MPS Import::EnableOrganizationForHosting

This procedure ensures that a specified organization contains all the necessary child objects, security groups, and security settings to be recognized as a hosted organization by the MPS system. This procedure attempts to configure an existing organization as a hosted organization by doing the following:

  • Creating all necessary child OUs for Hosting configuration.

  • Creating security groups.

  • Setting group memberships with parent organizations.

  • Setting security ACLs on the object.

Arguments

Input argument | Required | Description

<path> | Yes | The Lightweight Directory Access Protocol (LDAP) path of the container where the organization is located.

<preferredDomainController> | Yes |

<policyName> | No | Determines the security policy to apply to the object. The default is customer, which is appropriate for all hosted organizations beneath a reseller organization. Valid values are:

  • Reseller.

  • Customer.

  • Default - not recommended, because this creates an OU with no security settings beyond those inherited from the parent.

Generally the supplied value should be reseller or customer. Default is used for child containers (such as departments), which simply inherit their security policy from the parent.

Remarks

Prerequisites

The organization must be located in the hosting Active Directory tree at the proper level in the hierarchy, depending on whether it is a reseller or a customer.

Procedure Steps

  1. Managed Active Directory::GetThisOrganizationRoot - get the root organization for the organization being enabled.

  2. Managed Active Directory::GetPolicy - get the policy structure for the organization.

  3. MPSImport::CreateOrgChildren - create child containers and security groups.

  4. MPSImport::CreateOrgChildren - create child containers.

  5. MPSImport::CreateOrgGroups - create org groups (admins and allusers).

  6. Managed Active Directory::SetSecurity_

  7. Managed Active Directory::SetOtherWellKnownObjects_

  8. Managed Active Directory::SetGroupMemberships_

  9. Managed Active Directory::RemoveAllAuthenticatedUsersACEs_

Security

Impersonate caller.

Sample Code

Example XML Request

<request> 
  <procedure> 
    <execute namespace="MPS Import" procedure="EnableOrganizationForHosting" impersonate="1"> 
      <executeData> 
        <path>LDAP://OU=alpineskihouse,OU=consolidatedmessenger,OU=Hosting,DC=fabrikam,DC=Com</path> 
        <preferredDomainController>AD01.fabrikam.Com</preferredDomainController> 
        <policyName>customer</policyName> 
      </executeData> 
      <after source="executeData" destination="data" mode="merge"/> 
    </execute> 
  </procedure> 
</request> 

Example XML Response

Shown for format only; content may vary.

<response> 
  <data> 
    <path>LDAP://OU=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com</path> 
    <preferredDomainController>AD01-Wh.fabrikam.Com</preferredDomainController> 
    <policyName>customer</policyName> 
    <org path="LDAP://ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="MPSImportOrg01"> 
      <otherWellKnownObjects> 
        <obj wkName="ThisOrganizationRoot" name="LDAP://ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
        <obj wkName="ForeignOwnerOrg" name="LDAP://OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
        <obj wkName="UserCreators" name="LDAP://cn=Admins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
        <obj wkName="ChildOrgCreators" name="LDAP://cn=CSRAdmins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
        <obj wkName="OrgType" name="LDAP://cn=customer,cn=WatOrgTypes,cn=_Private,ou=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
        <obj wkName="MultiGroupPointer" name="LDAP://cn=MultiGroup,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
        </obj> 
      </otherWellKnownObjects> 
      <orgs> 
        <org path="LDAP://cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="_Private" class="container"> 
          <otherWellKnownObjects> 
            <obj wkName="ThisOrganizationRoot" name="LDAP://ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
            </obj> 
            <obj wkName="OrgType" name="LDAP://cn=private,cn=WatOrgTypes,cn=_Private,ou=Hosting,DC=fabrikam,DC=com"> 
            </obj> 
          </otherWellKnownObjects> 
          <orgs> 
            <org path="LDAP://cn=MultiGroup,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="MultiGroup" class="container"> 
              <orgs> 
                <org path="LDAP://cn=UserN,cn=MultiGroup,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="UserN" class="container"> 
                  <orgs> 
                    <org path="LDAP://cn=AllUsers@MPSImportOrg01,cn=UserN,cn=MultiGroup,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="AllUsers@MPSImportOrg01" class="container"> 
                      <otherWellKnownObjects> 
                        <obj wkName="MultiGroupPointer" name="LDAP://cn=AllUsers@MPSImportOrg01,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
                        </obj> 
                      </otherWellKnownObjects> 
                    </org> 
                  </orgs> 
                </org> 
                <org path="LDAP://cn=ChildOrgN,cn=MultiGroup,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="ChildOrgN" class="container"> 
                </org> 
              </orgs> 
            </org> 
          </orgs> 
          <groups> 
            <group path="LDAP://cn=AllUsers@MPSImportOrg01,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="AllUsers@MPSImportOrg01"> 
              <memberOfGroup name="LDAP://cn=AllCustomers@MPSImportRes01,cn=_Private,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
              </memberOfGroup> 
            </group> 
          </groups> 
        </org> 
      </orgs> 
      <groups> 
        <group path="LDAP://cn=Admins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="Admins@MPSImportOrg01"> 
          <memberOfGroup name="LDAP://cn=AllCustomerAdminsGroups@MPSImportRes01,cn=_Private,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
          </memberOfGroup> 
        </group> 
        <group path="LDAP://cn=CSRAdmins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com" name="CSRAdmins@MPSImportOrg01"> 
          <memberOfGroup name="LDAP://cn=AllCustomerCSRAdminsGroups@MPSImportRes01,cn=_Private,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"> 
          </memberOfGroup> 
          <dacl> 
            <ace> 
              <inheritance>NO_INHERITANCE</inheritance> 
              <permission>ADS_RIGHT_READ_CONTROL</permission> 
              <trusteeType>0</trusteeType> 
              <trusteeForm>0</trusteeForm> 
              <trustee>S-1-5-10</trustee> 
              <mode>GRANT_ACCESS</mode> 
            </ace> 
          </dacl> 
        </group> 
      </groups> 
      <dacl> 
        <ace> 
          <permission>ADS_RIGHT_DS_LIST_OBJECT</permission> 
          <trustee>LDAP://cn=AllUsers@MPSImportOrg01,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
        <ace> 
          <permission>ADS_RIGHT_ACTRL_DS_LIST</permission> 
          <permission>ADS_RIGHT_DS_READ_PROP</permission> 
          <inheritance>SUB_CONTAINERS_AND_OBJECTS_INHERIT</inheritance> 
          <trustee>LDAP://cn=AllUsers@MPSImportOrg01,cn=_Private,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
        <ace> 
          <permission>ADS_RIGHT_READ_CONTROL</permission> 
          <inheritance>SUB_CONTAINERS_AND_OBJECTS_INHERIT</inheritance> 
          <trustee>LDAP://cn=Admins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
        <ace> 
          <permission>ADS_RIGHT_READ_CONTROL</permission> 
          <permission>ADS_RIGHT_DS_WRITE_PROP</permission> 
          <permission>ADS_RIGHT_WRITE_DAC</permission> 
          <permission>ADS_RIGHT_DS_SELF</permission> 
          <permission>ADS_RIGHT_DS_CONTROL_ACCESS</permission> 
          <permission>ADS_RIGHT_DS_CREATE_CHILD</permission> 
          <permission>ADS_RIGHT_DS_DELETE_CHILD</permission> 
          <permission>ADS_RIGHT_DS_DELETE_TREE</permission> 
          <permission>ADS_RIGHT_DELETE</permission> 
          <inheritance>SUB_CONTAINERS_AND_OBJECTS_INHERIT</inheritance> 
          <trustee>LDAP://cn=CSRAdmins@MPSImportRes01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
        <ace> 
          <permission>ADS_RIGHT_DS_WRITE_PROP</permission> 
          <permission>ADS_RIGHT_READ_CONTROL</permission> 
          <permission>ADS_RIGHT_WRITE_DAC</permission> 
          <permission>ADS_RIGHT_DS_SELF</permission> 
          <permission>ADS_RIGHT_DS_CONTROL_ACCESS</permission> 
          <permission>ADS_RIGHT_DS_CREATE_CHILD</permission> 
          <permission>ADS_RIGHT_DS_DELETE_CHILD</permission> 
          <permission>ADS_RIGHT_DS_DELETE_TREE</permission> 
          <inheritance>SUB_CONTAINERS_AND_OBJECTS_INHERIT</inheritance> 
          <trustee>LDAP://cn=Admins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
        <ace> 
          <permission>ADS_RIGHT_GENERIC_ALL</permission> 
          <inheritance>11</inheritance> 
          <inheritedObjectTypeName>{BF967ABA-0DE6-11D0-A285-00AA003049E2}</inheritedObjectTypeName> 
          <trustee>LDAP://cn=CSRAdmins@MPSImportOrg01,ou=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com</trustee> 
          <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
          <trusteeForm>TRUSTEE_IS_OBJECTS_AND_SID</trusteeForm> 
          <mode>GRANT_ACCESS</mode> 
        </ace> 
      </dacl> 
    </org> 
  </data> 
</response> 
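
An added example, not part of the original MPS documentation: a Python review pass over a response in the format shown above. It lists granted ACEs that carry rights such as WRITE_DAC or GENERIC_ALL, ACEs whose trustee lies outside the organization's own subtree (as the reseller's CSRAdmins group does in the response above), and any ACE still naming Authenticated Users (S-1-5-11). The function names, the tag strings and the trimmed SAMPLE response are constructed for illustration, and treating S-1-5-11 as what RemoveAllAuthenticatedUsersACEs_ removes is an assumption drawn from that step's name.

```python
import xml.etree.ElementTree as ET

# Rights that let a trustee re-permission or delete the organization subtree.
HIGH_RISK = {"ADS_RIGHT_GENERIC_ALL", "ADS_RIGHT_WRITE_DAC",
             "ADS_RIGHT_WRITE_OWNER", "ADS_RIGHT_DS_DELETE_TREE"}
AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID; assumed target of step 9

# Constructed sample, trimmed to the <org>/<dacl>/<ace> shape of the response above.
SAMPLE = """<response><data>
<org path="LDAP://ou=Org01,OU=Res01,OU=Hosting,DC=fabrikam,DC=Com" name="Org01">
 <dacl>
  <ace><permission>ADS_RIGHT_READ_CONTROL</permission>
   <trustee>LDAP://cn=Admins@Org01,ou=Org01,OU=Res01,OU=Hosting,DC=fabrikam,DC=com</trustee>
   <mode>GRANT_ACCESS</mode></ace>
  <ace><permission>ADS_RIGHT_WRITE_DAC</permission>
   <trustee>LDAP://cn=CSRAdmins@Res01,OU=Res01,OU=Hosting,DC=fabrikam,DC=com</trustee>
   <mode>GRANT_ACCESS</mode></ace>
  <ace><permission>ADS_RIGHT_DS_READ_PROP</permission>
   <trustee>S-1-5-11</trustee><mode>GRANT_ACCESS</mode></ace>
 </dacl>
</org></data></response>"""

def dn(ldap_path):
    """Strip 'LDAP://' and lowercase: the response mixes ou=/OU= and DC=Com/DC=com."""
    return ldap_path.split("://", 1)[-1].lower()

def audit_response(xml_text):
    """Return (object_dn, trustee, tags) for every granted ACE that merits review."""
    root = ET.fromstring(xml_text)
    org_dn = dn(root.find("./data/org").get("path"))
    findings = []
    for owner in root.iter():
        dacl = owner.find("dacl")  # direct child only, so each ACE is seen once
        if dacl is None:
            continue
        for ace in dacl.findall("ace"):
            if ace.findtext("mode") != "GRANT_ACCESS":
                continue
            trustee = ace.findtext("trustee", "")
            rights = {p.text for p in ace.findall("permission")}
            tags = sorted(rights & HIGH_RISK)
            if trustee == AUTHENTICATED_USERS:
                tags.append("AUTHENTICATED_USERS_ACE")
            elif trustee.upper().startswith("LDAP://") and not dn(trustee).endswith("," + org_dn):
                tags.append("TRUSTEE_OUTSIDE_ORG")
            if tags:
                findings.append((dn(owner.get("path", owner.tag)), trustee, tags))
    return findings
```

A TRUSTEE_OUTSIDE_ORG tag is a prompt to confirm that the trustee is the expected parent (reseller) group, not a defect in itself.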

Applies To

MPS Import Namespace API for:

  • Hosted Messaging and Collaboration version 3.5

See also

Tasks

MPS Import::ImportOrganization