AD outbound provisioning - same user to 2 different OUs

  • Question

  • The same user from FIM needs to be provisioned to 2 different OUs in AD. Is that possible using portal sync rules?

    FIM User object properties:

    AD exists (boolean), samAccountname, employeeID

    Sync rule 1:

    scope - AD exists is true

    relationship - samaccountname = samaccountname

    rule - dn: cn="samaccountname",OU1

    Sync rule 2:

    scope - employeeID is present (AD exists could be true or false)

    relationship - employeeID = employeeID

    rule - dn: cn="employeeID",OU2

    We have rule 1 already in place. When I tested with rule 2, it pushed only users that are not synced in OU1. How can I capture this via scope and relationship criteria?

    Thanks!!

    Tuesday, August 18, 2015 11:57 PM

All replies

  • Why do you want to end up with two objects for the same person in Active Directory?

    Wednesday, August 19, 2015 3:37 AM
  • A possible solution could be to have two different AD management agents.

    In this way, you could have an outbound sync rule for the management agent AD1 which provisions users to OU1, and another on AD2 which provisions users to OU2.

    What you are trying to do, however, is pretty strange.

    What is the problem you are trying to solve?


    Paolo Tedesco - http://cern.ch/idm

    • Marked as answer by fim_sc Wednesday, August 19, 2015 2:34 PM
    Wednesday, August 19, 2015 8:45 AM
  • Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

    So, is there no way I can use portal sync rules to push an object to 2 different OUs?

    Wednesday, August 19, 2015 1:13 PM
  • I highly discourage you from doing this. For all intents and purposes, these are 2 different users now. Different sAMAccountName and different objectSID. If you tell us why you would be needing this, we could maybe help you avoid the craziness.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, August 19, 2015 1:30 PM
  • On Wed, 19 Aug 2015 13:13:45 +0000, fim_sc wrote:

    Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

    samAccountName is a required attribute in AD.


    Paul Adare - FIM CM MVP

    Wednesday, August 19, 2015 1:49 PM
  • Not all the users have a samAccountName in FIM. Only users with samAccountName are pushed to OU1. Now, we are planning to use AD as a directory of all the users, who may or may not have a samAccountName. employeeID is the unique attribute. So, we planned to create a new OU and use employeeID in the dn for this new OU.

    So, is there no way I can use portal sync rules to push an object to 2 different OUs?

    You need the following then,

    If user exists, join. If it does not exist, provision a new account. You will have to create the sAMAccountName. Since employeeID is unique enough, you can use employeeID as sAMAccountName, unless you have other requirements for sAMAccountName. You don't need 2 accounts.


    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by fim_sc Wednesday, August 19, 2015 2:34 PM
    Wednesday, August 19, 2015 1:56 PM
  • We have many users in FIM that don't get an accountName at all. They get only the employeeId. So, these users never get an AD account as the dn of ou=people contains the accountName. dn="cn=accountName, domainname. Also, we don't keep all the users in our People OU. We delete the AD accounts a few days after the termination date. The average number of users in this OU will be 25k.

    Now, we are planning to use AD as a directory of all the users. We cannot export all the users to the current People OU because not all the users have an accountName. We have to use employeeID in the dn. So, the idea is to create a new OU and put all the user accounts in and keep that OU disabled. As I said, this OU is only used as a directory search and not for authentication or exchange. The number of users in this OU will be 100k and will grow.

    Wednesday, August 19, 2015 2:07 PM
  • So, in the same OU, can we have 2 different dn formats? Users with accountname will have accountName in the DN and samAccountName. Users without accountname will have employeeID in the DN and samAccountName. Is this what you are suggesting?
    Wednesday, August 19, 2015 2:12 PM
  • Yes.

    The example below is perfectly fine.

    cn=MernacajN,OU=Users,DC=Domain,DC=Com

    cn=12345,OU=User,DC=Domain,DC=Com


    Nosh Mernacaj, Identity Management Specialist


    • Edited by Nosh Mernacaj Wednesday, August 19, 2015 2:32 PM
    • Marked as answer by fim_sc Wednesday, August 19, 2015 2:35 PM
    Wednesday, August 19, 2015 2:31 PM
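A model of the join-or-provision flow Nosh recommends, with both DN formats living in one OU and an audit check for the "two objects of the same person" outcome the replies warn against. This is an added example written for this page, not FIM code or anything posted in the thread; the OU name, the sample FIM users and the pre-existing AD entries are constructed.

```python
"""Join-or-provision model: one AD object per person, DN built from
samAccountName when FIM has one and from employeeID otherwise, and
sAMAccountName always populated (employeeID as the fallback)."""
from __future__ import annotations

PEOPLE_OU = "OU=People,DC=example,DC=com"  # assumed OU, not from the thread

# Constructed FIM user objects; samAccountName may be absent.
FIM_USERS = [
    {"employeeID": "10001", "samAccountName": "smithj"},
    {"employeeID": "10002", "samAccountName": None},
    {"employeeID": "10003", "samAccountName": "leea"},
]

# Constructed existing AD objects keyed by DN: smithj is already provisioned.
AD_OBJECTS = {
    "CN=smithj,OU=People,DC=example,DC=com": {"employeeID": "10001", "sAMAccountName": "smithj"},
}

def target_dn(user: dict) -> str:
    """CN is the account name when FIM has one, else the employeeID."""
    cn = user["samAccountName"] or user["employeeID"]
    return f"CN={cn},{PEOPLE_OU}"

def target_sam(user: dict) -> str:
    """sAMAccountName is mandatory in AD; fall back to employeeID (max 20 chars)."""
    sam = user["samAccountName"] or user["employeeID"]
    if len(sam) > 20:
        raise ValueError(f"sAMAccountName too long: {sam}")
    return sam

def reconcile(users: list[dict], ad: dict) -> list[tuple[str, str]]:
    """Return (action, dn) per user: 'join' if an object with the same
    employeeID exists, else 'provision'. A second object is never created."""
    by_emp = {obj["employeeID"]: dn for dn, obj in ad.items()}
    actions = []
    for user in users:
        existing = by_emp.get(user["employeeID"])
        if existing:
            actions.append(("join", existing))
            continue
        dn = target_dn(user)
        ad[dn] = {"employeeID": user["employeeID"], "sAMAccountName": target_sam(user)}
        by_emp[user["employeeID"]] = dn
        actions.append(("provision", dn))
    return actions

def duplicate_persons(ad: dict) -> dict[str, list[str]]:
    """Audit: employeeIDs that map to more than one AD object (two SIDs per person)."""
    seen: dict[str, list[str]] = {}
    for dn, obj in ad.items():
        seen.setdefault(obj["employeeID"], []).append(dn)
    return {emp: dns for emp, dns in seen.items() if len(dns) > 1}
```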