Disable a user from AD
Hi everyone, I have the following scenario: SQL MA, AD MA, FIM MA. I have to disable an AD user account when a user in SQL Server disappears (is deleted): disable it and then forget about it. I implemented the Deprovision() method so that it looks something like this:

    long userAccountControl = 512; // ADS_UF_NORMAL_ACCOUNT
    if (csentry["userAccountControl"].IsPresent)
        userAccountControl = csentry["userAccountControl"].IntegerValue;
    userAccountControl = userAccountControl | 2; // ADS_UF_ACCOUNTDISABLE
    // Attrib.Value is a string, so the flags are written back through IntegerValue
    csentry["userAccountControl"].IntegerValue = userAccountControl;
    return DeprovisionAction.Disconnect;

But my user from AD is still enabled. Do you have any idea? Thanks in advance,
June 22nd, 2012 10:56am

This seems to be a duplicate of this post here??? http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4e7c4f1b-def7-437e-975e-0f117b1475d2/
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 22nd, 2012 11:00am

Yesterday, my colleague brought up the scenario and implemented the suggestion, but disallow the user from AD, and that is why I come back to ask for help. Thanks in advance.
June 22nd, 2012 11:04am

Why do you want to disconnect your AD user from the metaverse? If you do that, and leave a disconnector in your AD connector space, then you run the risk of creating another account with the same login name at some point in the future ... far better to retain a connector in all cases and that way avoid potential sync errors later on. If you really do want to disconnect your user object in AD (e.g. you're worried about paying CALs for disabled accounts in FIM) then try implementing an object deletion rule on your SQL MA. If your AD MA is set with deprovisioning to "determine from rules extension" then your above code will fire before disconnect, and the next export run will update your AD account. You will have to work out what you are going to do with your user account in the FIM Portal ... you may choose to simply delete on next export ... but chances are you're going to have more complex rules than that. My preference remains not to disconnect.
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 22nd, 2012 11:14am

What I am trying to do is, when you delete a user account in AD, in the status attribute it passes from active to inactive. A scenario of what I am trying to do is when an employee is fired and the aim is that their account in AD is inactive. Thanks.
June 22nd, 2012 11:26am

Really sorry - it's late and I am having real trouble understanding what you are saying. It sounds like you need to implement a very standard scenario, so I suggest you search this forum for recent posts on exactly this subject. Your scenario should be a variation on a standard one.
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 22nd, 2012 11:31am

Thank you very much and good day.
June 22nd, 2012 11:35am

This topic is archived. No further replies will be accepted.
