Join OUs based on the DN
Hi all, I'm provisioning users and groups to AD LDS using provisioning hierarchy. After an export run on the AD LDS Management agent I run a confirming import and would like to join the newly created OUs (during the export via provisioning hierarchy) to the already existing metaverse object. My AD LDS base DN is DC=global,DC=org,DC=intern and so is my AD DS base DN. Therefore I can join the OUs via their DNs. The DN for OU "test" is OU=test,DC=global,DC=org,DC=intern in both directories. How can I join OUs that are created via provisioning hierarchy? Thank you for your support, Chris
September 30th, 2011 12:03pm

Hi There, Once the objects are created in the ADLDS system, if they are in scope, you should be able to join them by setting up a join rule for the organizational unit objects in the FIM Synchronization Engine (if they are not already connected). Depending on how you plan to manage the objects you could certainly do this either in the Synchronization Manager in the GUI or declaratively if you're doing things via the FIM Service sync rules. If you are using the OUs as objects and using them as managed objects, I don't know that provisioning hierarchy is the way I would go. OUs can be provisioned and managed the same as a user object for all intents and purposes and that would establish the join immediately upon the creation of the connector for export. (Which was what we had to do before the provisioning hierarchy stuff came about in the product.) Thanks B http://identityminded.wordpress.com
September 30th, 2011 2:23pm

Hi Blain, thank you for your answer. I can't set up a join rule based on the DN in the Synchronization Manager GUI for OUs. If I use this code http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/d776a1d9-387c-4ac3-b5e3-07ca1ee45c7e/ for provisioning the OUs I assume that I run into the same problem, not having the provisioned OU connected to the OUs MV entry. Thanks for your help Chris
October 6th, 2011 3:14am

Fixed it with the following JoinRule extension:

    Case "cd.organizationalUnit#1:ou->distinguishedName"
        ' Use the connector space entry's DN as the join value
        Dim dn As String = String.Empty
        dn = csentry.DN.ToString
        values.Add(dn)

Thanks Chris
October 6th, 2011 7:58am
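
A pre-check for the DN-based join described in this thread, as an added example that is not part of the original posts: it compares OU DNs from the connector space with the DN values held in the metaverse and reports which would join to exactly one object, which would match nothing, and which are ambiguous. The function names, the sample DNs other than OU=test, and the case-insensitive, whitespace-tolerant comparison (LDAP's matching for ou and dc) are assumptions; the thread does not say how the sync engine compares join values.

```python
def parse_dn(dn):
    """Split a DN into normalised (type, value) RDN pairs, honouring backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep an escaped character (e.g. "\,") intact
            i += 2
            continue
        if ch == ",":                # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        # Assumption: compare case-insensitively and collapse runs of spaces.
        pairs.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(pairs)

def join_report(cs_dns, mv_dns):
    """Classify each connector-space DN by how many metaverse DNs it matches."""
    index = {}
    for dn in mv_dns:
        index.setdefault(parse_dn(dn), []).append(dn)
    report = {"joined": {}, "unmatched": [], "ambiguous": {}}
    for dn in cs_dns:
        hits = index.get(parse_dn(dn), [])
        if len(hits) == 1:
            report["joined"][dn] = hits[0]
        elif hits:
            report["ambiguous"][dn] = hits   # more than one candidate: do not auto-join
        else:
            report["unmatched"].append(dn)
    return report

# Constructed sample data: OU DNs from AD LDS and DN values already in the metaverse.
ADLDS_OUS = ["OU=test,DC=global,DC=org,DC=intern",
             "ou=Sales\\, EMEA, dc=global, dc=org, dc=intern",
             "OU=lab,DC=global,DC=org,DC=intern"]
MV_DNS = ["OU=test,DC=global,DC=org,DC=intern",
          "OU=Sales\\, EMEA,DC=global,DC=org,DC=intern",
          "OU=test,OU=lab2,DC=global,DC=org,DC=intern"]

if __name__ == "__main__":
    print(join_report(ADLDS_OUS, MV_DNS))
```

Unmatched and ambiguous entries are the ones to review before running the confirming import, since a DN-only join rule has no other attribute to tell objects apart.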

This topic is archived. No further replies will be accepted.
