Add users from different domains to an AD group

  • Question

  • I have an environment where a person can have an account in two different AD domains (Domain A and Domain B). It is also possible for a user account from Domain A to be a member of a group in Domain B. This is currently managed manually. I'm working on a solution where this will be handled by FIM (actually MIM). The solution I envisioned would have an MA for each AD domain. Group membership will be determined by a third HR system, so there will be an MA for that as well, which will be authoritative. The person object in the MV would join to each AD MA, the FIM portal and the HR MA (i.e. 1 MV object per person). The challenge with this design is that I'm not sure it's possible to populate the Membership attribute of an AD group using a synchronization rule in a way that distinguishes which domain a group member comes from. Does anyone know if this is possible, and if so, how would I set this up? A solution that I think would work is to create multiple objects for a person in the MV (e.g. one for Domain A and one for Domain B). But I would prefer not to do that.

    Wednesday, October 17, 2018 3:24 PM

All replies

  • To manage group membership in AD, both user and group must be in the same MA (same AD Domain). So if user is in Domain A and group in Domain B, there is no way to correlate the objects. Not natively, anyways. You could do this running a powershell activity in the portal that would populate the group in AD directly, but this is not what Group Management in MIM is about.

    Nosh Mernacaj, Identity Management Specialist

    Sunday, October 21, 2018 6:01 PM
  • If both your domains are in the same forest you can/must use a single AD MA for group membership.

    Monday, October 22, 2018 9:06 AM
  • Thanks for the clarification Mark. For some reason I took it for granted they are not in the same forest. There is only one MA per forest.

    Nosh Mernacaj, Identity Management Specialist

    Monday, October 22, 2018 1:00 PM
  • Hi Mark, 

    You are saying that if Domain A and B are from the same forest then I can only set up a single AD MA to manage group membership for both of these domains? Is that correct? If so, does that mean I can still have 1 AD MA per domain to manage accounts in those domains?

    Monday, October 22, 2018 10:48 PM
  • You can keep your AD MAs for managing accounts and create a third one just for group membership, but in this third MA the user accounts from each domain must be joined to a person object in the Metaverse for it to work.

     MV.Group joined to AD_DomainA.Group

     MV.Person joined to AD_DomainA.Person and AD_DomainB.Person

    You could also just use a single AD MA managing both accounts and groups, although handling multiple connector space objects in a single MA joined to a single MV object can be a pain, and will need all advanced flows. (In the first scenario the accounts are just joining with no provisioning or attribute flow so easy to do.)

    Tuesday, October 23, 2018 8:04 AM
  • Ok, thanks.

    At the end of the day what you and Nosh are saying is that it's not possible to assign a user from one domain to a group in another domain (same forest).  To get around this, what if I created a new MV object type (eg DomainAccount) and added a multivalue attribute to the person object to store the IDs of all the DomainAccounts the user is associated with.  Then, instead of using user objects to populate group membership, I would use the DomainAccount objects to populate group membership.  This idea comes from this post here, which appears to cover a similar scenario.   It's not clear to me from that post if the OP successfully implemented his proposed solution.  Do either of you know if this would be a workable solution?

    Tuesday, October 23, 2018 4:30 PM
  • No, what we are saying is that if Domain A and Domain B are both in one forest, Forest C, then all you need is one AD MA and you can implement Group Management. 
    FYI: AD MA points to a forest, so it covers all Domains within it.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, October 23, 2018 7:43 PM
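Two things in this thread are worth checking before the design is committed: whether Domain A and Domain B really sit in one forest (Nosh's point that an AD MA covers every domain in the forest it points to), and what the manually managed cross-domain memberships currently look like. The PowerShell below is an added example written for this page, not code from the thread or from MIM; the domain FQDNs and the group name are placeholders. It also checks the group's scope, because a Global group cannot hold accounts from another domain regardless of how MIM is configured (a fact about AD group scopes, not something stated in the thread).

```powershell
# Added example: verify the single-forest assumption and audit cross-domain
# members of a group before handing membership over to a MIM AD MA.
# Requires the RSAT ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

$DomainA   = 'domaina.example.com'   # assumption: placeholder FQDN for Domain A
$DomainB   = 'domainb.example.com'   # assumption: placeholder FQDN for Domain B
$GroupName = 'App-Admins'            # assumption: placeholder group living in Domain B

# 1. One AD MA can only see both domains if they share a forest.
$domA = Get-ADDomain -Identity $DomainA
$domB = Get-ADDomain -Identity $DomainB
if ($domA.Forest -ne $domB.Forest) {
    Write-Warning ("Domains are in different forests ({0} / {1}); " +
                   "a single AD MA cannot correlate users and groups across them.") -f $domA.Forest, $domB.Forest
} else {
    Write-Host "Both domains are in forest $($domA.Forest); one AD MA covers them."
}

# 2. Group scope: Global groups may only contain principals from their own domain,
#    so a cross-domain member list needs a DomainLocal or Universal group.
$group = Get-ADGroup -Identity $GroupName -Server $DomainB -Properties member
if ($group.GroupScope -eq 'Global') {
    Write-Warning "$GroupName is a Global group; members from $DomainA will be rejected."
}

# 3. Audit the current, manually managed membership: classify each member DN.
#    Same-forest members from Domain A keep their Domain A DN; members from a
#    different forest appear as Foreign Security Principals under Domain B.
$domainBDn = $domB.DistinguishedName
$fspSuffix = ",CN=ForeignSecurityPrincipals,$domainBDn"
$report = foreach ($memberDn in $group.member) {
    $origin = if ($memberDn -like "*$fspSuffix") {
        'OtherForest (FSP)'
    } elseif ($memberDn.EndsWith($domainBDn, [StringComparison]::OrdinalIgnoreCase)) {
        'DomainB'
    } else {
        'SameForestOtherDomain'
    }
    [pscustomobject]@{ Member = $memberDn; Origin = $origin }
}
$report | Format-Table -AutoSize

# Anything reported as SameForestOtherDomain is a membership the single-MA
# design must reproduce; anything reported as an FSP cannot be managed by one MA.
```

Run it from a workstation joined to either domain with the RSAT tools installed; the member classification relies only on the `member` attribute, so it works even when `Get-ADGroupMember` fails on cross-domain entries.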
  • Ok, I think I understand how the group management would work, but how would this solution allow me to manage users in the two AD domains? For example, I have 4 MAs: Person_ADMA_DomainA, Person_ADMA_DomainB, Group_ADMA_DomainA and HR_MA. Person 'Joe' needs to be provisioned from HR to both Domain A and B, but the account in domain B should be disabled. If 'Joe' is represented as a single person object in the MV, how would FIM know to provision an active user to domain A and a disabled user to domain B?

    Tuesday, October 30, 2018 7:35 PM