Function
Gets the value of an attribute of an Active Directory user account or other object. The attribute is specified by the LDAP display name of the attribute. For the most common properties, the LDAP name can be selected from a list.
Deployment
This action is typically used in a script that is intended to manage existing user accounts or other Active Directory objects. Once the attribute is found for the object, the attribute value is saved in a variable that can be used by subsequent actions of the script. The actions supports multi-value attributes: When an attribute has multiple values, the values can be stored as multi-values or
converted to a single value.
The attribute can be obtained from any Active Directory object. In most scripts, the Active Directory object is an user account. The Active Directory object must be specified as a variable. This variable is used for property User Object or property Active Directory
Object. The Script Action: Get user (AD) on page 16 can be used to set the value for the variable used for the User Object
property. For the Active Directory Object property, the action Script Action: Get Object (AD) on page 84 can be used. Either one
of the two properties User Object and Active Directory Object must be used.
Properties
Property Name Description Typical setting Remarks
User Object A data structure representing a user account. If you want to obtain the
property of a user account object, you can use this property to specify the Active Directory object for this action. Use the action 'Get user (AD)' to find the user account in Active Directory and setup the variable that contains the 'User Object'.
%UserObject% The User Object must always be specified as a variable. This variable must have been set by a previous script action, for example Script Action: Get user (AD) on page 16.
Active Directory Object A data structure representing a Active Directory object for which an attribute must obtained. This property can only be used as a input variable. Earlier in the script, another script action must have generated the value for this variable.
Convert to text If set to Yes, the value is converted to text.
If not, the value is converted to one of the UMRA supported data types.
Yes See section How attribute
71
Multi-value flag Specifies how to convert an AD multi- value attribute to the resulting UMRA variable.
If the AD value is multi-valued, and this flag is Yes, the value is stored as an list or an table type variable.
If the AD value is multi-valued. and this flag is No, the values are converted and stored in single text variable.
No See section How attribute
values are stored below
LDAP attribute display
name The LDAP name of the attribute. The name identifies the attribute of the Active Directory object. For a number of well- known attributes, the LDAP name can be selected from a list but you can specify any other valid name.
A LDAP attribute has several names. In the Windows 2003/2000 schema, for instance the common name and the LDAP-Display-Name are used. (example: for the NT-style name of a user, the common name is 'SAM- Account-Name' and the LDAP display name is
sAmAccountName. Note that these names are case sensitive.
Error if no attribute
found Generate an error for this script action if the specified attribute is not found. Yes Error if empty Generate an error for this script action if
the attribute is found but attribute value is empty.
Yes
Attribute value The value found for the attribute. This property is an 'output only' property and is generated by the application
automatically. By default, the value for this property is stored in variable %AttributeValue%.
In most cases, you must specify a output variable for this property. Otherwise, the value of the attribute cannot be used in other script actions.
How attribute values are stored
Active Directory contains many different data types. In UMRA, the following data types are supported:
text
numeric
date-time
long integer
Boolean
The way in which the values of output variables are stored, depends on your settings. The table below provides an overview of the various possible settings and the resulting effect for the way in which the output variable is stored.
72 An instance of a single-valued attribute can contain a single value (e.g. givenName, surname, title). An instance of a multi valued attribute (e.g. group membership lists) can contain either a single value or multiple values. Depending on the Multi-value flag and
Convert to text properties (Yes or No), the data types will be stored as follows:
If Convert to text is And Multivalue is Then the variable is stored as type
Yes No text
Yes Yes text list
No Yes table
No No single unconverted data
If you are not sure what the original data type of an attribute value is, the best option is to choose the table type (original value is not converted).
73