How does the FIMMA Full Sync transfer data to the AD CS?
Hello, I'm trying to understand the user provisioning process and data flow. Please correct me if I'm wrong. When I create a new user on the Portal I have to do the following for it to populate in Active Directory.

1. Run Full Import on the FIMMA - this is FIM database to FIM CS. The attributes that are imported are defined in the FIMMA "configured attribute flow" as "import" attribute flow direction.
2. Run Full Sync on the FIMMA - this takes the imported attributes of the user object into the MV. FIM CS to MV (since there isn't a Sync Rule for FIMMA these are the same attributes that are defined in the FIMMA Configured Attribute flow).
3. Run Export on the ADMA - At this point the new information from AD CS is exported to Active Directory.
4. Run Delta import on the ADMA - This step is required to confirm export.

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7b7decc2-eb5b-40f6-b4a2-0856be1ba9a9/

I read on the newbie thread that the Full Sync on the FIMMA imports from CS to MV and other connector spaces depending on your configuration. In my scenario, after step 1 I can do a search on the FIMMA connector space and find the users. After step 2 I can find my user in the metaverse but not in the AD connector space. Therefore when I run step 3 nothing gets added. How do I get the full sync of the FIMMA configured to import to the AD connector space?

On my ADMA Configured Attribute flow, it is empty (inbound and outbound attributes are configured in my AD Sync Rule). Reading another thread, I shouldn't have non-declarative attributes unless it's for a migration scenario. http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/48cce2ce-5ef7-4677-80de-51dd51a77654/?prof=required

When I look up the user on the portal, the provision status shows pending.

Also could you please tell me exactly what happens when you do a delta import on the ADMA (Step 4) so I can understand what "confirming export" means?

Thank you,
Nathalie
February 18th, 2010 8:54pm

Please take a look at the Introduction to Outbound Synchronization. This document explains what you need to do to get an object from FIM out to a connected data source. If the provisioning status is pending, it is possible that all you need to do is to enable provisioning.

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
February 18th, 2010 9:16pm

Markus,

Thanks for the reference to the outbound synchronization doc. I've reviewed that documentation over and over again and couldn't determine why my user was not being provisioned in AD. So I double clicked on my one update that showed up on the FIMMA full sync run. In there was a tab called synchronization error. My outbound attribute for the DN string was incorrect. I forgot the comma at the beginning of the string.

I had two new users on the FIM portal. One was pending and the other was in "not applied" status. I ran the following after updating my outbound attribute flow in my sync rule. By the way, both users were in the MV.

1. Full Import on FIMMA - source database to FIM CS
2. Full Sync on FIMMA - FIM CS to MV and other AD CS per the AD outbound sync rule.
3. Export on ADMA - AD CS to Active Directory
4. Delta import on ADMA - confirm export
5. Delta Sync on ADMA - sync new objectSid created in the new AD user
6. Export on FIMMA - FIM CS to FIM Service database (update the mvobjectid from step 2 and updated objectSid from step 5)
7. Delta import - confirm export of the new mvobjectid and objectSid

My user that had the status of "not applied" was updated and provisioned in Active Directory but his account was set to disabled, and the users that had the "pending" status never populated in Active Directory. Any thoughts? Are these the right steps to complete provisioning of a new user via the Portal?

Cheers,
Nathalie
February 19th, 2010 1:27am
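The seven run profiles listed in the post above are normally clicked through one by one in Synchronization Service Manager. As an added example (not code from the thread or from Microsoft), the script below runs the same sequence through the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute) and stops at the first run that does not return "success", so that a later step never runs on top of a failed export. The management agent names "FIMMA" and "ADMA" and the run profile names ("Full Import", "Full Synchronization", "Export", "Delta Import", "Delta Synchronization") are assumptions; use the names configured on your own MAs.

```powershell
# Added example, not from the thread: drive the FIMMA/ADMA run profile sequence from the post
# through the FIM Sync WMI provider. Run on the synchronization server as a member of the
# FIMSyncAdmins/FIMSyncOperators group. MA and run profile names below are ASSUMED.

$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-MARunProfile {
    param(
        [Parameter(Mandatory)][string]$MAName,
        [Parameter(Mandatory)][string]$RunProfile
    )
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name = '$MAName'"
    if (-not $ma) { throw "Management agent '$MAName' not found in $Namespace" }

    # Execute() runs the named run profile synchronously and reports its outcome as a string
    $result = $ma.Execute($RunProfile).ReturnValue

    # Anything other than 'success' (e.g. 'completed-export-errors', 'stopped-server')
    # aborts the sequence; inspect the run history / synchronization error tab before retrying.
    if ($result -ne 'success') {
        throw "$MAName / $RunProfile returned '$result'; check the run history before continuing"
    }
    Write-Host "$MAName / $RunProfile : $result"
}

# The sequence from the post, with the data flow each step performs
$Sequence = @(
    @{ MA = 'FIMMA'; Profile = 'Full Import' },           # 1. FIM Service DB -> FIM CS
    @{ MA = 'FIMMA'; Profile = 'Full Synchronization' },  # 2. FIM CS -> MV -> AD CS (outbound sync rule)
    @{ MA = 'ADMA';  Profile = 'Export' },                # 3. AD CS -> Active Directory
    @{ MA = 'ADMA';  Profile = 'Delta Import' },          # 4. confirm export; reads back objectSid etc.
    @{ MA = 'ADMA';  Profile = 'Delta Synchronization' }, # 5. flow the new objectSid into the MV
    @{ MA = 'FIMMA'; Profile = 'Export' },                # 6. FIM CS -> FIM Service DB
    @{ MA = 'FIMMA'; Profile = 'Delta Import' }           # 7. confirm export back into the FIM Service
)

foreach ($step in $Sequence) {
    Invoke-MARunProfile -MAName $step.MA -RunProfile $step.Profile
}
```

On the "confirm export" question from the opening post: after an export, the connector space still carries the exported changes as pending until an import reads the objects back from the connected data source; that import confirms the values arrived as exported, clears the pending-export state, and picks up attributes the data source generated itself (objectSid, objectGUID), which is why step 5 can then flow the new objectSid into the metaverse.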

Nathalie,

Are you also setting the userAccountControl attribute on the user account? Make sure you are setting it right. The fact that the account gets provisioned as a disabled account may be pointing at the value which you are (or are not) setting it to.

Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
February 19th, 2010 8:34am

"My user that had the status of "not applied" was updated and provisioned in Active Directory but his account was set to disabled and the users that had the "pending" status never populated in Active Directory. Any thoughts? Is this the right steps to complete provisioning of a new user via the Portal?"

Nathalie,

the steps look good. There is another document you should take a look at: Publishing Active Directory Users From Two Authoritative Data Sources. I also wrote an article called "Design Concepts: Using FIM to enable or disable accounts in Active Directory".

In essence, to provision an enabled account in Active Directory, you need to set two attributes:
userAccountControl
unicodePwd

userAccountControl is a bit vector that governs, amongst other things, whether an account is enabled. However, to enable your account, this attribute is not sufficient. You need to make sure that you are setting a password on the object that meets your AD password policy requirements. If the password doesn't, the account won't be enabled even if userAccountControl has the disabled flag not set!

HTH...

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
February 19th, 2010 12:28pm
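Markus's point is that the account ends up disabled either because the 0x2 (ACCOUNTDISABLE) bit is still set in the userAccountControl value the sync rule flows out, or because unicodePwd never produced a policy-compliant password. As an added example (not from the thread, not Microsoft's code) the script below decodes the userAccountControl bit vector using the documented flag values, and checks a freshly provisioned account for the two conditions above plus one insecure "fix" that shows up in the wild: setting PASSWD_NOTREQD (0x20, i.e. 544 instead of 512) to make the account enable without a real password. The sample account rows are constructed; the Get-ProvisionedAccountReport function assumes the ActiveDirectory PowerShell module is available where it runs.

```powershell
# Added example, not from the thread: decode userAccountControl and sanity-check accounts
# that FIM has just exported to AD. Flag values are the documented AD constants.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Return the names of every flag set in the integer (e.g. 514 -> ACCOUNTDISABLE, NORMAL_ACCOUNT)
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-ProvisionedAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$UserAccountControl,
        [Parameter(Mandatory)][long]$PwdLastSet   # FILETIME; 0 means no password has been set on the object
    )
    $flags    = @(ConvertFrom-UserAccountControl -Value $UserAccountControl)
    $problems = @()

    if ($flags -contains 'ACCOUNTDISABLE') {
        $problems += 'disabled: userAccountControl still has the 0x2 bit (e.g. 514 instead of 512)'
    }
    if ($flags -contains 'PASSWD_NOTREQD') {
        $problems += 'PASSWD_NOTREQD set: account can be enabled without a policy-compliant password; remove this bit and flow unicodePwd instead'
    }
    if ($PwdLastSet -eq 0 -and -not ($flags -contains 'ACCOUNTDISABLE')) {
        $problems += 'enabled but pwdLastSet is 0: unicodePwd never flowed, or the password was rejected by policy'
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Flags          = ($flags -join ',')
        Healthy        = ($problems.Count -eq 0)
        Problems       = ($problems -join '; ')
    }
}

function Get-ProvisionedAccountReport {
    # Live check after the ADMA export: needs the ActiveDirectory module (assumed available)
    param([Parameter(Mandatory)][string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        $u = Get-ADUser -Identity $name -Properties userAccountControl, pwdLastSet
        Test-ProvisionedAccount -SamAccountName $u.SamAccountName `
                                -UserAccountControl $u.userAccountControl `
                                -PwdLastSet $u.pwdLastSet
    }
}

# Constructed sample rows standing in for Get-ADUser output, so the check runs offline
$Sample = @(
    @{ Name = 'user.ok';       Uac = 512; Pwd = 132260000000000000 }, # enabled, password set: healthy
    @{ Name = 'user.disabled'; Uac = 514; Pwd = 0 },                  # the thread's symptom: created disabled
    @{ Name = 'user.nopwd';    Uac = 544; Pwd = 0 }                   # PASSWD_NOTREQD workaround: enabled, no password
)
$Sample |
    ForEach-Object { Test-ProvisionedAccount -SamAccountName $_.Name -UserAccountControl $_.Uac -PwdLastSet $_.Pwd } |
    Format-Table -AutoSize
```

The third sample row is the one to watch for in an audit: 544 makes the account come up enabled even when unicodePwd is missing or rejected, which defeats the password policy Markus describes. The correct fix, as Nathalie later confirms, is to flow 512 and a password that meets policy.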

Markus,

Thank you for your help. I'm able to provision users from FIM to AD and AD to FIM. You were right about the password policy. Makes total sense. The reason why my accounts were in pending status and would not apply was because I missed the expectedRuleList attribute in my FIMMA attribute flow. This needed to be added as an imported user attribute in order for my sync rule to apply when I run import on my FIMMA. I changed the default password to our standard password policy. Accounts are now active in AD.

One more question regarding passwords. Is there a way to auto-generate a random password when users are created, and have that user's account information and password emailed to their manager? How is that accomplished? I think I saw a demo somewhere.

Cheers,
Nathalie
February 25th, 2010 11:52pm

Andreas has outlined the general steps in this post.

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
March 8th, 2010 12:31am
