How to troubleshoot an issue provisioning specific users to AD
Hey guys,

I'm not exactly sure if I have an actual problem or if this is expected behavior and I'm just missing something. My environment currently consists of:

- ADMA with an Active Directory inbound/outbound SR
  - Synchronizes users and groups
  - Provisions users to AD based on hrStatus flowing from the HRMA
    - 0 = active
    - 1 = inactive
    - 2 = terminated
- HRMA with an inbound SR
  - Flows users
    - Created in the FIM portal
    - Created in AD
  - Flows hrStatus
- FIMMA

I have been trying to provision only the users that have an hrStatus = 0. My problem is that ALL users with an hrStatus of 0 and 2 are provisioned in AD. Below are the steps I took to try and do this:

- I created a set named All Active Employees with a criteria for all users with hrStatus = 0.
- Disabled my old (transition in) AD MPR that I had used previously to provision users.
- I created a new (transition in) AD MPR and tied it to my All Active Employees set.

* I don't know if this has anything to do with it, but for my HR MA and FIM MA I had been using Full Import and Synchronization in my run profiles instead of having the two steps separated. I've just recently tried separating the two steps to see if it affects my syncs. I don't know how to use them, yet.

To test this, I have created a few new users in my HR system, some with a status of 0 and some with 2. I synchronized these users into the FIM portal. I can verify that the users with a status of 2 are not in my All Active Employees set. Also, I noticed all of my users show the Active Directory Rule.

Any ideas what could be causing my employees with a status of 2 to still be provisioned in AD? Any advice or suggestions on how to troubleshoot this?

Thanks,
-PD
February 16th, 2012 5:32am

The only thing I could think of here is if perhaps you did things in the following order:

1) Disable old rule
2) Create new rule
3) Perform FIFS against HR
4) Perform Export to FIM MA
5) Perform FIFS against FIM MA

If so, you should have another step in there that runs before Step 3, which would be to perform a FIFS against FIM. Otherwise the new sync rule would not have been in the FIM Sync Server yet, and so it would have provisioned the status=2 users as per the old rule.

Have you run through the process a second time? E.g., created another user in HR since you performed step 5 above? Again, this is assuming you did the FIFS from HR BEFORE you did the FIFS from FIM MA and AFTER the new rule was created.

MCTS: Forefront Identity Manager 2010, Configuring
February 16th, 2012 8:34am

Hi, thanks for the reply. I have a couple of questions:

1) Does it matter whether I do a full import and synchronization together, or if I run a full import first and then a full sync?
2) Is there a proper way to disable my old rule? All I did was create a new MPR and disable the old MPR.

Thank you,
-PD
February 16th, 2012 9:00am

Run Full Import first, and then you can do the Full Sync. As you have a new MPR, the new rule has to be imported first so the Full Sync shows the desirable result.

___________________
Anirban (India)
February 16th, 2012 11:56am
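
The run order suggested in the two replies above (import the new rule through the FIM MA first, and run Full Import and Full Sync as separate steps), as an added example that is not part of the original thread. It uses the FIM Synchronization Service WMI provider; the MA names FIMMA and HRMA come from the thread, while the run profile names are assumptions and must match the profiles defined on each MA.

```powershell
# Added example. MA names (FIMMA, HRMA) are from the thread; the run profile
# names below are assumptions and must match the profiles defined on each MA.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

# Order matters: the new synchronization rule has to reach the sync engine
# through the FIM MA before HR data is synchronized against it.
$Steps = @(
    @{ MA = 'FIMMA'; Profile = 'Full Import' },
    @{ MA = 'FIMMA'; Profile = 'Full Sync' },
    @{ MA = 'HRMA';  Profile = 'Full Import' },
    @{ MA = 'HRMA';  Profile = 'Full Sync' },
    @{ MA = 'FIMMA'; Profile = 'Export' },
    @{ MA = 'FIMMA'; Profile = 'Full Import' },
    @{ MA = 'FIMMA'; Profile = 'Full Sync' }
)

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)

    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found." }

    # Execute() blocks until the run finishes and returns its status string.
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host ("{0,-6} {1,-12} -> {2}" -f $MaName, $ProfileName, $status)
    return $status
}

foreach ($step in $Steps) {
    $status = Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile
    # Strict choice for this example: stop on anything other than 'success',
    # so a failed rule import never leads into a sync that provisions accounts.
    if ($status -ne 'success') {
        throw "Stopping: $($step.MA) '$($step.Profile)' returned '$status'."
    }
}

# The ADMA export is deliberately left out: check the pending exports on ADMA
# for hrStatus = 2 users before anything is written to Active Directory.
Write-Host 'Done. Review pending exports on ADMA before running its Export profile.'
```

Run it on the FIM Synchronization Service server; nothing is written to AD until the ADMA export is run separately.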
