FIM 2010 R2: Creating a Custom Metaverse Object Deletion Rule Using C#

Scope

This article guides the reader through creating a custom object deletion rule. Use caution when creating custom object deletion rules: the logic should be well thought out, properly designed and thoroughly tested.

Overview

Contoso is our sample multi-forest Exchange organization. There is an Exchange forest and two user account forests. The Exchange forest is known as Contoso and it also contains user accounts. There are mailboxes for users in the Contoso forest and linked mailboxes for users in the other forests. Contoso uses FIM to sync all its forests with a remote system.

Contoso has the following requirements for the Metaverse (MV) Person object:

  1. For mailboxes of users local to the Contoso forest, delete the MV object if the user is deleted in Contoso.
  2. For mailboxes in the Contoso forest linked to users in non-Contoso forests, delete the MV object if the user is deleted in Contoso.
  3. For mailboxes in the Contoso forest linked to users in non-Contoso forests, DO NOT delete the MV object if the user is deleted in the non-Contoso forest.
  4. For user accounts without mailboxes in the Contoso or a non-Contoso forest, delete the MV object if the user is deleted in its forest.
  5. Deleting the MV object will delete the user in the remote system.

Solution requirement

  1. We need an attribute to identify a Contoso user and a non-Contoso user.
  2. We need an attribute to identify a linked mailbox.

Contoso synchronization information

  1. Every Contoso user synced must have a valid User Principal Name (UPN) field.
  2. Each UPN value is unique to the local forest.
  3. For linked mailboxes, the UPN from the user forest overwrites, in the MV, the UPN supplied by the Contoso forest.
  4. Every linked mailbox has the MsExchMasterAccountSid attribute, which is also imported into the MV (you need to create a custom person attribute to flow this into the MV).

Proposed design

  1. The UPN field is used to identify whether a user is from the Contoso or a non-Contoso forest.
  2. The MsExchMasterAccountSid attribute is used to identify linked accounts.
  3. Check if the MV object UPN value contains "@Contoso.com". If it does, it is a local Contoso user.
  4. Check if the Connector Space (CS) object UPN value contains "@Contoso.com". If it does, it is a local Contoso user.
  5. Check whether the MsExchMasterAccountSid attribute is present on the MV object. If it is present, it is a linked mailbox.

Code logic

The MV object deletion extension code is triggered whenever a CS object is deleted or disconnected. Based on the design above:

  1. If (3) is true and (5) is false, it is a local Contoso forest mailbox or non-mailbox user: delete the MV object.
  2. If (3) is false and (5) is false, it is a non-Contoso forest user without a linked mailbox: delete the MV object.
  3. If (4) is true and (5) is true, it is a linked mailbox in Contoso: delete the MV object.
  4. If (4) is false and (5) is true, it is a user from a non-Contoso forest with a linked mailbox: do NOT delete the MV object.

MV Extension Object deletion code

using System;
using Microsoft.MetadirectoryServices;

bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
{
    bool deleteNow = false;
    bool IsMsExchMastPresent = false;
    bool IsUPNValueContainContoso = false;
    bool IsCSUPNContainContoso = false;

    // Does the MVEntry have MsExchMasterAccountSid? If it doesn't, it is not a linked account.
    if (mventry["MsExchMasterAccountSid"].IsPresent)
    {
        IsMsExchMastPresent = true;
    }
    // Logging is the extension's own helper class, not part of the FIM API.
    Logging.Log("IsMsExchMastPresent is " + IsMsExchMastPresent, true, 2);

    // Does the MVEntry UPN contain "@contoso.com"?
    // Check IsPresent first: reading StringValue of an absent attribute throws.
    // IndexOf returns -1 when not found, so test for >= 0; compare case-insensitively.
    if (mventry["userPrincipalName"].IsPresent)
    {
        int stringsearchMVforContoso = mventry["userPrincipalName"].StringValue
            .IndexOf("@contoso.com", StringComparison.OrdinalIgnoreCase);
        if (stringsearchMVforContoso >= 0)
        {
            IsUPNValueContainContoso = true;
        }
    }
    Logging.Log("IsUPNValueContainContoso is " + IsUPNValueContainContoso, true, 2);

    // Does the CSEntry UPN contain "@contoso.com"?
    //Logging.Log("csentry userPrincipalName is " + csentry["userPrincipalName"].StringValue, true, 2);
    if (csentry["userPrincipalName"].IsPresent)
    {
        int stringsearchCSforContoso = csentry["userPrincipalName"].StringValue
            .IndexOf("@contoso.com", StringComparison.OrdinalIgnoreCase);
        if (stringsearchCSforContoso >= 0)
        {
            IsCSUPNContainContoso = true;
        }
    }
    Logging.Log("IsCSUPNContainContoso is " + IsCSUPNContainContoso, true, 2);

    // Delete it if not from Contoso and it isn't linked.
    if (!IsMsExchMastPresent && !IsUPNValueContainContoso)
    {
        deleteNow = true;
    }
    // DO NOT delete it if it is a linked mailbox and the disconnected CS is from non-Contoso.
    else if (IsMsExchMastPresent && !IsCSUPNContainContoso)
    {
        deleteNow = false;
    }
    // Delete it if it is a linked mailbox and the disconnected CS is from Contoso.
    else if (IsMsExchMastPresent && IsCSUPNContainContoso)
    {
        deleteNow = true;
    }
    // Delete it if from Contoso and a non-linked mailbox.
    else if (!IsMsExchMastPresent && IsUPNValueContainContoso)
    {
        deleteNow = true;
    }

    // Return the decision.
    return deleteNow;
}
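The Scope section asks for the rule to be thoroughly tested, and the Code logic section gives the four cases it must satisfy. The following is an added example, not the article's code: a small console harness that isolates the decision table from the FIM MVEntry/CSEntry types so it can be run outside the sync engine. The helper names (IsContosoUpn, ShouldDelete), the sample UPNs and the suffix "@contoso.com" are assumptions; the harness also tightens the article's "contains" test to a suffix match, so "x@contoso.com.example" is not treated as a Contoso user, and treats a missing UPN as non-Contoso rather than throwing.

```csharp
// Added example (not the original article's code): a FIM-independent harness that
// exercises the MV deletion decision from the "Code logic" section.
using System;
using System.Collections.Generic;

static class DeletionRuleHarness
{
    // Assumed suffix; the article uses "@Contoso.com" in prose and "@contoso.com" in code.
    const string ContosoSuffix = "@contoso.com";

    // The UPN test from the extension, made case-insensitive, anchored to the end of
    // the value, and tolerant of a missing UPN (absent UPN => not a Contoso user).
    public static bool IsContosoUpn(string upn)
    {
        if (string.IsNullOrEmpty(upn)) return false;
        return upn.EndsWith(ContosoSuffix, StringComparison.OrdinalIgnoreCase);
    }

    // The four branches of the article's decision, with no dependency on MVEntry/CSEntry.
    // linkedMailbox = MsExchMasterAccountSid present on the MV object (design step 5).
    // mvUpnIsContoso = MV UPN is a Contoso UPN (design step 3).
    // csUpnIsContoso = the deleted/disconnected CS object's UPN is a Contoso UPN (design step 4).
    public static bool ShouldDelete(bool linkedMailbox, bool mvUpnIsContoso, bool csUpnIsContoso)
    {
        if (!linkedMailbox && !mvUpnIsContoso) return true;   // case 2: non-Contoso, not linked
        if (linkedMailbox && !csUpnIsContoso) return false;   // case 4: linked, non-Contoso side removed
        if (linkedMailbox && csUpnIsContoso) return true;     // case 3: linked, Contoso side removed
        return true;                                          // case 1: Contoso, not linked
    }

    sealed class Scenario
    {
        public string Name;
        public string MvUpn;          // UPN currently held by the MV object
        public string CsUpn;          // UPN of the CS object being deleted/disconnected
        public bool MvHasMasterSid;   // MsExchMasterAccountSid present on the MV object
        public bool Expected;         // expected ShouldDeleteFromMV result
    }

    // Returns the number of failing scenarios; zero means the rule matches the requirements.
    public static int RunScenarios()
    {
        // Constructed sample values; none of these are real accounts.
        var scenarios = new List<Scenario>
        {
            new Scenario { Name = "1. local Contoso user, no linked mailbox",
                MvUpn = "alice@contoso.com", CsUpn = "alice@contoso.com", MvHasMasterSid = false, Expected = true },
            new Scenario { Name = "2. non-Contoso user, no linked mailbox",
                MvUpn = "bob@fabrikam.example", CsUpn = "bob@fabrikam.example", MvHasMasterSid = false, Expected = true },
            // For linked mailboxes the user-forest UPN overwrites the MV UPN (sync information, item 3),
            // so the MV UPN is non-Contoso while the Contoso mailbox CS object carries the Contoso UPN.
            new Scenario { Name = "3. linked mailbox, Contoso CS object deleted",
                MvUpn = "carol@fabrikam.example", CsUpn = "carol@contoso.com", MvHasMasterSid = true, Expected = true },
            new Scenario { Name = "4. linked mailbox, non-Contoso CS object deleted",
                MvUpn = "carol@fabrikam.example", CsUpn = "carol@fabrikam.example", MvHasMasterSid = true, Expected = false },
            // Edge cases a "contains" test would get wrong or throw on:
            new Scenario { Name = "edge: look-alike suffix must not count as Contoso",
                MvUpn = "eve@contoso.com.example", CsUpn = "eve@contoso.com.example", MvHasMasterSid = true, Expected = false },
            new Scenario { Name = "edge: linked mailbox, CS UPN missing",
                MvUpn = "dave@fabrikam.example", CsUpn = null, MvHasMasterSid = true, Expected = false },
        };

        int failures = 0;
        foreach (var s in scenarios)
        {
            bool actual = ShouldDelete(s.MvHasMasterSid, IsContosoUpn(s.MvUpn), IsContosoUpn(s.CsUpn));
            bool ok = actual == s.Expected;
            if (!ok) failures++;
            Console.WriteLine("{0} {1} -> delete={2}", ok ? "PASS" : "FAIL", s.Name, actual);
        }
        return failures;
    }

    static int Main()
    {
        return RunScenarios();   // non-zero exit code if any scenario fails
    }
}
```

Running the harness shows one property of the article's decision table worth knowing before deploying it: once the linked-mailbox flag is false, both remaining branches delete, so the MV UPN test changes only the log output, never the outcome. Whether the CS object's UPN is a Contoso UPN is the single input that decides the linked-mailbox cases, which is why an absent or malformed UPN on the disconnecting CS object deserves the explicit guard rather than an exception inside ShouldDeleteFromMV.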