FIM 2010 deprovisioning AD account in resource forest

    Question

  • Hi,

I am using only the sync engine of FIM 2010; it is configured to sync users between an account forest and a resource forest.

    I am struggling with the deprovisioning and hoping someone can help me out.  I have read other questions/answers on the forum about this subject and also 'understanding-deletions-in-ilm-2007' article, but I still can't get FIM to delete the resource account.

At the moment I have FIM disabling a user account and moving it to a 'pending deletion OU' when the user is moved to an OU called 'Disabled' in the account forest.  What I would like to do now is when an account is deleted from this OU, and only this OU, the account in the resource forest is also deleted.

    Can anybody share any pointers or even some code that will help me out?

    Many thanks...David

    Friday, July 12, 2013 2:37 PM

Answers

If I understand you correctly, you have your business logic in your provisioning code.

    If that's the case, I'd have some code along the lines of (pseudo code and not tested) -

    ConnectedMA resourceMA = mventry.ConnectedMAs["resourcead"];
    ConnectedMA accountforestMA = mventry.ConnectedMAs["accountad"];

    // deprovision
    if (resourceMA.Connectors.Count == 0 && accountforestMA.DN.ToString().EndsWith("our dn"))
    {
        accountforestMA.Deprovision();
    }

    In general, I like to NOT let FIM physically delete objects, but tend to put processes in place that take care of this - after data and such has been saved/archived - but that's just me :-)


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    • Proposed as answer by UNIFYBobMVP Monday, July 15, 2013 2:22 PM
    • Marked as answer by Longbridge158 Monday, July 22, 2013 1:29 PM
    Friday, July 12, 2013 2:48 PM

All replies

  • Also remember to have your resource MA set to either "delete on next export", or "rules extension" (whereby you specify the disconnector action in code).

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Monday, July 15, 2013 2:21 PM
Sorry for the delay - Yes, the business logic is in the provisioning code.

    I will give this a try, I assume it would go in the MV extension code rather than on the MA?

    David

    Friday, July 19, 2013 9:35 AM
Ok, I've added the code but had to make some changes to get it to compile.

If I delete a user in the account domain it's not deleted in the resource domain.  I know the answer must be staring me in the face but I can't see it!

Code:

    If resourceMA.Connectors.Count = 0 And mventry("AccountDN").Value.EndsWith("OU=Disabled Users,OU=MABBOTT-TEST,DC=contoso,DC=ext") Then
        csentry = resourceMA.Connectors.ByIndex(0)
        csentry.Deprovision()
    End If

    Friday, July 19, 2013 2:25 PM
  • Your test and deprovision actions are on the same MA (resource) ... don't you want to test one and deprovision the other?

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Friday, July 19, 2013 3:26 PM
Bob - So should the code read:

    If accountMA.Connectors.Count = 0 And mventry("AccountDN").Value.EndsWith("OU=Disabled Users,OU=MABBOTT-TEST,DC=contoso,DC=ext") Then
        csentry = resourceMA.Connectors.ByIndex(0)
        csentry.Deprovision()
    End If

    Monday, July 22, 2013 11:02 AM
  • Looks more like it.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Monday, July 22, 2013 12:58 PM
  • Yep..That was it, it's now working....

    Thanks for your help with this...

    David

    Monday, July 22, 2013 1:27 PM
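Putting the thread's two halves together as one added example (not David's, Soren's or Bob's code): the metaverse-side check that deprovisions the resource-forest connector only when the account-forest connector is gone and the last known DN was in the Disabled OU, plus the resource MA's Deprovision() rule Bob refers to, which deletes only objects already parked in the pending-deletion OU and leaves everything else as a disconnector. The MA names "accountad"/"resourcead", the "AccountDN" metaverse attribute and the pending-deletion OU DN are assumptions; the Disabled OU DN is the one from the thread.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// MV rules extension: decides WHEN the resource-forest connector is deprovisioned.
public class MVExtensionObject : IMVSynchronization
{
    // OU DN is from the thread; MA names "accountad"/"resourcead" follow Soren's pseudo code.
    const string DisabledOu = "OU=Disabled Users,OU=MABBOTT-TEST,DC=contoso,DC=ext";
    public void Provision(MVEntry mventry)
    {
        ConnectedMA accountMA = mventry.ConnectedMAs["accountad"];
        ConnectedMA resourceMA = mventry.ConnectedMAs["resourcead"];
        // "AccountDN" is an assumed MV attribute keeping the account-forest DN after the source is gone.
        if (resourceMA.Connectors.Count == 0 || !mventry["AccountDN"].IsPresent) return;
        string lastKnownDn = mventry["AccountDN"].Value;
        // Source account deleted (no connector left) AND last seen in the Disabled OU, and only that OU:
        // disconnect the resource connector; the resource MA's Deprovision() then decides its fate.
        if (accountMA.Connectors.Count == 0 &&
            lastKnownDn.EndsWith(DisabledOu, StringComparison.OrdinalIgnoreCase))
        {
            resourceMA.Connectors.ByIndex(0).Deprovision();
        }
    }
    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
}

// Resource MA rules extension (Bob's "rules extension" option): decides WHAT happens to
// the disconnected object. Only accounts already parked in the pending-deletion OU are deleted.
public class MAExtensionObject : IMASynchronization
{
    const string PendingDeletionOu = "OU=PENDING-DELETION-OU-PLACEHOLDER,DC=contoso,DC=ext"; // placeholder
    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        if (csentry.DN.ToString().EndsWith(PendingDeletionOu, StringComparison.OrdinalIgnoreCase))
            return DeprovisionAction.Delete;
        return DeprovisionAction.Disconnect; // keep the AD object; archive/review it first
    }
    // Remaining interface members are not used by this extension.
    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

For the MA half to take effect, the resource MA's deprovisioning option must be set to "Determine with a rules extension", as Bob notes; with "Make them disconnectors" the Deprovision() method is never consulted.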