user-specific code (like its index in the DB). The PHP will set the user's "validated" column to true, and it'll be done.
It's not as complicated as it may seem at first.
The idea is to create a random key, save it to the database connected to the useraccount, supplying a link to the users e-mail which could point to a webservice(or regular website) which takes the key as a querystring which will then activate the account connected to that specific key.
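The flow the answers describe, as an added example in C# (not code from the question or any answer): a random key saved against the user account, an expiry, and a single-use flag, with the link built from the key and the verify page looking it up. Two details are added on top of what the answers say: the key comes from a cryptographic random generator, and only its SHA-256 hash is stored, so someone who reads the table (a backup, a SQL injection, a misplaced export) does not obtain working activation links. An in-memory dictionary stands in for the activation table, and the site URL is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the page's answers): random, hashed, expiring, single-use
// activation tokens. The Dictionary is a stand-in for the activation table.
public sealed class ActivationRecord
{
    public int UserId; public DateTime ExpiresUtc; public bool Used;
}

public static class EmailActivation
{
    // Keyed by the hex SHA-256 of the token: the table never holds the token itself.
    static readonly Dictionary<string, ActivationRecord> Table =
        new Dictionary<string, ActivationRecord>(StringComparer.Ordinal);
    public static readonly HashSet<int> ActivatedUsers = new HashSet<int>();

    static string HashHex(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.ASCII.GetBytes(token))).Replace("-", "");
    }

    // 32 random bytes (256 bits) as URL-safe base64 without padding: the part that
    // goes into the link. Guessing it is infeasible, unlike a DB index or a short code.
    public static string IssueToken(int userId, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        Table[HashHex(token)] = new ActivationRecord
        {
            UserId = userId,
            ExpiresUtc = DateTime.UtcNow + lifetime,
            Used = false,
        };
        return token;
    }

    public static string ActivationLink(string baseUrl, string token)
    {
        return baseUrl + "/verify.aspx?activationString=" + Uri.EscapeDataString(token);
    }

    // Called by the verify page with the query-string value. Unknown, expired and
    // already-used tokens are all rejected the same way.
    public static bool Activate(string presentedToken)
    {
        if (string.IsNullOrEmpty(presentedToken))
            return false;

        ActivationRecord rec;
        if (!Table.TryGetValue(HashHex(presentedToken), out rec))
            return false;                                   // no such token
        if (rec.Used || DateTime.UtcNow > rec.ExpiresUtc)
            return false;                                   // replayed or expired

        rec.Used = true;                                    // single use
        ActivatedUsers.Add(rec.UserId);                     // flip the user's "validated" column
        return true;
    }

    public static void Main()
    {
        string token = IssueToken(42, TimeSpan.FromHours(24));
        Console.WriteLine(ActivationLink("https://www.example.com", token)); // assumed host
        Console.WriteLine(Activate(token));    // True: first use activates user 42
        Console.WriteLine(Activate(token));    // False: token already used
        Console.WriteLine(Activate("guess"));  // False: no such token
    }
}
```

Looking the record up by the hash of the presented value also means the comparison is a dictionary (or indexed column) lookup rather than a string compare on the secret, and an attacker who can read the table still has to invert SHA-256 over 256 random bits to use anything in it.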
