MIM 2016: Perform AD Functions in FIM/MIM Workflow without importing the AD PS Module – Part III (Multiple domains/forests)

Suppose you have users in multiple domains or multiple forests, and MIM is managing across those forests and domains. By default, directory services will connect to the local domain of the MIM server. Let's look at how you can specify which domain or forest the directory service connects to.

For DisableADUser use

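Function DisableADUser
{
    Param($FilterString, $MyDomain)

    $strFilter = $FilterString

    # Bind to the domain given by the caller instead of the local domain
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry($MyDomain)
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $strFilter
    $objSearcher.SearchScope = "Subtree"

    $existingObject = $objSearcher.FindAll()

    # Refuse to act unless the filter matches exactly one object
    If ($existingObject.count -ne 1)
    {
        throw ("Error getting the user in AD, User not found or more than one: " + $strFilter)
    }

    #This works only in PS 3 or greater – $myuser=$existingObject.GetDirectoryEntry()
    #use this – index the single result explicitly (works in PS 2 as well)
    $MyUser = $existingObject[0].GetDirectoryEntry()

    # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2); this replaces the whole flag value
    $MyUser.userAccountControl = 514
    # Write the change back to AD
    $MyUser.SetInfo()

    #Dispose the searcher to prevent memory leak
    if ($objDomain -ne $null)
    {
        $objDomain.Dispose()
    }
    if ($objSearcher -ne $null)
    {
        $objSearcher.Dispose()
    }
}

#************************* End of Function definition **********************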

#********************* MAIN ***************************

$Domain = "TLKNET"

# $myAccountName is assumed to be set earlier in the workflow script
$strFilter = "(samaccountname=$myAccountName)"

# Pick the LDAP root of the domain that holds the user
If ($Domain -eq "TLKNET") {
    $myDomainLdap = "LDAP://DC=tlknet,DC=tlkenterprise,DC=net"
}

If ($Domain -eq "TLKLOCAL") {
    $myDomainLdap = "LDAP://DC=tlklocal,DC=tlkenterprise,DC=local"
}

DisableADUser $strFilter $myDomainLdap
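
A stricter way to build the two arguments passed to DisableADUser, as an added example that is not part of the original post: the domain is resolved through a lookup table that rejects unknown names instead of leaving the LDAP path empty, and the account name is escaped per RFC 4515 before it goes into the filter. The function names Get-DomainRoot and ConvertTo-LdapFilterValue and the sample account names are assumptions made for illustration.

```powershell
# Added example, not from the original post. Function names and sample
# inputs are assumptions; the two LDAP roots are the ones used on this page.
$DomainRoots = @{
    'TLKNET'   = 'LDAP://DC=tlknet,DC=tlkenterprise,DC=net'
    'TLKLOCAL' = 'LDAP://DC=tlklocal,DC=tlkenterprise,DC=local'
}

Function Get-DomainRoot([string]$Domain)
{
    # Fail closed: an unknown name must not leave the search root empty,
    # because an empty path binds to the MIM server's own (local) domain.
    If (-not $DomainRoots.ContainsKey($Domain)) { throw "Unknown domain: $Domain" }
    return $DomainRoots[$Domain]
}

Function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515: \ * ( ) and NUL are written as a backslash plus two hex digits
    $sb = New-Object System.Text.StringBuilder
    ForEach ($c in $Value.ToCharArray())
    {
        If ([int]$c -eq 0 -or '\*()'.IndexOf($c) -ge 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$c) }
        Else { [void]$sb.Append($c) }
    }
    return $sb.ToString()
}

# Constructed inputs: one ordinary account name, one carrying filter metacharacters
ForEach ($name in 'jsmith', 'j*)(objectClass=*')
{
    $root   = Get-DomainRoot 'TLKLOCAL'
    $filter = '(samaccountname=' + (ConvertTo-LdapFilterValue $name) + ')'
    Write-Output "$root  $filter"
}

# A domain outside the table stops the run before any directory call is made
Try { Get-DomainRoot 'OTHER' } Catch { Write-Output $_.Exception.Message }
```

With the escaped value, the second sample name is matched as a literal string, so the function's "exactly one result" check still applies to the account that was actually requested.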