How can I provision a user to AD with group membership?

  • I have a use case where an admin wants to be able to assign AD group membership when he is creating the user within FIM Portal. Right now I am provisioning and syncing AD users and groups.

    I've been thinking to create a FIM set that corresponds to the AD security group and am looking for a FIM attribute I could set (something like memberOf?) which I could hard code within a sync rule such that if the user is designated as Employee Type 'App A User', the user, upon provisioning into AD, would also become a member of the App A Security Group within AD.

    I cannot find a Person attribute called memberOf, so wondering how else this might be achieved. Thoughts?

    PS. I do realize I can open the Security Group within FIM and add the user there after creating him, but this is sort of, well, non-optimal in their opinion.

    Wednesday, March 13, 2013 6:48 PM


  • MemberOf is a computed attribute.
    This means that AD DS calculates the attribute value on demand.

    FIM supports the concept of criteria-based membership in a group.
    For example, you can configure a group X to automatically add a person to X when "employeeType = contractor".
    This will also automatically remove the object from X when the condition is not satisfied anymore.

    From that perspective, you already have a "memberOf" - it is just not a single attribute.
    By looking at the attributes of an object, you can also determine "memberOf".
    If "employeeType = contractor", an object is member of X.

    All you need is to determine your business requirements for adding an object to a group and to configure your groups according to these requirements.
    See Introduction to User and Group Management for more details on this.


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    • Marked as answer by Osho27 Wednesday, March 13, 2013 7:55 PM
    Wednesday, March 13, 2013 7:40 PM
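An added illustration (not from the thread and not FIM's own code) of what the answer means by a derived memberOf: a small Python evaluator for FIM-style set filters of the form `/Person[Attr = 'value']`, which computes a person's group membership from attributes alone and shows the adds and removes that would flow to AD when an attribute changes. The filter syntax is a simplified subset of the FIM Portal XPath filter (only equality tests joined by "and"); the group names and person records are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Supported subset of FIM set filters: /Person[Attr = 'value' and Attr2 = 'value2']
_FILTER = re.compile(r"/Person\[(.*)\]")
_COND = re.compile(r"(\w+)\s*=\s*'([^']*)'")

def parse_filter(xpath: str) -> Dict[str, str]:
    """Turn /Person[EmployeeType = 'Contractor' and Dept = 'IT'] into a dict of required values."""
    m = _FILTER.fullmatch(xpath.strip())
    if not m or " or " in m.group(1):
        raise ValueError(f"unsupported filter: {xpath}")
    conds = dict(_COND.findall(m.group(1)))
    if not conds:
        raise ValueError(f"no conditions found in filter: {xpath}")
    return conds

def matches(person: Dict[str, str], conds: Dict[str, str]) -> bool:
    """A person matches only if every required attribute is present with the required value."""
    return all(person.get(attr) == value for attr, value in conds.items())

def compute_member_of(person: Dict[str, str], groups: Dict[str, str]) -> Set[str]:
    """Derived memberOf: the criteria-based groups whose filter the person currently satisfies."""
    return {name for name, xpath in groups.items() if matches(person, parse_filter(xpath))}

def membership_delta(before: Dict[str, str], after: Dict[str, str],
                     groups: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """(adds, removes) the sync engine would flow when attributes change from before to after."""
    old, new = compute_member_of(before, groups), compute_member_of(after, groups)
    return sorted(new - old), sorted(old - new)

# Constructed sample set definitions keyed by the AD group they are mapped to.
GROUPS = {
    "App A Security Group": "/Person[EmployeeType = 'App A User']",
    "Contractors": "/Person[EmployeeType = 'Contractor']",
    "IT Contractors": "/Person[EmployeeType = 'Contractor' and Department = 'IT']",
}

if __name__ == "__main__":
    alice = {"AccountName": "alice", "EmployeeType": "App A User", "Department": "IT"}
    print(compute_member_of(alice, GROUPS))           # {'App A Security Group'}
    moved = dict(alice, EmployeeType="Contractor")    # employee type changes later
    print(membership_delta(alice, moved, GROUPS))     # (['Contractors', 'IT Contractors'], ['App A Security Group'])
```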