Deprovision AD user when disconnected
New installation of FIM 2010. We are syncing users from an OU in one forest to another forest. When they are termed in the authoritative forest, they are moved to a different OU and disabled. I want to do the same in the target AD. How do I create a set based on being removed from the OU? All the examples I find have an employee status that changes. Thanks, Bill
June 15th, 2011 7:59pm

Have you tried flowing the DN as a string into FIM yet? That way, you would have something for "where attribute equals comparison". Can't you use the disabled state of the source objects as the trigger? If all disabled objects in the source are moved into a special container, you could use "disabled account" as the trigger to move something in the target, too... Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 15th, 2011 9:25pm

Only a small number of the total users in the authoritative AD will actually be in the synced OU, and we are not connecting to the disabled user OU, which would include users that were not synced. The disabling and moving is a manual process, so we cannot depend on them being disabled prior to being moved. Bill
June 15th, 2011 10:58pm

If the disabled OU is not in the scope for the MA then FIM Sync will see the move to the disabled OU as an object deletion. You can delete the metaverse and target objects based on that, though I wouldn't recommend it as I consider "deletion based on disappearance" to be a generally bad practice. If you want FIM to do other stuff based on the source object moving to the disabled OU then you're going to have to let it see the disabled OU.
http://www.wapshere.com/missmiis
June 16th, 2011 8:02am

So there is no way to act (disable and move to a different OU) on it in the target system based on it disconnecting? Bill
June 16th, 2011 9:28pm

If you need FIM to manage an AD account, disabled or otherwise, then these accounts need to remain as connectors. What Carol is saying is obviously a prerequisite to FIM being able to maintain such connectors. If the account is manually moved to an OU which is outside of FIM's visibility then to FIM this is effectively a DELETE (and obviously a disconnection). FIM policy can only be applied to a connected object ... before it becomes a disconnector (if it really has to).
Bob Bradley, www.unifysolutions.net (FIMBob?)
June 18th, 2011 4:27am
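The point Carol and Bob make above, that an object moved to a container outside the AD MA's selected OUs is seen by FIM Sync as a delete (and so becomes a disconnector that no policy can act on), while the same move inside a scoped container is just a DN and userAccountControl change, can be shown with a small simulation. This is an added example, not code from the thread or from FIM; it models the MA container scope as a list of OU DNs, keys objects by objectGUID the way the AD MA anchors them, and uses constructed sample users (alice, bob, carl) in a made-up source forest. The 0x0002 flag is the real ACCOUNTDISABLE bit of userAccountControl.

```python
# Added example (not from the thread or from FIM): simulate how the AD MA's container
# scope decides whether a manual "move to Disabled Users OU + disable" is imported as
# an attribute change (actionable by policy) or as an object deletion (a disconnector).

ACCOUNTDISABLE = 0x0002  # real userAccountControl bit: account is disabled

# Constructed sample data: the authoritative (source) forest before and after the help
# desk manually moves 'bob' to the Disabled Users OU and disables him. 'carl' was never
# synced: he has always lived in the Disabled Users OU.
SYNCED_OU = "OU=Synced,DC=source,DC=example"
DISABLED_OU = "OU=Disabled Users,DC=source,DC=example"

SOURCE_BEFORE = [
    {"objectGUID": "guid-alice", "dn": f"CN=alice,{SYNCED_OU}", "userAccountControl": 512},
    {"objectGUID": "guid-bob", "dn": f"CN=bob,{SYNCED_OU}", "userAccountControl": 512},
    {"objectGUID": "guid-carl", "dn": f"CN=carl,{DISABLED_OU}", "userAccountControl": 514},
]
SOURCE_AFTER = [
    {"objectGUID": "guid-alice", "dn": f"CN=alice,{SYNCED_OU}", "userAccountControl": 512},
    {"objectGUID": "guid-bob", "dn": f"CN=bob,{DISABLED_OU}", "userAccountControl": 514},
    {"objectGUID": "guid-carl", "dn": f"CN=carl,{DISABLED_OU}", "userAccountControl": 514},
]


def in_scope(dn, scoped_ous):
    """True when the object's DN sits under one of the MA's selected containers."""
    return any(dn.lower().endswith("," + ou.lower()) for ou in scoped_ous)


def ma_import(directory, scoped_ous):
    """Model a full import: only objects inside the selected OUs reach the connector space.
    Keyed by objectGUID because that is the anchor, so a moved object keeps its identity."""
    return {u["objectGUID"]: u for u in directory if in_scope(u["dn"], scoped_ous)}


def is_disabled(user):
    return bool(user["userAccountControl"] & ACCOUNTDISABLE)


def plan_target_actions(previous_cs, current_cs):
    """Compare two connector-space snapshots and describe what the sync engine would see."""
    actions = {}
    for guid, old in previous_cs.items():
        new = current_cs.get(guid)
        if new is None:
            # Object left the selected containers: FIM Sync sees an obsolete object, i.e. a
            # delete. The object becomes a disconnector and no policy can act on it. The
            # only automatic option is "deletion based on disappearance", which the thread
            # advises against, so this simulation just reports it for review.
            actions[guid] = "disconnected: object vanished from scope, no policy applied"
        elif is_disabled(new) and not is_disabled(old):
            # Still a connector: the disabled bit (and the new DN) flow through, so a set
            # such as "userAccountControl has ACCOUNTDISABLE set" can trigger the target-side
            # disable and move.
            actions[guid] = "disable target account and move it to the target disabled OU"
        elif new["dn"] != old["dn"]:
            actions[guid] = "rename/move target account"
        else:
            actions[guid] = "no change"
    for guid in current_cs.keys() - previous_cs.keys():
        # Widening the scope also brings in objects that were never synced (Bill's concern).
        actions[guid] = "newly in scope: subject to connector filter / join rules"
    return actions


def run_scenario(scoped_ous):
    before = ma_import(SOURCE_BEFORE, scoped_ous)
    after = ma_import(SOURCE_AFTER, scoped_ous)
    return plan_target_actions(before, after)


if __name__ == "__main__":
    print("Narrow scope (Synced OU only):")
    for guid, action in sorted(run_scenario([SYNCED_OU]).items()):
        print(f"  {guid}: {action}")
    print("Wide scope (Synced OU + Disabled Users OU):")
    for guid, action in sorted(run_scenario([SYNCED_OU, DISABLED_OU]).items()):
        print(f"  {guid}: {action}")
```

With the narrow scope, bob simply disappears and the only thing the engine can do is treat him as obsolete; with the wide scope, the same manual move arrives as a disabled-bit change on a still-connected object, which is what a set-based MPR needs. The never-synced carl shows why widening the scope should be paired with a connector filter on the MA so that objects which were never provisioned do not start joining.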
