Disable a user from AD
Hi everyone
I have the following scenario:
SQL MA
AD MA
FIM MA.
I have to disable an AD user account when a user in SQL Server disappears (is deleted): disable it and then forget about it.
I implemented the Deprovision() method so that it looks something like this:
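    // Requires: using Microsoft.MetadirectoryServices;
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    {
        // Start from ADS_UF_NORMAL_ACCOUNT (512) when the attribute is absent
        long userAccountControl = 512;
        if (csentry["userAccountControl"].IsPresent)
            userAccountControl = csentry["userAccountControl"].IntegerValue;

        // Set the ADS_UF_ACCOUNTDISABLE bit (2), keeping the other flags
        userAccountControl |= 2;
        // Numeric attributes are written through IntegerValue; Value is a string
        csentry["userAccountControl"].IntegerValue = userAccountControl;

        return DeprovisionAction.Disconnect;
    }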
but my user in AD is still enabled.
Do you have any idea?
Thanks in advance,
June 22nd, 2012 10:56am
This seems to be a duplicate of this post here???
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4e7c4f1b-def7-437e-975e-0f117b1475d2/
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 22nd, 2012 11:00am
Yesterday, my colleague brought up the scenario and implemented the suggestion, but disallow the user from AD, and that is why I come back to ask for help. Thanks in advance.
June 22nd, 2012 11:04am
Why do you want to disconnect your AD user from the metaverse? If you do that, and leave a disconnector in your AD connector space, then you run the risk of creating another account with the same login name at some point in the future ... far better to retain a connector in all cases and that way avoid potential sync errors later on.

If you really do want to disconnect your user object in AD (e.g. you're worried about paying CALs for disabled accounts in FIM) then try implementing an object deletion rule on your SQL MA. If your AD MA is set with deprovisioning to "determine from rules extension" then your above code will fire before disconnect, and the next export run will update your AD account. You will have to work out what you are going to do with your user account in the FIM Portal ... you may choose to simply delete on next export ... but chances are you're going to have more complex rules than that.

My preference remains not to disconnect.
Bob Bradley (FIMBob @ http://thefimteam.com/)
June 22nd, 2012 11:14am
What I try to do is when you delete a user account in AD in the status attribute pass from active to inactive. A scenario of what I try to do is when an employee is fired and the aim is that your account in AD is inactive. Thanks.
June 22nd, 2012 11:26am
Really sorry - it's late and I am having real trouble understanding what you are saying. It sounds like you need to implement a very standard scenario, so I suggest you search this forum for recent posts on exactly this subject. Your scenario should be a variation on a standard one.
Bob Bradley (FIMBob @ http://thefimteam.com/)
June 22nd, 2012 11:31am
Thank you very much and good day
June 22nd, 2012 11:35am