Granting permission to HomeFolder during provision to AD DS
Hey guys, I am currently trying to grant NTFS permission to a user's home folder when a user account is created during provisioning to AD DS by a Visual Basic rules extension. I can create the home folder, but for some reason the permissions aren't being applied. However, if I replace the person object from the MV with my AD account in the code, it applies the permissions. I am trying to see how you guys out there are handling setting permissions on home folders during provisioning with FIM.

    Imports System.IO
    Imports System.Security.AccessControl

    'HomeDirectory Creation
    'If HomeDirectory doesn't exist, create it
    If (Not System.IO.Directory.Exists(HomeDirectoryFolder)) Then
        'Create HomeDirectory
        System.IO.Directory.CreateDirectory(HomeDirectoryFolder)
        'HomeDirectoryInfo and HomeDirectoryACL were not declared in the posted snippet;
        'declared here (assumed) so the fragment compiles on its own
        Dim HomeDirectoryInfo As New DirectoryInfo(HomeDirectoryFolder)
        Dim HomeDirectoryACL As DirectorySecurity = HomeDirectoryInfo.GetAccessControl()
        'Build new ACL object: Modify for the user, inherited by subfolders and files
        HomeDirectoryACL.AddAccessRule(New FileSystemAccessRule(UserAccount, _
            FileSystemRights.Modify, InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit, _
            PropagationFlags.None, AccessControlType.Allow))
        'Apply ACL change
        HomeDirectoryInfo.SetAccessControl(HomeDirectoryACL)
    End If
April 17th, 2012 10:40am

You can't do this during provisioning. The provisioning method doesn't create a new object in ADDS - it creates a new object in the AD DS connector space. You will have to export the object to get it created. Calling anything outside sync from a rules extension is not supported. If you have to apply modifications to your data source that are outside the scope of sync, you should:
- Create a custom MA and include your code into it
- Develop a post-processing method that handles the operations.
For more details, see these posts.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 17th, 2012 11:11am

I've been creating home folders with ILM for about two users using an XMA largely based on the code sample in Carol's blog. Of course with the advent of FIM, if you are using the FIM Service/Portal you could write some kind of custom PowerShell workflow/activity to handle the home folder creation and permissions assignment once the AD account has been created. Regardless of the technique, the key is to ensure that the AD account is created before the code runs to grant permissions to the folder (or to create the folder in the first place if you're doing it all at once). As Markus indicated, that requires an export, as well as an import to confirm the export did its job. In my case, I import the homeDirectory attribute from AD (only) and use that to trigger the provisioning code to run to create a new connector to the home folder MA. ILM 2007 has no trouble exporting a value via a rule extension and then doing a direct import of the same value to the metaverse. FIM 2010 will do the same, but if you were to update the value after initial population through a subsequent export (not directly in AD or whatever data source), a delta sync will not update the value in the metaverse after the confirming import. (Bug already reported.) I never change homeDirectory in code once populated, though...any changes to homeDirectory after folder creation are handled manually, as is the renaming or moving of the folder to a different server/share.
Chris
April 17th, 2012 11:48am
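The post-export step Chris describes, as an added example that is not code from this thread or from FIM: a function a PowerShell workflow activity could call after the confirming import. The domain, share and account names are assumptions. It resolves the account to a SID before touching NTFS, so an account that exists only in the connector space (the symptom in the original question) is refused rather than silently left without permissions.

```powershell
# Added example, not from the thread. Assumes the caller runs on a domain-joined host
# with rights on the home share; $Domain, $SamAccountName and $HomeRoot are placeholders.
function Set-HomeFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,          # e.g. CONTOSO (assumed)
        [Parameter(Mandatory)][string]$SamAccountName,  # e.g. jdoe (assumed)
        [Parameter(Mandatory)][string]$HomeRoot         # e.g. \\fileserver\home$ (assumed)
    )

    # 1. Confirm the account really exists in AD DS. An object that has only been
    #    provisioned into the connector space (not yet exported) will not translate.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $SamAccountName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "$Domain\$SamAccountName does not resolve yet; export and confirming import first."
        return $false
    }

    # 2. Create the home folder if it does not exist yet.
    $path = Join-Path $HomeRoot $SamAccountName
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # 3. Grant Modify, inherited by subfolders and files. The rule is built on the SID,
    #    so Set-Acl does not depend on a second name lookup.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor `
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $acl = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $modify, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # 4. Verify by re-reading the ACL: an explicit entry for this account carrying
    #    every Modify bit must now be present. Get-Acl reports identities as DOMAIN\name.
    $applied = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $account.Value -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$applied
}
```

Returning $false instead of throwing lets the activity retry on the next run, after the export and confirming import have made the account resolvable.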

Thanks for the suggestions! Maybe I didn't use the right terminology, but I am creating the home folder during the provisioning/creation of the account in AD DS, not the Metaverse. I will research those suggestions. Thanks again.
April 17th, 2012 12:56pm

After trying to follow the posts suggested, the one Chris suggested worked best for me.
April 18th, 2012 3:21pm
