Disable a user from AD

  • Question

  • Hi everyone!!

    I have the following scenario:

    SQL MA

    AD MA

    FIM MA.

    I have to disable an AD user account when a user in SQL Server disappears (is deleted): disable it and then forget about it.

    I implemented the Deprovision() method so that it looks something like this:

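    long userAccountControl = 512; // ADS_UF_NORMAL_ACCOUNT

    // Start from the account's current flags when the attribute is present
    if (csentry["userAccountControl"].IsPresent)
        userAccountControl = csentry["userAccountControl"].IntegerValue;

    userAccountControl = userAccountControl | 2; // ADS_UF_ACCOUNTDISABLE

    // userAccountControl is an integer attribute, so assign it through IntegerValue
    csentry["UserAccountControl"].IntegerValue = userAccountControl;

    return DeprovisionAction.Disconnect;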

    but my user in AD is still enabled.

    Do you have any idea?

    Thanks in advance,

    Friday, June 22, 2012 2:56 PM

Answers

  • Really sorry - it's late and I am having real trouble understanding what you are saying.  It sounds like you need to implement a very standard scenario, so I suggest you search this forum for recent posts on exactly this subject.  Your scenario should be a variation on a standard one.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Friday, June 22, 2012 3:31 PM

All replies

  • This seems to be a duplicate of this post here???

    http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4e7c4f1b-def7-437e-975e-0f117b1475d2/


    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Friday, June 22, 2012 3:00 PM
  • Yesterday, my colleague brought up the scenario and implemented the suggestion, but disallow the user from AD, and that is why I come back to ask for help. Thanks in advance.
    Friday, June 22, 2012 3:04 PM
  • Why do you want to disconnect your AD user from the metaverse?  If you do that, and leave a disconnector in your AD connector space, then you run the risk of creating another account with the same login name at some point in the future ... far better to retain a connector in all cases and that way avoid potential sync errors later on.

    If you really do want to disconnect your user object in AD (e.g. you're worried about paying CALs for disabled accounts in FIM) then try implementing an object deletion rule on your SQL MA.  If your AD MA is set with deprovisioning to "determine from rules extension" then your above code will fire before disconnect, and the next export run will update your AD account.  You will have to work out what you are going to do with your user account in the FIM Portal ... you may choose to simply delete on next export ... but chances are you're going to have more complex rules than that.

    My preference remains not to disconnect.


    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Friday, June 22, 2012 3:14 PM
  • What I try to do is when you delete a user account in AD in the status attribute pass from active to inactive. A scenario of what I try to do is when an employee is fired and the aim is that your account in AD is inactive. Thanks.
    Friday, June 22, 2012 3:26 PM
  • Thank you very much and good day
    Friday, June 22, 2012 3:35 PM