Update AD Using Rule Extension
This post (FIM: Send Password Expiration Notifications) has an example of a simple rules extension (Points 9 & 10). Typically you create a new Import or Export Attribute Flow by selecting two attributes of choice in the CS and MV and checking "advanced". If you click Create, a popup comes up where you can enter the name of your advanced flow rule. This is the name used in the code (in the case statement). A good place to troubleshoot this as well is the "preview" functionality of the Synchronization Engine.

On the other hand, you could do this with codeless provisioning too:
- Pick an attribute in the MetaVerse for which the HR MA is the only contributing MA.
- Configure an outbound AF (in the portal): IIF(IsPresent(MV_AttributeFromHRMA),null(),BitOr(2,userAccountControl))

Once an object is deleted from the HR MA, the value for that attribute should be recalled. At that moment "IsPresent" will resolve to false and the "BitOr(2,userAccountControl)" will be executed, which is in fact the same as disabling the user.
http://setspn.blogspot.com
July 24th, 2011 8:52am

I've written a small post on how to monitor your code execution in those cases; check it out: http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2010/07/22/debugging-your-ilm-miis-provisioning-code.aspx Are you using the portal to implement your sync rules, or just the MIIS part?
Hitch Bardawil

How about posting this as a Wiki article? Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 24th, 2011 1:02pm

I have a FIM set up that imports user records from a SQL Server data source and an AD data source. FIM joins matching user records. The DB is the ultimate authority, so if there is a discrepancy between AD and the DB, the user details in the DB are exported to AD. In the event that a user is removed from the DB I want the corresponding AD account to be marked as disabled. I have read through "Example: Deprovisioning a Connector Space Object" and used this to create a rule extension to set the userAccountControl field on the AD account to be disabled. I have set up deprovisioning on the ADMA to the rule extension that I created. When I remove a user from the DB and run a full import and full sync on the DB MA and then run a delta sync on the ADMA, no change occurs to the AD account. I have not used rule extensions before so am not sure I have set it up correctly. How can I check to see if my rule extension is being called during the profile run? Cheers,
July 24th, 2011 7:39pm

I figured out the issue. I was compiling the Rule Extension DLL using .NET 4.0. FIM didn't like this. I recompiled the DLL using .NET 3.5 and the issue was resolved.

```csharp
DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
{
    DeprovisionAction action = DeprovisionAction.Disconnect;

    switch (csentry.ObjectType)
    {
        case "user":
        case "person":
            // Disable the user account in Active Directory and move
            // the account to another container.
            if (csentry["userAccountControl"].IsPresent)
            {
                // 66082 = 0x10222 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
                //                 | PASSWD_NOTREQD | ACCOUNTDISABLE
                csentry["userAccountControl"].IntegerValue = 66082;
            }

            // Move the disabled user account to another container.
            string container = "OU=Disabled Users,OU=Users,DC=Local";
            string rdn = "CN=" + csentry["cn"].Value;
            ManagementAgent ma = Utils.MAs["AD MA"];
            ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(container);
            csentry.DN = dn;
            break;

        case "contact":
        case "group":
            // Do nothing
            break;

        default:
            throw new EntryPointNotImplementedException();
    }

    return action;
}
```
July 24th, 2011 8:19pm

That looks fine except I would calculate the userAccountControl value mathematically rather than overwriting it. You can use code like this:

```csharp
const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
const long ADS_UF_NORMAL_ACCOUNT = 0x00000200;

// Start from the existing value if the CS has one, otherwise from a
// plain normal account, then set only the disable bit.
long uacValue = ADS_UF_NORMAL_ACCOUNT;
if (csentry["userAccountControl"].IsPresent)
{
    uacValue = csentry["userAccountControl"].IntegerValue;
}
csentry["userAccountControl"].IntegerValue = (uacValue | ADS_UF_ACCOUNTDISABLE);
```

My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 24th, 2011 8:26pm
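Both the hard-coded 66082 in the posted Deprovision() and the BitOr(2,userAccountControl) outbound flow suggested earlier in the thread come down to how userAccountControl bits are combined. The Python model below is an added example; it is not code from this thread or from FIM. It uses the documented ADS_UF_* flag values, constructed sample accounts, and one assumption: the portal expression's null() is modelled as "no value flows" (returned as None). It shows that OR-ing in ACCOUNTDISABLE keeps whatever else was set, while writing the constant also drops flags such as SMARTCARD_REQUIRED and NOT_DELEGATED and turns on PASSWD_NOTREQD and DONT_EXPIRE_PASSWD.

```python
"""Model the two ways this thread disables an AD account via userAccountControl.

Added example, not code from the thread. The flag values are the documented
ADS_USER_FLAG constants; the sample accounts in main() are constructed.
"""

ADS_UF_ACCOUNTDISABLE = 0x00000002
ADS_UF_PASSWD_NOTREQD = 0x00000020
ADS_UF_NORMAL_ACCOUNT = 0x00000200
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_SMARTCARD_REQUIRED = 0x00040000
ADS_UF_NOT_DELEGATED = 0x00100000

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    ADS_UF_NOT_DELEGATED: "NOT_DELEGATED",
}

# The literal the thread's Deprovision() writes: 0x10222.
OVERWRITE_VALUE = 66082


def decode_uac(value):
    """Return the sorted names of the known flags set in value."""
    return sorted(name for bit, name in FLAG_NAMES.items() if value & bit)


def disable_by_overwrite(current):
    """First approach in the thread: replace the whole attribute with a constant."""
    return OVERWRITE_VALUE


def disable_by_bitor(current):
    """Second approach: OR in ACCOUNTDISABLE. If the CS attribute is absent
    (current is None) start from a plain NORMAL_ACCOUNT, as the C# does."""
    base = ADS_UF_NORMAL_ACCOUNT if current is None else current
    return base | ADS_UF_ACCOUNTDISABLE


def codeless_outbound_flow(hr_attribute_present, current):
    """Model of IIF(IsPresent(MV_AttributeFromHRMA), null(), BitOr(2, userAccountControl)).
    Assumption: null() means no value flows, represented here as None."""
    if hr_attribute_present:
        return None
    return current | ADS_UF_ACCOUNTDISABLE


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set."""
    return bool(value & ADS_UF_ACCOUNTDISABLE)


def flags_changed(before, after):
    """(added, removed): which known flags an update silently turns on or off."""
    b, a = set(decode_uac(before)), set(decode_uac(after))
    return sorted(a - b), sorted(b - a)


def main():
    # Constructed sample: an enabled account hardened with smart-card logon
    # and "account is sensitive and cannot be delegated".
    hardened = ADS_UF_NORMAL_ACCOUNT | ADS_UF_SMARTCARD_REQUIRED | ADS_UF_NOT_DELEGATED
    for label, fn in (("overwrite", disable_by_overwrite), ("bitor", disable_by_bitor)):
        new = fn(hardened)
        added, removed = flags_changed(hardened, new)
        print(f"{label:9s} -> 0x{new:X} disabled={is_disabled(new)} "
              f"added={added} removed={removed}")
    print("codeless, HR attribute still present:", codeless_outbound_flow(True, hardened))
    print("codeless, HR attribute recalled:", hex(codeless_outbound_flow(False, hardened)))


if __name__ == "__main__":
    main()
```

Run it and compare the two lines: the overwrite path removes the smart-card and no-delegation flags and adds PASSWD_NOTREQD, which permits an empty password on that object, so if the account is ever re-enabled by hand it comes back weaker than it went in; the OR path changes exactly one bit.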

Can you post your Deprovisioning code? What is your MV Object Deletion rule for the Person object type set to? If you're using legacy provisioning code, please also post that.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 24th, 2011 8:32pm

Looking at the debugging article posted above - You might be interested in an article I published on my company's blog site this week regarding a method to debug extension code running out-of-process. http://www.css-security.com/author/fdrewes/ Simple concept - but pretty handy, especially if you have code that works running in-process but doesn't behave when you switch to running out-of-process. If it's of interest, I can add it to the Wiki here. Frank
July 25th, 2011 1:15am

Sure!
Hitch Bardawil
July 25th, 2011 4:09am

