With FIM 2010 RTM is it really impossible to flow a null value to the MV from an outbound Sync Rule?

  • Question

  • I am having difficulties with AD management.

    We have a simple Portal / AD / Exchange setup.

    The Portal is authoritative for mailnickname and Exchange is authoritative for mail.

    If we want to deprovision a mailbox for a user, the Portal user admin empties the mailnickname attribute on the form.

    What we do now is try to remove the mail attribute in this case!

    On the AD resource sync rule in the outbound set of attribute flows I have tried this:

    IIF(IsPresent(mailNickname),mail,nullValue)  -> mail

    In other words, if mailnickname is not empty on Portal use whatever is in MV mail (as it will be updated by Exchange anyway) otherwise NULLify mail on AD.

    This seems not to work. No change in AD is seen.

    If I try

    IIF(IsPresent(mailNickname),mail,"")

    what I get is an empty string sent to AD mail attribute on export (mail attribute is then deleted by AD LDAP operations) and I get an exported change not re-imported error!!

    What is the trick here???

    Friday, February 8, 2013 11:21 AM

All replies

  • Have you tried:
    IIF(IsPresent(mailNickname),mail,null())  -> mail
     

    Cheers,


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    • Proposed as answer by Furqan Asghar Monday, February 11, 2013 1:32 PM
    Friday, February 8, 2013 12:45 PM
  • I had some trouble with this way back in RTM and ended up writing code for it as I didn't succeed. Today, you could maybe use a custom workflow to clear an attribute - or use my Code Run custom activity to "clear" a value, by writing a dummy function for it, that returns null (effectively the workflow will do a Delete of any existing value) - https://fimactivitylibrary.codeplex.com/wikipage?title=Code%20Run&referringTitle=Documentation

    If you decide to go with the Code Run workflow, then the function could look something like this -

    using System;
    using System.Text.RegularExpressions;
    public class FIMDynamicClass
    {
        public object FIMDynamicFunction()
        {
            return null;
        }
    }
    And just set the target to be [//Target/MailNickName]. And of course you'll need the MPR and Set to trigger this workflow on the right objects.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt


    Friday, February 8, 2013 4:37 PM
  • I see.

    So it really is impossible to set a null value on outbound flow. I understand that by writing code I can nullify the value but I am disappointed that I have to.

    This null() function, I believe, doesn't set a null or return a null but is simply a NOP .. just do nothing in this event. But I DO want to do something, I want to set the MV attribute value to null!! I think I will set the MV to an empty string and live with the export/reimport error message.

    Monday, February 11, 2013 7:30 AM
  • Though you are disappointed, I do think you should go with a custom workflow or Sync Engine extensions code, as having these imp/exp errors continuously should never be a valid setup - monitoring software and similar would pop up with yellows/reds and such - so IMHO runs should also be successful in my book.


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt

    Monday, February 11, 2013 7:35 AM
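
The "Sync Engine extensions code" route mentioned above could look like the following. This is an added example, not code from any poster in this thread. It assumes the export flow to `mail` is configured on the AD management agent as a rules-extension flow; the flow rule name `ClearMailWhenNoNickname`, the namespace and the class name are hypothetical.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Example.ADExtension // hypothetical namespace
{
    // Rules extension for the AD MA. Only the export flow is implemented;
    // the remaining interface members are not used by this MA and throw.
    public class MAExtensionObject : IMASynchronization
    {
        void IMASynchronization.Initialize() { }
        void IMASynchronization.Terminate() { }

        void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            switch (FlowRuleName)
            {
                case "ClearMailWhenNoNickname": // hypothetical flow rule name
                    if (mventry["mailNickname"].IsPresent && mventry["mail"].IsPresent)
                    {
                        // Mailbox still wanted: pass the metaverse value through.
                        csentry["mail"].Value = mventry["mail"].Value;
                    }
                    else
                    {
                        // Stage a delete of all values instead of exporting "",
                        // so the re-import matches what was exported.
                        csentry["mail"].Delete();
                    }
                    break;
                default:
                    throw new EntryPointNotImplementedException();
            }
        }

        bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```
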
  • Besides the matter of "how to flow null", isn't it better to "remove mailboxes" using Exchange APIs? E.g. through the disable-mailbox powershell commandlets? Simply emptying mail seems really "hackish" to me and will probably leave Exchange unhappy as all other Exchange properties remain in place.

    Not sure if this is applicable for Exchange 2003, but for Exchange 2007/2010 and 2013 I'd use disable-mailbox in some way. Either through a powershell workflow in the Portal or using a rules extension. I think Soren even has a powershell activity available in his public workflow library efforts ;)

    Regards,

    Thomas


    http://setspn.blogspot.com


    Monday, February 11, 2013 1:22 PM
  • I agree with Thomas. Do not just remove Exchange-attributes, eventually Exchange will be very unhappy and you'll end up with an unhealthy Exchange system. As Thomas suggests, use appropriate CMDlets for Exchange.

    Craig has this PS WF (http://fimpowershellwf.codeplex.com/) or you could go the MA way with my PS MA (http://blog.goverco.com/p/powershell-management-agent.html), which I use a lot for Exchange related stuff, but also for many other tasks (homedirectories, data cleaning, web services and such)

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt

    Monday, February 11, 2013 1:27 PM
  • No..

    I am attempting to empty the mail attribute when I also nullify the mailnickname attribute. Only then. Exchange is happy enough to convert the user from UserMailbox to User when mailnickname is nullified. When this happens the mailbox has gone in Exchange but Exchange doesn't "write back" to AD this fact.

    Getting a Powershell script to do something so basic seems like overkill.

    It's a moot point if the AD mail attribute actually is an "Exchange attribute" and I must maintain it via Exchange cmdlets.

    Let's say the user is an external consultant and doesn't have a company Exchange mailbox... but he uses his own gmail account (say) or if you're M$ he has a rocketmail account. So that internal people can see his mail address the AD mail attribute is used... and in Exchange terms he is a MailUser. Now, he doesn't want people to see his address any more so we want to clear the mail attribute in AD..... by attempting to send a null on outbound sync rule.

    Still the weakness in FIM remains, the inability to send a null on outbound attribute flow in a SyncRule.

    Wednesday, February 13, 2013 8:18 AM