Group Creation and Provisioning Walkthrough: Implementation Steps
Applies To: Windows Server 2003 with SP1
In this section you will perform the following procedures:
Prepare the Fabrikam Active Directory to receive groups.
Prepare the Fabrikam Active Directory management agent to export groups to Active Directory.
Configure a metaverse rules extension to create groups.
Configure a metaverse object deletion rule for groups.
Initialize the GroupPopulator table.
Create the GroupPopulator management agent.
Important
If you have not set up the Simple Account Provisioning scenario, do not continue with this scenario. You must complete the Simple Account Provisioning scenario before running this scenario.
Prepare the Fabrikam Active Directory to Receive Groups
For the first step in the scenario configuration, prepare the Fabrikam Active Directory to receive groups by creating the appropriate OU structure in Active Directory.
To prepare the Fabrikam Active Directory to receive groups
On the Fabrikam Active Directory domain controller (fabnoa-dc-01), open Users and Computers.
Locate the organizational unit (OU) that was used for the Simple Account Provisioning scenario (OU=Fabrikam,OU=SimpleAccountProvisioning,OU=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com).
Under this organizational unit, create a new OU with the name Groups.
Following is the resulting organizational unit structure:
DC=fabcorp,DC=fabrikam,DC=com
    OU=FABNOA-DC-01
        OU=SimpleAccountProvisioning
            OU=Fabrikam
                OU=Users
                OU=Disabled Users
                OU=Groups
Prepare Fabrikam AD MA to Export Groups to Active Directory
In this step, you will configure the Fabrikam AD MA for the export of groups to Active Directory.
To prepare the Fabrikam AD MA to export groups to Active Directory
In Management Agents, double-click Fabrikam AD MA.
Click the Select Object Types page, and select group as an additional object type.
Click Select Attributes. In the Select Attributes page, ensure that the Show All check box is selected, and then select grouptype and member as additional attributes.
Click Configure Attribute Flow. In the Configure Attribute Flow page, add the export attribute mappings listed in Table 3.1 to the group object type (scoped by Data Source.group and metaverse.group).
Table 3.1 Export Attribute Mappings
Data Source Attribute | Metaverse Attribute | Mapping Type | Allow Nulls
---|---|---|---
displayName | displayName | Direct | No
member | member | Direct | Yes
sAMAccountName | uid | Advanced: Rules Extension type, with sAMAccountName as the FlowRuleName. | No
groupType | <none> | Advanced: Constant type, with 8 as the value for the Constant mapping. The value 8 indicates a Universal Distribution Group in Active Directory. | No
To remove group membership from the group in Active Directory, configure Allow Nulls on the export attribute flow mapping for the member metaverse attribute; without it, an emptied membership in the metaverse is never exported and stale members remain in the Active Directory group.
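The constant 8 that Table 3.1 flows to groupType is only the scope bit (ADS_GROUP_TYPE_UNIVERSAL_GROUP); the security-enabled bit (0x80000000) is absent, so the groups this scenario provisions are distribution groups and cannot be used in access control lists. Active Directory stores groupType as a signed 32-bit integer, which is why LDAP tools show a universal security group as -2147483640 rather than 0x80000008. The following decoder and encoder are an added example for this walkthrough, not part of the scenario files or of HRGroupProvisioning.dll; the flag constants are the documented ADS_GROUP_TYPE_ENUM values, and the sample values in main() are constructed.

```python
# groupType flag handling for Active Directory groups.
# Added example for this walkthrough; not code from the scenario files.
# Flag values are the documented ADS_GROUP_TYPE_ENUM constants.

GROUP_TYPE_BUILTIN_LOCAL = 0x00000001     # system-created built-in group
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008         # the constant flowed in Table 3.1
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # without this bit: distribution group

_SCOPES = {
    GROUP_TYPE_GLOBAL: "Global",
    GROUP_TYPE_DOMAIN_LOCAL: "Domain Local",
    GROUP_TYPE_UNIVERSAL: "Universal",
}


def decode_group_type(value):
    """Return (scope, kind) for a groupType value.

    Accepts the signed 32-bit form that LDAP tools return for security
    groups (for example -2147483640) as well as the unsigned form
    (0x80000008); kind is "Security" or "Distribution".
    """
    flags = value & 0xFFFFFFFF  # normalise a signed int32 to its unsigned bits
    scope_bits = [bit for bit in _SCOPES if flags & bit]
    if len(scope_bits) != 1:
        raise ValueError("groupType %#x does not select exactly one scope" % flags)
    kind = "Security" if flags & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return _SCOPES[scope_bits[0]], kind


def encode_group_type(scope, security_enabled):
    """Build the groupType constant for a new group of the given scope.

    Returns the signed 32-bit form, which is what Active Directory stores
    and what an LDAP modify expects.
    """
    scope_bit = {name: bit for bit, name in _SCOPES.items()}[scope]
    bits = scope_bit | (GROUP_TYPE_SECURITY_ENABLED if security_enabled else 0)
    return bits - 0x100000000 if bits & 0x80000000 else bits


def is_usable_in_acl(value):
    """True only for security groups; distribution groups carry no SID use."""
    return decode_group_type(value)[1] == "Security"


def main():
    # Constructed sample values: the walkthrough's constant and two
    # security-group values as an LDAP query would return them.
    for sample in (8, -2147483640, -2147483646):
        scope, kind = decode_group_type(sample)
        print("%12d -> %s %s group (usable in ACL: %s)"
              % (sample, scope, kind, is_usable_in_acl(sample)))
    print("Universal security group constant:",
          encode_group_type("Universal", True))


if __name__ == "__main__":
    main()
```

If a later revision of the scenario needs security groups, the constant to flow would be the signed value returned by encode_group_type("Universal", True); flowing the unsigned 2147483656 fails because the attribute is a 32-bit integer.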
Click Configure Join and Projection Rules. On the Configure Join and Projection Rules page, configure join rules for the user and group object types listed in Table 3.2.
Table 3.2 Join Rule Configuration for Group and User Object Types
Data Source Object Type | Data Source Attribute | Join Mapping | Metaverse Object Type
---|---|---|---
group | sAMAccountName | Direct to uid | group
user | employeeID | Direct to employeeID | person
Configure Metaverse Rules Extension to Create Groups
Configure the metaverse rules extension, which is provided by the HRGroupProvisioning.dll file.
To configure metaverse rules extension to create groups
Copy the new metaverse rules extension assembly to the \Extensions folder on the server running Microsoft Identity Integration Server 2003.
If you copied the scenario files into C:\SCENARIOS\GroupManagement, copy HRGroupProvisioning.dll from there to the extensions directory (for example, %Program Files%\Microsoft Identity Integration Server\extensions).
In Metadirectory Manager, from the Tools menu, click Configure Extensions.
In Configure Extensions, select Enable Metaverse Rules Extension, click Browse, and then select the HRGroupProvisioning.dll.
Initialize the GroupDefinitions Table
Initialize the GroupDefinitions table by running a script that creates and populates the table and then use SQL Query Analyzer to verify the results.
To initialize the GroupPopulator table
Open Command Prompt, and then change the directory to C:\Scenarios\GroupManagement\SQLTable. Run InitGroupPopulator.cmd.
This script will create a new database with the name MIIS_Group_Populator and add the GroupDefinitions table to this database. The GroupDefinitions table is filled with six sample rows. Each row contains a group definition.
Use SQL Query Analyzer to verify that the table is created and populated.
In SQL Query Analyzer, under FABNOA-MIIS-01 (the name of the computer running SQL), click to expand the MIIS_Group_Populator database.
Click to expand User Tables.
Right-click dbo.GroupDefinitions, and then click Open.
The query results window contains 6 populated rows, as shown in Figure 3.1.
Create the GroupPopulator MA
Create the GroupPopulator MA that will be used to populate the group objects in the metaverse.
To create the GroupPopulator MA
In Metadirectory Manager, from the Tools menu, click Management Agents, and then click Import Management Agent.
In Open, browse to the scenario files (for example, C:\SCENARIOS\GroupManagement).
Click GroupPopulatorUnicode.xml and click Open.
Click through the creation pages of the Create Management Agent wizard by using the Next button without changing any settings.
Click Finish.
Configure Metaverse Object Deletion Rule for Groups
In this step, you create a metaverse object deletion rule for the groups that you want to manage. If a group is no longer present in the group definitions, its GroupPopulator connector is disconnected and the deletion rule removes the group object from the metaverse. As a result, the GroupPopulator MA is authoritative for the group objects.
To create a metaverse object deletion rule
In the Metadirectory Manager, on the Tools menu, click Metaverse Designer.
Under Object types, click group.
On the Actions menu, click Configure Object Deletion Rule.
In Configure Object Deletion Rule, click Delete metaverse object when connector from this management agent is disconnected.
From the list of management agents, click the GroupPopulator management agent.
Click OK.