Provisioning users from a group

  • Question

  • Hi,

    This may be a simple question for experts here.

    I have AD with groups and I want to bring in users who belong to a particular group. No need to sync groups and all users belong to an OU... just want to ignore all users.

    One solution I can think of is to create a boolean attribute and set a filter in the MA configuration. Is there any solution more elegant than this out there?

    Thanks,
    Bhavesh

    Friday, October 5, 2012 7:31 PM

Answers

  • Correct me if I'm wrong, but I think Bhavesh is wanting to only bring the users in that OU who belong to a particular AD group?  The obvious issue here is that you cannot create an inbound sync rule filter on this because memberOf is not a physical attribute binding of user.

    We have a "catch-22" situation here ... in order for FIM to determine that a particular user is a member of a group, you would have to flow ALL users into FIM as well as the groups.  Only then will you be able to write policy to mark users the way you are talking about (e.g. setting a boolean attribute binding for the user in FIM).

    If you were wanting to bring in all users in the nominated OU, but only apply some sort of policy to those in the group, I can tell you about a couple of ways to do this, such as this approach with policy to manage static sets.  However, I have a feeling that you won't want to do this.

    If I am right, then there is nothing "elegant" I can think of short of creating a new sub-OU and moving your accounts into that and following Patrick's advice.

    However, perhaps you could explain what your real business problem here is, because there may be other ways that FIM can help you achieve your goals.


    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Marked as answer by bhavesh001 Wednesday, October 10, 2012 1:11 PM
    Sunday, October 7, 2012 11:32 PM

All replies

  • Hi,

    If all the users belong to a specific OU (as you mentioned) you can filter out all the other users by selecting only the requested OU in FIM Synchronization Service:

    In the Configure Directory Partitions tab, click the Containers button and select only the OU(s) you want to synchronize. That way all other OUs will be automatically filtered.

    Patrick.


    Patrick Layani

    Saturday, October 6, 2012 6:40 PM
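An added illustration, not code from the thread or from FIM itself, of the two mechanisms the replies above describe: Patrick's container scoping (keep only objects whose DN sits under a selected OU) and Bob's point that group membership is stored on the group object's member attribute, so a per-user flag can only be computed once the group objects are available too, which is what a FIM policy would do after import. The DNs, group names and helper functions are constructed for the example; nested groups and a membership cycle are included because an unguarded recursive expansion would loop on them.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample directory for this illustration (not from the thread).
SAMPLE_USERS: List[str] = [
    "CN=Alice,OU=Staff,DC=example,DC=local",
    "CN=Bob,OU=Staff,DC=example,DC=local",
    "CN=Carol,OU=Contractors,DC=example,DC=local",
    "CN=Dave,OU=Staff,DC=example,DC=local",
]

# Group objects carry the `member` attribute; a user's memberOf is only a
# computed back-link to these lists, which is why it cannot be filtered on
# from the user object alone.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "CN=FIM-Users,OU=Groups,DC=example,DC=local": [
        "CN=Alice,OU=Staff,DC=example,DC=local",
        "CN=Carol,OU=Contractors,DC=example,DC=local",
        "CN=FIM-Admins,OU=Groups,DC=example,DC=local",  # nested group
    ],
    "CN=FIM-Admins,OU=Groups,DC=example,DC=local": [
        "CN=Dave,OU=Staff,DC=example,DC=local",
        "CN=FIM-Users,OU=Groups,DC=example,DC=local",  # membership cycle
    ],
}

# Split on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_components(dn: str) -> List[str]:
    """Break a DN into normalised RDNs (trimmed, case-folded)."""
    return [part.strip().lower() for part in _RDN_SPLIT.split(dn)]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs that differ only in case or spacing."""
    return ",".join(dn_components(dn))


def is_under(dn: str, container: str) -> bool:
    """True when `dn` is a strict descendant of `container` (OU scoping)."""
    obj, cont = dn_components(dn), dn_components(container)
    return len(obj) > len(cont) and obj[-len(cont):] == cont


def scope_to_containers(dns: Iterable[str], containers: Iterable[str]) -> List[str]:
    """Keep only the objects that sit under one of the selected containers."""
    selected = list(containers)
    return [dn for dn in dns if any(is_under(dn, c) for c in selected)]


def expand_members(group_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Transitive member set of a group: nested groups flattened, cycles tolerated."""
    by_dn = {normalize_dn(g): members for g, members in groups.items()}
    result: Set[str] = set()
    seen: Set[str] = set()
    pending = [normalize_dn(group_dn)]
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in by_dn.get(current, []):
            m = normalize_dn(member)
            if m in by_dn:      # the member is itself a group: descend into it
                pending.append(m)
            else:
                result.add(m)
    return result


def mark_group_members(users: Iterable[str], groups: Dict[str, List[str]],
                       target_group: str) -> Dict[str, bool]:
    """Per-user boolean flag, computable only once the group objects are in hand."""
    members = expand_members(target_group, groups)
    return {u: normalize_dn(u) in members for u in users}


if __name__ == "__main__":
    in_scope = scope_to_containers(SAMPLE_USERS, ["OU=Staff,DC=example,DC=local"])
    flags = mark_group_members(in_scope, SAMPLE_GROUPS,
                               "CN=FIM-Users,OU=Groups,DC=example,DC=local")
    for dn, flag in flags.items():
        print(f"{flag!s:5} {dn}")
```

The container step needs nothing but the user's own DN, which is why it works as an import-time filter; the group step needs every group's member list, which is the "catch-22" Bob describes: the flag cannot be derived until both object types have been brought in and joined.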
  • Thanks Bob and Patrick.

    Bob, you got my question right, and there is nothing elegant to bring in only those users who belong to specific groups in AD. We don't want to bring all users and groups from AD to the MV and apply rules to filter out the unwanted ones. Creating sub-OUs can solve the business problem, but there are some infrastructure costs and efforts involved.

    All users are sourced from a SQL DB, and we can create views at the database to filter them out and bring them in from the DB instead of AD. It sounds weird, but we don't care about ObjectSid from AD, which we were thinking to use to bring users based on group membership; instead we have a totally different domain and AD where we want to provision after getting them from the database.

    It is hard for me to explain everything here but trust me it works.

    Thank you,
    Bhavesh


    • Edited by bhavesh001 Wednesday, October 10, 2012 1:13 PM added words
    Wednesday, October 10, 2012 1:10 PM