Group Creation and Provisioning Walkthrough: Additional Scenario Steps

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Overview

  2. Scenario Design

  3. Implementation Steps

Additional Scenario Steps

In this section, you will perform the following steps to learn more about the available functionality of the Group Creation and Provisioning scenario:

  1. Clean up the connector space of the Fabrikam HR MA, the Fabrikam AD MA, and the Fabrikam Telephone MA.

  2. Run the Fabrikam AD MA, Fabrikam HR MA, and the Fabrikam Telephone MA to populate the metaverse.

  3. Run the GroupPopulator cycle to create groups.

  4. Run the Fabrikam AD MA to export groups to Active Directory.

  5. Introduce a change to membership.

  6. Perform your own variations.

Note

In a real-world environment, you do not need to clean up the connector space and repopulate the metaverse. The GroupPopulator starts working immediately with existing data. The first step is needed only to provide a clean system for the scenario walkthrough.

Clean Up the Connector Space

Clean up the connector space for each management agent that was run during the Simple Account Provisioning scenario before you repopulate the metaverse.

Note

If you have just finished setting up the Simple Account Provisioning scenario and have not run a management agent, you can skip this section.

To clean up the connector spaces

  1. In Metadirectory Manager, from the Tools menu, click Management Agents.

  2. Select the Fabrikam Telephone MA, and then click Delete.

  3. Ensure that Delete connector space only is selected, and then click OK.

  4. Repeat the previous two steps for the Fabrikam HR MA and the Fabrikam AD MA.

Repopulating the Metaverse

In this step, the metaverse is repopulated in order for groups to be used in subsequent steps.

To repopulate the metaverse

  1. From the Tools menu, click Configure Extensions, and then enable the metaverse rules extension.

  2. In Metadirectory Manager, from the Tools menu, click Management Agents.

  3. If you cleaned up the connector space, perform the following steps:

    1. Open the Fabrikam HR MA, and then run the Full Import run profile, followed by the Delta Synchronization run profile.

    2. Open the Fabrikam AD MA, and then run the Full Import run profile.

    3. Open the Fabrikam Telephone MA, and then run the Full Import run profile, followed by the Delta Synchronization run profile.

    4. Open the Fabrikam AD MA, and then run the Export run profile.

  4. If the Simple Account Provisioning scenario was just configured or the Fabrikam Active Directory does not contain any provisioned users from this scenario, then perform the following steps:

    1. Open the Fabrikam AD MA, and then run the Full Import run profile.

    2. On the Fabrikam HR MA, run the Full Import run profile, followed by the Delta Synchronization run profile.

    3. On the Fabrikam Telephone MA, run the Full Import run profile, followed by the Delta Synchronization run profile.

    4. On the Fabrikam AD MA, run the Export run profile.

  5. In Metadirectory Manager, from the Tools menu, click Metaverse Search.

  6. Enter a new search clause of employeeStatus Equals active.

  7. Click Search.

This should result in a list of 100 records.
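
The run order in step 3 can also be scripted. The following is an added example, not part of the original walkthrough: it drives the same sequence through the MIIS WMI provider (class MIIS_ManagementAgent, method Execute), which this page does not itself show, and stops at the first run that does not report success so that the final export to Active Directory never runs against a partially populated metaverse. Treating every status other than "success" as a failure is a deliberately strict assumption; the management agent and run profile names are the ones used in this walkthrough.

```powershell
# Added example: runs the step 3 sequence (connector space was cleaned up)
# on the MIIS server itself, using an account allowed to run management agents.
$namespace = 'root\MicrosoftIdentityIntegrationServer'

# Ordered (management agent, run profile) pairs, exactly as listed in step 3.
$sequence = @(
    @('Fabrikam HR MA',        'Full Import'),
    @('Fabrikam HR MA',        'Delta Synchronization'),
    @('Fabrikam AD MA',        'Full Import'),
    @('Fabrikam Telephone MA', 'Full Import'),
    @('Fabrikam Telephone MA', 'Delta Synchronization'),
    @('Fabrikam AD MA',        'Export')
)

foreach ($step in $sequence) {
    $maName     = $step[0]
    $runProfile = $step[1]

    # Look up the management agent by its display name.
    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent `
                        -Filter "Name='$maName'"
    if (-not $ma) {
        throw "Management agent '$maName' was not found."
    }

    Write-Host "Running '$runProfile' on '$maName' ..."

    # Execute blocks until the run completes and returns a status string.
    $result = $ma.Execute($runProfile)
    $status = $result.ReturnValue
    Write-Host "  status: $status"

    # Assumption: anything other than 'success' halts the sequence, so the
    # Export step is never reached after a failed import or synchronization.
    if ($status -ne 'success') {
        throw "'$runProfile' on '$maName' ended with status '$status'; remaining steps were not run."
    }
}
```

After the script completes, confirm the result with the Metaverse Search in steps 5 through 7.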

Run the GroupPopulator Cycle to Create Groups

Now that the metaverse is repopulated, you will create the groups needed to continue with the scenario.

To create the groups from the GroupPopulator cycle

  1. Open a Command Prompt and then browse to the folder C:\SCENARIOS\GroupManagement.

  2. Run the GroupPopulatorSync.cmd batch file.

  3. Verify the results by using Metaverse Search in the Metadirectory Manager.

  4. Configure a search clause with displayName Starts with D.

    Records are listed starting with Department.

  5. Select Department 001 from the search results and click Properties.

  6. In Properties, click the ellipsis (...) button of the member attribute.

    All of the group members of Department 001 are displayed.

  7. Return to Metaverse Search.

Export Groups to Active Directory

After creating the groups in the metaverse, export the groups to Active Directory by running the Fabrikam AD MA Export run profile.

To export groups to Active Directory

  1. In the Metadirectory Manager, click Management Agents.

  2. Click the Fabrikam AD MA, and then from the Actions menu, click Search Connector Space.

  3. In Connector Space Search, select Pending Export – Add as the search scope.

  4. Click the CN=Department 001 entry and use the Properties button to investigate the export changes that will be exported to Active Directory.

  5. Check that all export attributes and values are listed.

  6. Use the ellipsis (...) button to see values on the multi-valued member attribute.

  7. To export the groups to Active Directory, switch to Management Agents, and then run the Export Profile on the Fabrikam AD MA.

  8. On the domain controller for the Fabrikam domain, verify that the groups’ organizational unit now has groups and that the membership for these groups is set.

Introduce a Change to Membership

In this step, the delta import on the Fabrikam HR MA moves one person in the scenario, Sheelah Basarah, from Department 002 to Department 004.

To change membership

  1. Using the Fabrikam HR MA, run the Delta Import Changes 5 Profile, followed by the Delta Synchronization Profile.

  2. Verify that the statistics indicate 1 Connectors with Flow Updates.

    As a result of this department move, the departmental groups need to be updated to remove this person from the Department 002 group, and to add this person to the Department 004 group.

To re-calculate the groups

  1. Run the GroupPopulatorSync.cmd batch file.

  2. Using Metaverse Search, verify the search clause of displayName Starts with D:

    • The Department 002 should have one delete on the values of the member attribute.

    • The Department 004 should have one add on the values of the member attribute.

    After re-calculating the group memberships, export the group membership change to Active Directory.

To export the member to Active Directory

  1. In the Metadirectory Manager, click Management Agents.

  2. Click the Fabrikam Active Directory management agent, and then from the Actions menu, click Search Connector Space.

  3. In Search Connector Space, select Pending Export – Modify as the search scope.

    There will be four results.

  4. Click the CN=Department 002 entry and then click Properties to investigate the export changes that will get exported to Active Directory.

  5. Check that all export attributes and values are listed.

  6. Use the ellipsis (...) button to see values on the multi-valued member attribute.

    Note that only one delete of one member value will be exported to Active Directory.

  7. Perform the same steps for the CN=Department 004 entry.

    Note that only one member value was added and will be exported to Active Directory.

  8. To export the modifications to Active Directory, switch to Management Agents, and then run the Export Profile on the Fabrikam AD MA.

  9. On the domain controller of the Fabrikam domain, verify that the groups and the memberships are correctly modified.

  10. You can verify the group modification performed in this step by using the Active Directory Users and Computers console.

Perform Your Own Variations

To explore this scenario and the group creation and provisioning concepts of Microsoft Identity Integration Server 2003, perform the following operations:

  1. Change the PopulateGroups profile on the GroupPopulator MA.

  2. Change the Full Import step to do a Stage objects to connector space and stop run.

  3. Introduce some more changes on the Fabrikam HR MA and run the GroupPopulatorSync.cmd batch file.

  4. Use Search Connector Space to find the import changes.

  5. Use Preview to see how the changes are applied within the rules.

  6. To apply the import changes, run the ApplyPendingCSEntries profile on the GroupPopulator MA.

  7. Run the Export Profile on the Fabrikam AD MA to export the modifications to Active Directory.

  8. Build your own group definitions by adding new entries to the GroupDefinitions table in the SQL Query Analyzer. Before making the changes to the table, test your SQL Query by using SQL Query Analyzer.

  9. Delete group definitions from the GroupDefinitions table.

  10. Use the GroupPopulator management agent in other scenarios with your own queries.