AD rule extension coding

  • Question

  • Actually, I have code written by one of my friends, but I don't understand it completely. Either you can give me a detailed description of the code below, or please write code so that I can understand it in a simple way.

    All I need is the following to happen, at least the first two:

    1. When expiry date + 1 day equals today's date, the user moves to the inactive container.

    2. When expiry date is set to > today's date, the user moves to the staff container.

    3. Optional: according to the email format, the user should move to the appropriate group, like

                id = o****** moves to office group
                     c****** moves to cleaners group
                     p****** moves to personal group

    Send me code with basic explanations. Thanks for replying.

    Imports System
    Imports System.Data
    Imports System.Data.SqlClient
    Imports Microsoft.MetadirectoryServices

    ' The post begins mid-listing; the class header (name assumed) and the empty
    ' Initialize/Terminate members that IMVSynchronization requires are restored here.
    Public Class MVExtensionObject
        Implements IMVSynchronization

        Public Sub Initialize() Implements IMVSynchronization.Initialize
        End Sub

        Public Sub Terminate() Implements IMVSynchronization.Terminate
        End Sub

        ' Called by the sync engine for each metaverse object: decides whether an AD
        ' connector must be created and in which container the object should live.
        Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
            Dim ManagementAgent As ConnectedMA
            Dim Connectors As Integer
            Dim DN As ReferenceValue
            Dim DN1 As ReferenceValue
            Dim Container As String
            Dim Container1 As String
            Dim RDN As String
            Dim csentry As CSEntry
            Dim cnForObject As String
            Dim cnForDifferentContainer As String

            ManagementAgent = mventry.ConnectedMAs("AD_MA")
            Connectors = ManagementAgent.Connectors.Count
            Container1 = "ou=inactive,dc=admin,dc=yahoo,dc=co,dc=in"        ' expired users
            Container = "ou=localuser Users,dc=admin,dc=yahoo,dc=co,dc=in"  ' default for active users
            cnForObject = mventry("CnAD").Value
            RDN = "CN=" & cnForObject
            cnForDifferentContainer = mventry("employeeID").Value

            ' An active user goes to the container looked up from employeeID when the
            ' lookup returns one, otherwise to the default container. DN1 is the
            ' inactive location used once the account has expired.
            Dim ContainerNew As String = check_DomainNames(cnForDifferentContainer)
            If String.IsNullOrEmpty(ContainerNew) Then
                DN = ManagementAgent.EscapeDNComponent(RDN).Concat(Container)
            Else
                DN = ManagementAgent.EscapeDNComponent(RDN).Concat(ContainerNew)
            End If
            DN1 = ManagementAgent.EscapeDNComponent(RDN).Concat(Container1)

            If 0 = Connectors Then
                ' No AD account yet: create one only while the expiry date is in the future.
                If mventry("expiryDate").IsPresent Then
                    If Convert.ToDateTime(mventry("expiryDate").Value) > DateTime.Now Then
                        csentry = ManagementAgent.Connectors.StartNewConnector("user")
                        csentry.DN = DN
                        csentry("unicodePwd").Values.Add("{crypt}Not__Assigned")
                        csentry("userAccountControl").Values.Add(512)   ' NORMAL_ACCOUNT, enabled
                        csentry.CommitNewConnector()
                    End If
                End If
            ElseIf 1 = Connectors Then
                ' Existing AD account: assigning a new DN makes the AD MA move the object on export.
                csentry = ManagementAgent.Connectors.ByIndex(0)
                If mventry("expiryDate").IsPresent Then
                    If Convert.ToDateTime(mventry("expiryDate").Value) < DateTime.Now Then
                        csentry.DN = DN1   ' expired: move to the inactive OU
                    ElseIf Convert.ToDateTime(mventry("expiryDate").Value) > DateTime.Now Then
                        csentry.DN = DN    ' still valid: (back) to the active container
                    End If
                End If
            Else
                Dim ExceptionMessage As String
                ExceptionMessage = "Multiple Connectors on Management Agent"
                Throw New UnexpectedDataException(ExceptionMessage)
            End If
        End Sub

        Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean Implements IMVSynchronization.ShouldDeleteFromMV
            ' TODO: Add MV deletion code here
            Throw New EntryPointNotImplementedException()
        End Function

        ' Looks up a target container DN for users whose sAMAccountName starts with s.
        ' The lookup table is a custom "containerDetails" table inside the sync engine's own database.
        Private Function check_DomainNames(ByVal s As String) As String
            Dim myMMSConnectionString As String = "Initial Catalog=MicrosoftIdentityIntegrationServer;Data Source=localhost;Integrated Security=SSPI;connect timeout=5000;"
            Dim Container As String = ""

            ' Using blocks close the connection and reader even when an exception is thrown.
            Using myMMSConnection As New SqlConnection(myMMSConnectionString)
                myMMSConnection.Open()
                ' The prefix is bound as a parameter rather than concatenated into the SQL text,
                ' so the employeeID value can never change the shape of the query (SQL injection).
                Dim mySelectQuery As String = "select dn from containerDetails where sAMAccountName like @prefix"
                Using myCommand As New SqlCommand(mySelectQuery, myMMSConnection)
                    myCommand.CommandTimeout = 0   ' must be set before ExecuteReader to take effect
                    myCommand.Parameters.Add("@prefix", SqlDbType.NVarChar, 256).Value = s & "%"
                    Using myMMSReader As SqlDataReader = myCommand.ExecuteReader()
                        ' Keep the last non-empty dn returned.
                        While myMMSReader.Read()
                            If Not myMMSReader.IsDBNull(0) AndAlso myMMSReader.GetString(0) <> "" Then
                                Container = myMMSReader.GetString(0)
                            End If
                        End While
                    End Using
                End Using
            End Using
            Return Container
        End Function
    End Class
    Thursday, November 4, 2010 1:17 PM
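    As an added example (not the poster's or their friend's code), the three rules from the question written as small helpers plus a Provision that applies the first two; the namespace, the "AD_MA" name, the attribute names and the inactive OU follow the posted code, while the class name and the staff OU path are assumed. The question leaves the expiry day itself undefined, so IsExpired treats it as still active; GroupForId only resolves the group name for rule 3, since adding the user to a group is a member-attribute flow on the group object that this example does not include.

```vbnet
Imports System
Imports Microsoft.MetadirectoryServices

Public Class ExpiryProvisioning
    Implements IMVSynchronization

    ' OU paths: the inactive one is from the question, the staff one is assumed.
    Private Const InactiveOU As String = "ou=inactive,dc=admin,dc=yahoo,dc=co,dc=in"
    Private Const StaffOU As String = "ou=staff,dc=admin,dc=yahoo,dc=co,dc=in"

    ' Rule 1: from expiryDate + 1 day onwards the user is inactive; rule 2: while expiryDate
    ' > today the user is staff. The expiry day itself fits neither rule and counts as active.
    Public Shared Function IsExpired(ByVal expiry As Date, ByVal today As Date) As Boolean
        Return today.Date >= expiry.Date.AddDays(1)
    End Function

    ' Rule 3: the first letter of the ID selects the group (o/c/p); Nothing for anything else.
    Public Shared Function GroupForId(ByVal id As String) As String
        If String.IsNullOrEmpty(id) Then Return Nothing
        Select Case Char.ToLowerInvariant(id(0))
            Case "o"c : Return "office"
            Case "c"c : Return "cleaners"
            Case "p"c : Return "personal"
            Case Else : Return Nothing
        End Select
    End Function

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        If Not mventry("expiryDate").IsPresent OrElse Not mventry("CnAD").IsPresent Then Return
        Dim ma As ConnectedMA = mventry.ConnectedMAs("AD_MA")
        Dim expired As Boolean = IsExpired(Convert.ToDateTime(mventry("expiryDate").Value), Date.Today)
        Dim dn As ReferenceValue = ma.EscapeDNComponent("CN=" & mventry("CnAD").Value).Concat(If(expired, InactiveOU, StaffOU))
        Select Case ma.Connectors.Count
            Case 0   ' no AD account yet: create one only for a user who is still active
                If expired Then Return
                Dim csentry As CSEntry = ma.Connectors.StartNewConnector("user")
                csentry.DN = dn
                csentry("userAccountControl").IntegerValue = 512   ' NORMAL_ACCOUNT, enabled
                csentry.CommitNewConnector()
            Case 1   ' existing account: the changed DN becomes a move on the next AD export
                ma.Connectors.ByIndex(0).DN = dn
            Case Else
                Throw New UnexpectedDataException("Multiple connectors on AD_MA")
        End Select
    End Sub

    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean Implements IMVSynchronization.ShouldDeleteFromMV
        Return False   ' keep the metaverse object when its AD connector disappears
    End Function

    Public Sub Initialize() Implements IMVSynchronization.Initialize
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
    End Sub
End Class
```

    Because Provision only runs when the metaverse object changes or a join is made or broken, the move into the inactive OU still needs a sync run on or after the expiry day to take effect.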

Answers

  • This part of the code is a little troublesome because the MV Extension (where this code lives) is only called when:

    1. Changes are made to the MVEntry attributes
    2. Joins are established or broken

    ElseIf 1 = Connectors Then
          csentry = ManagementAgent.Connectors.ByIndex(0)
          If (mventry("expiryDate").IsPresent) Then
            If (Convert.ToDateTime(mventry("expiryDate").Value) < DateTime.Now) Then
              csentry.DN = DN1
            ElseIf (Convert.ToDateTime(mventry("expiryDate").Value) > DateTime.Now) Then
              csentry.DN = DN
            End If
          End If


    If you are regularly running a full sync then you should be fine, but this is less than optimal. 

    Are you using the FIM Service and Portal? If so then you can use Temporal Sets. 

    From TechNet:

    Temporal Sets in particular provide a mechanism that can fully automate the process of transitioning into or out of a Set based on the passage of time. An example temporal set is defined for all groups that expire one week from today. The system evaluates the objects in the system automatically and adds them to this set on a daily basis.


    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Friday, November 5, 2010 5:49 PM

All replies

  • I did something more or less similar. However, I split the implementation into two parts:

    • classic rules extension, like your code above
    • declarative rules

    Using a classic rules extension I interpret the date and the expiryDate (in my implementation I'm using accountExpires from AD). If an account is expired (the date is in the past), I flip another attribute in the metaverse: accountStatus to "Inactive". This is done by a rules extension at attribute import/export.

    Using declarative rules from within the portal, the deprovisioning logic kicks in whenever it detects a user as Inactive: disable the account, move to the disabled OU, ....

    I'm quite satisfied with this approach; it provides me a lot of flexibility and keeps coding to a minimum. Of course you have to decide for yourself whether coding is necessary or the preferred way to go.


    http://setspn.blogspot.com
    Thursday, November 4, 2010 9:59 PM
  • So what's wrong with the code you pasted? Looking at it quickly, it appears to do what you want. The only issue I see is the SQL call to the Sync Service database. This is really a bad idea, but if you're intent on doing this, I would add a WITH NOLOCK query hint.
    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Friday, November 5, 2010 5:29 PM