Provision FIM Users to different OUs depending on OU Description

  • Question

  • Hello,

    I have some users in the FIM Portal and I wonder if the below is applicable or not:

    User1:

    First Name: User

    Last Name: One

    Department = 10

    User2:

    First Name: User

    Last Name: Two

    Department = 20

    and in Active Directory I have the OUs:

    IT

    Description = 10

    Sales

    Description = 20

    Can I sync the mentioned users in the FIM Portal into Active Directory, where each user will go under its corresponding OU depending on (Department --> OU description)? (User One --> IT OU, User Two --> Sales OU)


    Note: I have multiple OU levels with more than 100 OUs.

    Thanks.


    Mohamad Chahla



    Tuesday, October 22, 2013 1:23 PM

All replies

  • Hello,

    This seems very similar to this article: http://social.technet.microsoft.com/Forums/en-US/93f7c2ca-b79d-48b0-a851-1a3977e84966/how-to-provision-users-to-specific-ad-ou-depending-on-location?forum=ilm2

    but in this particular case I would do the following.

    - Determine the correct OU by using a Set/Workflow combination.

    - Workflow using a PowerShell Activity to do an AD search for the correct OU name/path, depending on the Description value.

    - Use this value as a Workflow Parameter variable in the SyncRule.

    So I think you will need only a few workflows instead of creating them statically in the Portal for all the OUs.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Tuesday, October 22, 2013 1:56 PM
  • Hi,

    Yes, you can do this. First of all I need to confirm that all users have a Department value which is equal to an OU description value.

    If this is the case you can do it in three ways, and you don't have to use the OU description field.

    1) Create different criteria-based sets based on the users' department and create different MPRs to provision them to different OUs.

    2) If you want to use only one MPR then you can create a custom expression for DN which will be like:

          IIF(Eq(Department,10), IT_OU , IIF(Eq(Department,20), Sales_OU, "Add all OU conditions here"))-->dn

    3) You can create a source rule extension in which you put the OU values directly into a custom MV attribute (i.e. OU_MOVE) based on the user's department and then map it to "dn":

                                        OU_MOVE-->dn

    I hope this will help you.

    Thanks & Regards,

    Giriraj Singh


    Thanks~ Giriraj Singh Bhamu

    Tuesday, October 22, 2013 2:02 PM
    Are there any links that may help to apply your suggested solution?

    - Workflow using a PowerShell Activity to do an AD search for the correct OU name/path, depending on the Description value.

    Regards,


    Mohamad Chahla

    Wednesday, October 23, 2013 8:58 AM
    Thanks for your reply, but options 1 and 2 that you mentioned are not applicable; what if I have more than 100 OUs!!!

    Option 3: do you mean that I have to manually input the DN of each OU to accomplish this? Can you write more details please.

    Regards,


    Mohamad Chahla

    Wednesday, October 23, 2013 9:02 AM
  • Hello,

    I think there is no link on how to completely do this; that's how I would try to do this to avoid entering all OU names manually in Sets, code or IIFs.

    Here is some additional information:

    - Create a WorkflowParameter (type String) which later holds the OU name for the workflow which creates the SyncRule-ERE.

    - Add a FunctionEval activity to the workflow which creates the SyncRule-ERE, and set the target object's Department value as a WorkflowData value to pass it to the next activity.

    - Add a PowerShell Activity to the workflow which creates the SyncRule-ERE as the first step.

    - Do a search for the OU using Get-ADOrganizationalUnit with Filter Description -eq $fimwf.WorkflowDictionary.YourDescriptionValueHere.

    - Give the name of the OU found back to the WorkflowData to use it in SyncRules as a Workflow Parameter.

    - Use the WorkflowParameter variable created in the first step to create the DN.

    Hope this helps.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Wednesday, October 23, 2013 9:45 AM
  • Hi,

    For Option 3: No, you do not need to put in all DNs manually. All you have to do is get the csentry attribute Department for users and use this value to search for the OU in AD using a filter (to make the search faster, i.e. Description = "10"). Now retrieve the DN value for that OU and assign it to the OU_MOVE attribute.

    That's it, and I am very sure it is fast because of the filter. For code you can search for an article. If you need any more help in coding let me know. I hope this will clear your doubt about the solution.


    Thanks~ Giriraj Singh Bhamu

    Wednesday, October 23, 2013 12:54 PM
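The lookup that both Peter's step list (PowerShell activity) and Giriraj's option 3 (rules extension) rely on, written out as an added example; this is not code from either poster or from the thread, and the same logic could be ported to a C# rules extension with System.DirectoryServices. It assumes the ActiveDirectory module is available where the script runs, that OU Descriptions are meant to be unique per department (a duplicate is treated as an error rather than resolved by taking the first hit), and that the -FallbackOU parameter, the 'DC=contoso,DC=com' search base and the WorkflowDictionary key names in the trailing comment are hypothetical. The two escaping helpers are the part a practitioner would want that neither post mentions: Department and the name attributes come out of the Portal, so they are treated as untrusted when they are placed into an LDAP filter or a DN.

```powershell
# Added example, not code from the thread. Resolve the target OU for a user
# by searching AD for an OU whose Description equals the user's Department,
# then build the user's DN from that OU.
#
# Assumptions not stated in the thread:
#   - The ActiveDirectory module is installed where the script runs.
#   - OU Descriptions are unique per department; duplicates are an error.
#   - -FallbackOU (hypothetical) is a holding OU for departments with no match.

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Department comes from the FIM Portal and may be
    # editable by the user; unescaped, a value such as "10)(description=*"
    # would widen the filter to every OU. Backslash is escaped first.
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29' `
                   -replace "`0", '\00')
}

function ConvertTo-DnComponentValue {
    # RFC 4514 escaping for an RDN value, so a surname such as
    # "One,OU=Admins" cannot push the object into a different container.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\\'          # \  ->  \\
    $v = $v -replace '([,+"<>;=])', '\$1'    # , + " < > ; =  ->  \x
    $v = $v -replace '^([# ])', '\$1'        # leading # or space
    $v = $v -replace ' $', '\ '              # trailing space
    return $v
}

function Get-TargetOUDistinguishedName {
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'DC=contoso,DC=com' (assumed)
        [string]$FallbackOU                           # hypothetical holding OU
    )
    $escaped = ConvertTo-LdapFilterValue -Value $Department
    $filter  = "(&(objectClass=organizationalUnit)(description=$escaped))"

    # Subtree scope, because the asker has several OU levels.
    $found = @(Get-ADOrganizationalUnit -LDAPFilter $filter `
                                        -SearchBase $SearchBase `
                                        -SearchScope Subtree)
    switch ($found.Count) {
        1 { return $found[0].DistinguishedName }
        0 {
            if ($FallbackOU) { return $FallbackOU }
            throw "No OU has Description '$Department'"
        }
        default {
            # Two OUs sharing a Description: refuse to guess, because the OU
            # decides which GPOs and delegated rights apply to the account.
            $list = $found.DistinguishedName -join '; '
            throw "Description '$Department' matches $($found.Count) OUs: $list"
        }
    }
}

function New-UserDistinguishedName {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$ParentOU
    )
    $cn = ConvertTo-DnComponentValue -Value "$FirstName $LastName"
    return "CN=$cn,$ParentOU"
}

# Inside the PowerShell activity the Department value arrives through the
# workflow dictionary as in Peter's step list; the key names below are
# assumed. The returned OU DN is what the sync rule's DN expression uses.
# $ou = Get-TargetOUDistinguishedName -Department $fimwf.WorkflowDictionary['Department'] `
#                                     -SearchBase 'DC=contoso,DC=com'
# $dn = New-UserDistinguishedName -FirstName $fimwf.WorkflowDictionary['FirstName'] `
#                                 -LastName  $fimwf.WorkflowDictionary['LastName'] `
#                                 -ParentOU  $ou
```

With the thread's sample data, a Department of 10 resolves to the DN of the IT OU and 20 to the Sales OU; a Department with no matching Description throws (or lands in the holding OU if one is given), and a Description that appears on two OUs throws with both DNs listed so the duplicate can be fixed in AD instead of silently provisioning into one of them. In a rules extension the same three outcomes map to setting OU_MOVE, leaving it unset, and raising an exception from the extension.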
  • Hello,

    Giriraj Singh's solution/thoughts are the same; you have to decide if you want to do that either in a code extension or as a PowerShell activity.

    In addition you can still achieve the same by writing your own workflow activity, but I think this is much harder to learn than a code extension or PowerShell.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Wednesday, October 23, 2013 1:06 PM
  • Hi,

    I do agree with Peter, but if you are familiar with workflow activities then creating your own workflow activity is the best solution in terms of both performance and efficiency.


    Thanks~ Giriraj Singh Bhamu

    Wednesday, October 23, 2013 1:26 PM
  • This might help:

    http://blogs.technet.com/b/doittoit/archive/2009/05/20/introducing-hierarchal-provisioning.aspx

    Hot Lam!


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Wednesday, October 23, 2013 9:47 PM