none
FIM 2010 Group Synchronization RRS feed

  • Question

  • hi,

    My customer has challenging requirement. I would like to seek your valuable advice. Let me explain the situation first.

    Their environment is using FIM2010 server to synchronize between Lotus Notes and Active Directory. Their domain is, let's called DomainA.

    • They have one way forest trust to government forest.
    • All users in DomainA are using workstations which are joined to DomainB.
    • All of the application Servers are located in DomainA.
    • So that everytime new user joins, government create user account, domainB\user1 in AD and they create one user account, user1 in Lotut Note.Then FIM will provision new user in AD (DomainA).
    • When they want to grant permission for Application Server access, they add "DomainA\user1" to particular group in Lotus Notes group. FIM will sync updated group members to AD.
    • But the tricky part is since user are using DomainB\user1 account, they still not able to access applications which is only granted to domainA\user1.
    • So i am exploring the possibilities that can leverage on FIM for membership synchronization for domainB users. What I mean is if there is a group membership update in Lotus Notes, during synchronization to AD, I want to add not only DomainA\user1 but also DomainB\user1 (btw their user name is same). Is there a way I can control group membership synchronization for this activities by using extension code? (Government doesn't allow FIM to connect their AD directly)
    • Another option what i can think of is export connector space data to xml and look for membership updates. Then use powershell to read it and update in AD. But I believe this is a tedious job. I really appreciate your advice.

    Thursday, December 17, 2015 9:04 AM