Share via

MIM avoid creating duplicate users in Active Directory

Madhu Menon 96 Reputation points
2020-12-16T09:16:57.293+00:00

Hello Everybody,

I have MIM 2016 Version 4.5.412 (on-premise)
I have 4 Agents

CRM MA(Extensible Connectivity 2.0), FIM MA (FIM Service Man. ag.), DMZ MA (Extensible Connectivity 2.0),AD MA (Active Directory Domain Services)
I use MVExtension.dll
I have extension dll on CRM MA and DMZ MA

I create users in my CRM, CRM MA, handles the request, and creates users in my DMZ MA (Active Directory-OU CRM Users).
The above function works fine.

There are other applications that create users in DMZ AD (OU External Users)(same AD & Domain as above)
Now if CRM User creates user in CRM an existing user with same (firstname,lastname,email) that exists in OU External Users, then i want to perform a JOIN, and move that user from OU External Users to OU CRM Users.

Solutions i tried

  1. When existing External user is created in CRM. i check in MVExtension.cs, if user exists move the user from OU External Users to OU CRM Users. csentry.CommitNewConnector is in try catch(objectAlreadyExistsException) has //nothing. But on DMZ MA it fails with "export failed while applying to Active Directory". The error occurs because user already exists in AD
  2. I modified DMZ MA Extension, csentrychange.objectModificationType from Add to Update. Got error "System.InvalidOperation". ObjectModificationType already exists.

I have tried several ways with failure, i hope the community will be able to guide me a proper way of doing it.
I would appreciate any input from any of you experts on MIM.

Regards,
Madhu

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
707 questions
Accepted answer
  1. Madhu Menon 96 Reputation points
    2020-12-22T13:45:57.437+00:00

    Hello Everybody,

    I found half solution to my above problem.
    As i have mentioned above, when my DMZ AD ECMA2- Export no-limit runs, i get error "export failed while applying to Active Directory". I created NEW JOIN RULES on my DMZ AD ECMA management agent. The rules had 2 joins.

    1. givenName =>FirstName
    2. sn=> LastName
    3. samAccountName=>accountName

    When my DMZ AD ECMA2 - Full Import and Full Synchronization runs, it finds the exists AD User in DMZ Active Directory and makes the JOIN. I have an error, but finally the JOIN happens, and all records are connected properly.

    I hope this post will help others in Future.

    Best Regards,
    Madhu

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Madhu Menon 96 Reputation points
    2020-12-17T12:50:39.247+00:00

    Hello,

    Sharing MVExtension.cs
    49194-image.png 

        void ProvisionExternalUser(string maName, MVEntry mventry)  
    {  
          
        //this method updates the dn and populates the desired attributes on first synchronization  
        var managementAgent = mventry.ConnectedMAs[maName];  
        var connectors = managementAgent.Connectors.Count;  

        //Has the object been provisioned?  
        if (connectors == 0)  
        {  
            //Is the object ready for provisioning? / includes a case when the AD account was accidentally deleted in AD (re-provisions the user, password is re-generated in ADMA extension)  
            if (mventry["initialPassword"].IsPresent  
                && mventry["employeeType"].IsPresent && mventry["employeeType"].StringValue.Equals("External", StringComparison.InvariantCultureIgnoreCase)  
                && mventry["employeeStatus"].IsPresent && mventry["employeeStatus"].StringValue.Equals("Active", StringComparison.InvariantCultureIgnoreCase)  
                && mventry["crmSyncStatus"].IsPresent && (mventry["crmSyncStatus"].StringValue.Equals("NonEffective", StringComparison.InvariantCultureIgnoreCase) || mventry["crmSyncStatus"].StringValue.Equals("Effective", StringComparison.InvariantCultureIgnoreCase))  
                )  
            {  
                var isGeneric = mventry["credentialType"].IsPresent && mventry["credentialType"].StringValue.Equals("generic", StringComparison.InvariantCultureIgnoreCase);  

                //Provision object  
                var csentry = managementAgent.Connectors.StartNewConnector("user");  

                //perpare firstName, lastName and cn  
                var lastname = (mventry["lastName"].IsPresent) ? mventry["lastName"].StringValue : "";  
                var firstname = (mventry["firstName"].IsPresent) ? mventry["firstName"].StringValue : "";  

                if (!String.IsNullOrEmpty(firstname))  
                {  
                    var ti = new CultureInfo("en-US", false).TextInfo;  
                    firstname = ti.ToTitleCase(firstname);  
                }  

                var strB = new StringBuilder();  
                if (!String.IsNullOrEmpty(firstname))  
                {  
                    strB.AppendFormat("{0} ", firstname);  
                }  
                strB.Append(lastname.ToUpperInvariant());  

                if (isGeneric)  
                {  
                    strB.AppendFormat(" {0}", GenericSuffix);  
                }  

                var cnString = strB.ToString();  

                //initialize common attributes  

                csentry["userAccountControl"].IntegerValue = 0x200; //Normal Account  
                csentry["pwdLastSet"].Value = "0"; //Change Password at first logon  
                csentry["unicodePwd"].Value = mventry["initialPassword"].StringValue; //set initial password  
                  

                if (ProvisionUniqueId)  
                {  
                    csentry["objectGUID"].BinaryValue = Guid.NewGuid().ToByteArray();  
                }  
                  
                //initialize provisioning dependent on DN and samAccountName  
                //the advanced logic is there for cases when more than one user is provisioned  
                //to AD at the same time - the existence check is done in AD-GetAdId and then in MV-try,catch on commmit  

                var provisioned = false;  
                var iteration = 0;  
                bool userExists = false;      
                while (!provisioned)  
                {  
                    //Get unique samAccountName  
                    var samAccountNameVal = this.GetAdId(firstname, lastname, isGeneric, ref iteration, ref userExists);  

                    var cn = String.Concat(cnString, " (", samAccountNameVal, ")");  
                    var rdn = String.Concat("CN=", cn);  

                    //Fill attributes of csentry  
                    csentry["cn"].Value = cn;  
                    csentry["sAMAccountName"].Value = samAccountNameVal;  
                    csentry["userPrincipalName"].Value = String.Concat(samAccountNameVal, "@", UpnSuffix);  
                    //set the DN  
                    csentry.DN = csentry.MA.EscapeDNComponent(rdn).Concat(RootOu);  
                    if (userExists)  
                        csentry["description"].Value = "userExistsInAD";  
                    try  
                    {  
                        //Finish new connector   
                        csentry.CommitNewConnector();                
                        provisioned = true;  
                    }  
                    catch (ObjectAlreadyExistsException)  
                    {  
                        //if (iteration > MaxProvisioningAttempts)  
                        //{  
                        //    //exceeded number of attempts  
                        //    throw;  
                        //}  
                    }  
                }  
            }  
        }  

        else if (connectors > 1)  
        {  
            throw new UnexpectedDataException("Too many connectors on Management Agent " + maName);  
        }  
    }

    DMZ MA Extension
    DMZ ECMA2
    49175-image.png

    ActiveDirectoryContext.cs
    public IEnumerable<CSEntryChangeResult> PutExportCsObjects(IEnumerable<CSEntryChange> changes)
    {
    var csEntryChangeResults = new List<CSEntryChangeResult>(); 

            foreach (var csEntryChange in changes)  
        {  
            var exportObject = exportObjectFactory.CreateExportObject(csEntryChange);  

            csEntryChangeResults.Add(this.writer.Write(exportObject));  
        }  

        return csEntryChangeResults;  
    }

    ExportObjectFactory.cs 

        public ActiveDirectoryExportObject CreateExportObject(CSEntryChange csEntry)  
    {  
        switch (csEntry.ObjectType.ToLowerInvariant())  
        {  
            case "user":  
                return new UserExportObject(csEntry, connection, mapper);  
            case "group":  
                return new GroupExportObject(csEntry, connection, mapper);  
            case "foreignsecurityprincipal":  
                return new FspExportObject(csEntry, connection, mapper, FspDecoyGroupDn);  
            default:  
                return new ActiveDirectoryExportObject(csEntry, connection, mapper);  
        }  
    }

    class UserExportObject : ActiveDirectoryExportObject
    {
    public UserExportObject(CSEntryChange csEntry, IActiveDirectoryConnection connection, ActiveDirectoryObjectMapper mapper)
    : base(csEntry, connection, mapper)
    { 

        }  

    public override byte[] Create()  
    {  
        using (var parentDirEntry = this.connection.GetParentDirectoryEntryFromDn(this.Dn))  
        {  
            using (var newObj = parentDirEntry.Children.Add(this.Rdn, this.ObjectType).Wrap())  
            {  

                mapper.MapActiveDirectoryExportObjectToExistingDirectoryEntry(this, newObj);  

                newObj.CommitChanges();  

                mapper.MapActiveDirectoryExportObjectToExistingDirectoryEntrySecondPass(this, newObj);  

                return newObj.Guid.ToByteArray();  
            }  
        }  
    }  

    public override byte[] Update()  
    {  
        if (!this.connection.DirectoryEntryExistsFromDn(this.Dn))  
        {  
            throw new ObjectMissingException(String.Format("Object {0} does not exist in Active Directory.", this.Dn));  
        }  

        using (var adObject = this.connection.GetDirectoryEntryFromDn(this.Dn))  
        {  
            if (this.IsRenamed)  
            {  
                string attributeDNValue = this.GetSingleValuedAttributeValue("DN") as string;  
                adObject.Rename(Utils.GetRdnFromDn(attributeDNValue));  

                if (attributeDNValue.Contains("DisabledAccounts"))  
                {  
                    var adnewObject = this.connection.GetDirectoryEntryFromDn(attributeDNValue.Substring(attributeDNValue.IndexOf(",") + 1));  

                    adObject.MoveTo(adnewObject);  
                }  
            }  

            mapper.MapActiveDirectoryExportObjectToExistingDirectoryEntry(this, adObject);  

            adObject.CommitChanges();  

            mapper.MapActiveDirectoryExportObjectToExistingDirectoryEntrySecondPass(this, adObject);  

            return adObject.Guid.ToByteArray();  
        }  
    }  
}

    With the above code, MIM Export throws below error.
    49184-image.png

    49125-image.png
    I am not sure how much this code helps you understand my project. Please feel free to contact me for more details.
    I don't know if its normal, but if you would like a Teams meeting, i can arrange that to show you my code in detail.

    Kind Regards,
    Madhu

    0 comments
  2. Vicky Wang 2,731 Reputation points
    2020-12-22T07:04:10.647+00:00

    Hi,
    Thank you for posting in our forum.
    According to your description, this problem seems to have nothing to do with ADDS. I can want to delete this tag. You can seek help from identity.
    Thank you for your understanding and support
    Best wishes
    Vicky

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.