AD Group provisioning

  • General discussion

  • I'm trying to do a setup where I provision and populate AD security groups from an organizational structure in HR. The groups are nested with parent/child groups, and the groups contain users from the specific departments.

    Groups are named what the departments are named in HR, but the problem is here: HR are not IT guys, and they put stuff like " , & / \ % ", whatever characters they like, in the department name.

    DN cannot be flown to AD with a comma in the CN part, "CN=Group,name,OU=name,DC=test,DC=com", or can it? Can I somehow make the ADMA know that the comma in "group,name" is text and not a delimiter?

    Backup solution would be to create the groups with some other sAMAccountName and flow department name to DisplayName.

    Does anyone have an xPath for removing certain characters from attributes?

    /Frederik Leed

    Wednesday, June 19, 2013 11:36 AM

All replies

  • You would need to escape the DN - there's an EscapeDNComponent function if you're using Sync Rules. If you're using legacy provisioning code it's a method of the ConnectedMA class if I remember right.

    My Book - Active Directory, 4th Edition

    Wednesday, June 19, 2013 3:00 PM
  • Worked great!

    <export-flow allows-null="false">
      <src><attr>NAME</attr></src>
      <dest>dn</dest>
      <scoping></scoping>
      <fn id="+" isCustomExpression="false">
        <arg>"CN="</arg>
        <arg>
          <fn id="EscapeDNComponent" isCustomExpression="false">
            <arg>NAME</arg>
          </fn>
        </arg>
        <arg>",OU=HROrganization,OU=SecurityGroups,DC=domain,DC=com"</arg>
      </fn>
    </export-flow>

    /Frederik Leed

    Thursday, June 20, 2013 9:05 AM
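
Added example, not part of the thread and not FIM's own EscapeDNComponent code: a Python sketch of RFC 4514 escaping for an RDN value, showing why the unescaped comma in "Group,name" changes the DN structure and the escaped form does not. The function names and the sample department names are constructed for illustration; the OU suffix is the one from the export flow above.

```python
# Added illustration: RFC 4514 escaping of one RDN value (the CN part).
# Assumption: this mirrors the purpose of EscapeDNComponent, not its exact code.

SPECIALS = set('"+,;<>\\')          # always escaped inside an RDN value
SUFFIX = "OU=HROrganization,OU=SecurityGroups,DC=domain,DC=com"  # from the thread


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value so it is safe inside a DN."""
    if not value:
        raise ValueError("empty RDN value")
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")                  # NUL uses the hex form
        elif ch in SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):      # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:              # leading '#'
            out.append("\\#")
        else:
            out.append(ch)                      # & / % need no escaping
    return "".join(out)


def group_dn(name: str) -> str:
    """Build the group DN the way the export flow concatenates it."""
    return f"CN={escape_rdn_value(name)},{SUFFIX}"


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas to check how many RDNs it contains."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped pair together
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    # Constructed department names of the kind described in the question.
    for dept in ["Group,name", "R&D / Test", "#1 Dept "]:
        dn = group_dn(dept)
        print(dn, "->", len(split_rdns(dn)), "RDNs")
```

Unescaped, "CN=Group,name," plus the same suffix splits into six RDNs instead of five, which is the parsing problem the question describes.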