How do I create an AD OU structure on the fly when provisioning new objects to the AD?


  •   ILM Knowledge Bit

    A new option in the FIM2010 Synchronization Engine allows creating your organizational unit structure on the fly when objects need to be provisioned while the parent container is missing. While this functionality is missing out-of-the-box in ILM 2007, it is very easily reproduced.

    To mimic the FIM2010 behaviour, you will need to catch MissingParentObjectException while providing the code required to provision your container in your MV Extension provisioning code, as in the following example:

      ' myMA is the ConnectedMA for the AD MA, dn the target ReferenceValue
      Dim csentry As CSEntry
      Dim bReady As Boolean = False
      While Not bReady
        Try
          csentry = myMA.Connectors.StartNewConnector("user")
          csentry.DN = dn
          csentry.CommitNewConnector()
          bReady = True

        Catch ex As MissingParentObjectException
          ' Parent container is not in the connector space: create it, then retry the user
          ProvisionContainer(myMA, dn.Subcomponents(1, dn.Depth))
        End Try
      End While

    You can then create a recursive function (because the container that holds your new container might also be missing) that builds your organizational unit structure:

      Private Sub ProvisionContainer( _
        ByVal ADMA As ConnectedMA, _
        ByVal dn As ReferenceValue _
      )

        Dim csentry As CSEntry

        Dim bReady As Boolean = False
        While Not bReady

          Try
            csentry = ADMA.Connectors.StartNewConnector("organizationalUnit")
            csentry.DN = dn
            csentry.CommitNewConnector()
            bReady = True

          Catch ex As MissingParentObjectException
            ' The parent of this container is missing too: recurse one level up,
            ' passing on the MA this Sub received rather than the caller's variable
            Dim newDn As ReferenceValue = dn.Subcomponents(1, dn.Depth)
            ProvisionContainer(ADMA, newDn)
          End Try

        End While

      End Sub

    One word of caution when you are using this approach: your organizationalUnit object will be joined to the user object that you were provisioning in this container, which may be undesired. You can solve this by deprovisioning your container later on, leaving the object in the connector space as a disconnector. 

      Go to the ILM Knowledge Bit Collection

    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Monday, June 14, 2010 8:24 PM
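    The retry-and-build pattern from the post above placed in a complete MV extension, as an added example that is not code from the original post. It goes slightly beyond the post: it builds the target DN from metaverse attributes with EscapeDNComponent, and it refuses to recurse at or above the domain root so that a misconfigured AD MA (partition or container not selected) fails with a clear error instead of looping forever. The MA name "AD MA", the metaverse attributes accountName and department, the container OU=Users,DC=contoso,DC=com and the domain root are assumptions for illustration.

    ```vb
    ' Added example (not code from the original post): the retry-and-build pattern
    ' in a complete MV extension. MA name, attribute names and container DNs are
    ' assumptions for illustration; adjust them to your environment.
    Imports Microsoft.MetadirectoryServices

    Public Class MVExtensionObject
        Implements IMVSynchronization

        Private Const AdMaName As String = "AD MA"                              ' assumed
        Private Const DomainRoot As String = "DC=contoso,DC=com"                ' assumed
        Private Const UsersContainer As String = "OU=Users,DC=contoso,DC=com"   ' assumed

        Public Sub Initialize() Implements IMVSynchronization.Initialize
        End Sub

        Public Sub Terminate() Implements IMVSynchronization.Terminate
        End Sub

        Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean _
            Implements IMVSynchronization.ShouldDeleteFromMV
            Return False
        End Function

        Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
            If mventry.ObjectType <> "person" Then Return

            Dim adMA As ConnectedMA = mventry.ConnectedMAs(AdMaName)

            ' Nothing to do if the person already has an AD connector, or if the
            ' attributes needed to build the DN are not (yet) present.
            If adMA.Connectors.Count > 0 Then Return
            If Not mventry("accountName").IsPresent OrElse Not mventry("department").IsPresent Then Return

            ' Target DN: CN=<accountName>,OU=<department>,OU=Users,DC=contoso,DC=com
            ' EscapeDNComponent escapes characters such as ',' and '+' in the RDN value.
            Dim container As ReferenceValue = _
                adMA.EscapeDNComponent("OU=" & mventry("department").Value).Concat(UsersContainer)
            Dim dn As ReferenceValue = _
                adMA.EscapeDNComponent("CN=" & mventry("accountName").Value).Concat(container)

            Dim csentry As CSEntry
            Dim bReady As Boolean = False
            While Not bReady
                Try
                    csentry = adMA.Connectors.StartNewConnector("user")
                    csentry.DN = dn
                    csentry("sAMAccountName").Value = mventry("accountName").Value
                    csentry.CommitNewConnector()
                    bReady = True
                Catch ex As MissingParentObjectException
                    ' The department OU is not in the connector space yet: create it
                    ' (and any missing ancestors), then loop to retry the user.
                    ProvisionContainer(adMA, dn.Subcomponents(1, dn.Depth))
                End Try
            End While
        End Sub

        ' Creates the organizationalUnit at dn, recursing upward while ancestors are
        ' missing. Every OU committed here is joined to the person's MV object that
        ' triggered provisioning (see the caveat in the post above).
        Private Sub ProvisionContainer(ByVal adMA As ConnectedMA, ByVal dn As ReferenceValue)
            ' Guard: never try to create the domain root itself. If the engine reports
            ' it missing, the MA's partition/container selection is wrong, and the
            ' retry loop in Provision would otherwise spin forever.
            If dn.Depth <= adMA.CreateDN(DomainRoot).Depth Then
                Throw New UnexpectedDataException( _
                    "Refusing to create a container at or above " & DomainRoot & ": " & dn.ToString())
            End If

            Dim csentry As CSEntry
            Dim bReady As Boolean = False
            While Not bReady
                Try
                    csentry = adMA.Connectors.StartNewConnector("organizationalUnit")
                    csentry.DN = dn
                    csentry.CommitNewConnector()
                    bReady = True
                Catch ex As MissingParentObjectException
                    ProvisionContainer(adMA, dn.Subcomponents(1, dn.Depth))
                End Try
            End While
        End Sub
    End Class
    ```

    The root guard is the part worth keeping even if you drop the rest: with the bare pattern, a MissingParentObjectException for a container the MA can never create turns into an endless retry, and the error only surfaces as a hung synchronization run. Compile the extension against Microsoft.MetadirectoryServices.dll and reference it as the MV extension of the sync engine as usual.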

All replies

  • Very cool, Paul!

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, June 14, 2010 9:23 PM
    Moderator
  • Awesome, thanks. Quick follow-up question: how would you deal with OU renames, especially if they have child objects, both users and other OUs?

    Monday, June 14, 2010 10:46 PM
  • The answer to that question is not that quick ... there is a lot of "it depends" involved.

    For starters, if you follow my suggestion to deprovision your organizationalUnit objects, they in fact become unmanaged. This means that from within ILM you wouldn't be able to rename them. If they do remain managed objects (but preferably connected to an MV object that didn't kick off the provisioning to your target CS), then the question becomes: from where and how are they managed? E.g. they could come from another LDAP-like directory service having the same structure that you would like to replicate. In that case you could allow the renames to happen, catching errors in your renaming code as they occur (you will get errors for as long as there are child objects). Eventually, those errors will go away, depending on the depth of the tree you are renaming.

    If you have a precise scenario, I would suggest you start a new thread that we could then have a look at.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Tuesday, June 15, 2010 6:58 PM