Using the PowerShell workflow activity to disable an Active Directory account immediately

This workflow immediately disables an Active Directory user and sets the account's expiry to the current time, then copies the same values back onto the corresponding FIM user's AccountExpires and Enabled attributes so the portal reflects what was done in AD.

Create Workflow

PSWorkflowActivity_DisableAccount_Step1.png

Add Function Evaluator

Add a function evaluator that sets an inbound workflow data item named TargetObjectSID to the target resource's ObjectSID (destination [//WorkflowData/TargetObjectSID], value [//Target/ObjectSID]). The PowerShell activity passes this data item to the script as its $TargetObjectSID parameter.

PSWorkflowActivity_DisableAccount_Step2.png

Add PowerShell Activity

The PowerShell script uses the ActiveDirectory module to find the user by SID, sets the account expiration to the current time and disables the account. It then writes an outbound workflow data item, TargetAccountExpires, holding that expiry in the date format FIM expects (yyyy-MM-ddTHH:mm:ss.fff, UTC), which the following function evaluators copy onto the FIM user.

param($WorkflowDefinitionId, $RequestId, $ActorId, $TargetId, $WorkflowData, $TargetObjectSID)

$ErrorActionPreference = 'Stop'            # any failure aborts the activity instead of being swallowed
$ProgressPreference = 'SilentlyContinue'
$ENV:ADPS_LoadDefaultDrive = 0              # do not mount the AD: drive; it is not needed and slows the import

Import-Module ActiveDirectory

# Capture one timestamp so AD and FIM receive the same expiry value.
$now = [DateTime]::Now

$user = Get-ADUser -Filter { ObjectSID -eq $TargetObjectSID }
if (-not $user) { throw "No AD user with objectSid $TargetObjectSID was found" }  # otherwise FIM would be updated while AD is not

$user | Set-ADUser -AccountExpirationDate $now -Enabled $false

# FIM expects DateTime values as yyyy-MM-ddTHH:mm:ss.fff in UTC; the next function evaluator copies this onto the target.
$WorkflowData['TargetAccountExpires'] = $now.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fff')

PSWorkflowActivity_DisableAccount_Step3.png
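The comment at the end of this page reports Get-ADUser not being recognised when the FIM Service process runs on .NET 3.5. The script below is an added example, not code from the original page or from the PowerShell Workflow Activity project: it keeps the same parameter list and the same outbound data item as the Step 3 script, but performs the AD change through System.DirectoryServices (the [ADSI] accelerator, available on .NET 2.0 and later) instead of the ActiveDirectory module. It also accepts the SID either as a byte array or as an SDDL string, aborts if no object binds to the SID, and reads userAccountControl back after the write. The TargetDistinguishedName data item is an addition for the request log; the page's function evaluators do not use it.

```powershell
# Added example: disable an AD account by SID without the ActiveDirectory module.
# Same parameter contract as the page's Step 3 script.
param($WorkflowDefinitionId, $RequestId, $ActorId, $TargetId, $WorkflowData, $TargetObjectSID)

$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

$ACCOUNTDISABLE = 0x2   # userAccountControl flag UF_ACCOUNTDISABLE

function ConvertTo-SidString {
    # FIM stores ObjectSID as a binary attribute, so the data item may arrive as byte[];
    # accept that or an SDDL string and return the validated SDDL form (S-1-5-21-...).
    param($Sid)
    if ($Sid -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)).Value
    }
    return (New-Object System.Security.Principal.SecurityIdentifier([string]$Sid)).Value
}

function ConvertTo-FimDateTime {
    # FIM expects DateTime attribute values as yyyy-MM-ddTHH:mm:ss.fff in UTC.
    param([DateTime]$Value)
    return $Value.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fff')
}

function Disable-AdAccountBySid {
    # Binds with the LDAP://<SID=...> syntax, sets accountExpires to $ExpireAt and raises
    # ACCOUNTDISABLE. Returns the distinguished name of the object that was changed.
    param([string]$SidString, [DateTime]$ExpireAt)

    $user = [ADSI]"LDAP://<SID=$SidString>"
    try {
        $dn = [string]$user.distinguishedName   # first property access throws if the bind failed
    } catch {
        throw "No AD object with objectSid $SidString could be bound: $($_.Exception.Message)"
    }
    if ([string]::IsNullOrEmpty($dn)) { throw "Bind for objectSid $SidString returned no distinguishedName" }

    $uac = [int]$user.userAccountControl.Value

    # accountExpires is a 64-bit FILETIME (100 ns ticks since 1601 UTC); ADSI accepts it as a decimal string.
    $user.Put('accountExpires', [string]$ExpireAt.ToFileTimeUtc())
    $user.Put('userAccountControl', ($uac -bor $ACCOUNTDISABLE))
    $user.SetInfo()

    # Re-read from the directory and verify instead of trusting that the write took effect.
    $user.GetInfo()
    if (-not ([int]$user.userAccountControl.Value -band $ACCOUNTDISABLE)) {
        throw "userAccountControl on $dn does not show ACCOUNTDISABLE after SetInfo()"
    }
    return $dn
}

# One timestamp for both the AD write and the value handed back to FIM.
$now = [DateTime]::UtcNow
$sid = ConvertTo-SidString $TargetObjectSID
$dn  = Disable-AdAccountBySid -SidString $sid -ExpireAt $now

$WorkflowData['TargetAccountExpires']      = ConvertTo-FimDateTime $now
$WorkflowData['TargetDistinguishedName']   = $dn   # added data item, for the request log only
```

Because the FIM Service account is what performs the bind, it needs write access to userAccountControl and accountExpires on the target users; nothing else in the script requires elevated rights. Objects bound through the SID syntax can have attributes written and committed, but cannot be moved or renamed through that handle, which does not matter here.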

Add Function Evaluator

Add a function evaluator that sets the AccountExpires attribute on the target to the value of the workflow data item TargetAccountExpires (destination [//Target/AccountExpires], value [//WorkflowData/TargetAccountExpires]).

PSWorkflowActivity_DisableAccount_Step4.png

Add Function Evaluator

Add a function evaluator that sets the Enabled attribute on the target to False (destination [//Target/Enabled]).

PSWorkflowActivity_DisableAccount_Step5.png

Last edited Jan 16, 2012 at 1:07 PM by adweigert, version 3

Comments

mmacdonell Jun 9, 2014 at 10:21 PM 
Hi Adam,

I'm very curious as to how you got the AD PowerShell Module to work, given that the module requires .NET 4.0 to run, and the FIM Service is only running at 3.5.

If I use what you have defined here, I get the following error:

The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

If I modify the Microsoft.ResourceManagement.Service.exe.config to add 4.0 as a supported runtime version, it will work, but I'm not sure that would be a supported change.

Thoughts?

Marc