What is the best practice to set up future disabled AD accounts which are mail-enabled?
We are struggling with future hires. HR will create a new row in a table with status INACTIVE for a new employee. The row is created usually 2 or 3 weeks before his startDate. When startDate is reached, HR then sets the status to ACTIVE. Naturally they want FIM/Exchange to create a mailbox for the new hire as well as the disabled AD account. We have tried and succeeded in creating disabled accounts (userAccountControl 514) in AD, but Exchange refuses to create a mailbox where the account is disabled. I guess we have to handle new hires in 2 stages: first create a normal account + mailbox and secondly disable the account. This is easy to say, but I am struggling to find a design to get FIM to actually do this. So far all I see is normal enabled account/mailbox creation in the FIM how-tos and so on. This is quite normal business practice, so there must be FIM guides on how to do this 2-step action.
May 10th, 2012 5:43am

Hi, if you're using the FIM portal, there is a way to detect if the provisioning succeeded. You can do this by means of a 'Detected Rule Entry'. Assuming you are using a separate Exchange Management Agent, the procedure would be as follows:
1. Create an enabled account in Active Directory. In the synchronization rule, set userAccountControl to 512 (normal account). Check 'use as existence check' on the userAccountControl attribute. As soon as the account is created, a detected rule entry (DRE) will be created.
2. Create a new set containing all the users with the detected rule entry of step 1. To do this, follow the steps "Creating the All Enabled ADDS Users DREs set" and "Creating the All Enabled ADDS Users set" on this site: http://technet.microsoft.com/en-us/library/ff800819(v=ws.10).aspx
3. Create a new Exchange account based on the inbound user event of the created set.
4. Follow the same procedure to disable the Active Directory account.
I know this seems like a fairly complicated procedure, but once you understand it, you'll see that it is a powerful tool! I hope this is of some help to you. Please let me know if you have any more questions! Best regards, Pieter.
Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 10th, 2012 4:17pm

Just to ask: why does the account have to be disabled? How about setting a random password that no one actually knows, and then the Helpdesk sets the password for the person when they start. I've got round a couple of these scenarios like that. http://www.wapshere.com/missmiis
May 11th, 2012 2:43am

No real reason except that is how the customer has requested the procedure to be. Locking the account by a scrambled password seems a bit old-fashioned, the classic "disable an LDAP directory entry" method. I see your point, and it's an approach worth an attempt at selling to the customer.
May 11th, 2012 9:03am

You could also do the disable after the mailbox is created. Should be able to get that done in one sync run, so your window for having the account actually enabled is really small.
My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
May 11th, 2012 10:37am

Again, easy to say "should". The design isn't so straightforward. My problem is that we are using the inbuilt FIM PowerShell call to provision mailboxes. This works very well for updated entries and new users who are created with active AD accounts. I guess we must abandon our simple in/outbound SR and get used to MPRs, Sets and Workflows. The only design I have a feeling will ("should?") work is a multi-workflow approach:
WF1 creates the enabled account
WF2 calls PowerShell to create the mailbox (makes me wonder why not use PS to do everything!)
WF3 is called if necessary to disable the account
I am interested, Brian, how you manage to do the create account and then disable it in one sync/export cycle.
May 15th, 2012 5:16am

A couple of steps to do this in one cycle. You should only need WF #2 in your list.
1. Create an attribute in the MV called existsAD (or similar). Populate it with a <dn> > "true" in your inbound sync rule.
2. Make your userAccountControl rule look something like this: IIF(existsAD, <disable/enable>, <enable>).
3. Set your cycle to be an AD Export, Delta Import, Delta Sync, FIM Export, Delta Import, Delta Sync, AD Export, Delta Import, Delta Sync.
If you're doing a lot of accounts you'll need some space between the FIM cycle and the second AD one for the WFs to fire.
My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
May 15th, 2012 1:46pm
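The two-stage sequence the question asks for (create the account enabled, mailbox-enable it, then disable it) and the existsAD-driven userAccountControl rule from the last reply, written out as a PowerShell script. This is an added example, not code from anyone in the thread and not FIM's own provisioning logic: it uses the ActiveDirectory module and Exchange Management Shell cmdlets (New-ADUser, Enable-Mailbox, Disable-ADAccount, Get-ADUser), and the OU path, mailbox database name and the Get-UserAccountControlValue / New-FutureHire function names are placeholders chosen here.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# available and the script runs in an Exchange Management Shell session.
Import-Module ActiveDirectory

function Get-UserAccountControlValue {
    # Mirrors the sync-rule idea IIF(existsAD, <disable/enable>, <enable>):
    # on the first export the account does not exist yet, so it is created
    # enabled (512) so that Exchange will mailbox-enable it; on later passes
    # the HR status decides between 512 (enabled) and 514 (disabled).
    param(
        [Parameter(Mandatory)][bool]$ExistsInAD,
        [Parameter(Mandatory)][ValidateSet('ACTIVE', 'INACTIVE')][string]$HrStatus
    )
    if (-not $ExistsInAD) { return 512 }
    if ($HrStatus -eq 'ACTIVE') { return 512 }
    return 514
}

function New-FutureHire {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$Path = 'OU=NewHires,DC=example,DC=com',   # placeholder OU
        [string]$Database = 'MBX-DB01'                     # placeholder mailbox DB
    )

    # Stage 1: create the account ENABLED (userAccountControl 512), because the
    # poster reports Exchange refusing to mailbox-enable a disabled account.
    # A random password nobody knows (the approach suggested in the thread)
    # protects it during the short enabled window; it is only ever a byte array
    # here and never written anywhere.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -SamAccountName $SamAccountName -Name $DisplayName -DisplayName $DisplayName `
        -UserPrincipalName $UserPrincipalName -Path $Path `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true

    # Give directory replication a moment so Exchange can see the new object.
    $attempt = 0
    while (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") -and $attempt -lt 10) {
        Start-Sleep -Seconds 3
        $attempt++
    }

    # Stage 2: mailbox-enable the (still enabled) account.
    Enable-Mailbox -Identity $UserPrincipalName -Database $Database | Out-Null

    # Stage 3: disable the account now that the mailbox exists; AD sets
    # userAccountControl to 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE).
    Disable-ADAccount -Identity $SamAccountName

    # Return the end state so the caller can verify: Enabled should be False,
    # userAccountControl 514, and mail populated by Exchange.
    Get-ADUser -Identity $SamAccountName -Properties userAccountControl, mail |
        Select-Object SamAccountName, Enabled, userAccountControl, mail
}

# Usage (placeholder values):
# New-FutureHire -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -UserPrincipalName 'jdoe@example.com'
# Get-UserAccountControlValue -ExistsInAD $false -HrStatus 'INACTIVE'   # 512 on first export
# Get-UserAccountControlValue -ExistsInAD $true  -HrStatus 'INACTIVE'   # 514 once the account exists
```

The enabled window is bounded by the replication wait plus the Enable-Mailbox call; if the account must never be usable in that window, keep the random-password step, since an account with an unknown password cannot be logged into even while userAccountControl is 512.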
