Managing User Identities with Forefront Identity Manager 2010 Test Lab Guide

Updated: May 12, 2011

Applies To: Forefront Identity Manager 2010

This guide provides steps for configuring a test lab for the solution detailed in the Managing User Identities with Forefront Identity Manager 2010 guide. The following sections describe how to perform these tasks.

Test Lab Overview

In this test lab, Microsoft® Forefront® Identity Manager (FIM) 2010 is deployed with:

  • One preexisting server running FIM 2010.

  • One preexisting server running SQL Server® 2008 R2, named APP1.

  • One preexisting server running Microsoft Exchange Server 2010 with Service Pack 1, named EX1.

  • One preexisting client running Windows® 7 Ultimate, named CLIENT1.

The FIM test lab uses the following subnet:

Computers on each subnet connect using a hub or switch. See the following figure.

This test lab guide walks you through the Forefront Identity Manager 2010 configuration process so that you can build a test lab environment that uses Forefront Identity Manager 2010 for end-to-end user identity management. It builds upon previously released test lab guides.

Steps for Configuring the Managing User Identities with Forefront Identity Manager 2010 Test Lab

There are six steps to follow when configuring a Forefront Identity Manager 2010 test lab based on the Managing User Identities with Forefront Identity Manager 2010 Test Lab Guide.

  • Step 1: Completing the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

  • Step 2: Completing the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for the FIM Service account.

  • Step 3: Completing the SQL Server 2008 R2 TLG—The third step is to complete the SQL Server 2008 R2 test lab guide. This provides the database server for your FIM 2010 installation.

  • Step 4: Completing the FIM 2010 TLG—The fourth step is to complete the FIM 2010 test lab guide. This provides the FIM installation.

  • Step 5: Configuring FIM 2010 to Manage User Identities—The fifth step includes configuring the environment.

  • Step 6: Verifying the Configuration—The sixth step includes verifying that everything is working.

Step 1: Completing the Base Configuration

Set up the Base Configuration test lab for both the Corpnet and Internet subnets using the procedures in the “Steps for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the Test Lab Guide: Base Configuration (https://go.microsoft.com/fwlink/?LinkId=198140).

Step 2: Complete the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)

Set up the Exchange Server 2010 with Service Pack 1 test lab using the procedures outlined in Test Lab Guide: Exchange Server 2010 with Service Pack 1 (https://go.microsoft.com/fwlink/?LinkId=206341).

Step 3: Complete the SQL Server 2008 R2 TLG

Set up the SQL Server 2008 R2 test lab using the procedures outlined in Test Lab Guide: SQL Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkId=206340).

Step 4: Complete the FIM 2010 TLG

Set up the Forefront Identity Manager 2010 test lab using the procedures outlined in Test Lab Guide: Forefront Identity Manager 2010 (https://go.microsoft.com/fwlink/?LinkID=205228).

Step 5: Configure FIM 2010 to Manage User Identities

Configuring FIM 2010 to manage user identities consists of the following:

  • Create Active Directory Organizational Units

  • Create and Populate the HR Database

  • Create an EmployeeStatus Attribute in the FIM Portal

  • Add EmployeeStatus to MPR

  • Create the HR Management Agent in the Synchronization Service

  • Create the Run Profiles for the HR MA

  • Configure the Object Deletion Rule

  • Create the FIM Management Agent

  • Create the Run Profiles for the FIM MA

  • Enable Synchronization Rule Provisioning

  • Enable the Required MPRs

  • Set Up an Inbound Synchronization Rule for the HR MA in the FIM Portal

  • Run Imports and Synchs on the MAs

  • Set the Attribute Precedence on Attributes

  • Run the HR and FIM Management Agents

  • Create the AD Management Agent

  • Create the Run Profiles for the AD MA

  • Set Up an AD Provisioning Synchronization Rule for the AD MA in the FIM Portal

  • Create an All Employees and Contractors Set

  • Set Up the AD User Provisioning Workflow

  • Set Up the AD User Provisioning MPR

  • Set Up an Inbound Synchronization Rule for the AD MA in the FIM Portal

  • Create an Inactive Employees Set

  • Set Up an AD Make User Inactive Synchronization Rule

  • Set Up an AD Make User Inactive Workflow

  • Set Up an AD Make User Inactive MPR

  • Set Up an AD Deprovision Workflow

  • Set Up an AD Deprovision MPR

  • Run the HR, FIM, and AD Management Agents

Create Active Directory Organizational Units

In this step you will be creating three organizational units within Active Directory. These OUs will be used to contain your Full-Time Employees, Contractors, and your Terminated employees.

To create Active Directory organizational units

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.

  4. In the Name text box, type the following text, and then click OK:
    FIM_FTE

  5. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.

  6. In the Name text box, type the following text, and then click OK:
    FIM_Contractors

  7. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.

  8. In the Name text box, type the following text, and then click OK:
    FIM_Inactive

  9. Close Active Directory Users and Computers.

Create and Populate the HR Database

In this step you will be creating and populating your HR database in SQL. This will simulate a real-world example of a Human Resources database.

To create and populate the HR database

  1. Log on to APP1 as corp\Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type, select Database Engine.

  4. On the Connect to Server dialog box, under Server name, select APP1.

  5. On the Connect to Server dialog box, under Authentication, select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left.

  7. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  8. Copy the following code into the center pane.

    USE [master]
    GO
    /****** Object:  Database [HR]    Script Date: 10/28/2010 14:55:39 ******/
    CREATE DATABASE [HR] ON  PRIMARY ( NAME = N'HR', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\HR.mdf' , SIZE = 2048KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB ) LOG ON 
    ( NAME = N'HR_log', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\HR_log.ldf' , SIZE = 1024KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
    GO
    ALTER DATABASE [HR] SET COMPATIBILITY_LEVEL = 100
    GO
    IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))
    BEGIN
        EXEC [HR].[dbo].[sp_fulltext_database] @action = 'enable'
    END
    GO
    ALTER DATABASE [HR] SET ANSI_NULL_DEFAULT OFF 
    GO
    ALTER DATABASE [HR] SET ANSI_NULLS OFF 
    GO
    ALTER DATABASE [HR] SET ANSI_PADDING OFF 
    GO
    ALTER DATABASE [HR] SET ANSI_WARNINGS OFF 
    GO
    ALTER DATABASE [HR] SET ARITHABORT OFF 
    GO
    ALTER DATABASE [HR] SET AUTO_CLOSE OFF 
    GO
    ALTER DATABASE [HR] SET AUTO_CREATE_STATISTICS ON 
    GO
    ALTER DATABASE [HR] SET AUTO_SHRINK OFF 
    GO
    ALTER DATABASE [HR] SET AUTO_UPDATE_STATISTICS ON 
    GO
    ALTER DATABASE [HR] SET CURSOR_CLOSE_ON_COMMIT OFF 
    GO
    ALTER DATABASE [HR] SET CURSOR_DEFAULT  GLOBAL 
    GO
    ALTER DATABASE [HR] SET CONCAT_NULL_YIELDS_NULL OFF 
    GO
    ALTER DATABASE [HR] SET NUMERIC_ROUNDABORT OFF 
    GO
    ALTER DATABASE [HR] SET QUOTED_IDENTIFIER OFF 
    GO
    ALTER DATABASE [HR] SET RECURSIVE_TRIGGERS OFF 
    GO
    ALTER DATABASE [HR] SET  DISABLE_BROKER 
    GO
    ALTER DATABASE [HR] SET AUTO_UPDATE_STATISTICS_ASYNC OFF 
    GO
    ALTER DATABASE [HR] SET DATE_CORRELATION_OPTIMIZATION OFF 
    GO
    ALTER DATABASE [HR] SET TRUSTWORTHY OFF 
    GO
    ALTER DATABASE [HR] SET ALLOW_SNAPSHOT_ISOLATION OFF 
    GO
    ALTER DATABASE [HR] SET PARAMETERIZATION SIMPLE 
    GO
    ALTER DATABASE [HR] SET READ_COMMITTED_SNAPSHOT OFF 
    GO
    ALTER DATABASE [HR] SET HONOR_BROKER_PRIORITY OFF 
    GO
    ALTER DATABASE [HR] SET  READ_WRITE 
    GO
    ALTER DATABASE [HR] SET RECOVERY FULL 
    GO
    ALTER DATABASE [HR] SET  MULTI_USER 
    GO
    ALTER DATABASE [HR] SET PAGE_VERIFY CHECKSUM  
    GO
    ALTER DATABASE [HR] SET DB_CHAINING OFF 
    GO
    

  9. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

  10. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  11. Copy the following code into the center pane.

    USE [HR]
    GO
    /****** Object:  Table [dbo].[Employees]    Script Date: 10/28/2010 14:54:59 ******/
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    SET ANSI_PADDING ON
    GO
    CREATE TABLE [dbo].[Employees](
        [EmployeeNumber] [nchar](10) NULL,
        [FirstName] [char](10) NULL,
        [LastName] [char](20) NULL,
        [UserID] [char](21) NULL,
        [EmployeeType] [char](2) NULL,
        [EmploymentStatus] [char](2) NULL,
        [StartDate] [date] NULL,
        [EndDate] [date] NULL,
        [Manager] [char](100) NULL,
        [Department] [char](100) NULL
    ) ON [PRIMARY]
    GO
    SET ANSI_PADDING OFF
    GO
    
  12. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

  13. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  14. Copy the following code into the center pane.

    USE [HR]
    GO
    INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName,LastName,UserID,Department,Manager,StartDate) 
    VALUES ('1101', 'F', 'A', 'Test', 'User1', 'tuser1', 'IT', 'Britta Simon', '2009-10-28') 
    INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName,LastName,UserID,Department,Manager,StartDate) 
    VALUES ('1102', 'F', 'A', 'Test', 'User2', 'tuser2', 'Accounting', 'Britta Simon', '1995-09-28') 
    INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName,LastName,UserID,Department,Manager,StartDate) 
    VALUES ('1103', 'C', 'A', 'Test', 'User3', 'tuser3', 'Marketing', 'Lola Jacobson', '2006-08-28') 
    INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName,LastName,UserID,Department,Manager,StartDate) 
    VALUES ('1104', 'C', 'A', 'Test', 'User4', 'tuser4', 'Legal', 'Lola Jacobson', '1999-07-28')
    
  15. At the top, click Execute. This will take a moment and you should see four lines that say (1 row(s) affected) in the lower part of the center pane.

  16. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  17. Copy the following code into the center pane.

    USE [HR]
    GO
    /****** Object:  View [dbo].[Active_Employees]    Script Date: 02/02/2011 08:21:00 ******/
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE VIEW [dbo].[Active_Employees]
    AS
    SELECT EmployeeNumber, FirstName, LastName, UserID, EmployeeType, EmploymentStatus,
           StartDate, EndDate, Manager, Department,
           EmployeeNumber AS Expr1, FirstName AS Expr2, LastName AS Expr3, UserID AS Expr4,
           Department AS Expr5, Manager AS Expr6, EndDate AS Expr7, StartDate AS Expr8,
           EmploymentStatus AS Expr9, EmployeeType AS Expr10
    FROM dbo.Employees
    WHERE ((EndDate <= DATEADD(day, 0, GETDATE())) AND (EndDate > DATEADD(day, -45, GETDATE())))
       OR (EndDate IS NULL)
    GO
    
  18. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

  19. Close SQL Server Management Studio.

  20. Log off APP1.

Create an EmployeeStatus Attribute in the FIM Portal

In this procedure, you will create the EmployeeStatus attribute in the FIM Portal.

To create an EmployeeStatus attribute in the FIM Portal

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. In the Internet Explorer address box, enter https://fim1/identitymanagement, and then press Enter. This will open the Forefront Identity Manager 2010 home page.

  3. On the right, under Administration, click Schema Management.

  4. Click All Attributes. The title bar should now show Schema Management—All Attributes.

  5. At the top, click New. This will bring up the Create Attribute screen.

  6. In the text box, next to System name, enter EmployeeStatus.

  7. In the text box, next to Display Name, enter Employee Status.

  8. From the drop-down, next to Data Type, select Unindexed string.

  9. In the text box, next to Description, enter Tracks an employee’s status as Active, Retired, or Terminated.

  10. Click Finish, and then click Submit.

  11. At the top, click All Bindings. The title bar should now show Schema Management – All Bindings.

  12. At the top, click New. This will bring up the Create Binding screen.

  13. In the box, next to Resource Type, enter User. Click the green check mark. User should resolve with an underline.

  14. In the box, next to Attribute Type, enter EmployeeStatus. Click the green check mark. EmployeeStatus should resolve with an underline.

  15. Click Finish, and then click Submit.

Add EmployeeStatus to the MPR

Now you will add the EmployeeStatus attribute to the MPR named Synchronization: Synchronization account controls users it synchronizes.

To add EmployeeStatus to the MPR

  1. At the bottom of the left column, click Administration. This will bring up the Administration page.

  2. Click Management Policy Rules.

  3. In the list of MPRs, locate Synchronization: Synchronization account controls users it synchronizes and click it. This will open the Configuration page.

  4. Click the Target Resources tab.

  5. Down under Select specific attributes, use the up-down arrows and scroll to the bottom of the list.

  6. After Time Zone, enter EmployeeStatus. Click to select the green check mark. This should resolve with an underline.

  7. Click OK, and then click Submit.

Create the HR Management Agent in the Synchronization Service

Now you will create a SQL Server management agent (MA) named HR.

To create the HR management agent in the Synchronization Service

  1. Click Start, All Programs, Microsoft Forefront Identity Manager, and then Synchronization Service. This will launch the Synchronization Service Manager.

  2. At the top, click Management Agents.

  3. On the right, click Create. This will begin the Create Management Agent wizard.

  4. Under Management Agent for, select SQL Server from the drop-down list.

  5. In the box under Name, type the following text, and then click Next:
    HR

  6. On the Connect to Database page, in the Server text box, enter APP1.

  7. In the text box next to Database, type HR.

  8. In the text box next to Table/View, enter Active_Employees.

  9. Next to Authentication mode, click Windows integrated authentication.

  10. In the text box next to User name, type Administrator.

  11. In the Password text box, enter the Administrator account's password.

  12. In the Domain text box, type the following text, and then click Next:
    CORP

  13. On the Configure Columns page, click Set Anchor. This will bring up a Set Anchor window.

  14. Under Available attributes, click EmployeeNumber, and then click Add. Click OK. Click Next.

  15. On the Configure Connector Filter page, click Next.

  16. On the Configure Join and Projection Rules page, click Next.

  17. On the Configure Attribute Flow page, click Next.

  18. On the Configure Deprovisioning page, click Next.

  19. On the Configure Extensions page, click Finish.

Create the Run Profiles for the HR MA

Now that the HR MA has been created, you will create run profiles for the management agent.

To create the run profiles for the HR MA

  1. On the right, under Actions, click Configure Run Profiles. This opens the Configure Run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name box, type the following text, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile.

  7. On the Profile Name page, in the text box under Name box, type the following text, and then click Next:
    Full Synchronization

  8. On the Configure Step screen, from the drop-down list under Type, select Full Synchronization, and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click Apply, and then click Close.

Configure Object Deletion Rule

Now you will configure the object deletion rule so that the metaverse object is deleted once its HR connector is disconnected.

To Configure the Object Deletion Rule

  1. At the top, click Metaverse Designer.

  2. Under Object Types select Person.

  3. On the right, click Configure Object Deletion Rule. This will bring up the Configure Object Deletion Rule screen.

  4. Select Delete metaverse object when connector from any of the following management agents is disconnected. Place a check in the box next to HR.

  5. Click OK.

Create the FIM 2010 Management Agent

Now it is time to create the FIM 2010 management agent.

To create the FIM 2010 Management Agent

  1. At the top of the Synchronization Service Manager, click Management Agents.

  2. On the right, click Create. This will begin the Create Management Agent wizard.

  3. Under Management Agent for, use the drop-down list and select FIM Service Management Agent.

  4. In the text box under Name, type the following text, and then click Next:
    FIM

  5. On the Connect to Database page, in the Server text box, enter APP1.

  6. In the text box next to Database, type FIMService.

  7. In the text box next to FIM Service base address, enter https://FIM1:5725.

  8. Next to Authentication mode, click Windows integrated authentication.

  9. In the text box next to User name, type FIMMA.

  10. In the Password text box, enter Pass1word$.

  11. In the Domain text box, type the following text, and then click Next:
    CORP

  12. On the Select Object Types page, place a check in the box next to Person, and then click Next.

  13. On the Select Attributes page, check the box at the top next to Show All, verify that all of the attributes are selected, and then click Next.

  14. On the Configure Connector Filter page, click Next.

  15. On the Configure Object Type Mappings page, click Person, and then click Add Mapping. This will bring up a mapping window.

  16. On the mapping window, make sure person is selected for Metaverse object type, and then click OK. This will close the mapping window. Click Next.

  17. On the Configure Attribute Flow page, from the drop-down list under Data source object type, select Person.

  18. From the drop-down list under Metaverse object type list, select person.

  19. For Mapping Type, select Direct.

  20. From the list below Data source attribute, select AccountName.

  21. From the list below Metaverse attribute, select accountName.

  22. For Flow Direction, select Export. Ensure that Allow Nulls is not selected. Click New.

  23. Repeat the above steps for each of the attribute entries in the following table.

Important

Be sure to change the Flow Direction where applicable. Also be sure to add the check to Allow Nulls where the column entry is marked Yes.

<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Data source attribute</th>
<th>Flow direction</th>
<th>Metaverse attribute</th>
<th>Allow nulls</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>AccountName</p></td>
<td><p>Export</p></td>
<td><p>accountName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Department</p></td>
<td><p>Export</p></td>
<td><p>department</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>DisplayName</p></td>
<td><p>Export</p></td>
<td><p>displayName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeEndDate</p></td>
<td><p>Export</p></td>
<td><p>employeeEndDate</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>EmployeeID</p></td>
<td><p>Export</p></td>
<td><p>employeeID</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeStartDate</p></td>
<td><p>Export</p></td>
<td><p>employeeStartDate</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>EmployeeStatus</p></td>
<td><p>Export</p></td>
<td><p>employeeStatus</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeType</p></td>
<td><p>Export</p></td>
<td><p>employeeType</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>FirstName</p></td>
<td><p>Export</p></td>
<td><p>firstName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>LastName</p></td>
<td><p>Export</p></td>
<td><p>lastName</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Manager</p></td>
<td><p>Export</p></td>
<td><p>manager</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>AccountName</p></td>
<td><p>Import</p></td>
<td><p>accountName</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>DisplayName</p></td>
<td><p>Import</p></td>
<td><p>displayName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeEndDate</p></td>
<td><p>Import</p></td>
<td><p>employeeEndDate</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Department</p></td>
<td><p>Import</p></td>
<td><p>department</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeID</p></td>
<td><p>Import</p></td>
<td><p>employeeID</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>EmployeeType</p></td>
<td><p>Import</p></td>
<td><p>employeeType</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Manager</p></td>
<td><p>Import</p></td>
<td><p>manager</p></td>
<td><p></p></td>
</tr>
</tbody>
</table>
  24. Once all the attribute flows have been added, click Next.

  25. On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.

  26. On the Configure Extensions page, click Finish.

Create the Run Profiles for the FIM 2010 MA

Now that the FIM 2010 MA has been created, you will need to create run profiles for the management agent.

To create the run profiles for the FIM 2010 MA

  1. On the right of the Synchronization Service Manager, under Actions, click Configure Run Profiles. This opens the Configure Run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile.

  7. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Synchronization

  8. On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click New Profile.

  11. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Import

  12. On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.

  13. On the Management Agent Configuration page, click Finish.

  14. Click New Profile.

  15. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Synchronization

  16. On the Configure Step page, from the drop-down under Type, select Delta Synchronization, and then click Next.

  17. On the Management Agent Configuration page, click Finish.

  18. Click New Profile.

  19. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Export

  20. On the Configure Step page, from the drop-down under Type, select Export, and then click Next.

  21. On the Management Agent Configuration page, click Finish.

  22. Click Apply, and then click OK.

Enable Synchronization Rule Provisioning

Next you will enable Synchronization Rule Provisioning. This will enable the configured synchronization rules during a synchronization run.

To enable Synchronization Rule Provisioning

  1. In the Synchronization Service Manager, click Tools at the top, and then select Options.

  2. Select Enable Synchronization Rule Provisioning.

  3. Click OK.

Enable the Required MPRs

By default, FIM has several Management Policy Rules disabled. The following procedure enables the ones this scenario requires.

To enable the required MPRs

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. In the Internet Explorer address box, enter https://fim1/identitymanagement, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.

  3. On the right, under Administration, click Management Policy Rules.

  4. In the list of MPRs, locate General: Users can read non-administrative configuration resources and click it. This will open the Configuration page.

  5. Clear the check box next to Policy is disabled.

  6. Click OK, and then click Submit.

  7. Repeat the above steps for each of the MPR entries in the following table.

<table>
<colgroup>
<col style="width: 75%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Management policy rule</th>
<th>Disabled</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>General: Users can read nonadministrative configuration resources</p></td>
<td><p>No</p></td>
</tr>
<tr class="even">
<td><p>User management: Users can read attributes of their own</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>User management: Users can read selected attributes of other users</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>

Set Up the Inbound Synchronization Rule for the HR MA in FIM Portal

Now you will create the Inbound Synchronization Rule for the HR MA in the FIM Portal.

To set up the Inbound Synchronization Rule for the HR MA in FIM Portal

  1. At the bottom of the left column on the portal page, click Administration. This will bring up the Administration page.

  2. Click Synchronization Rules.

  3. At the top of the portal page, click New.

  4. On the General tab, in the box next to Display Name, enter HR Inbound Synch Rule, and then click Next.

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: HR

    • External System Resource Type: person

  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): EmployeeNumber

    2. Create Resource in FIM: select the check box

  7. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  8. On the Source tab, from the drop-down list select Department. Click OK.

  9. On the Destination tab, from the drop-down list select department. Click OK.

  10. Repeat the above steps for each of the entries in the table below.

<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Source</th>
<th>Destination</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>EmployeeNumber</p></td>
<td><p>employeeID</p></td>
</tr>
<tr class="even">
<td><p>FirstName</p></td>
<td><p>firstName</p></td>
</tr>
<tr class="odd">
<td><p>LastName</p></td>
<td><p>lastName</p></td>
</tr>
<tr class="even">
<td><p>UserID</p></td>
<td><p>accountName</p></td>
</tr>
</tbody>
</table>

  11. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  12. On the Source tab, from the drop-down list select FirstName. At the top, click Concatenate Value.

  13. From the new drop-down list that appears, select String. In the text box that appears, enter a blank space.

Important

This can be done by clicking inside the box. Ensure that the cursor is in the box. Hit the Spacebar once.

  14. Click Concatenate Value.

  15. From the new drop-down list that appears, select LastName, and then click OK.

  16. On the Destination tab, from the drop-down list select displayName, and then click OK.

  17. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  18. On the Source tab, from the drop-down list select StartDate. At the top of the page, click Concatenate Value.

  19. From the new drop-down list that appears, select String. In the text box that appears, enter T08:00:00.000.

  20. Click OK.

  21. On the Destination tab, from the drop-down list select employeeStartDate, and then click OK.

  22. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  23. On the Source tab, from the drop-down list select EndDate. At the top, click Concatenate Value.

  24. From the new drop-down list that appears, select String. In the text box that appears, enter T08:00:00.000.

  25. Click OK.

  26. On the Destination tab, from the drop-down list select employeeEndDate, and then click OK.

  27. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  28. On the Source tab, from the drop-down list select CustomExpression.

  29. In the box that appears, enter IIF(Eq(EmployeeType, "F"), "Full Time Employee", "Contractor"). Use straight double quotes, not typographic quotes.

  30. Click OK.

  31. On the Destination tab, from the drop-down list select employeeType. Click OK.

  32. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  33. On the Source tab, from the drop-down list select CustomExpression.

  34. In the text box that appears, enter IIF(Eq(EmploymentStatus, "A"), "Active", IIF(Eq(EmploymentStatus, "R"), "Retired", "Terminated")). Use straight double quotes, not typographic quotes.

  35. Click OK.

  36. On the Destination tab, from the drop-down list select employeeStatus, and then click OK.

  37. Click Finish. Click Submit.
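The Active_Employees view created in step 17 of the HR database procedure, the object deletion rule bound to the HR MA, and the attribute flows of this inbound rule together define the joiner, mover and leaver lifecycle that the HR feed drives. The following Python model is an added example, not code from this test lab guide or from FIM; it mirrors the view's WHERE clause and the rule's flows (the two IIF custom expressions, the FirstName + space + LastName concatenation, and the T08:00:00.000 suffix on the dates) so that you can see, for a given date, which HR rows the MA can see and what each one contributes to the metaverse. The helper names, the reference date, and the rows numbered 1105 to 1107 are constructed for the example.

```python
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional


class HrRow(NamedTuple):
    """One row of dbo.Employees with the columns the HR MA reads via Active_Employees."""
    employee_number: str
    first_name: str
    last_name: str
    user_id: str
    employee_type: str       # 'F' or 'C' in the lab data
    employment_status: str   # 'A', 'R', or any other code
    department: str
    start_date: date
    end_date: Optional[date]


def in_active_employees_view(row: HrRow, today: date) -> bool:
    """Mirror of the view's WHERE clause:
    (EndDate <= GETDATE() AND EndDate > GETDATE() - 45 days) OR EndDate IS NULL.
    A row outside this window is invisible to the HR MA, so its connector is
    disconnected on the next import/sync and the object deletion rule configured
    for the HR MA removes the metaverse person."""
    if row.end_date is None:
        return True
    return today - timedelta(days=45) < row.end_date <= today


def employee_type_flow(employee_type: str) -> str:
    """IIF(Eq(EmployeeType, "F"), "Full Time Employee", "Contractor")"""
    return "Full Time Employee" if employee_type == "F" else "Contractor"


def employee_status_flow(status: str) -> str:
    """IIF(Eq(EmploymentStatus, "A"), "Active",
           IIF(Eq(EmploymentStatus, "R"), "Retired", "Terminated"))"""
    if status == "A":
        return "Active"
    if status == "R":
        return "Retired"
    return "Terminated"


def date_flow(value: Optional[date]) -> Optional[str]:
    """StartDate/EndDate concatenated with the literal string T08:00:00.000."""
    return None if value is None else value.isoformat() + "T08:00:00.000"


def project_person(row: HrRow) -> Dict[str, Optional[str]]:
    """Apply the inbound flows of 'HR Inbound Synch Rule' to one connector row.
    The table's char(n) columns come back space-padded; the model strips that
    padding (assumption: verify what the SQL MA actually delivers in your lab)."""
    first, last = row.first_name.strip(), row.last_name.strip()
    return {
        "employeeID": row.employee_number.strip(),
        "accountName": row.user_id.strip(),
        "firstName": first,
        "lastName": last,
        "displayName": first + " " + last,
        "department": row.department.strip(),
        "employeeType": employee_type_flow(row.employee_type.strip()),
        "employeeStatus": employee_status_flow(row.employment_status.strip()),
        "employeeStartDate": date_flow(row.start_date),
        "employeeEndDate": date_flow(row.end_date),
    }


def run_hr_import_and_sync(rows: List[HrRow], today: date) -> Dict[str, Optional[Dict[str, Optional[str]]]]:
    """Return metaverse persons keyed by employeeID. None means the row has left
    Active_Employees: the HR connector is gone and the person is deleted."""
    return {
        row.employee_number.strip(): (project_person(row) if in_active_employees_view(row, today) else None)
        for row in rows
    }


# Constructed sample data: the guide's lab rows 1101 and 1103 as the char(n)
# columns would return them (space-padded), plus three constructed rows with EndDates.
TODAY = date(2011, 5, 12)  # constructed reference date
SAMPLE_ROWS = [
    HrRow("1101      ", "Test      ", "User1               ", "tuser1", "F ", "A ", "IT", date(2009, 10, 28), None),
    HrRow("1103", "Test", "User3", "tuser3", "C", "A", "Marketing", date(2006, 8, 28), None),
    # terminated 10 days ago: still inside the 45-day window, flows as Terminated
    HrRow("1105", "Test", "User5", "tuser5", "F", "T", "IT", date(2001, 1, 1), TODAY - timedelta(days=10)),
    # retired 60 days ago: outside the window, connector disconnects, person deleted
    HrRow("1106", "Test", "User6", "tuser6", "F", "R", "IT", date(2001, 1, 1), TODAY - timedelta(days=60)),
    # EndDate 10 days in the future: EndDate <= GETDATE() fails, so the row drops out of the view now
    HrRow("1107", "Test", "User7", "tuser7", "C", "A", "Legal", date(2001, 1, 1), TODAY + timedelta(days=10)),
]

if __name__ == "__main__":
    for employee_id, person in run_hr_import_and_sync(SAMPLE_ROWS, TODAY).items():
        print(employee_id, "-> deleted from metaverse" if person is None else person)
```

Running it shows the two cut-offs the view imposes. A person whose EndDate lies within the last 45 days is still imported and carries employeeStatus Terminated and a populated employeeEndDate, so the change is visible in the metaverse and the Portal before the person disappears; a person whose EndDate is older than 45 days is absent from the view, so the HR connector disconnects and the object deletion rule deletes the metaverse person. Note also that, as the predicate is written, a future-dated EndDate fails EndDate <= GETDATE() and drops the row out of the view immediately. The model strips the blanks that the fixed-width char columns produce; check the displayName values in the Portal after the first synchronization to confirm how the SQL MA delivers them.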

Run Imports and Synchs on the MAs

Now you will run your management agents and bring information into the metaverse.

To run imports and synchs on the MAs

  1. In the Synchronization Service Manager, at the top, under Management Agents, click FIM.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.

  4. At the top, under Management Agents, click HR.

  5. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  6. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.

  7. At the top, under Management Agents, click FIM.

  8. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  9. From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  10. At the top, under Management Agents, click HR.

  11. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  12. From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

Set Attribute Precedence on Attributes

Now you will need to set the attribute precedence on attributes.

To set the attribute precedence on attributes

  1. In the Synchronization Service Manager, at the top, click Metaverse Designer.

  2. From the list of Object types select person.

  3. Down under the list of attributes, select accountName, and on the lower right, click Configure Attribute Flow Precedence.

  4. From the list, select one with the HR management agent and use the arrow on the right to move it up to the first position.

  5. Repeat the above steps for each of the entries in the following list:

    • department

    • displayName

    • employeeEndDate

    • employeeID

    • employeeType

Run the HR and FIM Management Agents

Now that you have set the correct precedence for your attributes, you will need to rerun your synchronizations and also do an export to populate the FIM Portal.

To run the HR and FIM management agents

  1. In the Synchronization Service Manager, at the top, under Management Agents, click FIM.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  4. At the top, under Management Agents, click HR.

  5. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  6. From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  7. At the top, under Management Agents, click FIM.

  8. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  9. From the list, select Export, and then click OK. This will take a moment. It should finish with Export Statistics in the lower left window and no errors. You should see four adds and two updates.

  10. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  11. From the list, select Delta Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.

  12. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  13. From the list, select Delta Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

Create the AD Management Agent

In this procedure, you will create the AD DS management agent.

To create the AD DS management agent

  1. At the top, click Management Agents.

  2. On the right, click Create. This will begin the Create Management Agent wizard.

  3. Under Management Agent for, use the drop-down list and select Active Directory Domain Services.

  4. In the text box under Name, enter the following text, and then click Next:
    AD

  5. In the text box next to Forest name, enter corp.contoso.com.

  6. In the text box next to User name, enter Administrator.

  7. In the text box next to Password, enter the Administrators password.

  8. In the text box next to Domain, enter the following text, and then click Next:
    CORP

  9. In the Select directory partitions list, click DC=corp,DC=contoso,DC=com.

  10. Click the Containers button. This will bring up the Select Containers window.

  11. To deselect all selected nodes, click the check next to the DC=corp,DC=contoso,DC=com node.

  12. Select the FIM_Contractors node.

  13. Select the FIM_FTE node.

  14. Select the FIM_Inactive node.

  15. Click OK, and then click Next.

  16. On the Configure Provisioning Hierarchy page, click Next.

  17. On the Select Object Types page, under Object Types, click user.

  18. Click Next.

  19. On the Select Attributes page, at the top, click Show all.

  20. Select all of the following attributes:

    • cn

    • department

    • description

    • displayname

    • employeeID

    • employeeType

    • givenName

    • manager

    • objectSid

    • sAMAccountName

    • sn

    • unicodePwd

    • userAccountControl

  21. Click Next.

  22. On the Configure Connector Filter page, click Next.

  23. On the Configure Join and Projection Rules page, click Next.

  24. On the Configure Attribute Flow page, click Next.

  25. On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.

  26. On the Configure Provisioning Hierarchy page, click Next.

  27. On the Configure Extensions page, click Finish.

Create the Run Profiles for the AD MA

Now that the AD MA has been created, you will create run profiles for the management agent.

To create the run profiles for the AD MA

  1. On the right, under Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile.

  7. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Synchronization

  8. On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click New Profile.

  11. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Import

  12. On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.

  13. On the Management Agent Configuration page, click Finish.

  14. Click New Profile.

  15. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Synchronization

  16. On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.

  17. On the Management Agent Configuration page, click Finish.

  18. Click New Profile.

  19. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Export

  20. On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.

  21. On the Management Agent Configuration page, click Finish.

  22. Click Apply, and then click OK.

Set Up AD Provisioning Synchronization Rule for the AD MA in the FIM Portal

Now you will create the codeless provisioning rule in the FIM Portal. This rule will be responsible for creating new users in Active Directory.

To set up the AD Provisioning Synchronization Rule for the AD MA in the FIM Portal

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. In the Internet Explorer address box, enter https://fim1/identitymanagement, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.

  3. On the right, under Administration, click Synchronization Rules.

  4. At the top, click New.

  5. On the General tab, in the text box next to Display Name, enter AD Provisioning Synch Rule.

  6. Under Data Flow Direction, select Outbound, and then click Next.

  7. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: AD

    • External System Resource Type: user

  8. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

    2. Create Resource in External System: select the check box

  9. On the Workflow Parameters screen, click Next.

  10. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  11. On the Source tab, from the drop-down list select employeeID, and then click OK.

  12. On the Destination tab, from the drop-down list select employeeID, and then click OK.

  13. Repeat the above steps for each of the entries in the following table.

    Source          Destination
    department      department
    displayName     displayName
    employeeType    employeeType
    firstName       givenName
    lastName        sn
    manager         manager

  14. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  15. On the Source tab, from the drop-down list select String. In the text box that appears, enter the following text, and then click OK:
    Pass@word1

  16. On the Destination tab, from the drop-down list select unicodePwd, and then click OK.

  17. Check the Initial Flow Only box next to "Pass@word1" -> unicodePwd.

  18. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  19. On the Source tab, from the drop-down list select CustomExpression.

  20. In the text box that appears, enter IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com").

Tip

You can copy and paste the expression above, but be aware that the curly quotation marks (“ ”) that Word inserts are not part of the acceptable syntax. To work around this, copy the expression into Notepad, replace the curly quotes from Word with straight quotation marks (") typed in Notepad, and then copy it into the Custom Expression box.

  1. Click OK.

  2. On the Destination tab, from the drop-down list select dn, and then click OK.

  3. Check the box Initial Flow Only next to this rule.

  4. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  5. On the Source tab, from the drop-down list select CustomExpression.

  6. In the box that appears, enter IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com").

  7. Click OK.

  8. On the Destination tab, from the drop-down list select dn, and then click OK.

Warning

The following is not a typo: you want to add the same attribute flow twice. The first one, marked Initial Flow Only, is used for the creation of the user account; the second one, which is not marked Initial Flow Only, is responsible for moving your user between the FIM_FTE and FIM_Contractors OUs when the user's type or status changes.

  1. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  2. On the Source tab, from the drop-down list select CustomExpression.

  3. In the text box that appears, type IIF(Eq(employeeStatus, "Active"), 512, 514).

  4. Click OK.

  5. On the Destination tab, from the drop-down list select userAccountControl, and then click OK.

  6. Check the Initial Flow Only box next to this rule.

  7. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  8. On the Source tab, from the drop-down list select accountName.

  9. Click OK.

  10. On the Destination tab, from the drop-down list select sAMAccountName, and then click OK.

  11. Check the Initial Flow Only box next to this rule.

  12. Check the Use as Existence Test box next to this rule.

  13. Click Finish, and then click Submit.

Create an All Employees and Contractors Set

Now you will create a set that includes all employees and all contractors.

To create an all employees and contractors set

  1. On the left side of the page, under Management Policy Rules, click Sets.

  2. At the top, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: _ All Employees and Contractors

Note

The “_” is used so that our newly created set will be at the top of the list in the FIM Portal.

  1. On the Criteria-based Members page, provide the following information, and then click Finish:

    1. Select Enable criteria-based membership in current set.

    2. In the Select statement, click all resources, and then, from the drop-down list select user.

    3. In the Select statement, click all, and then, from the drop-down list select any.

    4. Click Add Statement.

    5. Click <Click to select attribute>, and then, from the drop-down list select Employee Type.

    6. Click <click to select value>, and then type Full Time Employee in the text box.

    7. Click Add Statement.

    8. Click <Click to select attribute>, and then, from the drop-down list select Employee Type.

    9. Click <click to select value>, and then type Contractor in the text box.

  2. Click Finish.

  3. Click Submit.

Set Up the AD User Provisioning Workflow

Now you will create the AD User Provisioning workflow.

To set up the AD User Provisioning Workflow

  1. On the left of the page, under Management Policy Rules, click Workflows.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Workflow Name: _ AD User Provision Workflow

    • Workflow Type: Action

  4. Click Next.

  5. On the Activities tab, perform the following steps:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, from the drop-down list select AD Provisioning Synch Rule.

    3. In the Action Selection options, select Add.

    4. Click Save.

  6. Click Finish, and then click Submit.

Set Up the AD User Provisioning MPR

Now you will create the AD User Provisioning MPR.

To set up the AD User Provisioning MPR

  1. On the left side of the page, click Management Policy Rules.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Display Name: _ AD User Provisioning MPR

    • Type: Request

  4. Click Next.

  5. On the Requesters and Operations tab, perform the following steps:

    1. Select Specific Set of Requesters. In the text box below Requester is defined as the following user set, type All People, and then click the green check mark.

    2. Under Operation, select Create resource and Modify a single-valued attribute.

  6. Click Next.

  7. On the Target Resources tab, perform the following steps:

    1. In the text box next to Target Resource Definition Before Request, type the following text, and then click the green check mark:
      _ All Employees and Contractors

    2. In the text box next to Target Resource Definition After Request, type the following text, and then click the green check mark:
      _ All Employees and Contractors

    3. Under Resource Attributes, select Select specific attributes and in the text box type Account Name. Click the green check mark.

  8. Click Next.

  9. On Policy Workflows, perform the following steps:

    • Under Action Workflows, select _ AD User Provision Workflow.

  10. Click Finish, and then click Submit.

Set Up the Inbound Synchronization Rule for the AD MA in the FIM Portal

Now you will create the codeless inbound synchronization rule. This allows the objectSid from AD DS to flow into the FIM Portal.

To set up the Inbound Synchronization Rule for the AD MA in the FIM Portal

  1. At the bottom of the left column of the page, click Administration. This will bring up the Administration page.

  2. Click Synchronization Rules.

  3. At the top, click New.

  4. On the General tab, in the text box next to Display Name type AD Inbound Synch Rule.

  5. Under Data Flow Direction, select Inbound, and then click Next.

  6. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: AD

    • External System Resource Type: user

  7. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

  8. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  9. On the Source tab, from the drop-down list select objectSid, and then click OK.

  10. On the Destination tab, from the drop-down list select objectSid, and then click OK.

  11. Click Finish, and then click Submit.

Create an Inactive Employees Set

Now you will create the Inactive Employees set. Transitioning into this set will cause the user in AD DS to be moved into the FIM_Inactive OU and disabled. Transitioning out of this set (for example, 30 days later) will cause the user to be removed from AD DS.

To create an inactive employees set

  1. On the left side of the page, under Management Policy Rules, click Sets.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: _ All Inactive Employees

  4. On the Criteria-based Members page, provide the following information, and then click Finish:

    1. Select Enable criteria-based membership in current set.

    2. In the Select statement, click all resources, and then, from the drop-down list select user.

    3. Click Add Statement.

    4. Click <Click to select attribute>, and then, from the drop-down list select EmployeeEndDate.

    5. Click After, and then from the drop-down list select prior to.

    6. Click <click to select value>, and then from the drop-down list select today in the text box.

    7. Click Add Statement.

    8. Click <Click to select attribute>, and then from the drop-down list, select EmployeeEndDate.

    9. Click <click to select value>, and then, from the drop-down list, select x days ago in the text box. Click the 1 and change it to a 3. It should now read 3 days ago.

  5. Click Finish.

  6. Click Submit.

Set Up the AD Make User Inactive Synchronization Rule

In this procedure, you will set up the AD make user inactive synchronization rule.

To set up the AD Make User Inactive Synchronization Rule

  1. At the bottom of the left column, click Administration. This will bring up the Administration page.

  2. Click Synchronization Rules.

  3. At the top, click New.

  4. On the General tab, in the text box next to Display Name, enter AD Make User Inactive Synch Rule.

  5. Under Data Flow Direction, select Outbound, and then click Next.

  6. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: AD

    • External System Resource Type: user

  7. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

    2. Disconnect FIM resource from external system resource when this Synchronization Rule is removed: select the check box

  8. On the Workflow Parameters screen, click Next.

  9. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  10. On the Source tab, from the drop-down list select CustomExpression.

  11. In the text box that appears, enter IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com").

  12. Click OK.

  13. On the Destination tab, from the drop-down list select dn, and then click OK.

  14. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  15. On the Source tab, from the drop-down list select CustomExpression.

  16. In the text box that appears, enter IIF(Eq(employeeStatus, "Active"), 512, 514).

  17. Click OK.

  18. On the Destination tab, from the drop-down list select userAccountControl, and then click OK.

  19. Click Finish, and then click Submit.

Set Up the AD Make User Inactive Workflow

Now you will set up the workflow for making a user inactive in Active Directory.

To set up the AD Make User Inactive Workflow

  1. On the left of the page, under Management Policy Rules, click Workflows.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Workflow Name: _ AD Make User Inactive Workflow

    • Workflow Type: Action

  4. Click Next.

  5. On the Activities tab, perform the following steps:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, from the drop-down list select AD Provisioning Synch Rule.

    3. In the Action Selection options, select Remove.

    4. Click Save.

    5. Click Add Activity.

    6. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    7. In the Synchronization Rules list, from the drop-down list select AD Make User Inactive Synch Rule.

    8. In the Action Selection options, select Add.

    9. Click Save.

  6. Click Finish, and then click Submit.

Set Up the AD Make User Inactive MPR

Now you will create the MPR to associate with the workflow that will make your user inactive in AD.

To set up the AD Make User Inactive MPR

  1. On the left of the page, click Management Policy Rules.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Display Name: _ AD Make User Inactive MPR

    • Type: Set Transition

  4. Click Next.

  5. On the Transition Definition tab, perform the following steps:

    1. In the box next to Transition Set, type _ All Inactive Employees, and then click the green check mark.

    2. Under Transition Type, select Transition In.

  6. Click Next.

  7. On Policy Workflows, perform the following steps:

    • Under Action Workflows, select _ AD Make User Inactive Workflow.

  8. Click Finish, and then click Submit.

Set Up the AD Deprovision Workflow

Now you will set up the workflow for removing a user altogether from AD DS.

To set up the AD Deprovision Workflow

  1. On the left of the page, under Management Policy Rules, click Workflows.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Workflow Name: _ AD Deprovision Workflow

    • Workflow Type: Action

  4. Click Next.

  5. On the Activities tab, perform the following steps:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, from the drop-down list select AD Make User Inactive Synch Rule.

    3. In the Action Selection options, select Remove.

    4. Click Save.

  6. Click Finish, and then click Submit.

Set Up the AD Deprovision MPR

Now you will create the MPR to associate with the workflow that will remove your users from AD.

To set up the AD Deprovision MPR

  1. On the left side of the page, click Management Policy Rules.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Display Name: _ AD Deprovision MPR

    • Type: Set Transition

  4. Click Next.

  5. On the Transition Definition tab, perform the following steps:

    1. In the text box next to Transition Set, enter _ All Inactive Employees, and then click the green check mark.

    2. Under Transition Type, select Transition Out.

  6. Click Next.

  7. On Policy Workflows, perform the following steps:

    • Under Action Workflows, select _ AD Deprovision Workflow.

  8. Click Finish, and then click Submit.
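To see how the codeless rules configured above fit together before you run the management agents, the following Python model (added here as an example; it is not part of the original guide and does not use FIM itself) replays the HR MA inbound flows, the dn and userAccountControl custom expressions, and the 3-day EndDate window of the _ All Inactive Employees set against constructed HR rows. Column names other than EmployeeNumber, EmployeeType, EmploymentStatus, StartDate and EndDate are assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample rows shaped like the lab's HR.Employees table (not the lab's data).
# Only EmployeeNumber, EmployeeType, EmploymentStatus, StartDate and EndDate are column
# names the guide uses; the other column names are assumed for this example.
HR_ROWS = [
    {"EmployeeNumber": "1101", "AccountName": "tuser1", "FirstName": "Test",
     "LastName": "User1", "Department": "IT", "EmployeeType": "F",
     "EmploymentStatus": "A", "StartDate": "2010-01-04", "EndDate": None},
    {"EmployeeNumber": "1103", "AccountName": "tuser3", "FirstName": "Test",
     "LastName": "User3", "Department": "IT", "EmployeeType": "C",
     "EmploymentStatus": "A", "StartDate": "2010-06-01", "EndDate": None},
]

DOMAIN_SUFFIX = "DC=corp,DC=contoso,DC=com"


def hr_to_metaverse(row):
    """Inbound attribute flows of the HR MA as configured in the guide."""
    def with_time(d):
        # Concatenate Value: <date> + "T08:00:00.000"
        return None if d is None else d + "T08:00:00.000"

    return {
        "accountName": row["AccountName"],
        "employeeID": row["EmployeeNumber"],
        "displayName": row["FirstName"] + " " + row["LastName"],
        "department": row["Department"],
        "employeeStartDate": with_time(row["StartDate"]),
        "employeeEndDate": with_time(row["EndDate"]),
        # IIF(Eq(EmployeeType, "F"), "Full Time Employee", "Contractor")
        "employeeType": "Full Time Employee" if row["EmployeeType"] == "F" else "Contractor",
        # IIF(Eq(EmploymentStatus, "A"), "Active",
        #     IIF(Eq(EmploymentStatus, "R"), "Retired", "Terminated"))
        "employeeStatus": {"A": "Active", "R": "Retired"}.get(row["EmploymentStatus"], "Terminated"),
    }


def ad_dn(mv):
    """dn custom expression shared by the AD Provisioning and AD Make User Inactive rules.

    The provisioning rule carries this flow twice: once marked Initial Flow Only (creates
    the object in the right OU) and once unmarked (moves it when type or status changes).
    """
    if mv["employeeStatus"] == "Active":
        ou = "FIM_FTE" if mv["employeeType"] == "Full Time Employee" else "FIM_Contractors"
    else:
        ou = "FIM_Inactive"
    return "cn=" + mv["displayName"] + ",OU=" + ou + "," + DOMAIN_SUFFIX


def ad_user_account_control(mv):
    """IIF(Eq(employeeStatus, "Active"), 512, 514).

    512 is NORMAL_ACCOUNT; 514 is NORMAL_ACCOUNT plus the ACCOUNTDISABLE bit (0x2).
    """
    return 512 if mv["employeeStatus"] == "Active" else 514


def in_inactive_set(mv, today):
    """_ All Inactive Employees: EmployeeEndDate prior to today AND after 3 days ago."""
    if mv["employeeEndDate"] is None:
        return False
    end = datetime.strptime(mv["employeeEndDate"], "%Y-%m-%dT%H:%M:%S.%f").date()
    return today - timedelta(days=3) < end < today


def set_transition(mv, was_member, today):
    """Which Set Transition MPR fires on this evaluation, given the previous membership."""
    is_member = in_inactive_set(mv, today)
    if is_member and not was_member:
        return "Transition In -> _ AD Make User Inactive Workflow"  # move to FIM_Inactive, UAC 514
    if was_member and not is_member:
        return "Transition Out -> _ AD Deprovision Workflow"        # stage a delete in AD DS
    return "no transition"


if __name__ == "__main__":
    today = date(2011, 2, 3)  # constructed "today" for the date-window checks
    # Test 1 of the guide: employee 1103 changes from Contractor (C) to Full Time (F).
    before = hr_to_metaverse(HR_ROWS[1])
    after = hr_to_metaverse({**HR_ROWS[1], "EmployeeType": "F"})
    print(ad_dn(before), "->", ad_dn(after))
    # Test 2 of the guide: employee 1101 is terminated with EndDate = yesterday.
    gone = hr_to_metaverse({**HR_ROWS[0], "EmploymentStatus": "T", "EndDate": "2011-02-02"})
    print(ad_dn(gone), ad_user_account_control(gone), set_transition(gone, False, today))
    # A few runs later the user leaves the 3-day window and the deprovision MPR fires.
    print(set_transition(gone, True, today + timedelta(days=4)))
```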

Important

There has been some feedback that the AD Provisioning Synch Rule is not being applied to the pre-existing users in the FIM Portal. Prior to running the management agents in the next step, verify that the AD Provisioning Synch Rule has been applied to the 4 test users. To do this, follow these steps:

  1. On FIM1, click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. In the Internet Explorer address box, enter https://fim1/identitymanagement, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.

  3. On the left side, click Users.

  4. On the Users page, in Search for, click the Magnifying Glass icon.

  5. In the list of users, double-click Test User1.

  6. At the top, click the Provisioning tab.

  7. Verify the AD Provisioning Synch Rule is under the Expected Rules List and the Synchronization Rules Status is pending.

If it is not there, use the following workaround. This will not affect newly created users in the HR database.

  1. On Test User 1, click the General tab at the top.

  2. Scroll down and find Account Name.

  3. Change the value in Account Name from tuser1 to Tuser1.

  4. Click Ok. Click Submit. Repeat this for all four users.

  5. Verify that the AD Provisioning Synch Rule is under Expected Rules List and that the Synchronization Status is Pending.

Run the HR, FIM, and AD Management Agents

Now you are going to run your management agents. This will populate the FIM Portal and AD DS.

To run the HR, FIM, and AD management agents

  1. In the Synchronization Service Manager, at the top, under Management Agents, click HR.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.

  4. Repeat the steps above for each item listed in the following table. You need to allow one management agent run to complete before doing the next one.

    Management agent    Run
    HR                  Full Import
    FIM                 Full Import
    AD                  Full Import
    HR                  Full Synchronization
    FIM                 Export
    FIM                 Full Import
    FIM                 Full Synchronization
    AD                  Export
    AD                  Full Import
    AD                  Full Synchronization

Step 6: Verifying the Configuration

In this section, you will modify the attributes of a user and then observe how the policy rules and management agents that you defined previously affect the user’s state.

Test 1

In this test, you will change a user’s employee type from Contractor to Full Time, and then run management agents to move the user to the appropriate folder in AD DS.

Verifying the Current User State in AD DS

In this procedure, you will verify that Test User3 resides in the FIM_Contractors folder.

To verify the current user state in AD DS

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. Click FIM_Contractors and verify that Test User3 is in the folder.

Important

Do not log off of DC1, as you will need to refer to it in later steps.

Changing the Status of the User

In this procedure, you will change the employee type of Test User3 from Contractor to Full Time.

To change the status of the user

  1. Log on to APP1 as corp\Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type select Database Engine.

  4. On the Connect to Server dialog box, under Server name select APP1.

  5. On the Connect to Server dialog box, under Authentication select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left.

  7. At the top of the page, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  8. Copy the following code into the center pane.

    USE [HR]
    GO

    UPDATE Employees SET EmployeeType = 'F' WHERE EmployeeNumber = '1103'

  9. At the top of the page, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

Note

Do not log off of APP1, as you will need to refer to it in later steps.

Running the Management Agents

In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User3, and apply the appropriate policy rules to move the user to a new folder.

To run the management agents

  1. Log on to FIM1 as corp\Administrator.

  2. Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service. This will launch Synchronization Service Manager.

  3. At the top of the page, click Management Agents, and then click HR.

  4. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  5. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.

  6. Using steps 3 - 5 above, run the following management agent run profiles in order.

    Management agent    Run profile
    HR                  Full Synchronization
    FIM                 Export
    FIM                 Full Import
    FIM                 Full Synchronization
    AD                  Export
    AD                  Full Import
    AD                  Full Synchronization

Note

Do not log off of FIM1, as you will need to refer to it in later steps.

Verifying the Changes in AD DS

In this step, you will verify that Test User3 was successfully moved to a new folder.

To verify the changes in AD DS

  1. On DC1, in Active Directory Users and Computers, click FIM_FTE and verify that Test User3 is now in that folder and is no longer in the FIM_Contractors folder.

Test 2

In this test, you will change a user’s employee status from Active to Inactive, and then run management agents to move the user to the appropriate folder in AD DS.

Verifying the Current User State in AD DS

In this procedure, you will verify that Test User1 resides in the FIM_FTE.

To verify the current user state in AD DS

  1. On DC1, in Active Directory Users and Computers, click FIM_FTE and verify that Test User1 is in the folder.

Changing the Status of the User

In this procedure, you will change the employee status of Test User1 from Active to Inactive, with a termination date of one day before today.

To change the status of the user

  1. On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio opens a blank query pane in the center, with a blinking cursor at the top.

  2. Copy the following code into the center pane.

Important

Replace the date in the following code with yesterday’s date using the format yyyy-mm-dd.

```sql
USE [HR]
GO

UPDATE Employees SET EmploymentStatus = 'T' WHERE EmployeeNumber = '1101'
UPDATE Employees SET EndDate = '2011-02-02' WHERE EmployeeNumber = '1101'
```

  3. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

Running the Management Agents

In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to move the user to a new folder.

To run the management agents

  1. In Synchronization Service Manager, at the top, click Management Agents, and then click HR.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  4. Using steps 1 - 3 above, run the following management agent run profiles in order.

    | Management agent | Run profile          |
    |------------------|----------------------|
    | HR               | Full Synchronization |
    | FIM              | Export               |
    | FIM              | Full Import          |
    | FIM              | Full Synchronization |
    | AD               | Export               |
    | AD               | Full Import          |
    | AD               | Full Synchronization |

Verifying the Changes in AD

In this step, you will verify that Test User1 was successfully moved to a new folder.

To verify the changes in AD

  1. On DC1, in Active Directory Users and Computers, click FIM_Inactive and verify that Test User1 is now in that folder and is no longer in the FIM_FTE folder.

Test 3

In this test, you will set a user’s EndDate to five days before today, and then run management agents to remove the user from AD DS.

Changing the Status of the User

In this procedure, you will change the EndDate of Test User1 to a termination date five days before today.

To change the status of the user

  1. On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio opens a blank query pane in the center, with a blinking cursor at the top.

  2. Copy the following code into the center pane.

Important

Replace the date in the following code with a date five days before today, using the format yyyy-mm-dd.

```sql
USE [HR]
GO

UPDATE Employees SET EndDate = '2011-01-27' WHERE EmployeeNumber = '1101'
```

  3. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

Running the Management Agents

In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to remove the user from AD DS.

To run the management agents

  1. In Synchronization Service Manager, at the top, click Management Agents, and then click HR.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  4. Using steps 1 - 3 above, run the following management agent run profiles in order.

    | Management agent | Run profile          |
    |------------------|----------------------|
    | HR               | Full Synchronization |
    | FIM              | Export               |
    | FIM              | Full Import          |
    | FIM              | Full Synchronization |
    | AD               | Export               |
    | AD               | Full Import          |
    | AD               | Full Synchronization |

Verifying the Changes in AD

In this step, you will verify that Test User1 was successfully removed from AD DS.

To verify the changes in AD

  1. On DC1, in Active Directory Users and Computers, click FIM_Inactive and verify that Test User1 has been removed from that folder and is no longer in AD DS.

Test 4

In this test, you will set a user’s EndDate to at least 45 days before today, and then run management agents to remove the user from the FIM database.

Verifying the User in the FIM Portal

In this procedure, you will verify that Test User1 is still in the FIM Service database.

To verify the user in the FIM Portal

  1. On FIM1, click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.

  3. On the left side, click Users.

  4. On the Users page, in Search for, click the Magnifying Glass icon.

  5. In the list of users, verify that Test User1 is there. Note that even though the user was removed from AD DS, it is still in the FIM Service database.

  6. Leave the FIM Portal on the Users page.

Changing the Status of the User

In this procedure, you will change the EndDate of Test User1 to a termination date at least 45 days before today.

To change the status of the user

  1. On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio opens a blank query pane in the center, with a blinking cursor at the top.

  2. Copy the following code into the center pane.

Important

Replace the date in the following code with a date at least 45 days before today.

```sql
USE [HR]
GO

UPDATE Employees SET EndDate = '2010-01-27' WHERE EmployeeNumber = '1101'
```

  3. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

Running the Management Agents

In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to remove the user from AD DS.

To run the management agents

  1. In Synchronization Service Manager, at the top, click Management Agents, and then click HR.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.

  4. Using steps 1 - 3 above, run the following management agent run profiles in order.

    | Management agent | Run profile          |
    |------------------|----------------------|
    | HR               | Full Synchronization |
    | FIM              | Export               |
    | FIM              | Full Import          |
    | FIM              | Full Synchronization |

Verifying the Changes in the FIM Portal

In this step, you will verify that Test User1 was successfully removed from the FIM database.

To verify the changes in the FIM Portal

  1. On FIM1, in the FIM Portal on the Users page, in Search for, click the Magnifying Glass icon to refresh the list.

  2. In the list of users, verify that Test User1 has been removed.