In this article I’ll try to describe how we can use the driver to create home directories, set a Terminal Services attribute and give the correct rights to the newly created directories. This is not a complete or optimal solution: I only cover the VBScript part, and the error handling can be much improved.
This article assumes you already know how to use Designer, iManager, create rules using DirXML-script etc. As a result I won’t be going through those steps.
I recommend you read the driver documentation and have it available while implementing it.
Here the scripting driver is used in combination with the AD-driver, with the following flow:
Install the scripting driver
The server I installed the driver on was a domain member and the file server where all the users’ home directories were located.
The OS was Windows Server 2003 SP2.
The installation was done by running the windows_scriptdriver_install.exe from the nt\dirxml\drivers\scripting\bin folder on the IDM 3.5.1 DVD.
Installation is easy: you only need to select the folder where the program files are to be installed, and at the end you are prompted to retrieve the SSL certificate from your Identity Vault. Click Yes and a command prompt will open which allows you to specify the hostname and port of your IDV server.
After that you’ll be prompted to set the Driver and Remote Loader passwords; click Yes. Another command prompt will open allowing you to set those passwords. At the end of the installation click Finish.
For the driver to work correctly it needs to be able to create EFS-encrypted files on the server; this fails if the EFS certificate has expired or if Group Policy prevents EFS.
Patch the scripting driver
Before you begin to use the scripting driver you should install the latest patch. The installation usually consists of copying the three .exe files from the Win folder of the patch to the C:\Program Files\Novell\WSDriver\bin folder; the files are usually EventReader.exe, idmevent.exe and wsdriver.exe. Read the instructions before patching.
Starting the service
Use the Services applet on the control panel (Administrative Tools) to start the “Novell IDM Windows Script Driver” service.
Changing the user the service runs as
The service runs logged on as the “Local System” account, which might not have all the rights needed to run all your scripts. In the Services control panel applet you can edit the “Log On” tab of the service and make it use another user account that has the necessary rights. Start with an Administrator-equivalent user and then reduce rights until you get it right. Restart the service after you make changes there.
Accessing the built-in HTTP server
The scripting driver has a built-in web server which you can access by browsing to the following addresses; you log in using the driver password.
The file wsdrv.conf is located in the C:\Program Files\Novell\WSDriver\conf folder. It is a plain text file that can be edited to change the ports the driver listens on, the trace level, the trace file and the location of the SSL certificate.
Create the driver in the IDV
Use Designer or iManager to create the driver in your driver set.
Some questions you will need to answer:
Driver name: <You decide>
Configure Data Flow: Identity Vault to Application
Scripting Language: Windows VBScript
Polling Interval (Seconds): Since we don't use the publisher channel you can set it to what you want.
Base Container in eDirectory: <You decide>
Auto Associate: No
Strip or Keep old attribute values: Strip
Enable Entitlements: No
Remote Host Name and Port: hostname of the server which runs the driver and the port configured in the wsdrv.conf file.
Use SSL: Yes
Driver Object Password: The password entered during the installation.
Remote Loader Password: The password entered during the installation.
The next step is to configure all the rules to do what you need them to do. The goal of this example is to get an add document with the attribute that will be used to name the directory to the driver shim. This is not covered here.
Creating the VB scripts
Here is an example that does the following:
The script can (should) be expanded to maybe include the following:
Remember to set the homeDrive and homeDirectory AD attributes, which can be done using the AD-driver.
Here is an example script file:
Sub ADD
    ' *****************************************
    ' * Add implementation-specific code here *
    ' * Use the ADD_ASSOCIATION command to    *
    ' * supply a unique association           *
    ' *****************************************

    ' Get the UserID from the current ADD operation; it is used to name the directory
    CN = IDMGetEventValue("UserID")

    ' Get the workforceID from the current ADD operation; it is used to set the association
    workforceID = IDMGetEventValue("workforceID")

    ' Execute the md command to create the home directory in the path below.
    ' Each step below stops the Sub on failure so that a later command is never
    ' run with an empty command line.
    CreateHomeDir = "cmd.exe /c md d:\users\" & CN
    ExitCode = IDMExecute(CreateHomeDir)
    If ExitCode <> 0 Then
        IDMStatusError "ADD-FAILED: HomeDir Creation Failed for " & CN & " " & ExitCode
        Exit Sub
    End If

    ' Execute the SetACL command to set the rights on the home directory. The following rights are set:
    ' Change, Delete, Delete subfolders/files
    ' Additionally the command makes the current user the owner of the home directory
    SetACL = "setacl.exe -on d:\users\" & CN & " -ot file -actn ace -ace n:utb\" & CN & ";p:change,del_child,delete -actn setowner -ownr n:utb\" & CN
    ExitCode = IDMExecute(SetACL)
    If ExitCode <> 0 Then
        IDMStatusError "ADD-FAILED: Setting rights on the directory failed for " & CN & " " & ExitCode
        Exit Sub
    End If

    ' Execute the TSCmd command to set the TerminalServerProfilePath for the current user
    TSPath = "tscmd.exe DC-1 " & CN & " TerminalServerProfilePath \\filserver-2\tprofile$"
    ExitCode = IDMExecute(TSPath)
    If ExitCode <> 0 Then
        IDMStatusError "ADD-FAILED: Unable to set the TerminalServerProfilePath for " & CN & " " & ExitCode
        Exit Sub
    End If

    ' All steps succeeded: return the association to the Identity Vault
    IDMSetCommand "ADD_ASSOCIATION"
    IDMWriteValue "ASSOCIATION", workforceID
    IDMWriteValue "DEST_DN", IDMGetEventValue("SRC_DN")
    IDMStatusSuccess "Add event succeeded"
End Sub
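The script above builds command lines for cmd.exe and setacl.exe directly from the UserID attribute. Because that value arrives from the Identity Vault, a name containing characters such as a space, quote, &, |, a backslash or ".." would change the meaning of those command lines, and a directory that already exists would silently be handed to the new user. The following drop-in replacement for Sub ADD is an added example written for this article, not code from the original post or from the driver: it checks the user name against an allow-list before it is used, creates the directory with the FileSystemObject so no shell parses the path, and refuses to re-ACL an existing directory. The IDM* calls are the driver functions used above; IsSafeUserName, CreateHomeDirSafe, HOME_ROOT, DOMAIN_NAME and the 20-character name limit are my assumptions, and the tscmd.exe step is left out (it would follow the same pattern as the SetACL step).

```vbscript
' Added example, not from the original article: validate input before
' shelling out, and never reuse a directory that already exists.

Const HOME_ROOT = "d:\users"   ' assumption: same root as the article's script
Const DOMAIN_NAME = "utb"      ' assumption: NetBIOS domain used in the SetACL ACE

' Returns True only for a plain account name: a letter or digit followed by up
' to 19 letters, digits, dots, underscores or hyphens (20-char limit assumed).
' Spaces, quotes, &, |, backslashes and ".." never reach setacl.exe this way.
Function IsSafeUserName(name)
    Dim re
    Set re = CreateObject("VBScript.RegExp")
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$"
    IsSafeUserName = re.Test(name)
End Function

' Creates the directory through the FileSystemObject instead of "cmd.exe /c md".
' Returns 0 when created, 1 when it already exists (it may hold another user's
' data, so it must not be re-ACLed), 2 when creation failed.
Function CreateHomeDirSafe(path)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FolderExists(path) Then
        CreateHomeDirSafe = 1
        Exit Function
    End If
    On Error Resume Next
    fso.CreateFolder path
    If Err.Number <> 0 Then
        Err.Clear
        CreateHomeDirSafe = 2
    Else
        CreateHomeDirSafe = 0
    End If
    On Error GoTo 0
End Function

Sub ADD
    Dim CN, workforceID, homePath, rc, SetACL

    CN = IDMGetEventValue("UserID")
    workforceID = IDMGetEventValue("workforceID")

    ' Reject the event before anything is created or executed
    If Not IsSafeUserName(CN) Then
        IDMStatusError "ADD-FAILED: UserID is not a valid home directory name: " & CN
        Exit Sub
    End If

    homePath = HOME_ROOT & "\" & CN
    rc = CreateHomeDirSafe(homePath)
    If rc <> 0 Then
        IDMStatusError "ADD-FAILED: HomeDir creation failed for " & CN & " (code " & rc & ")"
        Exit Sub
    End If

    ' Same rights as the article's SetACL call; the path and trustee are
    ' quoted so a root folder containing spaces cannot split an argument.
    SetACL = "setacl.exe -on """ & homePath & """ -ot file -actn ace " & _
             "-ace ""n:" & DOMAIN_NAME & "\" & CN & ";p:change,del_child,delete"" " & _
             "-actn setowner -ownr ""n:" & DOMAIN_NAME & "\" & CN & """"
    rc = IDMExecute(SetACL)
    If rc <> 0 Then
        IDMStatusError "ADD-FAILED: Setting rights on the directory failed for " & CN & " " & rc
        Exit Sub
    End If

    IDMSetCommand "ADD_ASSOCIATION"
    IDMWriteValue "ASSOCIATION", workforceID
    IDMWriteValue "DEST_DN", IDMGetEventValue("SRC_DN")
    IDMStatusSuccess "Add event succeeded"
End Sub
```

Treating an already-existing directory as a failure rather than a success is deliberate: the driver trace then shows which accounts collided with old data, and an administrator can decide whether to archive or reassign the folder instead of the script granting Change and Delete on it to whoever happens to get that UserID next.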
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.