Disable AD account when a user was deleted

  • Question

  • Hi everyone,

    I have the following scenario:

    SQL MA

    AD MA

    FIM MA.

    I have to disable an AD user account when a user in SQL Server disappears (is deleted), but I don't know how to configure this.

    Do you have any idea?

    Thanks in advance,

    Monday, June 18, 2012 6:47 PM

Answers

  • Hi-

    So you're going to want to do a couple of things:

    • Set the Metaverse Object Deletion Rule on person objects to be deleted when the connector in the SQL MA disappears.
    • Set your FIM MA's deprovisioning action to Stage a Delete on Next Export
    • Set your AD MA's deprovisioning action to use a rules extension

    In your AD MA rules extension, you'll want to implement the Deprovision() method so that it looks something like this:

    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    {
        long userAccountControl = 512; // ADS_UF_NORMAL_ACCOUNT

        // Keep whatever flags the account already has; only fall back to 512 when
        // the attribute is not present in the connector space entry.
        if (csentry["userAccountControl"].IsPresent)
            userAccountControl = csentry["userAccountControl"].IntegerValue;

        userAccountControl = userAccountControl | 2; // ADS_UF_ACCOUNTDISABLE

        // userAccountControl is a numeric attribute: set IntegerValue rather than
        // assigning a long to the string Value property (which does not compile).
        csentry["userAccountControl"].IntegerValue = userAccountControl;

        return DeprovisionAction.Disconnect;
    }


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Proposed as answer by Pieter de Loos Tuesday, June 19, 2012 12:25 PM
    • Marked as answer by Axlrod86 Friday, June 22, 2012 8:07 PM
    Monday, June 18, 2012 10:01 PM
    Moderator
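    The bit handling in the Deprovision() sample is easy to get wrong (writing a fixed 514 wipes every other flag on the account), so here is an added Python model of that logic, not code from the thread or from FIM, that can be checked before anything is compiled into a rules extension. The dict entries stand in for csentry["userAccountControl"] and the string "Disconnect" stands in for DeprovisionAction.Disconnect; the flag values are the standard ADS_USER_FLAG constants.

```python
# Added example: models the userAccountControl handling of the Deprovision() sample.
# csentry is a plain dict here (constructed stand-in for the FIM CSEntry object).

# Standard ADS_USER_FLAG bit values for the AD userAccountControl attribute.
UAC_FLAGS = {
    "SCRIPT": 0x1,
    "ACCOUNTDISABLE": 0x2,
    "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20,
    "NORMAL_ACCOUNT": 0x200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "PASSWORD_EXPIRED": 0x800000,
}

ADS_UF_NORMAL_ACCOUNT = UAC_FLAGS["NORMAL_ACCOUNT"]  # 512
ADS_UF_ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]  # 2


def deprovision(csentry):
    """Mirror of the rules-extension sample: use the current value if present,
    default to a normal account otherwise, set the disable bit, then disconnect.
    Returns (new userAccountControl, deprovision action)."""
    uac = csentry.get("userAccountControl", ADS_UF_NORMAL_ACCOUNT)
    uac |= ADS_UF_ACCOUNTDISABLE  # OR, not assignment: existing flags survive
    csentry["userAccountControl"] = uac
    return uac, "Disconnect"


def decode_uac(value):
    """Names of the flags set in a userAccountControl value (for checking an export)."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def disabled_flags_preserved(before, after):
    """Post-run check: the account is disabled and no other flag was clobbered."""
    disabled = bool(after & ADS_UF_ACCOUNTDISABLE)
    others_kept = (before & ~ADS_UF_ACCOUNTDISABLE) == (after & ~ADS_UF_ACCOUNTDISABLE)
    return disabled and others_kept


if __name__ == "__main__":
    # Constructed sample: normal account with a non-expiring password (512 | 65536).
    entry = {"userAccountControl": 66048}
    new_uac, action = deprovision(entry)
    print(new_uac, action, sorted(decode_uac(new_uac)))
```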

All replies

  • Do you want FIM to continue to manage the AD account, or just disable it and then forget about it?


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Monday, June 18, 2012 7:10 PM
    Moderator
  • Hi Brian,

    Disable it and then forget about it.

    Thanks in advance.

    Monday, June 18, 2012 9:57 PM
  • Thanks a lot Brian. In a few minutes I'll try it.

    Wednesday, June 20, 2012 3:21 PM
  • Hi Brian,

    Axlrod86 (workmate of mine) told me that the procedure you suggested didn't work. I think there's an "else sentence" missing but that's just me :)

    Do you have any other suggestions?

    Friday, June 22, 2012 4:48 PM
  • What part didn't work? There's no 'else' clause necessary in the sample code.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, June 22, 2012 5:01 PM
    Moderator
  • Hi Brian,

    I had an issue in my "Object Deletion Rule"; I solved it and everything works perfectly.

    Thanks a lot for the code.

    Friday, June 22, 2012 8:06 PM
  • Hi Axldex,

    I am new and have just started working on FIM. I would appreciate it if you let me know how you did that. I need to do exactly the same but I don't know how and where to use this script, and as you mentioned, please correct the script as well.

    Regards

    Wednesday, June 18, 2014 3:31 AM
  • Hi Brian,

    Thank you for such a great post, however I could make it. I am new and have just started working on FIM. I would appreciate it if you let me know how you did that. I need to do exactly the same but I don't know how and where to use this script, and as you mentioned, please correct the script as well. I have done the following:

    • Set the Metaverse Object Deletion Rule on person objects to be deleted when the connector in the SQL MA disappears.
    • Set your FIM MA's deprovisioning action to Stage a Delete on Next Export
    • Set your AD MA's deprovisioning action to use a rules extension

    But I don't know how to work with the script you have written. I would appreciate your help.

    Thx

    Wednesday, June 18, 2014 10:46 PM
  • Without wanting to appear harsh Stestman - if you can't follow these instructions you shouldn't be implementing deletion rules. If you do it wrong you could inadvertently delete your entire AD user population. I assume you are doing this in a lab environment (please don't try it in live until you know what you are doing), so spend some time reading about FIM and following some of the lab guides on TechNet until you are familiar enough with FIM to be able to implement Brian's solution.
    Thursday, June 19, 2014 8:56 AM
  • Thanks everyone for the solution. The above was not working for me because the code was not complete. I am not a developer and didn't figure out the syntax; however, my colleague helped me to correct the code. Here is the complete code; the missing part is marked with underline:

    long userAccountControl = 512; // ADS_UF_NORMAL_ACCOUNT

    if (csentry["userAccountControl"].IsPresent)
        userAccountControl = csentry["userAccountControl"].IntegerValue;

    userAccountControl = userAccountControl | 2; // ADS_UF_ACCOUNTDISABLE

    // Value is a string property, so the numeric result is converted with ToString().
    csentry["UserAccountControl"].Value = userAccountControl.ToString();

    return DeprovisionAction.Disconnect;


    Regards
    Sarwar

    Wednesday, June 25, 2014 12:36 AM