Changing a user's OU
-
Friday, January 04, 2013 2:17 PM
After following this guide I am successfully flowing users from an SQL database to AD.
In step 6 of the guide, where the AD Outbound SR is created, the guide specifies "Important: Verify that you have selected Initial Flow Only for the attribute flow that has the DN as the destination.".
My problem is that the users' OUs need to change based on their age; if a user's OU is set as initial flow only, how do I go about changing their OU at a later date? I've tested without ticking initial flow only and it does appear to work as I want it to but is there a reason I shouldn't be doing this?
Any advice would be much appreciated.
- Edited by FIM-EN Friday, January 04, 2013 2:39 PM
All Replies
-
Friday, January 04, 2013 4:01 PM
Set up another synchronization rule, or a flow in the same rule, which will update the user DN based on your requirements. If this is based on well-defined criteria like age, I would probably create some sets and a set of sync rules that update the DN, and assign users to the appropriate sync rules when they enter the appropriate set.
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
-
Saturday, January 05, 2013 7:59 AM
Well, initial flow is important. When you are provisioning (creating new users), it is ONLY used with provisioning, as the DN is absolutely needed when you are provisioning users.
You should always have an initial flow for the DN attribute.
In ADDITION to that, as Tomasz suggested, create another similar attribute flow to the DN.
So in the end you will have two (2) similar attribute flows to the DN attribute, one with the initial flow and one without the initial flow.
That should do it.
- Marked As Answer by FIM-EN Monday, January 07, 2013 12:16 PM
-
Monday, January 07, 2013 10:11 AM
For subsequent attribute flow of the DN, create a new flow, probably using the age variable in the DN, and do not configure the flow as initial only.
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
-------------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
-------------------------------------------------------------------------------------------------------
################# Jorge's Quest For Knowledge ###############
###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ #####
#### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ ####
-------------------------------------------------------------------------------------------------------
- Marked As Answer by FIM-EN Monday, January 07, 2013 12:15 PM
-
Monday, January 07, 2013 10:25 AM
Thanks to everyone for the replies.
Going by what you say here Jorge, I would have a sync rule with two flows into DN, one ticked as initial and one not ticked as initial. Should the DN with initial flow ticked be to a static OU rather than one dictated by a user's age?
-
Monday, January 07, 2013 11:29 AM
>>>>I would have a sync rule with two flows into DN, one ticked as initial and one not ticked as initial
Correct!
>>>>Should the DN with initial flow ticked be to a static OU rather than one dictated by a user's age?
Both flows can be static or based upon some variable. It does not matter, as long as the DN path exists in AD.
You can have the initial flow for the DN to include the age variable if you want.
Cheers,
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
- Marked As Answer by FIM-EN Monday, January 07, 2013 12:15 PM
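The two-flow arrangement discussed above, modelled in Python as an added example that is not part of the original thread and is not FIM code: initial-only flows apply only when the account is provisioned, while a persistent flow re-evaluates the DN on later syncs and moves the user. The domain `DC=example,DC=com`, the OU names `Minors`/`Adults`, the age threshold and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

BASE_DN = "DC=example,DC=com"  # constructed domain, not from the thread

def escape_rdn(value: str) -> str:
    """Escape an RDN value per RFC 4514 so names like 'Doe, Jane' stay one component."""
    out = "".join("\\" + c if c in '",+;<>\\' else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def ou_for_age(age: int) -> str:
    """Hypothetical age buckets; both OUs are assumed to exist in AD already."""
    return "Minors" if age < 18 else "Adults"

def build_dn(user: dict) -> str:
    return f"CN={escape_rdn(user['name'])},OU={ou_for_age(user['age'])},{BASE_DN}"

@dataclass
class DnFlow:
    initial_only: bool  # True = the "Initial Flow Only" box is ticked

def sync(user: dict, directory: dict, flows: list) -> str:
    """Apply the DN flows for one sync cycle; directory maps user id -> current DN."""
    dn = build_dn(user)
    if user["id"] not in directory:
        # Provisioning: a DN is mandatory, and every DN flow applies.
        if not flows:
            raise ValueError("cannot provision without a DN flow")
        directory[user["id"]] = dn
        return "provisioned"
    # Later syncs: initial-only flows are skipped, persistent flows still run.
    if any(not f.initial_only for f in flows) and directory[user["id"]] != dn:
        directory[user["id"]] = dn  # a DN change is a rename/move in AD
        return "moved"
    return "unchanged"

def demo() -> list:
    """Constructed sample: a user turns 18 between sync cycles."""
    directory, user = {}, {"id": 1, "name": "Doe, Jane", "age": 17}
    results = [sync(user, directory, [DnFlow(True)])]
    user["age"] = 18
    results.append(sync(user, directory, [DnFlow(True)]))                 # stays in Minors
    results.append(sync(user, directory, [DnFlow(True), DnFlow(False)]))  # moves to Adults
    return results + [directory[1]]
```

With only the initial flow the account stays in its original OU after the age changes, so any policy or delegation scoped to the OU no longer matches the user's attributes.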
-
Monday, January 07, 2013 12:16 PM
Many thanks!
-
Monday, January 07, 2013 12:25 PM
You're welcome
No problem
Cheers,
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
-
Tuesday, January 08, 2013 9:02 AM
I wouldn't entirely agree with Jorge on the DN path exists matter; even if the OUs are not there, and you are using the Configure Provisioning Hierarchy, the OUs will be created automatically.
-
Tuesday, January 08, 2013 11:46 AM
Thanks. There are only a limited number of OUs in this case so they do all exist already but I will look into Provisioning Hierarchy, it's something I've not really touched on that may prove useful some day. Would you suggest that it's a good idea to configure OU -> OrganizationalUnit in provisioning hierarchy?
-
Tuesday, January 08, 2013 12:07 PM
Yes, that's what I usually do. And it always creates the OU if it doesn't exist.
-
Tuesday, January 08, 2013 12:11 PM
Sounds like a good plan then. Thank you.
-
Tuesday, January 08, 2013 12:13 PM
Most Welcome
-
Tuesday, January 08, 2013 1:58 PM
Only if you want FIM to create the OU when these do not exist. It is not a bad/best practice; just enable it if you want/need it.
Cheers,
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

