How to provision users to specific AD OU depending on location?

  • Question

  • I am trying to flow users to AD depending on location.  In Active Directory we have an OU for each office location and users are created underneath.

    What I have is a numerical value (mail code) in my data set, amongst the other required attributes, that relates to a location for a particular new user. That number would match to a specific location (i.e. 099=Chicago).

    I would like to be able to set the DN of the user based upon location and flow that user creation to AD.  Also I would like to set the office location attributes of the user based upon this same numerical value, add the user to specific user groups, and create a home directory on a server local to the office.

    I would like to be able to do this using a SQL feed from our ERP and also while creating a user using the FIM Portal.

    Any ideas on how I should go about accomplishing this?

    Monday, October 21, 2013 6:35 PM

All replies

  • You can accomplish this using an IIF condition in your DN flow.
    This post covers a similar scenario.


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Tuesday, October 22, 2013 2:15 AM
  • Hello,

    I also think the IIF is first choice; depending on how many locations you have, this could lead to a very large and deeply nested Custom Expression.

    Maybe also consider using a Workflow Parameter Variable and setting department based on sets with a workflow, or the good old Extension code.

    I think the IIF solution is good for around 10-20 locations, but if there are around 100 I would not want to maintain that in a SyncRule.


    Peter Stapf - Doeres AG - My blog:

    Tuesday, October 22, 2013 7:24 AM
  • I have close to 100 locations and the nested IIF would get large and possibly unmanageable.

    I am thinking of heading towards the Workflow, unless someone has a better solution.

    Tuesday, October 22, 2013 1:01 PM
  • Using a workflow is fine...
    There is also the typical usual suspect - an MV rules extension that reads your mapping from an XML file or something like this...


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    • Proposed as answer by Toshi Teruya Tuesday, October 22, 2013 11:53 PM
    Tuesday, October 22, 2013 1:33 PM
  • If your HR Data is coming from SQL through a view, I'd suggest you think outside of FIM.

    Using logic in my View I have a column called OU. I created an attribute in the MV and Portal and use that to string together the OU

    For example, in SQL if you have a column called LOCATION and you wanted people at the location of HEADQUARTERS to go into an OU called HQ, your T-SQL would be:

    case LOCATION when 'Headquarters' then 'HQ' end as OU

    This will show up in your view; add an attribute and flow in the data, then string together the rest in your Sync Rule. :)


    • Proposed as answer by jmanley WI Wednesday, October 23, 2013 2:18 AM
    Wednesday, October 23, 2013 2:18 AM
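
The view-based approach from the last reply, scaled to the roughly 100 locations mentioned in the thread by replacing the CASE expression with a lookup table. This is an added example, not code from any poster; the table, view and column names (dbo.HRUsers, dbo.MailCodeLocation, dbo.vw_FimUsers) and the sample rows are assumptions.

```sql
-- Hypothetical stand-in for the ERP user table feeding the SQL management agent.
CREATE TABLE dbo.HRUsers (
    EmployeeID INT          NOT NULL PRIMARY KEY,
    FirstName  NVARCHAR(64) NOT NULL,
    LastName   NVARCHAR(64) NOT NULL,
    MailCode   CHAR(3)      NOT NULL   -- CHAR keeps leading zeros such as '099'
);

-- Hypothetical lookup table: one row per office, maintained as data
-- instead of a nested IIF or a 100-branch CASE expression.
CREATE TABLE dbo.MailCodeLocation (
    MailCode   CHAR(3)       NOT NULL PRIMARY KEY,
    OU         NVARCHAR(64)  NOT NULL,  -- OU name only; the sync rule builds the rest of the DN
    OfficeName NVARCHAR(128) NOT NULL   -- value for the office location attribute
);
GO

-- Constructed sample rows.
INSERT INTO dbo.MailCodeLocation (MailCode, OU, OfficeName)
VALUES ('099', N'Chicago', N'Chicago');

INSERT INTO dbo.HRUsers (EmployeeID, FirstName, LastName, MailCode)
VALUES (1001, N'Ann',  N'Example', '099'),   -- mapped mail code
       (1002, N'Raj',  N'Sample',  '123');   -- unmapped mail code
GO

-- View read by the management agent. LEFT JOIN keeps every user visible;
-- OU and OfficeName are NULL when the mail code has no mapping.
CREATE VIEW dbo.vw_FimUsers AS
SELECT  u.EmployeeID,
        u.FirstName,
        u.LastName,
        u.MailCode,
        l.OU,
        l.OfficeName
FROM    dbo.HRUsers AS u
LEFT JOIN dbo.MailCodeLocation AS l
       ON l.MailCode = u.MailCode;
GO

-- Review query: users whose mail code is not mapped to any OU yet.
SELECT EmployeeID, MailCode
FROM   dbo.vw_FimUsers
WHERE  OU IS NULL;
```

An unmapped mail code yields a NULL OU rather than a default value, so those users can be reviewed before a DN is built for them.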