Provisioning / Deprovisioning OCS R2 via third party IDM software RRS feed

  • Question

  • I need to give advice on provisioning and deprovisioning OCS via AD.

    It seems that provisioning requires the following user attributes populated:

    proxyAddresses
    msRTCSIP-PrimaryUserAddress
    msRTCSIP-OptionFlags
    msRTCSIP-FederationEnabled
    msRTCSIP-InternetAccessEnabled
    msRTCSIP-UserEnabled
    msRTCSIP-PrimaryHomeServer

    I have some questions:

    - Does the OCS backend database need population, or is provisioning AD enough?

    - To deprovision a user, which of these attributes must be removed? Some of them, such as UserEnabled, are boolean; should this be changed to false or the attribute removed?

    - When deprovisioning a user via AD, are remnants of the account left in the backend database, and if so is that a problem?

    Thank you for any suggestions.

    Thursday, June 9, 2011 3:40 AM

Answers

  • Sharon, thanks for your help. I've escalated to the product group and received the following definitive answer;

    On Provisioning user accounts by populating AD attributes

    Technically this might be possible as given in some blogs. However, Microsoft hasn’t tested it and we consider anything not tested as not supported as well. Regarding automation of administrative tasks, we can recommend our customers only to populate the following AD attributes and then exercise WMI controls as we have tested this already.

    | AD Attribute Name | Type | Meaning |
    | --- | --- | --- |
    | msRTCSIP-UserEnabled | Boolean | True = OCS Enable; False = not OCS Enabled |
    | msRTCSIP-OptionFlags (1) | Integer | Bitmask representing OCS features. |
    | msRTCSIP-PrimaryUserAddress | String | The primary SIP address of the user. |
    | msRTCSIP-PrimaryHomeServer | String | The Distinguished Name of the Home Server. |

    On contacts getting removed from dbo.resource after the corresponding AD account is disabled

    Yes, this happens on its own. But there could be issues and the database might have stale records. Microsoft is however bound to support all the issues around this.

    • Marked as answer by Al Nelson Thursday, June 23, 2011 11:24 PM
    Thursday, June 23, 2011 11:24 PM
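
A read-only audit of the four attributes named in the answer above, useful for checking what an IDM feed actually left behind after provisioning or deprovisioning. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module and read access to the directory, and treating a disabled AD account that is still OCS-enabled as a finding is an assumption of this example.

```powershell
# Added example: reports inconsistent OCS attribute state, changes nothing.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# The four attributes the product-group answer recommends populating.
$ocsAttrs = 'msRTCSIP-UserEnabled', 'msRTCSIP-OptionFlags',
            'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-PrimaryHomeServer'

# Match any user object that carries at least one of the four attributes.
$anyOcs = ($ocsAttrs | ForEach-Object { "($_=*)" }) -join ''
$filter = "(&(objectCategory=person)(objectClass=user)(|$anyOcs))"

$report = foreach ($u in Get-ADUser -LDAPFilter $filter -Properties $ocsAttrs) {
    # Attributes from the list that are absent on this account.
    $missing = @($ocsAttrs | Where-Object { $null -eq $u.$_ })
    $ocsOn   = $u.'msRTCSIP-UserEnabled' -eq $true

    $finding = if (-not $u.Enabled -and $ocsOn) {
        # Deprovisioned in AD, but the OCS flag was never cleared.
        'AD account disabled, msRTCSIP-UserEnabled still TRUE'
    } elseif ($ocsOn -and $missing.Count -gt 0) {
        # Feed set the enable flag without the rest of the attribute set.
        'OCS-enabled, attribute set incomplete'
    } else {
        $null
    }

    if ($finding) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ADEnabled      = $u.Enabled
            SipAddress     = $u.'msRTCSIP-PrimaryUserAddress'
            HomeServer     = $u.'msRTCSIP-PrimaryHomeServer'
            Missing        = $missing -join ', '
            Finding        = $finding
        }
    }
}

$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize -Wrap
```

The accounts it lists are the ones to compare against the back-end database when looking for the stale records the answer mentions.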

All replies

  • Hi,

    Unfortunately, third party software is not in the scope of MS support. I am afraid I have no exact answer for you; maybe you can go to the IDM software official website to look for more information or post your question there.

    However, I will try my best to give you some useful information. Here is the link about AD properties required to enable a user for OCS:

    http://blog.insideocs.com/2010/05/03/ad-attributes-required-to-enable-a-user-for-ocs/

    Some more information for your reference:

    http://social.technet.microsoft.com/Forums/en-ZA/identitylifecyclemanager/thread/71d2faee-0dbd-4e7a-b5b6-e559b34940cb

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=29

    http://blog.insideocs.com/2009/01/16/189/

    Hope this is useful!

    Regards,

    Sharon

     



    Monday, June 13, 2011 6:53 AM
    Moderator
  • Thank you for the reply. I am not after 3rd party support - just the commands needed to provision OCS directly via command line / AD / WMI. These can then be utilised by IDM software.

    Thank you for the links. Reading the top link, it appears some attributes of AD must be populated first, then use WMI.

    Can you advise if Microsoft supports this method of provisioning?

    Monday, June 20, 2011 1:19 AM
  • Hi, Al,

    Using WMI to configure new users for OCS is supported; you can refer to the following link:

    http://technet.microsoft.com/en-us/library/dd441296(office.13).aspx

    It may use the OCS resource kits and you can download them from this link:

    http://www.microsoft.com/download/en/details.aspx?id=15344

    Some more information for your reference:

    http://social.technet.microsoft.com/Forums/en-US/ucccommunityocsdeployment/thread/3f56a337-23bf-482b-89a3-08a666564ab3/

    Regards,

    Sharon 

     


    Monday, June 20, 2011 12:25 PM
    Moderator
  • Thanks Sharon. I've read the links but am still unsure if Microsoft supports provisioning via AD. Even some OCS blog posts talk about how to provision totally via AD, or partially followed by WMI. But I can't tell if Microsoft supports this method (assuming it works, which we are yet to test).
    Tuesday, June 21, 2011 1:38 AM
  • How can I provision and deprovision Lync 2010 users using AD?

    Where can I get the registrar pool attribute in AD?

    Monday, October 24, 2011 4:47 PM