Join OUs based on the DN
Hi all,
I'm provisioning users and groups to AD LDS using provisioning hierarchy. After an export run on the AD LDS Management agent I run a confirming import and would like to join the newly created OUs (during the export via provisioning hierarchy) to the already existing metaverse object.
My AD LDS base dn is DC=global,DC=org,DC=intern and so is my AD DS base dn. Therefore I can join the OUs via their DNs.
The DN for OU "test" is OU=test,DC=global,DC=org,DC=intern in both directories.
How can I join OUs that are created via provisioning hierarchy?
Thank you for your support
Chris
September 30th, 2011 12:03pm
Hi There,
Once the objects are created in the ADLDS system, if they are in scope, you should be able to join them by setting up a join rule for the organizational unit objects in the FIM Synchronization Engine (if they are not already connected). Depending on how you plan to manage the objects you could certainly do this either in the Synchronization Manager in the GUI or declaratively if you're doing things via the FIM Service sync rules.
If you are using the OUs as objects and using them as managed objects, I don't know that provisioning hierarchy is the way I would go. OUs can be provisioned and managed the same as a user object for all intents and purposes and that would establish the join immediately upon the creation of the connector for export. (Which was what we had to do before the provisioning hierarchy stuff came about in the product)
Thanks
B
http://identityminded.wordpress.com
September 30th, 2011 2:23pm
Hi Blain,
thank you for your answer.
I can't set up a join rule based on the DN in the Synchronization Manager GUI for OUs.
If I use this code
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/d776a1d9-387c-4ac3-b5e3-07ca1ee45c7e/
for provisioning the OUs I assume that I run into the same problem, not having the provisioned OU connected to the OU's MV entry.
Thanks for your help
Chris
October 6th, 2011 3:14am
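Fixed it with the following JoinRule Extension:

    ' Fragment from the rules extension's MapAttributesForJoin method
    Select Case FlowRuleName
        Case "cd.organizationalUnit#1:ou->distinguishedName"
            ' Use the connector space object's DN as the value to match
            ' against the metaverse distinguishedName attribute
            Dim dn As String = csentry.DN.ToString()
            values.Add(dn)
    End Select
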
Thanks
Chris
October 6th, 2011 7:58am
October 6th, 2011 9:56am