none
Enable FIM AD Account RRS feed

  • Question

  • Hi Guys,

    Trying to enable AD account that already exists in FIM & AD if employeeType attribute changes ?? Couldn't get any success when trying to flow the useraccountcontrol value thru custom attribute but it revert backup when AD-MA runs. Any clue would be helpful..

    Thx
    JC

    Monday, July 14, 2014 6:42 AM

All replies

  • Hi JC,

    Can you provide more details.  When it is getting revert.

    What do you see in preview?

    Thanks,

    Mann

    Monday, July 14, 2014 8:16 AM
  • In short I want to achieve is that if employeeType changed to inactive the account become disabled or similarly if employeType active then account change to enabled.

    JC


    • Edited by Jcruze09 Tuesday, July 15, 2014 4:52 AM
    Monday, July 14, 2014 11:21 PM
  • Hello,

    You can find many resources on the internet.

    A great post from jorge:

    http://jorgequestforknowledge.wordpress.com/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim/

    You will need to add an "useraccountcontrol" attribute in the metaverse and flow it with the AD "userAccountControl" attribute.

    Regards,


    Sylvain


    • Edited by Sylvain.c Tuesday, July 15, 2014 8:19 AM
    Tuesday, July 15, 2014 8:19 AM
  • JC,

    Can you please provide more information like :

    1. What source you are using for user objects.
    2. What MPRs you have created for flowing the User Account Control for new users.
    3. What MA has higher precedance for UAC attribute.

    Well, my suggestion is that you can create transition in MPR to change the UAC for user by creating a set having some attribute value as "enable" which has a workflow to change the UAC to 512.

    But, please be sure that this will only work if the precedence of UAC is higher for FIMMA and not for ADMA, but its not nice way to do this. If you can provide few more detail, then I can help you by providing some better approach.


    Regards,
    Manuj Khurana

    • Proposed as answer by Jcruze09 Wednesday, July 16, 2014 5:38 AM
    Tuesday, July 15, 2014 8:43 AM
  • Hi Manuj,

    Thx for pointing the precedence thing out as I forgot to look that earlier. It would be great if you can give an idea regarding the provision of mailbox on the basis of employeeType !!! Actually I have 5 categories of employeeType lets say A,B,C,D,E and only two categories A & B need mailbox provision. It works fine with all but if I use IIF(Eq(employeeType,"A") then just work with A and give ma-extension-error when provisioning AD account for any other employeeType.  

    Regards

    JC




    • Edited by Jcruze09 Wednesday, July 16, 2014 5:52 AM
    Wednesday, July 16, 2014 5:51 AM
  • JC,

    There are many ways of acheiving this. As you said above, please check the user by running a manual sync to it in preview section, I am sure, you will easily be able to figure out the error.

    Or what you can do is, create a synchronization rule for exchange provisioning. And use a "Transition-In" MPR for a set having criteria: "EmployeeType = A or EmployeeType = B", you can add any other criteria as well if you want. Once a user enters this set, the transition - in MPR will trigger and this will add maping of exchange attributes as stated in the synchronization rule.

    Also, you can use the approach in rules extension in which, you can easily write few line of code to set the mapping of exchange attributes after providing your condition of EmployeeType.


    Regards,
    Manuj Khurana

    • Proposed as answer by Manuj Khurana Wednesday, July 16, 2014 12:26 PM
    Wednesday, July 16, 2014 12:26 PM
  • Thx Manuj. I have created another Sync rule along with SET and MPR but none of the attributes in new sync rule (Exch) flows. I have got the work around by using IIF function but I am more interested to use another sync rule and make exchange attributes flow thru. I have added four attributes only in new sync rule mDBUseDefaults, mailNickname, homeMDB, msExchHomeServerName and I don't know where am I making mistake.

    Regards

    JC


    • Edited by Jcruze09 Thursday, July 17, 2014 2:48 AM
    Thursday, July 17, 2014 2:48 AM
  • JC,

    You have to firstly check, is the sync rule is getting applied or not? This you can check in sync preview section. Also, when a user becomes part of the set, the MPR should trigger for action workflow to come in action. This can be verified, by manually making a user part of that set and post the addition of user in that set, you can go to search requests and check that proper MPR is triggered as required? Post this, you can go to synchronization angine and run a DI for FIM MA and search the user and running a manual sync preview and it will clear your concerns.


    Regards,
    Manuj Khurana

    Thursday, July 17, 2014 10:27 AM