BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
vkrishna
Quartz | Level 8

Hi all,

 

How can I compare AD users to SAS metadata users to highlight disabled accounts. Is there any tools available?

 

Any suggestions.

 

Thanks,

Vamsi

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

View solution in original post

4 REPLIES 4
PaulHomes
Rhodochrosite | Level 12

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

vkrishna
Quartz | Level 8

Thanks @PaulHomes. I'm Importing the AD directory users using Importad.sas sample. But I want to import only SAS users. We have a "SAS_Users" AD group which has nested SAS groups how can I import users from "SAS_Users" group?

PaulHomes
Rhodochrosite | Level 12

Using the Metacoda Identity Sync plug-in you would just configure it to target the SAS_Users AD group and then it would follow the members of that group, both users and and further nested groups and their members.

 

To do this with the importad.sas code you would need to customize it so that, instead of getting all users and groups under the specified OUs, you query the single SAS_Users AD group to find its members (as a lookup table) and then fetch the details for just those member users (and possibly member groups if you need nested groups too). 

JuanS_OCS
Amethyst | Level 16

Hello @vkrishna,

 

I love the tool that @PaulHomes  mentioned, I think it reduces maintenance costs (not everyone is capable of maintaining the importad sync script, and less if there are customisation), also with that tool you can hand over the user sync and comparisons to the relavant IT team, whom understand better how AD works.

 

However, if you would like to continue working with the script:

 

I think, since the input  for the script is an OU or a set of OUs, your best choice is to include that group within the a single Organisational Unit (OU) in the AD, and only that group. The script should be able to take that group and all the groups and users within that group.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 1592 views
  • 8 likes
  • 3 in conversation