Example: Deprovisioning a Connector Space Object

When an object in the metaverse is deleted during outbound synchronization, the link to the connector space object is removed. The synchronization process uses the deprovisioning rule to determine what to do about the disconnector object in the connector space. If the deprovisioning rule for the management agent is configured to use a rules extension, the synchronization process calls the IMASynchronization.Deprovision method.

To disable a user account in Active Directory, set the following flag in the userAccountControl attribute of the user account:

    Const ADS_UF_ACCOUNTDISABLE = &H2    ' Disable user account

    const long ADS_UF_ACCOUNTDISABLE = 0x0002;    // Disable user account

For more information about the user account control constants, go to https://msdn.microsoft.com/library and, in the left pane, search for the topic ADS_USER_FLAG_ENUM.

The following example shows an implementation of the IMASynchronization.Deprovision method for deprovisioning a connector space object. If the connector space object is a user account, the account is disabled and the connector space object is moved to a different container. For contact or group objects, the connector space object is deleted.

    Public Function Deprovision(ByVal csentry As CSEntry) As DeprovisionAction _
        Implements IMASynchronization.Deprovision
    
        Const ADS_UF_ACCOUNTDISABLE = &H2   ' Disable user account
        Const ADS_UF_PASSWD_NOTREQD = &H20  ' No password is required
        Const ADS_UF_NORMAL_ACCOUNT = &H200 ' Typical user account
    
        Deprovision = DeprovisionAction.Disconnect
    
        Select Case csentry.ObjectType
    
            Case "user"
    
                ' Disable the user account in Active Directory and move
                ' the account to another container.
                Dim currentValue As Long
    
                If csentry("userAccountControl").IsPresent Then
                    currentValue = csentry("userAccountControl").IntegerValue
                Else
                    currentValue = ADS_UF_NORMAL_ACCOUNT
                End If
    
                csentry("userAccountControl").IntegerValue = currentValue _
                                                             Or ADS_UF_ACCOUNTDISABLE _
                                                             Or ADS_UF_PASSWD_NOTREQD
    
                ' Move the disabled user account to another container.
                Dim container As String = "CN=Disabled Users,DC=fabrikam,DC=com"
                Dim rdn As String = "CN=" & csentry("cn").Value
                Dim ma As ManagementAgent = Utils.MAs("Fabrikam AD MA")
                Dim dn As ReferenceValue = ma.EscapeDNComponent(rdn).Concat(container)
                csentry.DN = dn
    
                ' Leave the object in the connector space and never join or project
                ' this object into the metaverse.
                Deprovision = DeprovisionAction.ExplicitDisconnect
    
            Case "contact", "group"
                ' Delete the connector space object for a contact or group
                Deprovision = DeprovisionAction.Delete
    
            Case Else
                Throw New EntryPointNotImplementedException
        End Select
    
    End Function

    DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry)
    {
        const long ADS_UF_ACCOUNTDISABLE = 0x002;  // Disable user account
        const long ADS_UF_PASSWD_NOTREQD = 0x020;  // No password is required
        const long ADS_UF_NORMAL_ACCOUNT = 0x200;  // Typical user account
    
        DeprovisionAction Deprovision = DeprovisionAction.Disconnect;
       
        switch(csentry.ObjectType)
        {
            case "user":
                // Disable the user account in Active Directory and move
                // the account to another container.
                long currentValue;
                 
                if(csentry["userAccountControl"].IsPresent)
                {
                    currentValue = csentry["userAccountControl"].IntegerValue;
                }
                else 
                {
                    currentValue = ADS_UF_NORMAL_ACCOUNT;
                }
                 
                csentry["userAccountControl"].IntegerValue = currentValue 
                                                             | ADS_UF_ACCOUNTDISABLE 
                                                             | ADS_UF_PASSWD_NOTREQD;
                 
                // Moves the disabled user account to another container.
                string container = "CN=Disabled Users,DC=fabrikam,DC=com";
                string rdn = "CN=" + csentry["cn"].Value;
                ManagementAgent ma = Utils.MAs["Fabrikam AD MA"];
                ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(container);
                csentry.DN = dn;
    
                // Leave the object in the connector space and never join or project
                // this object into the metaverse.
                Deprovision = DeprovisionAction.ExplicitDisconnect;
                break;
             
            case "contact":
            case "group":
                // Delete the connector space object for a contact or a group
                Deprovision = DeprovisionAction.Delete;
                break;
          
            default:
                throw new EntryPointNotImplementedException();
        }
       
        return Deprovision;
    }
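
The flag arithmetic from the Deprovision example, pulled out so that the resulting userAccountControl values can be inspected. This is an added example, not part of the original topic or of Microsoft's sample. The class name, the helper names and the DisableOnly variant are hypothetical, the input values are constructed, and ADS_UF_DONT_EXPIRE_PASSWD is taken from the same ADS_USER_FLAG_ENUM enumeration.

```csharp
using System;
using System.Collections.Generic;

static class UacDeprovisionDemo   // hypothetical name, not part of the MIIS API
{
    // Values from ADS_USER_FLAG_ENUM.
    const long ADS_UF_ACCOUNTDISABLE     = 0x00002;
    const long ADS_UF_PASSWD_NOTREQD     = 0x00020;
    const long ADS_UF_NORMAL_ACCOUNT     = 0x00200;
    const long ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

    // Same arithmetic as the Deprovision sample: default to a normal account
    // when the attribute is absent, then OR in both flags.
    static long DisableAsInSample(long? current)
    {
        return (current ?? ADS_UF_NORMAL_ACCOUNT) | ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD;
    }

    // Hypothetical variant that sets only the disable bit.
    static long DisableOnly(long? current)
    {
        return (current ?? ADS_UF_NORMAL_ACCOUNT) | ADS_UF_ACCOUNTDISABLE;
    }

    // Decode the four flags this example knows about.
    static string Describe(long uac)
    {
        var names = new List<string>();
        if ((uac & ADS_UF_ACCOUNTDISABLE) != 0) names.Add("ACCOUNTDISABLE");
        if ((uac & ADS_UF_PASSWD_NOTREQD) != 0) names.Add("PASSWD_NOTREQD");
        if ((uac & ADS_UF_NORMAL_ACCOUNT) != 0) names.Add("NORMAL_ACCOUNT");
        if ((uac & ADS_UF_DONT_EXPIRE_PASSWD) != 0) names.Add("DONT_EXPIRE_PASSWD");
        return string.Format("0x{0:X5} [{1}]", uac, string.Join(", ", names.ToArray()));
    }

    static void Main()
    {
        // Constructed inputs: attribute absent, normal account,
        // normal account with a non-expiring password.
        long?[] samples = { null, 0x200, 0x10200 };
        foreach (long? before in samples)
        {
            long asSample = DisableAsInSample(before);
            // A later re-enable that clears only the disable bit keeps PASSWD_NOTREQD.
            long reenabled = asSample & ~ADS_UF_ACCOUNTDISABLE;
            Console.WriteLine("sample:       " + Describe(asSample));
            Console.WriteLine("disable only: " + Describe(DisableOnly(before)));
            Console.WriteLine("re-enabled:   " + Describe(reenabled));
        }
    }
}
```

An account that carries PASSWD_NOTREQD can hold an empty password, so any process that later re-enables accounts disabled this way should clear 0x20 along with 0x2.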

Build date: 2/16/2009