axinthefield: Comparing AX and Active Directory User Accounts

[Blog bot]

Источник: http://blogs.msdn.com/b/axinthefield...-accounts.aspx
==============

I was recently working with an AX 2009 customer who wanted to compare the user accounts configured in AX with the user accounts in Active Directory. The basic goals were:

1. Find all AX user accounts that no longer exist in Active Directory.
2. Find all accounts that are disabled in Active Directory but not in AX.

It would be great if AX would flag these scenarios for you, but unfortunately it doesn't. If you’re interested in knowing if you have any orphaned accounts or accounts that should probably be disabled in AX, here’s a quick way to do just that.

1. Export AD users to a CSV file. I used a PowerShell command for this step. The command I used requires the Active Directory Module for Windows PowerShell. This is installed by default on domain controllers, but it is also available via the Remote Server Administration Tools for Windows 7 if you want to run it from a workstation instead. http://www.microsoft.com/download/en/details.aspx?id=7887
2. Create a table for the AD user details. I created a new table in the AX database to store the AD user account details so I could easily join this information to the AX user details already stored in the database.
3. Load the contents of the CSV file into the table. I used a bulk insert statement to load the data from the CSV file created in step 1 into the table created in step 2.
4. Query the table for your results. I used 2 simple queries that joined the AD user account table with the AX userinfo table to get the information I needed.

NOTE: See the attached text file for the exact PowerShell commands and SQL statements I used.

In the one real world scenario (AX 2009) that we looked at, AX had 112 orphaned accounts and there were another 75 accounts that were disabled in AD but not in AX.

This procedure should work for both AX 4.0 and 2009. The userinfo table still exists in AX 2012, so the comparison should work with this version too, but there might be some scenarios such as flexible authentication that throw the results off. That's something I haven't really looked into yet.




Источник: http://blogs.msdn.com/b/axinthefield...-accounts.aspx

[gl00mie]

• Доставить на клиентскую тачку набор утилей для удаленного администрирования, чтобы запустить простенький скрипт в PowerShell (понятно, он моднее, чем VBScript, но на любом компе без установки лишних компонентов отработает VBScript, работающий через ADSI)
• Выгрузить всех пользователей из AD (а если у меня доменный лес и пользователей - десятки тысяч, из которых в Аксапте работает пара сотен?)
• Создать новую таблицу в AOT, чтобы один раз сверить два набора данных - это вместо тупого джобика перебора и проверки пользователей Аксапты или выгрузки данных в Excel.

И это "родной" суппорт?! Охренеть, дайте два...

[gl00mie]

Тут по некотором размышлении родился джобик, который делает то же самое "без лишнего шума и пыли":

X++:

#define.UserAccountControl  ('userFlags')
#define.UF_ACCOUNTDISABLE   (0x0002)
Counter                     numTotal;
Counter                     numNotFound;
Counter                     numDisabled;
UserInfo                    userInfo;
int                         userAccControl;
COM                         dirObject;
str                         dirPath;
;
while select userInfo
    where   userInfo.networkAlias
        &&  userInfo.networkDomain
{
    numTotal++;
    dirPath = strfmt(@"WinNT://%1/%2,User", userInfo.networkDomain, userInfo.networkAlias);
    dirObject = COM::getObjectEx(dirPath);
    if (dirObject)
    {
        if (userInfo.enable)
        {
            userAccControl = dirObject.get(#UserAccountControl);
            if (bitTest(userAccControl, #UF_ACCOUNTDISABLE))
            {
                numDisabled++;
                info(strfmt("%2\%1 disabled in AD, but not in AX", userInfo.networkAlias, userInfo.networkDomain));
            }
        }
        dirObject.finalize();
        dirObject = null;
    }
    else
    {
        numNotFound++;
        warning(strfmt(@"%2\%1 - not found", userInfo.networkAlias, userInfo.networkDomain));
    }
}
info(strfmt(@"Total: %1, not found: %2, disabled in AD, but not in AX: %3", numTotal, numNotFound, numDisabled));

[oip]

Хоть в исходной задаче этого и не было, но для красоты можно еще проверять accountExpires, а то аккаунт может быть незаблокированным, но с истекшим сроком годности.