Adventures in identity management
Maybe it’s because MIIS is a sort of infrastructure thing, so is given to a time-pressed system administrator to set up; or because it’s a sort of programming thing, so is given to a .NET developer with no clue about the connected directories; or because there’s a lack of good training; or no clear guidance…
A common requirement is that user accounts should go through a disabled stage of some length before being deleted. This makes excellent sense, particularly in AD with its fastidiousness concerning SIDs. In this post I outline a way to achieve this in AD using a datestamped attribute, export flow rules and provisioning code.
In some implementations, it makes sense (usually by improving performance) to separate your user and group provisioning into seperate MAs. One downside of this approach, however, is that you can run into export errors when trying to update a group with a member who doesn’t exist in the external directory – and this includes delete…