Customizing User Images

 

 

What Are 'User Image Rules'?

 

Hyena has a unique capability where a number of different images can be displayed for user accounts that meet specific conditions. Additionally, the order or sequence of application of these 'user image rules' can be controlled.  

 

By default, Hyena will only display a few different images for users. For example, a disabled user account will be displayed with a red 'x', and INetOrgPerson objects will show a user image with a green shirt.

 

Many of these settings can be customized with only a minimal impact on performance.

 

Customizing User Images

 

The default user image rules are as follows, and if left unchanged, are processed in this order:

 

1. If the user or INetOrgPerson account is disabled, the image will be a user with a red 'X'.

2. If the object is an INetOrgPerson, the image will be a user with a green shirt.

3. If the object is a user, the image will be a user with a blue shirt.

 

To access the additional user image rules, select Tools->Settings->AD, and click the User Icons... button. The behavior of these different rules is as follows:

 

1. The user image rules are processed in the sequence shown in the 'Set User Icon Options' dialog. To move a rule up or down in priority (order), use the Move Up and Move Down buttons.

2. Only rules that are enabled (checked) are actually applied.

3. Once a rule has been met, processing stops. In other words, the first rule to be met will have its image used for the user.

4. Some rules can conflict slightly with one another, so when determining the order for rules that are active, consider what is more important. For example, if it's more important to know that an account is disabled than that the user needs to change their password at their next logon, then put the 'account is disabled' rule first.

5. The expiration date-related rules can conflict with one another if placed in the wrong order and if multiple rules are enabled. For example, the 'account expiring' rule should not be placed before the 'account expired' rule. See below for specific rule information.

6. Some rules may require retrieval of additional Active Directory attributes and/or calculations, which can affect performance. See below for specific rule information.

 

User Image Rules

 

The following rules are supported, listed along with their impact on AD query performance.

 

Account Disabled - Indicates that the account is disabled, as set in the 'UserAccountControl' AD attribute. No performance impact.

 

User Locked Out - Indicates that the account MAY BE locked out as indicated by the 'lockouttime' attribute. Very little performance impact as only the 'lockouttime' attribute is automatically added to the active query.

 

INetOrgPerson Account - Used to indicate that the objectclass attribute is set to INetOrgPerson. No performance impact.

 

User Must Change Password - The account has the 'user must change password at next logon' option enabled, as indicated by the pwdlastset attribute. Very little performance impact; pwdlastset attribute automatically added to the active query.

 

User Password Does Not Expire - Indicates that the password is set not to expire in user properties, as stored in the 'useraccountcontrol' AD attribute. No performance impact.

 

Account Expired / Account Expiring Soon / Account Expiring - These indicate that the account has an expiration date set and falls into one of these categories. If enabled, the rules should be placed in this order. 'Expired' accounts are accounts whose expiration dates have passed. 'Expiring Soon' accounts are those whose expiration date is less than the specified 'expiring soon' window away, and 'Expiring' accounts are accounts with any expiration date.

 

'Expired' accounts are therefore also 'expiring soon' and 'expiring'.

 

Low performance impact. 'AccountExpires' attribute automatically added to query and calculation performed on offset from current date.

 

User Cannot Change Password - The behaviour and accuracy of this setting is complex and can dramatically affect performance depending on usage. Read this information fully.

 

The 'User Cannot Change Password' (UCCP) setting in Windows has historically been set by a user flag in the useraccountcontrol attribute. Microsoft has deviated from its standard by also setting a security setting on the user account that restricts or grants the user's own ability to modify the password. This results in a conflicting state that can cause various applications to handle and report on this value differently. Moreover, retrieval of the user security setting is very complex and time-consuming, which essentially prevents it from being done when creating a system-wide user listing for multiple (i.e., hundreds or thousands of) users. Complicating matters further, different versions of Windows/Active Directory will enforce different rules on which AD elements will contain a correct UCCP value.

 

Hyena takes a flexible approach in reporting the UCCP data, depending on the options enabled. By default, if the UCCP rule is enabled under Tools->Settings->Active Directory (Set User Icons...), Hyena will only check for the UCCP bit setting in the useraccountcontrol attribute. This will not affect query performance.

 

However, if the UCCP setting as seen in the query results is determined to be out-of-sync with the actual User Properties setting, then a special symbol, %SYM_AD_USER_NO_CHG_PWD%, can be added to the query.  See the Using Symbols in Queries topic for more information. The icon status will then be determined by retrieval of additional information, but at the cost of performance.
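
The processing order and attribute checks described on this page can be modeled in a short script, which makes the masking effect of a badly ordered rule list easy to see. This is an added example, not Hyena's code: the rule names, the 14-day 'expiring soon' window and the sample records are assumptions, and the attribute encodings are the standard Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UAC_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl: password never expires
NEVER = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "no expiration"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SOON = timedelta(days=14)            # assumed 'expiring soon' window

def to_filetime(dt):
    """UTC datetime -> 100-ns intervals since 1601 (AD large-integer time)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def time_left(user, now):
    """Time until accountExpires, or None when no expiration date is set."""
    raw = int(user.get("accountExpires", 0))
    if raw in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=raw // 10) - now

def uac(user, bit):
    return bool(int(user.get("userAccountControl", 0)) & bit)

RULES = {  # hypothetical rule name -> predicate(user, now)
    "disabled": lambda u, now: uac(u, UAC_ACCOUNTDISABLE),
    "locked_out": lambda u, now: int(u.get("lockoutTime", 0)) != 0,  # MAY be locked
    "inetorgperson": lambda u, now: "inetorgperson" in [c.lower() for c in u.get("objectClass", [])],
    "must_change_pw": lambda u, now: int(u.get("pwdLastSet", -1)) == 0,
    "pw_never_expires": lambda u, now: uac(u, UAC_DONT_EXPIRE_PASSWD),
    "expired": lambda u, now: (t := time_left(u, now)) is not None and t < timedelta(0),
    "expiring_soon": lambda u, now: (t := time_left(u, now)) is not None and t < SOON,
    "expiring": lambda u, now: time_left(u, now) is not None,
}

def pick_image(user, ordered_rules, now):
    """ordered_rules: [(name, enabled)] in dialog order; first enabled match wins."""
    for name, enabled in ordered_rules:
        if enabled and RULES[name](user, now):
            return name
    return "user"  # no rule matched: plain user image

# Constructed sample records (not real directory data).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
LAPSED = {"objectClass": ["user"], "userAccountControl": 0x200,
          "accountExpires": to_filetime(NOW - timedelta(days=5))}
OFF = {"objectClass": ["user"], "userAccountControl": 0x202, "pwdLastSet": 0}
GOOD = [("expired", True), ("expiring_soon", True), ("expiring", True)]
BAD = [("expiring", True), ("expired", True)]
```

With the BAD order, the already expired LAPSED account is reported only as 'expiring', which is the conflict the ordering guidance above warns about.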