FIM2010 AD provisioning

    Question

  • Hello, 

    Is there a manner to know if a user was successfully provisioned in AD or not? I want to put a flag in the FIM portal if the provisioning is OK.

    Any ideas?

    Wednesday, September 11, 2013 3:10 PM

All replies

  • I usually create a new metaverse attribute and then flow a "true" value there via a constant attribute flow.

    If the account is in AD, then the value will get brought in on the import. Otherwise, it won't see it to import it.

    You could do an advanced attribute flow rule if you wanted to check things like if the account is enabled, has a mailbox, etc. Just be sure the AD MA is the only one flowing to that attribute.

    HTH.

    Sami

    Wednesday, September 11, 2013 5:05 PM
  • We also use such a constant flow from AD, called IsInAD, like we do in other systems (e.g. HR). This also speeds up problem solving with accounts in the MV when you do searches.

    In addition, for sending mail on new account creation, we use the objectSID attribute and trigger a workflow when this attribute changes, which in normal cases happens only once in the lifetime of that account.

    Regards

    Peter


    Peter Stapf - Doeres AG - http://www.doeres.com

    Wednesday, September 11, 2013 5:09 PM
  • You could also use Expected State Detection

    Understanding Expected State Detection

    Thursday, September 12, 2013 6:29 AM
  • Let me explain my case:

    For example, I create a user in FIM. When I run DI and DS on the FIM MA, suppose I get an error.

    How could I update the flag to mark that the AD provisioning failed, in order to send a notification mail to the manager?

    If I do something like this, it doesn't make sense if there is an error in the synchronization cycle in the FIM MA run profile.

     

    AD EXTENSION

        Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
            ' Set the flag from the number of connectors the MV object has in the AD MA.
            If mventry.ConnectedMAs("MA Active Directory").Connectors.Count < 1 Then
                mventry("flag").Value = "0"
            ElseIf mventry.ConnectedMAs("MA Active Directory").Connectors.Count > 0 Then
                mventry("flag").Value = "1"
            End If
        End Sub



    Thursday, September 12, 2013 7:41 AM
  • Hi,

    I think that could be done with Expected State Detection, but I don't have an exact solution currently.

    Another possible way could be to catch AD provisioning exceptions in the provisioning code and send mail from within there. But you should create some sort of flag (maybe a file) to set if an error mail was already sent, otherwise a mail will be sent on every retry of the provisioning on the next sync schedule.

    Last but not least, you could provision all users to a SQL MA with a flag if AD provisioning has failed and do the mail sending with SQL jobs. A colleague told me that he once read about this best practice in a blog, but could not remember the URL.

    Regards
    Peter


    Peter Stapf - Doeres AG - http://www.doeres.com

    Thursday, September 12, 2013 12:46 PM
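
A sketch of the second option in the reply above (catch the exception in the provisioning code, mail once, and use a per-object marker file so sync retries do not mail again), added here as an example and not code from anyone in the thread. It assumes the FIM Sync `Microsoft.MetadirectoryServices` assembly; the marker folder, target OU, `accountName` attribute, SMTP host and mail addresses are placeholders.

```vbnet
Imports System
Imports System.IO
Imports System.Net.Mail
Imports Microsoft.MetadirectoryServices

Public Class MVExtensionObject
    Implements IMVSynchronization

    Private Const AdMaName As String = "MA Active Directory"          ' MA name used in the thread
    Private Const MarkerDir As String = "C:\FIMSync\ProvisionErrors"  ' assumed folder
    Private Const TargetOu As String = "OU=Users,DC=example,DC=com"   ' placeholder container

    Public Sub Initialize() Implements IMVSynchronization.Initialize
        Directory.CreateDirectory(MarkerDir)
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
    End Sub

    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean Implements IMVSynchronization.ShouldDeleteFromMV
        Return False
    End Function

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        If mventry.ObjectType <> "person" Then Return
        Dim adMA As ConnectedMA = mventry.ConnectedMAs(AdMaName)
        Dim marker As String = Path.Combine(MarkerDir, mventry.ObjectID.ToString() & ".failed")
        If adMA.Connectors.Count > 0 Then
            File.Delete(marker)   ' connector exists: clear any earlier failure marker
            Return
        End If
        Try
            Dim cs As CSEntry = adMA.Connectors.StartNewConnector("user")
            cs.DN = adMA.EscapeDNComponent("CN=" & mventry("accountName").Value).Concat(TargetOu)
            cs.CommitNewConnector()
        Catch ex As Exception
            ' Mail only on the first failure; the marker is written after a successful send.
            If Not File.Exists(marker) Then
                SendFailureMail(mventry, ex)
                File.WriteAllText(marker, Date.UtcNow.ToString("o") & " " & ex.Message)
            End If
            Throw   ' rethrow so the error still shows in the sync run history
        End Try
    End Sub

    Private Sub SendFailureMail(ByVal mventry As MVEntry, ByVal ex As Exception)
        Dim client As New SmtpClient("smtp.example.com")   ' placeholder relay
        client.Send("fim-sync@example.com", "manager@example.com", "AD provisioning failed: " & mventry.ObjectID.ToString(), ex.Message)
    End Sub
End Class
```

The marker folder should be writable only by the synchronization service account, since anyone who can create or delete files there can suppress or re-trigger the notification.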