Simple Account Provisioning Walkthrough

Applies To: Windows Server 2003 with SP1

Download Instructions

This document is available for download as a Windows Installer package at https://go.microsoft.com/fwlink/?LinkId=34336.

Overview

The goal of this fictional scenario is to manage Active Directory user accounts from a single authoritative data source. In this scenario, the fictional company called Fabrikam stores user information in its Human Resources system, which is referred to as the Fabrikam HR system. In this user account management scenario, you create a Microsoft Identity Integration Server 2003 management agent for the attribute-value pair text file that contains the data in the Fabrikam HR system. MIIS 2003 creates, modifies, deletes, and disables Active Directory user accounts by using this text file.

In the next step of this scenario, the Fabrikam HR system obtains the telephone numbers for Fabrikam employees from a telephone system. The telephone system delivers the telephone number data as a file dump in the form of a fixed-width text file. By the end of this scenario, the HR system information and the telephone system information are merged with the Fabrikam HR system by using Microsoft Identity Integration Server 2003.

The data flow in this scenario is a unidirectional flow of objects and attributes to Active Directory. No information flows back from Active Directory to the Fabrikam HR system or telephone system.

Before beginning this scenario, become familiar with the basic concepts of Microsoft Identity Integration Server 2003.

In This Walkthrough

  1. Scenario Design

  2. Lab Setup

  3. Implementation Steps

  4. Scenario Rules Extensions

  5. Administering the Account Provisioning Infrastructure

  6. Data Files

Microsoft Identity Integration Server 2003 Features Used in this Scenario

This scenario illustrates the following Microsoft Identity Integration Server 2003 features:

  • Import attribute flow: You will configure attribute flow from the Fabrikam HR system and telephone system to the metaverse. This includes direct attribute flow mappings that you configure by using Identity Manager, and scripted attribute flow mappings where you set the value of the attribute by using programming. Scripted attribute flow requires use of a user-provided dynamic-link library (.dll) file known as a rules extension.

  • Export attribute flow: When you create a new user account in Active Directory, the user account needs to be populated with attributes from the two source data sources (Fabrikam HR system and telephone system). Export attribute flow accomplishes the population of data into Active Directory. When Fabrikam HR system data or telephone numbers change, Microsoft Identity Integration Server 2003 uses export attribute flow to modify the attributes in Active Directory. Both direct attribute flow mappings and scripted attribute flow mappings are configured for this data population. Scripted attribute flow mappings are used to show the creation of the Active Directory password that is set whenever a new user account is created in Active Directory. The initial value will be the employeeID attribute from the Fabrikam HR system.

  • Connector filter: You will configure Microsoft Identity Integration Server 2003 to only process employee data if the value of the connected data source employeeStatus attribute does not equal the string value “terminated.” If the value of the employeeStatus attribute is the string “terminated,” then the object is filtered by the connector filter. If the value of the employeeStatus attribute does not equal “terminated,” then Microsoft Identity Integration Server 2003 flows the value into the metaverse attribute that is also named employeeStatus. You will use a connector filter that prevents Microsoft Identity Integration Server 2003 from adding employees to the metaverse and leaves them as disconnector objects if employeeStatus equals “terminated.”

  • Projection: You will use declarative projection rules in Identity Manager to project employee objects in the connected data sources as person objects to the metaverse.

  • Join: The telephone system contributes all phone numbers to the Fabrikam HR data source. In order to add telephone system information to the Fabrikam HR data, you will use a join rule on the management agent (MA) for the telephone system. The join rule will search the metaverse for persons with matching employeeID attributes.

  • Account management: The account management solution in this scenario shows the creation, renaming, movement and deletion of an Active Directory user account. For this solution, a rules extension is used along with a provisioning callout, which is configured on the metaverse.

  • Creating a user account: Microsoft Identity Integration Server 2003 is configured to create a new user account in Active Directory whenever an employee is projected from the Fabrikam HR system to the metaverse.

  • Renaming a user account: You will review the programming code to construct the relative distinguished name of an Active Directory user account from the first and last name of an employee. When the last name changes, the user account in Active Directory is renamed to reflect the new name.

  • Moving and disabling a user account: You will learn to write programming code in a rules extension used to handle the case when a user has been deactivated in the HR system and you have to disable the user account in Active Directory. In addition, you will review the code used to move the Active Directory user account to a special Disabled Users container in Active Directory.

  • Deleting a user account: You will configure the metaverse deletion rule for the person object type to instruct Microsoft Identity Integration Server 2003 to delete an employee in the HR system if it is not present in a full import or has an employeeStatus attribute set to “terminated.” You will use the deprovisioning rule on the Active Directory management agent to delete objects when disconnecting from the metaverse.

  • Full and delta imports: You will configure Microsoft Identity Integration Server 2003 to use run profiles to process imports from the telephone and Fabrikam HR systems, and to import the Active Directory container hierarchy into which Microsoft Identity Integration Server 2003 will provision user accounts. The telephone system provides a full import dump and a delta import to change the phone information for a single user. The HR system provides both a full import and delta snapshots that only include changes for certain employees. Active Directory provides information about the container hierarchy that the HR and telephone system data populate.

  • Deleting objects: You will use an import run profile to configure Microsoft Identity Integration Server 2003 to process the bulk deletion of objects. You will learn to delete employees that are not in a full dump of the Fabrikam HR system, and thereby delete them from Active Directory.

  • Exporting Active Directory: You will run the Active Directory management agent in all import and export modes. The import mode populates the container hierarchy in the metaverse in preparation for the rules extension, which will provision accounts in the correct containers during export mode.

  • Management agent run profiles: You will configure different run profiles with single and multiple steps.

  • Running management agents: You will see how to start management agents by using Identity Manager and the Microsoft Identity Integration Server 2003 WMI instance provider interface. The scenario includes a Visual Basic script to start management agents from the command line and a batch file that demonstrates how you can automate management agent runs by using the Windows Scheduler.

  • Monitoring Microsoft Identity Integration Server 2003 statistics counters: The scenario explains different management agent and metaverse statistics counters. You will learn how to monitor the results of your management agent runs by using the Identity Manager.

  • Searching the metaverse: The scenario shows how Metaverse Search can be used to search for metaverse entries and to display their properties.

  • Searching the connector space: You will see how to use Search Connector Space to search in the connector space to find changes resulting from the run of a management agent.

  • Preview mode: Microsoft Identity Integration Server 2003 allows you to preview all rules that are applied to a connector space object to see how Microsoft Identity Integration Server 2003 calculates changes within the synchronization cycle.

  • Audit files: Audit files are special drop files that are configured on import and export run steps. Audit files report the changes Microsoft Identity Integration Server 2003 receives from and returns to a connected data source. The scenario explains how to configure and view audit files.

  • Backup and restore Microsoft Identity Integration Server 2003: This scenario explains how to use SQL Server 2000 Enterprise Manager to back up the Microsoft Identity Integration Server 2003 database and restore it by using the restore mode of the Microsoft Identity Integration Server 2003 Setup. It also explains how to use the encryption key management tool to save the Microsoft Identity Integration Server 2003 encryption keys.

  • Import/Export server configuration: The scenario explains how to use the import and export server configuration feature to transport a Microsoft Identity Integration Server 2003 server configuration from one server running Microsoft Identity Integration Server 2003 to another server running Microsoft Identity Integration Server 2003.

  • Using WMI statistics: A Microsoft Identity Integration Server 2003 import run is commonly stopped as a result of bad data. The scenario explains how to use a command batch file with the Microsoft Identity Integration Server 2003 WMI statistic counters to accommodate this common condition.
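The account management bullets above (create, rename, move and disable, and the metaverse deletion rule) are implemented in the walkthrough by a rules extension with a provisioning callout. The following metaverse rules extension is an added illustration of that pattern written against the Microsoft.MetadirectoryServices API; it is not the walkthrough's own code. The MA names ("Fabrikam AD MA", "Fabrikam HR MA"), the metaverse name attributes (givenName, sn), the container DNs under DC=fabrikam,DC=com, and the status string "deactivated" for a disabled employee are assumptions, since the page does not give them.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example, not the walkthrough's extension. Assumed names: MAs
// "Fabrikam AD MA"/"Fabrikam HR MA", attributes givenName/sn, containers
// under DC=fabrikam,DC=com, and "deactivated" as the disabled status.
public class FabrikamProvisioning : IMVSynchronization
{
    const int AdsUfNormalAccount  = 0x200;   // userAccountControl: normal user
    const int AdsUfAccountDisable = 0x2;     // userAccountControl: account disabled
    const string AdMaName   = "Fabrikam AD MA";
    const string HrMaName   = "Fabrikam HR MA";
    const string ActiveOu   = "OU=Users,DC=fabrikam,DC=com";
    const string DisabledOu = "OU=Disabled Users,DC=fabrikam,DC=com";

    public void Initialize() { }
    public void Terminate() { }

    // Provisioning callout: create, rename, or disable-and-move the AD user.
    public void Provision(MVEntry mventry)
    {
        ConnectedMA ad = mventry.ConnectedMAs[AdMaName];
        bool deactivated = mventry["employeeStatus"].IsPresent &&
            String.Compare(mventry["employeeStatus"].Value, "deactivated", true) == 0;

        // RDN built from first and last name. EscapeDNComponent keeps a name
        // containing DN metacharacters (e.g. a comma) from corrupting the DN.
        string rdn = "CN=" + mventry["givenName"].Value + " " + mventry["sn"].Value;
        ReferenceValue dn = ad.EscapeDNComponent(rdn).Concat(deactivated ? DisabledOu : ActiveOu);

        if (ad.Connectors.Count == 0)
        {
            if (deactivated) return;     // example policy: never create a disabled account
            CSEntry csentry = ad.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            csentry["userAccountControl"].IntegerValue = AdsUfNormalAccount;
            csentry.CommitNewConnector(); // password is supplied by export attribute flow
            return;
        }

        CSEntry existing = ad.Connectors.ByIndex[0];
        if (!existing.DN.Equals(dn))     // last-name change or status change: rename/move
            existing.DN = dn;
        long uac = existing["userAccountControl"].IntegerValue;
        existing["userAccountControl"].IntegerValue =
            deactivated ? (uac | AdsUfAccountDisable) : (uac & ~AdsUfAccountDisable);
    }

    // Metaverse deletion rule: drop the person when its HR record disconnects,
    // which in turn triggers deprovisioning of the AD connector.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return csentry.MA.Name == HrMaName;
    }
}
```

The class is compiled into a .dll and registered as the metaverse rules extension, with the provisioning callout enabled in Identity Manager; Provision runs for every metaverse object that changes during synchronization.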
