Post-processing scripts for the AD sync

In some situations it is necessary to do post-processing on the server side after, for example, a user has been provisioned. The post-processing script can, for example, create the user's home directory or perform other follow-up tasks.

Overview of the flow

The following sequence diagram outlines how the post-processing (PP) scripts are used:

+---------+                                       +-----------+
| AD sync |                                       | AD-server |
+---------+                                       +-----------+
  |                                                    |
  +--------------------------------------------------->+
  |   1. Update a user                                 |
  |                                                    |
  +--------------------------------------------------->+
  |   2. Run post-processing script                    |
  |                                                    |
  +<---------------------------------------------------+
  |   2.1. Fetch PPS return code                       |
  |                                                    |
  |
  |
  |                            +--------------------+
  |                            | Owner of AD-server |
  |                            +--------------------+
  |                                   |
  +---------------------------------->+
  |   3. If PPS RC nonzero, report    |
  |                                   |

Interesting PowerShell variables to consider for the implementation

  • $LastExitCode The exit code of the last program that was executed.
  • $Error An array of the most recent error objects, most recent first.
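
As an added example (not code from the original page), the skeleton of a post-processing script that creates the user's home directory and uses $LastExitCode and $Error to return a nonzero code, which the sync then reports in step 3 of the diagram. The home root path, the domain name EXAMPLE and the convention that the sync passes the account name as the first argument are assumptions.

```powershell
# Added example post-processing script (not part of the original page).
# Assumptions: the sync passes the sAMAccountName as the first argument,
# home directories live under \\fileserver\home (placeholder path), and
# the account belongs to the EXAMPLE domain (placeholder).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName,
    [string]$HomeRoot = '\\fileserver\home'
)

# Make non-terminating cmdlet errors terminating so try/catch sees them.
$ErrorActionPreference = 'Stop'
$Error.Clear()   # start with a clean error record for this run

try {
    # Accept only a plain account name, so a value such as "..\..\other"
    # coming from the directory cannot escape $HomeRoot.
    if ($UserName -notmatch '^[A-Za-z0-9._-]{1,64}$') {
        throw "Refusing to process suspicious user name '$UserName'"
    }

    $homeDir = Join-Path $HomeRoot $UserName
    if (-not (Test-Path -LiteralPath $homeDir)) {
        New-Item -ItemType Directory -Path $homeDir | Out-Null
    }

    # icacls.exe is an external program, so its result is in $LastExitCode.
    # (M) = modify, (OI)(CI) = inherit to files and subfolders.
    & icacls.exe $homeDir /grant "EXAMPLE\${UserName}:(OI)(CI)M" | Out-Null
    if ($LastExitCode -ne 0) {
        throw "icacls failed with exit code $LastExitCode"
    }
}
catch {
    # $Error[0] is the most recent error. Log it and signal failure to the
    # sync so that step 3 (report to the AD-server owner) is triggered.
    Write-Error -ErrorAction Continue `
        ("Post-processing failed for {0}: {1}" -f $UserName, $Error[0])
    exit 1
}

# Zero return code: the sync treats the user as successfully processed.
exit 0
```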

Signing of Powershell scripts

In order for the sync to be able to run the post-processing scripts, the execution policy must be changed, and the scripts should be signed.

It is probably wise to spend a bit of time signing the PPS and using the AllSigned execution policy.

Execution policies

  • Restricted The restricted execution policy will not allow any scripts to be run, either signed or unsigned. This is the default policy.
  • AllSigned All scripts that are signed by a publisher you trust can be run.
  • RemoteSigned All scripts that are signed by a publisher you trust can be run automatically by applications like Outlook. You probably should not do this!
  • Unrestricted All scripts can be run, no signing required. You probably should not do this!
Published 28 June 2013 13:46