Deprovision-QADUser
From PowerGUI Wiki
Request ActiveRoles Server to deprovision a user account. This cmdlet requires a connection to be established to the ActiveRoles Server Administration Service by supplying the Proxy parameter.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Deprovision-QADUser [-Identity] <IdentityParameter> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-Credential <PSCredential>] [-Proxy] [-ReportFile <string>] [-Service <string>] [-UseGlobalCatalog] [-Xml] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
Use this cmdlet to deprovision a user account via ActiveRoles Server. ActiveRoles Server provides the ability to deprovision rather than delete or only disable user accounts. Deprovision refers to a set of actions being performed in order to revoke user access to resources. The deprovision operation on user objects triggers deprovision policies. ActiveRoles Server comes with a default policy to automate some commonly-used deprovisioning tasks, and allows the deprovision policies to be adjusted as needed.
This cmdlet originates a request to deprovision the user accounts specified. When processing the request, ActiveRoles Server performs all operations prescribed by the deprovision policies.
The cmdlet has optional parameters that determine the server and the security context for the operation. Normally, the connection parameters can be omitted, provided that a connection to a server has been established before the cmdlet is used. In this case, the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Note that this cmdlet requires a connection to the ActiveRoles Server Administration Service, so the Proxy parameter must be used to establish the connection.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Control | Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request. The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows: -Control @{<name> = <value>; [<name> = <value>] ...} In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation. Note that this parameter only has an effect on the operations that are performed through ActiveRoles Server (connection established using the Proxy parameter); otherwise, this parameter causes an error condition in ActiveRoles Management Shell. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Identity | Specify the DN, SID, GUID, UPN or Domain\Name of the user account you want to deprovision. This parameter can be omitted if you pipe into this cmdlet one or more objects returned by a Get- cmdlet, so as to have those objects identify the user accounts to deprovision. | true | true (ByValue, ByPropertyName) | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ReportFile | Supply this parameter on the command line if you want to save a report on the deprovisioning results to a file in HTML or XML format. The parameter value must be a valid path to a file, including the file name. The cmdlet creates the file if necessary. Omit this parameter if you do not want to save the report in a file. ActiveRoles Server preserves the report data regardless of this parameter, so you always have the option to examine the deprovisioning results using the ActiveRoles Server console. | false | true (ByPropertyName) | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Xml | Supply this parameter on the command line if you want to save the report on the deprovisioning results in XML format. Omit this parameter if you want to save the report in HTML format. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false | |
| WhatIf | Describes what would happen if you executed the command without actually executing the command. | false | false | |
Examples
EXAMPLE 1
deprovision-QADUser 'MyDomain\JSmith' -Proxy
Description
Connect to any available ActiveRoles Server Administration Service with the credentials of the locally logged on user and deprovision the user account identified by Domain\Name.
EXAMPLE 2
connect-QADService -Service 'myserver.mydomain.lab' -Proxy
get-QADUser 'MyDomain\JSmith' | deprovision-QADUser
Description
Connect to a specific Administration Service with the credentials of the locally logged on user, retrieve a user object using the get-QADUser cmdlet, and pipe the user object into the Deprovision-QADUser cmdlet to deprovision the user account represented by that object.
EXAMPLE 3
connect-QADService -Service 'myserver.mydomain.lab' -Proxy
get-QADUser 'MyDomain\JSmith' | deprovision-QADUser -ReportFile 'C:\JSmith.html'
Description
Connect to a specific Administration Service with the credentials of the locally logged on user, retrieve a user object using the get-QADUser cmdlet, and pipe the user object into the Deprovision-QADUser cmdlet to deprovision the user account represented by that object, with a report on the deprovisioning results being saved in a specific file in HTML format.
EXAMPLE 4
connect-QADService -Service 'myserver.mydomain.lab' -Proxy
get-QADUser -SearchRoot 'mydomain.lab/retired' |
deprovision-QADUser -ReportFile {'C:\DeprovisionReports\' + $_.SamAccountName + '.html'}
Description
Connect to a specific Administration Service with the credentials of the locally logged on user, and deprovision all user accounts found in a specific container, with a report on the deprovisioning results for each user account being saved in a separate file.
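The following is an added example, not part of the original wiki page or the Quest documentation. It extends Example 4 into a staged run: a -WhatIf dry run over the container, an operator gate, then per-account deprovisioning with an XML report and a result log, so that one failed account does not stop the batch. The server, container and report directory reuse the page's sample values; the results.csv file name is an assumption.

```powershell
# Added example (not from the original page): staged deprovisioning of a container.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$service    = 'myserver.mydomain.lab'              # sample Administration Service from the page
$searchRoot = 'mydomain.lab/retired'               # sample container from the page
$reportDir  = 'C:\DeprovisionReports'              # sample report directory from the page
$resultLog  = Join-Path $reportDir 'results.csv'   # assumed file name for the result log

# Deprovisioning is only available through the Administration Service, hence -Proxy.
Connect-QADService -Service $service -Proxy | Out-Null

if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}

# -SizeLimit 0 lifts the default result cap so no account in the container is missed.
$users = @(Get-QADUser -SearchRoot $searchRoot -SizeLimit 0)

# Stage 1: dry run. -WhatIf describes what would be deprovisioned and changes nothing.
$users | Deprovision-QADUser -WhatIf

# Stage 2: operator gate after reviewing the dry-run output.
$answer = Read-Host "Deprovision $($users.Count) account(s) under $searchRoot? (yes/no)"
if ($answer -ne 'yes') { return }

# Stage 3: one request per account, each with its own XML report; failures are recorded.
$results = foreach ($user in $users) {
    $report = Join-Path $reportDir ($user.SamAccountName + '.xml')
    try {
        Deprovision-QADUser -Identity $user.DN -ReportFile $report -Xml -ErrorAction Stop | Out-Null
        $status = 'Deprovisioned'; $detail = $report
    } catch {
        $status = 'Failed'; $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Time           = (Get-Date).ToString('s')
        SamAccountName = $user.SamAccountName
        DN             = $user.DN
        Status         = $status
        Detail         = $detail
    }
}

$results | Select-Object Time, SamAccountName, DN, Status, Detail |
    Export-Csv -Path $resultLog -NoTypeInformation
$results | Where-Object { $_.Status -eq 'Failed' }   # surface accounts that still need attention
```

Accounts listed as Failed keep their access until the request is repeated, so the result log should be reviewed alongside the per-account reports.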
