Group Creation and Provisioning Walkthrough: Implementation Steps

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

1. Overview

2. Scenario Design

In this section you will perform the following procedures:

• Prepare the Fabrikam Active Directory to receive groups.

• Prepare the Fabrikam Active Directory management agent to export groups to Active Directory.

• Configure a metaverse rules extension to create groups.

• Configure a metaverse object deletion rule for groups.

• Initialize the GroupPopulator table.

• Create the GroupPopulator management agent.

Prepare the Fabrikam Active Directory to Receive Groups

For the first step in the scenario configuration, prepare the Fabrikam Active Directory to receive groups by creating the appropriate OU structure in Active Directory.

To prepare the Fabrikam Active Directory to receive groups

1. On the Fabrikam Active Directory domain controller (fabnoa-dc-01), open Users and Computers.

2. Locate the organizational unit (OU) that was used for the Simple Account Provisioning scenario (OU=Fabrikam,OU=SimpleAccountProvisioning,OU=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com).

3. Under this organizational unit, create a new OU with the name Groups.

   Following is the organizational unit structure:

   DC=fabcorp,DC=fabrikam,DC=com

      OU=FABNOA-DC-01

         OU=SimpleAccountProvisioning

            OU=Fabrikam

               OU=Users

               OU=Disabled Users

               OU=Groups

Prepare Fabrikam AD MA to Export Groups to Active Directory

In this step, you will configure the Fabrikam AD MA for the export of groups to Active Directory.

To prepare the Fabrikam AD MA to export groups to Active Directory

1. In Management Agents, double-click Fabrikam AD MA.

2. Click the Select Object Types page, and select group as an additional object type.

3. Click Select Attributes. In the Select Attributes page, ensure that the Show All check box is selected, and then select grouptype and member as additional attributes.

4. Click Configure Attribute Flow. In the Configure Attribute Flow page, add the export attribute mappings listed in Table3.8 to the group object type (scoped by Data Source.group and metaverse.group).

Table 3.1   Export Attribute Mappings

1. To remove group membership from the group in Active Directory, configure the Allow Nulls on export attribute flow mapping for the Member metaverse attributes.

2. Click Configure Join and Projection Rules. On the Configure Join and Projection Rules page, configure join rules for the user and group object types listed in Table 3.9.

Table 3.2   Join Rule Configuration for Group and Object Types

Configure Metaverse Rules Extension to Create Groups

Configure the metaverse rules extension, which is provided by the HRGroupProvisioning.dll file.

To configure metaverse rules extension to create groups

1. Copy the new metaverse rules extension assembly to the \Extensions folder on the server running Microsoft Identity Integration Server 2003.

2. If you copied the scenario files into C:\ SCENARIOS\GroupManagement, copy the HRGroupProvisioning.dll to the extensions directory (for example, %Program Files%\Microsoft Identity Integration Server\extensions).

3. In Metadirectory Manager, from the Tools menu, click Configure Extensions.

4. In Configure Extensions, select Enable Metaverse Rules Extension, click Browse, and then select the HRGroupProvisioning.dll.

Initialize the GroupDefinitions Table

Initialize the GroupDefinitions table by running a script that creates and populates the table and then use SQL Query Analyzer to verify the results.

To initialize the GroupPopulator table

1. Open Command Prompt, and then change the directory to
   C:\Scenarios\GroupManagement\SQLTable.

2. Run InitGroupPopulator.cmd.

   This script will create a new database with the name MIIS_Group_Populator and add the GroupDefinitions table to this database. The GroupDefinitions table is filled with six sample rows. Each row contains a group definition.

3. Use SQL Query Analyzer to verify that the table is created and populated.

4. In SQL Query Analyzer, under FABNOA-MIIS-01 (the name of the computer running SQL), click to expand the MIIS_Group_Populator database.

5. Click to expand UserTables.

6. Right-click dbo.GroupDefinitions, and then click Open.

   The query results window contains 6 populated rows, as shown in Figure 3.1.

Create the GroupPopulator MA

Create the GroupPopulator MA that will be used to populate the group objects in the metaverse.

To create the GroupPopulator MA

1. In Metadirectory Manager, from the Tools menu, click Management Agents, and then click Import Management Agent.

2. In Open, browse to the scenario files (e.g. C:\SCENARIOS\GroupManagement).

3. Click GroupPopulatorUnicode.xml and click Open.

4. Click through the creation pages of the Create Management Agent wizard by using the Next button without changing any settings.

5. Click Finish.

Configure Metaverse Object Deletion Rule for Groups

In this step, you create a metaverse object deletion rule for the groups that you want to manage. If a group is not in the group definitions, you will delete the group from the metaverse by creating a metaverse object deletion rule. As a result, the GroupPopulator MA is authoritative for the group objects.

To create a metaverse object deletion rule

1. In the Metadirectory Manager, on the Tools menu, click Metaverse Designer.

2. Under Object types, click group.

3. On the Actions menu, click Configure Object Deletion Rule.

4. In Configure Object Deletion Rule, click Delete metaverse object when connector from this management agent is disconnected.

5. From the list of management agents, click the GroupPopulator management agent.

6. Click OK.

Next

• Additional Scenario Steps