Architecting, installing and maintaining your SAS environment

How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Accepted Solution Solved
Reply
Occasional Contributor
Posts: 8
Accepted Solution

How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Hi all,

 

How can I compare AD users to SAS metadata users to highlight disabled accounts. Is there any tools available?

 

Any suggestions.

 

Thanks,

Vamsi


Accepted Solutions
Solution
a month ago
PROC Star
Posts: 428

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

View solution in original post


All Replies
Solution
a month ago
PROC Star
Posts: 428

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Hi Vamsi,

 

Do you mean user accounts that have been marked as disabled in Active Directory? If so and you are using code derived from the SAS importad.sas sample, using the standard SAS %MDUEXTR and %MDUCMP macros, then you can also extract the AD userAccountControl attribute and check for the appropriate bit - see https://support.microsoft.com/en-au/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulat...

 

Additionally, our Metacoda Identity Sync Plug-in, from version 6.0 R4 onward, also provides an option to treat user accounts that have been disabled in AD as tag-deleted so that they are tagged and effectively disabled in SAS metadata:

 

Selection_053.png

 

I hope this helps.

 

Cheers

Paul

Occasional Contributor
Posts: 8

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Posted in reply to PaulHomes

Thanks @PaulHomes. I'm Importing the AD directory users using Importad.sas sample. But I want to import only SAS users. We have a "SAS_Users" AD group which has nested SAS groups how can I import users from "SAS_Users" group?

PROC Star
Posts: 428

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Using the Metacoda Identity Sync plug-in you would just configure it to target the SAS_Users AD group and then it would follow the members of that group, both users and and further nested groups and their members.

 

To do this with the importad.sas code you would need to customize it so that, instead of getting all users and groups under the specified OUs, you query the single SAS_Users AD group to find its members (as a lookup table) and then fetch the details for just those member users (and possibly member groups if you need nested groups too). 

Trusted Advisor
Posts: 1,424

Re: How to compare AD users to SAS Metadata users to highlight the disabled AD accounts

Hello @vkrishna,

 

I love the tool that @PaulHomes  mentioned, I think it reduces maintenance costs (not everyone is capable of maintaining the importad sync script, and less if there are customisation), also with that tool you can hand over the user sync and comparisons to the relavant IT team, whom understand better how AD works.

 

However, if you would like to continue working with the script:

 

I think, since the input  for the script is an OU or a set of OUs, your best choice is to include that group within the a single Organisational Unit (OU) in the AD, and only that group. The script should be able to take that group and all the groups and users within that group.

☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 4 replies
  • 416 views
  • 8 likes
  • 3 in conversation