Okay, ideally we want a state-based solution, creating objects in the remote system via the synchronization flow. But I had a request to create Computer accounts immediately in AD. If IT Support is troubleshooting a person's PC and they feel the workstation trust is broken or the account is corrupted, they may want to delete the workstation account and add it back. They are not ready to wait 30 minutes or 1 hour for the sync cycle. We can do that via PowerShell workflows.
In this scenario I have the Computer AD MA and the FIM MA, and I am using synchronization rules. There are 2 attributes, location and description, that I would like to flow from the Portal to AD. Create a PowerShell script that takes the TargetID, gets the SamAccountName, the distinguished name of the OU and the DisplayName (using XPath), and creates the Computer account. The flow logic is that the FIM MA will come first: the computer account from the FIM MA will get projected into the MV, and then the Computer MA will import the new AD account and join it to the MV object. I have created a set called “All Computers”. I have also created a set with all Workstation Administrators (excluding the Portal service account) called “Computer Account Admin”.
- Step One: FIM Sync
Edit the AD Computer MA and add join of Samaccountname to MV.Samaccountname for Computer object.
- Step Two: FIM Portal
Add a new workflow
Name: Create Computer Account in AD
Description: Create Computer Account in AD
Command: powershell -version 3.0 CreateComputerAD.ps1 $fimwf.TargetId.Guid
Create an MPR
The Name and Description “Create Computer Account in AD”
MPR Type: Request
Requestor: Computer Account Admin Set
Select Create Resource
Target Resource: All Computers
The Workflow attached is the “Create Computer Account in AD” workflow.
Add dn => MV.DistinguishedName to the Comp Inbound rule (optional; I just want the DN to come into the MV).
Edit the Comp Outbound Rule
- Remove all outbound flows except for location and description.
- Uncheck Create object in external system under the scope tab.
- Do a Delta Import and Delta Sync on the FIM MA to bring in the updated Inbound Rule.
- Attribute precedence: set location and description to manual precedence and put the FIM MA at the top.
- Go to the MV Designer and set DistinguishedName to equal precedence.
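The script that the workflow command above calls, as an added example rather than the author's own script: it takes the TargetId GUID, reads the Computer resource's account name, OU DN and display name from the Portal via XPath using the FIMAutomation snap-in, and creates the AD account. The Portal attribute names (AccountName, ContainerDN, DisplayName), the Resource Management Service URI and the file name are assumptions; match them to your own schema.

```powershell
# CreateComputerAD.ps1: run by the FIM workflow as
#   powershell -version 3.0 CreateComputerAD.ps1 $fimwf.TargetId.Guid
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetId
)
$ErrorActionPreference = 'Stop'

# FIMAutomation snap-in for the Portal web service, ActiveDirectory module for AD.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }
Import-Module ActiveDirectory

# Only a real GUID may go into the XPath filter.
$guid = [guid]::Empty
if (-not [guid]::TryParse($TargetId, [ref]$guid)) { throw "TargetId '$TargetId' is not a GUID" }

# Read the Computer resource from the Portal by ObjectID (XPath); the URI is an assumption.
$export = Export-FIMConfig -Uri 'http://localhost:5725/ResourceManagementService' `
    -CustomConfig "/Computer[ObjectID='$guid']" -OnlyBaseResources
if (-not $export) { throw "No Computer resource with ObjectID $guid" }

function Get-FimAttr($exportObject, $name) {
    $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name } |
        Select-Object -First 1 -ExpandProperty Value
}

# Attribute names are assumptions; match them to the Computer schema in your Portal.
$sam     = Get-FimAttr $export 'AccountName'
$ouDn    = Get-FimAttr $export 'ContainerDN'
$display = Get-FimAttr $export 'DisplayName'
if (-not $sam -or -not $ouDn) { throw "Computer $guid lacks AccountName or ContainerDN" }

# Computer sAMAccountNames end in '$'; the CN is the NetBIOS name (max 15 chars) without it.
$name = $sam.TrimEnd('$')
if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "'$name' is not a valid computer name" }
$samAccount = $name + '$'

# Idempotent: if IT Support already re-created the account, do not create a duplicate.
if (Get-ADComputer -Filter "sAMAccountName -eq '$samAccount'") {
    Write-Output "Computer $samAccount already exists; nothing to do"
    return
}

# Create the account; location and description arrive later through the outbound sync rule.
New-ADComputer -Name $name -SamAccountName $samAccount -Path $ouDn -DisplayName $display -Enabled $true
Write-Output "Created $samAccount in $ouDn"
```

The script runs under the FIM Service account, so that account needs create rights on the target OUs only, and the MPR's Requestor set (Computer Account Admin) is what limits who can trigger it.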