How to: Deprovision Connector Space Objects

When an object in the Forefront Identity Manager Synchronization Service database (metaverse) is deleted during outbound synchronization, the link to the connector space object is removed. The synchronization process uses the deprovisioning rule to determine what to do about the disconnector object in the connector space. If the deprovisioning rule for the management agent is configured to use a rules extension, the synchronization process calls the Deprovision method.

To disable a user account in Active Directory Domain Services (AD DS), set the userAccountControl attribute of the user account to the following constant:

Const ADS_UF_ACCOUNTDISABLE = &H2 ' Disable user account.

const long ADS_UF_ACCOUNTDISABLE = 0x0002; // Disable user account.

For more information about the user account control constants, go to the MSDN Library and search for the topic “ADS_USER_FLAG_ENUM”.

The following examples show an implementation of the Deprovision method for deprovisioning a connector space object. If the connector space object is a user account, the account is disabled and the connector space object is moved to a different container. For contact or group objects, the connector space object is deleted.

Public Function Deprovision(ByVal csentry As CSEntry) As DeprovisionAction _
    Implements IMASynchronization.Deprovision

    Const ADS_UF_ACCOUNTDISABLE = &H2   ' Disable user account
    Const ADS_UF_PASSWD_NOTREQD = &H20  ' No password is required
    Const ADS_UF_NORMAL_ACCOUNT = &H200 ' Typical user account

    Deprovision = DeprovisionAction.Disconnect

    Select Case csentry.ObjectType

        Case "user"

            ' Disable the user account in Active Directory Domain Services 
            ' and move the account to another container.
            Dim currentValue As Long

            If csentry("userAccountControl").IsPresent Then
                currentValue = csentry("userAccountControl").IntegerValue
            Else
                currentValue = ADS_UF_NORMAL_ACCOUNT
            End If

            csentry("userAccountControl").IntegerValue = currentValue _
                                                         Or ADS_UF_ACCOUNTDISABLE _
                                                         Or ADS_UF_PASSWD_NOTREQD

            ' Move the disabled user account to another container.
            Dim container As String = "CN=Disabled Users,DC=fabrikam,DC=com"
            Dim rdn As String = "CN=" & csentry("cn").Value
            Dim ma As ManagementAgent = Utils.MAs("Fabrikam AD MA")
            Dim dn As ReferenceValue = ma.EscapeDNComponent(rdn).Concat(container)
            csentry.DN = dn

            ' Leave the object in the connector space and never join or project
            ' this object into the metaverse.
            Deprovision = DeprovisionAction.ExplicitDisconnect

        Case "contact", "group"

            ' Delete the connector space object for a contact or group.
            Deprovision = DeprovisionAction.Delete

        Case Else
            Throw New EntryPointNotImplementedException
    End Select

End Function

DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry)
{
    const long ADS_UF_ACCOUNTDISABLE = 0x002;  // Disable user account
    const long ADS_UF_PASSWD_NOTREQD = 0x020;  // No password is required
    const long ADS_UF_NORMAL_ACCOUNT = 0x200;  // Typical user account

    DeprovisionAction Deprovision = DeprovisionAction.Disconnect;
   
    switch(csentry.ObjectType)
    {
        case "user":

            // Disable the user account in Active Directory Domain Services 
            // and move the account to another container.
            long currentValue;
             
            if(csentry["userAccountControl"].IsPresent)
            {
                currentValue = csentry["userAccountControl"].IntegerValue;
            }
            else 
            {
                currentValue = ADS_UF_NORMAL_ACCOUNT;
            }
             
            csentry["userAccountControl"].IntegerValue = currentValue 
                                                         | ADS_UF_ACCOUNTDISABLE 
                                                         | ADS_UF_PASSWD_NOTREQD;
             
            // Moves the disabled user account to another container.
            string container = "CN=Disabled Users,DC=fabrikam,DC=com";
            string rdn = "CN=" + csentry["cn"].Value;
            ManagementAgent ma = Utils.MAs["Fabrikam AD MA"];
            ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(container);
            csentry.DN = dn;

            // Leave the object in the connector space and never join or project
            // this object into the metaverse.
            Deprovision = DeprovisionAction.ExplicitDisconnect;
            break;
         
        case "contact":
        case "group":

            // Delete the connector space object for a contact or a group
            Deprovision = DeprovisionAction.Delete;
            break;
      
        default:
            throw new EntryPointNotImplementedException();
    }
   
    return Deprovision;
}
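The userAccountControl flag arithmetic and the per-object-type decision in the two samples above are plain bit and string operations, so they can be exercised and audited without a Synchronization Service install. The following Python model is an added example, not code from the page or from Microsoft: CSEntryModel stands in for CSEntry, escape_dn_component is a hypothetical RFC 4514 stand-in for the management agent's EscapeDNComponent, Concat is modelled as joining the RDN and the container with a comma (an assumption), and the flag values are the documented ADS_USER_FLAG_ENUM constants. decode_uac is the check a reviewer would run on the resulting value: it confirms that ACCOUNTDISABLE is set and also makes visible that the sample leaves PASSWD_NOTREQD set, which stays on the object if the account is later re-enabled.

```python
# Added example (not from the original page): models the userAccountControl
# handling and the deprovisioning decision of the Deprovision samples so the
# logic can be run and checked offline.
from dataclasses import dataclass
from typing import List, Optional

# Subset of ADS_USER_FLAG_ENUM; the first three are the ones the samples use.
ADS_UF_ACCOUNTDISABLE = 0x0002        # account is disabled
ADS_UF_PASSWD_NOTREQD = 0x0020        # no password is required
ADS_UF_NORMAL_ACCOUNT = 0x0200        # typical user account
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # password never expires
ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000  # Kerberos pre-authentication not required

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def escape_dn_component(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules).
    Hypothetical stand-in for ManagementAgent.EscapeDNComponent."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class CSEntryModel:
    """Constructed stand-in for the FIM CSEntry object (hypothetical)."""
    object_type: str
    cn: str
    dn: str
    user_account_control: Optional[int] = None  # None models IsPresent == False


DISABLED_CONTAINER = "CN=Disabled Users,DC=fabrikam,DC=com"  # container from the page


def deprovision(entry: CSEntryModel) -> str:
    """Mirror the samples: mutate the entry as they mutate csentry and return
    the DeprovisionAction name."""
    if entry.object_type == "user":
        current = (entry.user_account_control
                   if entry.user_account_control is not None
                   else ADS_UF_NORMAL_ACCOUNT)
        entry.user_account_control = (current
                                      | ADS_UF_ACCOUNTDISABLE
                                      | ADS_UF_PASSWD_NOTREQD)
        # ReferenceValue.Concat modelled as "<rdn>,<container>" (assumption).
        entry.dn = "CN=" + escape_dn_component(entry.cn) + "," + DISABLED_CONTAINER
        return "ExplicitDisconnect"
    if entry.object_type in ("contact", "group"):
        return "Delete"
    # The samples throw EntryPointNotImplementedException here.
    raise NotImplementedError(entry.object_type)


if __name__ == "__main__":
    # Constructed sample: a user whose cn contains a comma that must be escaped.
    user = CSEntryModel("user", "Smith, John",
                        "CN=Smith\\, John,OU=Users,DC=fabrikam,DC=com", 0x200)
    print(deprovision(user), hex(user.user_account_control), user.dn)
    print(decode_uac(user.user_account_control))
    print(deprovision(CSEntryModel("group", "Admins", "CN=Admins,DC=fabrikam,DC=com")))
```

Running the script shows the user landing in the Disabled Users container with userAccountControl 0x222, whose decoded flags are ACCOUNTDISABLE, PASSWD_NOTREQD and NORMAL_ACCOUNT; a user with no userAccountControl value in the connector space gets the same 0x222 because the samples start from ADS_UF_NORMAL_ACCOUNT.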

See Also

Reference

Deprovision

Concepts

Deprovisioning Objects in the Connector Space