FIM 2010 Portal: Create Computer accounts directly in AD

Okay, ideally we want to use a state-based solution, creating objects in the remote system via the synchronization flow. But I had a request to create Computer accounts immediately in AD. If IT Support is troubleshooting a person’s PC and they feel the workstation trust is broken or the account is corrupted, they may want to delete the workstation account and add it back. They are not ready to wait 30 minutes or 1 hr for the sync cycle. We can do that via PowerShell workflows.

In this scenario, I have the Computer AD MA and the FIM MA. I am using synchronization rules. There are 2 attributes, location and description, that I would like to flow from the Portal to AD. Create a PowerShell script to take the TargetID, get the Samaccountname, the distinguishedname of the OU and the displayname (using XPath), and create the Computer account. The flow logic is that the FIM MA will come first: the computer account from the FIM MA will get projected into the MV, and then the Computer MA will import the new AD account and join it to the MV object. I have created a set called “All computers”. I have also created a set with all Workstation Administrators (excludes the Portal service account) called “Computer Account Admin”.
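A sketch of what such a script could look like, added here as an example and not the author's CreateComputerAD.ps1. It checks the values read from the Portal before the workflow account writes to AD. The service URI, the `Computer` resource type name, the `ComputerOU` attribute name (hypothetical) and the allowed base DN (placeholder) are assumptions.

```powershell
# CreateComputerAD.ps1: added illustration, not the author's script.
param(
    [Parameter(Mandatory = $true)]
    [guid]$TargetId   # the [guid] cast rejects non-GUID input before it reaches the XPath filter
)
$ErrorActionPreference = 'Stop'

# Assumed values; replace with your own.
$FimUri        = 'http://localhost:5725/ResourceManagementService'
$AllowedBaseDn = 'OU=Workstations,DC=example,DC=com'   # placeholder: only OUs under this DN are accepted
$OuAttribute   = 'ComputerOU'                          # hypothetical Portal attribute holding the OU DN

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Fetch the Portal object by ObjectID using an XPath filter.
$filter = "/Computer[ObjectID='$TargetId']"            # resource type name is an assumption
$res = @(Export-FIMConfig -Uri $FimUri -CustomConfig $filter -OnlyBaseResources)
if ($res.Count -ne 1) { throw "Expected exactly one Portal object for $TargetId" }

function Get-FimValue([string]$Name) {
    # Return the single value of the named attribute, or $null when it is absent.
    ($res[0].ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }).Value
}
$sam         = Get-FimValue 'AccountName'
$displayName = Get-FimValue 'DisplayName'
$ouDn        = Get-FimValue $OuAttribute

# Validate before touching AD: the values come from a Portal request, not from this script.
$name = "$sam".TrimEnd('$')
if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Rejected computer name '$sam'" }
if ($ouDn -ne $AllowedBaseDn -and
    -not "$ouDn".EndsWith(",$AllowedBaseDn", [StringComparison]::OrdinalIgnoreCase)) {
    throw "Rejected OU '$ouDn': outside $AllowedBaseDn"
}

# Create the account. Location and description are left to the outbound sync rule.
New-ADComputer -Name $name -SAMAccountName "$name`$" -Path $ouDn `
    -DisplayName $displayName -Enabled $true
```

Run the workflow under an account delegated only to create computer objects beneath the allowed OU, so a request that passes validation still cannot write elsewhere in the directory.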

  • Step One: FIM Sync

Edit the AD Computer MA and add a join of Samaccountname to MV.Samaccountname for the Computer object.

  • Step Two: FIM Portal

Add a new workflow

Name:  Create Computer Account in AD

Description: Create Computer Account in AD

Type: Action

Activity: PowerShell

Command: powershell -version 3.0 CreateComputerAD.ps1 $fimwf.TargetId.Guid

MPRs

Create an MPR

The Name and Description: “Create Computer Account in AD”

MPR Type: Request

Requestor: Computer Account Admin Set

Select Create Resource

Target Resource: All Computers

Attribute: Accountname

The Workflow attached is the “Create Computer Account in AD” workflow.

Synchronization Rule

Add dn => MV.DistinguishedName for the Comp Inbound rule (optional; I just want the DN to come into the MV)

Edit the Comp Outbound Rule

  • Remove all outbound flows except for location and description.
  • Uncheck Create object in external system under the scope tab.

FIM Sync

  • Do Delta Import Delta Sync on the FIM MA to bring in the updated Inbound Rule
  • Attribute precedence: make location and description manual and put the FIM MA at the top.
  • Go to the MV Designer and set the DistinguishedName to equal precedence.