EmployeeStatus and deprovisioning
Hi,

Just wanted to see if maybe I can do this without too much/any code. Oracle has an employeeStatus field - it can have any of these 3 values: active, inactive, delete.

In FIM, on a Sync Rule I have this:

IIF(CustomExpression(Eq(employeeStatus,"active")),512,514) => userAccountControl

The above should handle the Active/Inactive state quite nicely... but how do I handle the 'delete' status? Won't it get confused somehow? Essentially the record will remain in Oracle, but its status will be 'delete', which means it must be deleted from AD, and its mailbox must be removed.

I was thinking of putting a filter in for employeeStatus=delete... and if the record was not re-imported it could be deprovisioned? Or is that way off? Or maybe have a DeletedUsers set (where employeeStatus=delete) and then have a deprovisioning sync rule? But how would this work with the IIF expression above?

Thank you.

PS. I assume the only way to delete a mailbox via FIM is via a PowerShell cmdlet?
April 20th, 2011 3:09am

Hi,

Deleting the user can be accomplished using an MPR that has an Expiration Workflow activity, and a DeletedUsers Set (or UsersToBeDeleted) as you mentioned. Just configure the set to contain users that need to be deleted. This blog post should help you get started and contains more specific information on what to configure and how: http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/automatically-deleting-expired-objects-in-fim-2010.aspx
April 20th, 2011 3:21am

So essentially you are saying that my "IIF..." expression can stay and will cater for Active/Inactive user states, and I just need to create a Set, Sync rule, workflow and MPR for a Delete operation - and I won't need any extra code? That's cool :-)
April 20th, 2011 3:25am

Well, things are a bit more complex...

First of all, you should never flow constant values into userAccountControl unless you are initializing a newly provisioned object. See How to Enable or Disable Accounts in Active Directory Domain Service Using FIM for more details on this.

You have a set transition that brings your object into the scope of your Active Directory outbound synchronization rule. You can use the same approach to remove the resource from the scope of this synchronization rule. Something like "All objects where employeeStatus = active or employeeStatus = inactive". You can also use a transition into "All objects where employeeStatus = deleted" - works as well. This will take care of your AD DS accounts. Just enable deprovisioning in your synchronization rule. You can find more details on this in Understanding Deprovisioning in FIM.

The next problem is your Oracle accounts ("Essentially the record will remain in Oracle, but its status will be 'delete' which means it must be deleted from AD, and its mailbox must be removed."). Will they eventually be deleted? If so, you are good. Make sure you have the object deletion rule configured to delete the MV object when disconnected from Oracle and deprovisioning on the FIM MA configured to stage a deletion.

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 20th, 2011 6:38am
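
The following is an added example, not part of the thread or of FIM itself, illustrating the advice above about constants in userAccountControl: the attribute is a bit mask, so writing 512 or 514 on every sync clears every other flag on the account, while toggling only the ACCOUNTDISABLE bit preserves them. The flag values are the standard Active Directory ones; the account names, sample values and function names are constructed for illustration.

```python
# userAccountControl is a bit mask: account state should be changed by
# toggling one bit, not by overwriting the whole value with a constant.
ACCOUNTDISABLE = 0x0002
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x100000: "NOT_DELEGATED",
}

def constant_flow(employee_status):
    """The rule from the question: 512 when active, otherwise 514."""
    return 512 if employee_status == "active" else 514

def bitwise_flow(current_uac, employee_status):
    """Toggle only ACCOUNTDISABLE; 'delete' is not an account state."""
    if employee_status == "active":
        return current_uac & ~ACCOUNTDISABLE
    if employee_status == "inactive":
        return current_uac | ACCOUNTDISABLE
    if employee_status == "delete":
        return None  # handled by deprovisioning, not by this attribute flow
    raise ValueError(f"unexpected employeeStatus: {employee_status!r}")

def dropped_flags(before, after):
    """Flags set in `before` but cleared in `after`, ignoring
    ACCOUNTDISABLE (the one bit the rule is meant to change)."""
    lost = before & ~after & ~ACCOUNTDISABLE
    return [name for bit, name in sorted(FLAGS.items()) if lost & bit]

# Constructed sample accounts (hypothetical names and values).
SAMPLE = {
    "svc-backup": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "adm-jdoe": 0x140200,   # NORMAL_ACCOUNT | SMARTCARD_REQUIRED | NOT_DELEGATED
}

def compare(status):
    """Per account: (flags dropped by constant flow, by bitwise flow).
    Only meaningful for 'active' and 'inactive'."""
    return {name: (dropped_flags(uac, constant_flow(status)),
                   dropped_flags(uac, bitwise_flow(uac, status)))
            for name, uac in SAMPLE.items()}

if __name__ == "__main__":
    for status in ("active", "inactive"):
        for name, (const_lost, bit_lost) in compare(status).items():
            print(f"{status:8} {name:10} constant drops {const_lost}, "
                  f"bitwise drops {bit_lost}")
```

Note that the constant rule also maps 'delete' to 514, so a record marked for deletion is only disabled by that flow; removal has to come from the set transition and deprovisioning described in the reply above.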


This topic is archived. No further replies will be accepted.
