User deletion problem (deleted much more than I wanted to in AD)
Thanks! My current understanding is that the synchronization rule deprovisioning never took place, and that the metaverse object deletion rule started deleting all the users that were joined. If I want to use synchronization rule deprovisioning, should "deprovisioning" on the target MA be set to "stage a delete on the object for the next export run", or should it be set to "make them disconnectors"? Thanks, Francis
June 28th, 2011 9:53am

Hi all! I had a major epic today. I am synchronizing users from one parent system to AD. We are accessing both AD and the parent system using extensible connectivity management agents, but that shouldn't make a difference for this particular problem.

I imported and projected the existing users in AD to the Metaverse. I then imported the users in the parent system to the Metaverse. Common user objects joined as they should. I then exported the users in the Metaverse to the FIM Portal so that the outbound synchronization rules would be "attached". The next thing I did was to export to AD, so that new "unjoined" users got provisioned to AD. So far, so good. I then realised that I had made a slight mistake when I created the sAMAccountName, so I wanted to remove the new users in AD (NOT the users that had been joined).

A bit of background information: I have set up Management Policy Rules and workflows for both creating and deleting users in AD. I am synchronizing users in different sets; students are one set, teachers and staff are the other set. I have configured object deletion in FIM Sync so that when users are disconnected from the parent system, an object deletion is staged. The MPRs for adding and deleting teachers and staff in AD are disabled, and were disabled before I started synchronizing, as I was only testing student provisioning. Our AD connector is set to "stage a delete on the next export run" under object deletion.

To save myself from manually deleting close to 2000 students in AD, I manipulated the parent system's MA to only provide one user to FIM, simulating total deletion. Under no circumstances did I want FIM to delete teachers and staff. My understanding was that because I had disabled the MPRs for staff and teachers, they wouldn't be deleted. Boy was I wrong! I started an export on our AD MA, and by the time I realised what was happening, nearly 300 staff and teachers were deleted.
- Was I completely mistaken with regard to disabling the MPRs, or have I simply configured something wrong? I need to understand why this happened, so I can prevent it from happening again after restoring from the AD backup. Hope somebody can shed some light on my problem. Thanks, Francis
June 28th, 2011 1:39pm

At first I recommend reading about deprovisioning scenarios: http://social.technet.microsoft.com/wiki/contents/articles/deprovisioning-in-fim.aspx

Deprovisioning can happen using two options:
- synchronization rule deprovisioning
- metaverse object deletion rule

What I think is that you configured metaverse object deletion in Sync Manager based on your parent system, so if an object gets disconnected, the MV object gets deleted. You mentioned: "I manipulated the parent system's MA to only provide one user to FIM, simulating total deletion"; this excludes all joined users and converts them to disconnectors, except the one you specified. So you simulated a disconnect in the connector space (CS) of the parent system, which in turn makes FIM delete the linked MV objects, which in turn deprovisions objects in the other connected systems (AD in your case, which you configured to stage a delete on the object on the next export run).
June 28th, 2011 2:28pm

Yup, if you want the deprovisioning to delete objects in the target MA, you should choose the option "stage a delete on the object for the next export run".
June 29th, 2011 1:27am
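With the AD MA set to "stage a delete on the object for the next export run", every disconnect in the parent system ends up as a pending delete in the AD connector space, and the export run is what actually removes the accounts. The guard below is an added example, not code from the thread or from FIM itself: before running the export it reads the MA's pending-export counters through the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent) and refuses to run when the number of staged deletes is above a threshold. The MA name "AD MA", the run profile name "Export" and the threshold of 50 are assumptions; adjust them to your environment. Run it on the synchronization server under an account that is a member of the FIM Sync admin group.

```powershell
# Added example (not from the thread): abort an FIM Sync export when too many
# deletes are staged. MA name, run profile name and threshold are assumptions.
param(
    [string]$MaName     = "AD MA",   # assumed: display name of the AD management agent
    [string]$RunProfile = "Export",  # assumed: name of the MA's export run profile
    [int]$MaxDeletes    = 50         # assumed: refuse to export above this many deletes
)

$ns = "root\MicrosoftIdentityIntegrationServer"
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
if (-not $ma) { throw "Management agent '$MaName' not found" }

# Pending-export counters exposed by the MA object; these reflect what the
# next export run would do, including deletes staged by deprovisioning.
$adds    = [int]$ma.NumExportAdd().ReturnValue
$updates = [int]$ma.NumExportUpdate().ReturnValue
$deletes = [int]$ma.NumExportDelete().ReturnValue
Write-Host ("Pending export on '{0}': {1} adds, {2} updates, {3} deletes" -f `
    $MaName, $adds, $updates, $deletes)

if ($deletes -gt $MaxDeletes) {
    # Stop here. Review the staged deletes in Synchronization Service Manager
    # (connector space search for pending export deletes) before exporting.
    Write-Error ("Refusing export: {0} staged deletes exceeds threshold {1}" -f `
        $deletes, $MaxDeletes)
    exit 1
}

# Counts are within bounds: run the export profile and report the outcome.
$result = $ma.Execute($RunProfile)
Write-Host ("Run profile '{0}' finished: {1}" -f $RunProfile, $result.ReturnValue)
```

The check is deliberately placed on the export side rather than on the MPRs: as the thread shows, the metaverse object deletion rule fires regardless of which portal MPRs are enabled, so the last point at which the deletes can be caught is the pending export on the target MA.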

Thanks! There has been a problem with restoring from the backup, so we'll have to add the deleted users to AD again "manually" (using a one-off console application that I'll write for the purpose). I have a list of the DNs affected, and when I click on "provisioning disconnects" I get a list of the users that were to be deleted (I managed to cancel the deprovisioning when I realised what was going on, so only ~300 users were deleted). I need to get hold of some of the user attributes that I get when I open connector space object details, so that I can set the correct sAMAccountName, etc. I used SQL Profiler to get the query that returns the list of users to be deprovisioned:

select * from mms_step_object_details with(nolock) where step_history_id='{6BC2FC58-E69D-43B3-9266-358A8B6AA4E7}' and ((statistics_type=37 and ma_id='67F9E976-2895-4C08-BF16-85900F549D0D'))

Does anybody know what table the connector space attributes reside in? It would be great if I could do a join to get the necessary attributes, without having to go through the list in the GUI manually. Thanks, Francis
June 30th, 2011 7:18am
