Building AD OU hierarchy with different levels
I'm building the OU hierarchy in AD based on organizational information in HR. The scenario goes in this format: users have Department, Section and Branch values within HR, so the AD OUs will be built in the format (CN=User,OU=Branch,OU=Section,OU=Department,DC=Domain,DC=COM). This works fine when users have all three values within HR, but for a Department Manager only the Department attribute has a value and the DN should be (CN=User,OU=Department,DC=Domain,DC=COM); similar to that is the Section Manager with (OU=User,OU=Section,OU=Department,DC=Domain,DC=COM). I'm building the DN value as an outbound attribute flow within the AD sync rule. I'm trying to use custom expressions to check if values are empty or present to cover all three scenarios, but I still can not construct it in the right way. Any help will be appreciated. Thanks!
July 26th, 2010 9:52am

Hi There, You can do a couple of things in this scenario:

1. Create two different outbound synchronization rules that are applied to the appropriate set of users with the appropriate DN creation string (Departmental Managers and regular users).

2. In an outbound attribute flow, if you have an attribute for the departmental manager then you can make the decision about the DN structure on the fly using custom expressions. (In my example, I use a boolean value but you can make it whatever designator you like; replace attribute values as appropriate in your environment.)

As a function:

    Function -> IIF
    Condition -> Custom Expression -> Eq(DepartmentManager,"True")
    ValueTrue -> Custom Expression -> "cn=" + accountName + ",OU=" + department + ",DC=Domain,DC=COM"
    ValueFalse -> Custom Expression -> "cn=" + accountName + ",OU=" + branch + ",OU=" + department + ",DC=Domain,DC=COM"

As an all-in-one custom expression:

    IIF(Eq(departmentManager,"True"),"cn=" + accountName + ",OU=" + department + ",DC=Domain,DC=COM","cn=" + accountName + ",OU=" + branch + ",OU=" + department + ",DC=Domain,DC=COM")

3. Similar to the above for a single attribute flow rule, you may be able to make a simple check to see if the "Branch" value is present. (I've only given the all-in-one custom expression here; it assumes that all users have the appropriate fields, that branch is only present for the normal users, and that branch isn't present for the department managers.)

    IIF(IsPresent(branch),"cn=" + accountName + ",OU=" + branch + ",OU=" + department + ",DC=Domain,DC=COM","cn=" + accountName + ",OU=" + department + ",DC=Domain,DC=COM")

Hope this is of some help. Thanks Blain
July 27th, 2010 6:21pm

Thanks a lot Blain. I did try to follow your method, but the problem is there is no info in the HR table to indicate that an employee is a manager, so I can't depend on a condition for managers. What I'm trying to do is to use nested IIF to check on the presence of the 3 attributes; actually it's 4 levels of hierarchy, so you can imagine how complicated it can get. Some users will have all 4 levels, some the 1st and 2nd, and so on, a lot of possibilities. I did some tests with the custom expression, and it seems it's working fine; I will just make sure it covers all possible scenarios, then I will post it here. I really appreciate your time around here :) Thanks! Bilal
July 29th, 2010 7:59am

Sorry for taking this long to post the expression. This is basically what I decided to use in the end. I'm sure it's not the most brilliant thing to do, but I couldn't come up with any other ideas. The expression will check for the existence of values for 4 attributes attached to the user's HR record and, depending on that, it will build the AD hierarchy. The idea is to build a 4-level AD hierarchy:

    CustomExpression(
      IIF(IsPresent(MainDeptName),
        IIF(IsPresent(DeptName),
          IIF(IsPresent(SectionName),
            IIF(IsPresent(BranchName),
              +("CN=",accountName,",OU=",BranchName,",OU=",SectionName,",OU=",DeptName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com"),
              +("CN=",accountName,",OU=",SectionName,",OU=",DeptName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com")),
            IIF(IsPresent(BranchName),
              +("CN=",accountName,",OU=",BranchName,",OU=",DeptName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com"),
              +("CN=",accountName,",OU=",DeptName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com"))),
          IIF(IsPresent(SectionName),
            IIF(IsPresent(BranchName),
              +("CN=",accountName,",OU=",BranchName,",OU=",SectionName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com"),
              +("CN=",accountName,",OU=",SectionName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com")),
            IIF(IsPresent(BranchName),
              +("CN=",accountName,",OU=",BranchName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com"),
              +("CN=",accountName,",OU=",MainDeptName,",OU=IT,DC=Domain,DC=com")))),
        Null()))

Thanks again Blain for your time. Bilal
August 8th, 2010 2:09pm
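The nested IIF above and Blain's IsPresent variant are two instances of one rule: keep the hierarchy levels that have a value, in hierarchy order, and emit them as OU RDNs from most specific to least specific. The following Python is an added example (not from this thread, and not FIM code) that implements that general rule for any number of levels and adds something the FIM string concatenation does not do: RFC 4514 escaping of the HR-supplied values. Without escaping, a department name that contains a comma, plus sign or equals sign changes the DN structure itself (an extra RDN appears), so the export either fails or places the object in a container nobody intended. Assumptions, labelled in the code: attribute names and the `OU=IT,DC=Domain,DC=com` suffix are taken from the post above, `IsPresent` is modelled as "not None and not blank", and all HR records are constructed sample data.

```python
"""Build an AD DN from HR hierarchy attributes, generalising the nested-IIF rule.

Added example, not part of the forum thread. Attribute names and the DN suffix
follow Bilal's expression; the HR records below are constructed sample data.
"""
from typing import Dict, Optional

# Hierarchy order from the post, least specific to most specific.
HIERARCHY = ("MainDeptName", "DeptName", "SectionName", "BranchName")
DEFAULT_SUFFIX = "OU=IT,DC=Domain,DC=com"

# Characters RFC 4514 requires escaping inside an RDN value; '=' is added
# defensively because AD tooling commonly escapes it too.
_SPECIAL = set(',+"\\<>;=')


def is_present(value: Optional[str]) -> bool:
    """Assumption: FIM's IsPresent is true only for a non-blank value."""
    return value is not None and value.strip() != ""


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it cannot add, remove or alter RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":                   # NUL is escaped as hex pair
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(account_name: str, hr: Dict[str, Optional[str]],
             suffix: str = DEFAULT_SUFFIX) -> Optional[str]:
    """Return the DN, or None when the top level is missing (the Null() branch).

    Present levels are kept in hierarchy order; skipping a middle level
    (e.g. Section present but Dept absent) behaves exactly like the nested IIF.
    """
    if not is_present(hr.get("MainDeptName")):
        return None
    present = [hr[level] for level in HIERARCHY if is_present(hr.get(level))]
    # A DN lists the most specific RDN first, so reverse the hierarchy order.
    rdns = ["CN=" + escape_rdn_value(account_name)]
    rdns += ["OU=" + escape_rdn_value(v) for v in reversed(present)]
    return ",".join(rdns + [suffix])


def count_rdns(dn: str) -> int:
    """Count RDNs by splitting on unescaped commas; a sanity check for exports."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count


if __name__ == "__main__":
    # Constructed HR records covering the cases discussed in the thread.
    samples = {
        "jdoe": {"MainDeptName": "Finance", "DeptName": "Accounts",
                 "SectionName": "Payables", "BranchName": "North"},
        "mgr1": {"MainDeptName": "Finance", "DeptName": "Accounts"},   # dept manager
        "mgr2": {"MainDeptName": "Finance", "SectionName": "Payables"},  # skipped level
        "nohr": {"DeptName": "Accounts"},                              # no top level
        "odd":  {"MainDeptName": "Finance", "SectionName": "R&D, Ops"},  # comma in value
    }
    for name, rec in samples.items():
        dn = build_dn(name, rec)
        depth = count_rdns(dn) if dn else 0
        print(f"{name:5} -> {dn}  (RDNs: {depth})")
```

The `count_rdns` check is the useful part for an HR-driven design: the expected RDN count is 1 (CN) plus the number of present levels plus the suffix RDNs, so any record whose DN has more RDNs than that has an unescaped separator in its HR data and should be quarantined before export rather than provisioned.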

Hi Bill, Glad the suggestions were of some help and gave you some guidance to figure things out! :) Thanks B
August 31st, 2010 2:06am

Is that all different statements on different lines, or, if I chose to use something similar, would I place my statement all on one line? Currently this is the way it looks (all found in one single customExpression). I only have one Sync rule for AD having inbound and outbound flows. I do have two different MPRs specifying the different sets of users that will be affected and one workflow. Would this work out fine or am I creating a bigger can of worms?

    IIF(Eq(employeeType,"EMPLOYEE"),"CN="+accountName+",OU=Employees,OU=domain_Users,OU=domaingroup,DC=domain,DC=com", "CN="+accountName+",OU=Students,OU=domain_Users,OU=domaingroup,DC=domain,DC=com")

Thanks,
August 31st, 2010 4:47pm

Hi There, The line that you've provided appears to be a valid custom expression that would create the DNs based on the condition of whether or not a person was an employee. Verify that the value for employeeType is in fact "EMPLOYEE" (check casing). You would enter that as a single custom expression, or you could also use the "Function" method where you use the function example I gave above. (Which for these cases is a bit more readable for quick troubleshooting, as the two DN values are in their own separate text boxes.) Thanks B
August 31st, 2010 6:16pm

Very nice layout on this OU configuration. However, as a new admin to FIM 2010, where are you creating these complex configurations: at the sync service or in the Portal in inbound/outbound sync rules? I have the same problem, and since our ADS structure is so complex and our HR program is even worse, I need a start to come up with a resolution. We will probably end up with at least 75-100 different OUs to drop users into. Any help is greatly appreciated.
September 24th, 2010 9:36pm

Hi There, The suggestions I've provided in the notes above are all declarative rules that were defined within the Portal/FIM Service. Thanks! B
September 24th, 2010 9:37pm

Not to cause confusion, or to hijack the thread, but it might be worth mentioning that you can use declarative provisioning or 'classic' provisioning code to solve the issue. You can even mix them in some cases. Sometimes something that's simple to do one way is lengthy or obtuse the other, and vice versa; sometimes even in the same project.
September 25th, 2010 1:34am
