COMMUNITIES

Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos

Documentation

Learn
Brand
PartnerNet
Merchandise

Administration and Deployment

Installing and maintaining your SAS environment
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
vkrishna
Quartz | Level 8 vkrishna
Quartz | Level 8
Go to Solution

How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-10-2017 05:00 PM (2212 views)

Hi all,

 

How can I compare AD users to SAS metadata users to highlight disabled accounts. Is there any tools available?

 

Any suggestions.

 

Thanks,

Vamsi

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12 PaulHomes
Rhodochrosite | Level 12

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-10-2017 11:06 PM (2671 views)  |   In reply to vkrishna

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

View solution in original post

4 REPLIES 4
PaulHomes
Rhodochrosite | Level 12 PaulHomes
Rhodochrosite | Level 12

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-10-2017 11:06 PM (2672 views)  |   In reply to vkrishna

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

vkrishna
Quartz | Level 8 vkrishna
Quartz | Level 8

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-13-2017 01:21 PM (2100 views)  |   In reply to PaulHomes

Thanks @PaulHomes. I'm Importing the AD directory users using Importad.sas sample. But I want to import only SAS users. We have a "SAS_Users" AD group which has nested SAS groups how can I import users from "SAS_Users" group?

0 Likes
PaulHomes
Rhodochrosite | Level 12 PaulHomes
Rhodochrosite | Level 12

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-17-2017 04:07 PM (2029 views)  |   In reply to vkrishna

Using the Metacoda Identity Sync plug-in you would just configure it to target the SAS_Users AD group and then it would follow the members of that group, both users and and further nested groups and their members.

 

To do this with the importad.sas code you would need to customize it so that, instead of getting all users and groups under the specified OUs, you query the single SAS_Users AD group to find its members (as a lookup table) and then fetch the details for just those member users (and possibly member groups if you need nested groups too). 

JuanS_OCS
Azurite | Level 17 JuanS_OCS
Azurite | Level 17

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted 11-18-2017 08:22 AM (2006 views)  |   In reply to vkrishna

Hello @vkrishna,

 

I love the tool that @PaulHomes  mentioned, I think it reduces maintenance costs (not everyone is capable of maintaining the importad sync script, and less if there are customisation), also with that tool you can hand over the user sync and comparisons to the relavant IT team, whom understand better how AD works.

 

However, if you would like to continue working with the script:

 

I think, since the input  for the script is an OU or a set of OUs, your best choice is to include that group within the a single Organisational Unit (OU) in the AD, and only that group. The script should be able to take that group and all the groups and users within that group.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • ‎11-10-2017 05:00 PM
  • 2213 views
  • 8 likes
  • 3 in conversation
Top