OU placement based on group membership
This may have been asked before, but I did not find it in my searches.

I have a setup where authoritative user information is being provided through an ADLDS instance - this includes both general user information as well as some specific groups (actually groupsofnames) which are used to determine user roles.

In both initial provisioning, as well as subsequent rename operations, I need to be able to reference which groups (currently a total of 8 possible) that a given user object is a member of and use that information to build the DN - specifically for determining which OU the account will be in.

The FIM configuration is in place and operating against an older authoritative datasource at this time using classic rules extensions for all of the provisioning and advanced import/export attribute flows.  This will most likely continue to be the case due to limitations with the declarative provisioning capabilities.  The existing code will be updated to reflect the new authoritative source as soon as I can figure out how to get the data needed from the group membership.

Thanks in advance.

-Jody
January 9th, 2015 5:23pm

Jodi,

For a sync-only solution like yours you might consider something like this:

https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2Fc%2Fb%2F3%2Fcb3e8ab9-d892-442e-b16a-51b54509fdc8%2FMIIS32_DC_GroupProv.doc

January 10th, 2015 12:55pm

Thanks Glenn.  I had been looking for that document.

I was hoping that there would be an alternative solution which did not require adding in another connector - especially since the data is available within the portal (and clearly within the MV).  But if this is the best alternative, I will work with it to come up with a solution.

January 14th, 2015 10:57am

Hi

I would use the ReplayMA written by Bob Bradley. You can use this MA to import group membership as a multivalue attribute. Bob has published the MA and a description of usage here:

https://unifysolutions.jira.com/wiki/pages/viewpage.action?pageId=16875654

Henry

January 19th, 2015 2:19pm

This topic is archived. No further replies will be accepted.
