AD outbound provisioning - same user to 2 different OUs

The same user from FIM needs to be provisioned to 2 different OUs in AD. Is that possible using portal sync rules?

FIM User object properties:

AD exists (boolean), samAccountname, employeeID

Sync rule 1:

scope - AD exists is true

relationship - samaccountname = samaccountname

rule - dn: cn="samaccountname",OU1

Sync rule 2:

scope - employeeID is present ( AD exists could be true or false)

relationship - employeeID = employeeID

rule - dn: cn="employeeID",OU2

We have rule 1 already in place. When I tested with rule 2, it pushed only users that are not synced in OU1. How can I capture this via scope and relationship criteria?

Thanks!!

August 18th, 2015 7:58pm

Why do you want to end up with two objects for the same person in Active Directory?

August 18th, 2015 11:39pm

A possible solution could be to have two different AD management agents.

In this way, you could have an outbound sync rule for the management agent AD1 which provisions users to OU1, and another on AD2 which provisions users to OU2.

What you are trying to do, however, is pretty strange.

What is the problem you are trying to solve?

August 19th, 2015 4:46am

Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

So, is there no way I can use portal sync rules to push an object to 2 different OUs?

August 19th, 2015 9:15am

I highly discourage you from doing this. For all intents and purposes, these are 2 different users now. Different sAMAccountName and different objectSID. If you tell us why you would be needing this, we could maybe help you avoid the craziness.
August 19th, 2015 9:31am

On Wed, 19 Aug 2015 13:13:45 +0000, fim_sc wrote:

Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

samAccountName is a required attribute

August 19th, 2015 9:50am

Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

So, is there no way I can use portal sync rules to push an object to 2 different OUs?

You need the following then,

If the user exists, join. If it does not exist, provision a new account. You will have to create the sAMAccountName. Since employeeID is unique enough, you can use employeeID as sAMAccountName, unless you have other requirements for sAMAccountName. You don't need 2 accounts.

August 19th, 2015 9:57am

We have many users in FIM that don't get an accountName at all. They get only the employeeId. So, these users never get an AD account, as the dn of ou=people contains the accountName: dn="cn=accountName, domainname". Also, we don't keep all the users in our People OU. We delete the AD accounts a few days after the termination date. The average number of users in this OU will be 25k.

Now, we are planning to use AD as a directory of all the users. We cannot export all the users to the current People OU because not all the users have an accountName. We have to use employeeID in the dn. So, the idea is to create a new OU, put all the user accounts in it, and keep that OU disabled. As I said, this OU is only used for directory search and not for authentication or Exchange. The number of users in this OU will be 100k and will grow.

August 19th, 2015 10:08am

So, in the same OU, can we have 2 different DN formats? Users with an accountName will have the accountName in the DN and samAccountName. Users without an accountName will have the employeeID in the DN and samAccountName. Is this what you are suggesting?
August 19th, 2015 10:13am

Yes.

The example below is perfectly fine.

cn=MernacajN,OU=Users,DC=Domain,DC=Com

cn=12345,OU=User,DC=Domain,
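The single-object approach suggested above, worked as an added example (not code from the thread): each FIM user maps to exactly one AD object, the RDN and sAMAccountName come from accountName when present and from employeeID otherwise, RDN values are escaped per RFC 4514, and the plan is rejected when two users would collide on DN or sAMAccountName (for instance an accountName equal to another user's employeeID). The sample users and container are constructed.

```python
# Constructed example: derive one AD object per FIM user and check for collisions.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')  # characters AD rejects in sAMAccountName
SAM_MAX_LEN = 20                       # length limit for a user sAMAccountName


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so it cannot alter the DN structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch == '#'):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, len(value) - 1):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def anchor_value(user: dict) -> str:
    """accountName when the user has one, otherwise employeeID."""
    value = user.get('samAccountName') or user.get('employeeID')
    if not value:
        raise ValueError('user has neither samAccountName nor employeeID')
    return value


def sam_account_name(user: dict) -> str:
    """Same value as the RDN, validated against AD's sAMAccountName rules."""
    sam = anchor_value(user)
    if len(sam) > SAM_MAX_LEN or any(c in SAM_ILLEGAL for c in sam):
        raise ValueError(f'not a valid sAMAccountName: {sam!r}')
    return sam


def build_dn(user: dict, container: str) -> str:
    """CN=<accountName or employeeID>,<container>, with the RDN escaped."""
    return f'CN={escape_rdn_value(anchor_value(user))},{container}'


def provision_plan(users: list, container: str) -> list:
    """One object per user; refuse a plan where two users share a DN or sAMAccountName."""
    plan, seen_dn, seen_sam = [], set(), set()
    for user in users:
        dn, sam = build_dn(user, container), sam_account_name(user)
        if dn.lower() in seen_dn or sam.lower() in seen_sam:
            raise ValueError(f'collision for employeeID {user.get("employeeID")!r}: {dn}')
        seen_dn.add(dn.lower())
        seen_sam.add(sam.lower())
        plan.append({'employeeID': user['employeeID'], 'dn': dn, 'sAMAccountName': sam})
    return plan


# Constructed sample input (hypothetical users, not from the thread).
SAMPLE_USERS = [
    {'employeeID': '10001', 'samAccountName': 'MernacajN'},
    {'employeeID': '12345'},  # no accountName: employeeID becomes RDN and sAMAccountName
]
CONTAINER = 'OU=Users,DC=Domain,DC=Com'
```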

August 19th, 2015 10:32am
