My first post was on the 18^th of May 2007. I’d been working with MIIS for about two years and found it both heavy going and completely absorbing – in fact I was obsessed! I was also on the verge of a big move: London to Geneva via 3 months in Australia. I started the blog as a memory-aid for myself, as something that might help my employment prospects in Geneva, and of course with the thought that it might help out others, just as I have always found great tips and explanations on other people’s blogs.

So, 4½ years in, what can I say about missmiis?

Content

• I’ve stuck to my original intention of posting only what I’ve actually done myself – with any theorising or speculation noted clearly,
• I also try to post only what can’t easily be found elsewhere – at least, I couldn’t find it.
• If someone else’s blog post or forum entry has helped me I acknowledge and link it.

Reader Stats

My stats don’t go back to the very beginning, but I definitely can say readership has climbed steadily, except for the year following the Great ILM2 Delay. You can see pretty clearly when that was from looking at my stats!

Posts of Note

• A GALSync powershell script because it is far and above my most popular posting ever.
• Powershell Activity because, while no great piece of code, it represents when I finally understood how to develop a custom activity – the usual minimalist MS documentation having left me mostly in the dark.
• ILM 2 release date put back – A WHOLE YEAR! This was the post where, without realising it, I “broke” the news on the internet. This was actually my most-read post for quite some time, especially considering the readership dive that followed.
• Exchange 2007 Cross-Forest Migration Up until about 18 months ago I was still working as an Exchange, as well as FIM, consultant. There just wasn’t enough FIM work to keep me fully occupied (there is now!) This is my most-read Exchange post.

What this blog has given me

• A convenient place to put stuff so I know where to find it,
• Speaking opportunites, starting with TechDays Geneva 2008 where I presented ILM 2007,
• Three MVP awards,
• The chance to meet some great people, and
• A job!

And why is the blog still named after an eight year old product?

No reason I should rename my blog every time Microsoft rename their product.

However, even if I don’t use it, I have permanent dibs on FIM fatale.

Ingredients

• A host computer – in my case my Win7 laptop running Oracle VirtualBox,
• An Office 365 trial,
• A real live domain name that is resolvable on the internet and which you (or someone who likes you) has admin access to (this will be necessary for the verification process),
• A SSL certificate for said domain name,
• The following VMs:
• DC + ADFS: Win2008R2, 1024 MB of RAM (I couldn’t get ADFS to install with only 512MB), virtual network and internet access
• DirSync: Win2008x32, 512 MB of RAM, virtual network and internet access
• Workstation: Win7, 512 MB of RAM, virtual network and internet access

Note: there is now a 64 bit version of DirSync so it should be possible to install that on the DC as well.

AD

The name of my virtual AD domain did not match the external domain I had to use for ADFS. This does not matter – just add the external domain as a UPN suffix to AD.

You then also need to make sure any account you want to test with has a UPN of accountname@myrealdomain.com.

Certificate

I was under the impression that I’d need a public cert so Microsoft would trust my ADFS server, so I got a free one month cert from freessl. However I can see now that the cert is only used for internal communication between my ADFS server and my client, so I think now if I’d generated one in my own CA it would have been fine. The only provisio is the name of the cert must match myrealdomain.com.

ADFS

The instructions walk you through a proper setup with NLB and federation proxies. With a laptop lab I did none of this. I just have the one federation server running on my DC. Pretty much all I did was:

1. Installed ADFS – make sure you choose “first server in a farm”,
2. Installed the SSL certificate for myrealdomain.com onto the default IIS website,
3. Ran the ADFS wizard,
4. Ran the powershell cmdlets to add and federate the domain in Office 365 (documentation).

Internet Firewall

Another thing I was mistaken about was thinking the Microsoft Federation gateway would need to talk directly to my ADFS server but actually it doesn’t – the communication is between the client browser and ADFS. I’m not allowing external devices to access Office 365 via my lab, so I don’t need to grant access to my ADFS VM through the network firewall. Which is a relief!

DNS

The domain myrealdomain.com has a real, live ip address on the internet, however in my virtual network I want it to resolve to the internal ip address of my ADFS server. To do this I:

• Created a Primary Zone for myrealdomain.com in my domain’s DNS service,
• Created an A record in the zone pointing to the internal ip address of the ADFS server,
• Set a forwarder to the external DNS server, and
• Made sure all VMs in my virtual network used the virtual DC for DNS, rather than going straight to the external DNS.

DirSync

As I noted above, when I wrote this article there was only 32 bit DirSync. Now we finally have a 64 bit version. It should run on the DC but I haven’t tried it.

DirSync is damn easy to install. Just follow the instructions.

Activate an account

Once you have accounts DirSync’d up to Office 365, with the correct UPN matching the real domain that you federated, you can now activate one or two of them to use as tests.

Test

To test I logged in to my virtual workstation. This has a bridged internet connection in addition to the virtual network connection, and all DNS goes via the virtual DC.

I went to https://portal.microsoftonline.com and entered the user’s UPN. When I clicked the Password box it was greyed out and a link appeared telling me to authenticate against myrealdomain.com. I clicked this link and, after a few URL changes flicked across the address bar, I’m in!

Troubleshooting

The main mistake I made was to install the ADFS server in standalone mode the first time. Login actually worked, but it wasn’t SSO – the user had to re-enter their username and password. Checking the Security log on the DC showed NTLM auth being used.

So I re-ran the ADFS wizard (as the link had dissappeared from the Mnagement console I ran C:\Program Files\Active Directory Federation Services 2.0\FsConfigWizard.exe) and chose server farm. I then re-ran the powershell cmdlet Convert-MsolDomainToFederated.

Everything looked good, but wasn’t. I kept getting “Your organization could not sign you in to this service”. In the event logs I could actually see the user successfully logging in with Kerberos, but at the same time a KDC_ERR_BADOPTION error.

After much troubleshooting and hair-tearing I decided to run the powershell cmdlet Update-MsolFederatedDomain – and it fixed the problem!

As I’d had the foresight to run a Get-MsolFederationProperty both before and after the Update cmdlet I could actually compare and see what changed. The problem was the TokenSigningCertificate – it looks like the Convert cmdlet did not overwrite this so it still had the old thumbprint. After I ran Update the thumbprint changed to the new cert.

Three years now – must be doing something right

So while they rename I’m staying historical. And besides, I don’t just post about FIM.

I just posted this article in the Greatest Hits series of the ILM Technet forum. It describes some of the methods and considerations around disabling and deleting users accounts with ILM.

In Identity Management, deprovisioning is every bit as important as provisioning – in fact the security guys would say it is more important.

End-of-life management may have been one of the determining factors that got the IdM project started in the first place – while most
organizations have a variety of scripts and processes they use to create accounts and assign permissions, the cleanup when a person leaves is often not handled so well.

General rules for object deletion have been already well covered in Markus’ article
Understanding Deletions in ILM; however there is more that can be said on the subject of user accounts, for which an immediate delete is often not appropriate.

This article shows how you can use ILM to configure a flexible deprovisioning solution that is customized to your technical, organizational and compliance needs.

Account Deprovisioning Scenarios in this document

We are going to look at the following types of account deprovisioning:

1. Simple deletion
2. Disabling the account
3. Deleting the account on a time-delayed basis
4. Stopping ILM from managing the account without actually deleting it (disconnection)

Parts to the Account Deprovisioning Puzzle

Depending on your needs, you will most likely have to piece together a number of different elements to achieve the desired result.

Account Disabling:

Deactivating an object normally involves changing one or more of its attributes (eg.: setting userAccountControl on an AD user), and the usual way to do this is with an export attribute flow (EAF).

See code example “Disabling Flow Rules” below.

Moving deactivated accounts:

• A common practice is to put disabled accounts in a particular place, such as a “Disabled” OU.For AD this is a “Rename” activity, and is typically done in the metaverse
  extension code.
• For the “Stop management” scenario it is also possible to move the account just prior to disconnecting it in the MA Extension Deprovision method.

See code example “Metaverse Deprovisioning” below.
 

Deleting the connector space (CS) object:

• The first step to deleting an account is to delete the object that represents it in the connector space.This can happen in one of the following two ways:
  • The joined Metaverse object is deleted
  • The joined Metaverse object was disconnected, either manually or by using the
    CSEntry.Deprovision() method in the
    metaverse extension code.
• In both cases a deletion will only happen if the “Configure Deprovisioning” tab on the MA configuration has been set as follows:
  • “Stage a delete on the object for the next export run”, or
  • “Determine with a rules extension” AND the rules extension code returns
    DeprovisionAction.Delete.

 
See code example “MA Deprovision Sub” below
 
See “Metaverse Deprovisioning” for an example of the CSEntry.Deprovision() method.
 

Deleting the account in the connected data source (CDS):

• To delete the actual object in the CDS, we must first delete the connector space object using the methods above, after which we should find an export of type “delete” ready in the connector space.It is then just a matter of running an Export.
  • Note that the account used by the MA must have permission to delete objects of this type in the CDS.
  • Note also that if the MA is of type “Extensible Connectivity” you must write a Delete method in the Connected Data Source extension (see example below).

 
See code example “XMA Delete Method” below.
 

Time dependant deletion:

• Sometimes you want to delete an object on a certain date – perhaps an expiration date, or 3 months after the account was disabled.To do this you need the date available on the Metaverse object, which means you have to flow it into the Metaverse from somewhere.
  • An example for AD accounts is to use a spare attribute on the account, such as info or one of the extensionAttributes, to write the date at the same time as you disable the account.Flow this value back into the Metaverse and the information will be available.

 
See code example “Metaverse Deprovisioning” below.
 

Deprovisioning Scenarios

Simple Deprovision based on disappearance

The simplest deprovisioning scenario, and the one that can be executed without writing any code, is the “disappearance” scenario.

Here an object (or database line, or text file line) disappears from a source MA and is imported as a delete.

In the Metaverse we have configured our Object Deletion Rule as “Delete Metaverse object when connector from this management agent is disconnected” and selected our source MA.

Finally we have configured our other MAs to delete the CS objects when the Metaverse object is deleted.

In this way we could, for example, delete an AD account because the person’s record disappeared from the HR data source.

Caution: This method may lead to unexpected loss of accounts, temper and job!

As a general rule, it is a bad idea to make destructive decisions based on an absence of information. All sorts of errors, both human and machine, could happen to cause data to be unavailable at the time an Import runs. If you do use this simple approach, only use it for low-priority objects that can be deleted and recreated without much impact.

Deprovision based on attribute change

It is a much better practice to make deprovisioning decisions based on positive data.

So, with the HR data source, we continue to import resigned people, but with a status flag that indicates they are now inactive.

We then write some code in the metaverse extension which reacts to the person’s “inactive” status.

The great advantage to this method is the flexibility it gives us.

For example, we may deal with the person’s connected objects in different ways, deleting contacts and application accounts immediately
but, just disabling the AD user account until further notice.

Deprovisioning a connector space object from metaverse extension code is trivial – all you have to do is add the line

CSEntry.Deprovision()

The bulk of the code before this will be spent in testing attribute values, and connections to different MAs, to determine when conditions are right to issue this command.

Disable then delete

It is simple enough to disable an account using an EAF (see example “Disabling Flow Rules” below).

You could also move the account to a special location (see example “Metaverse Deprovisioning” below).

However what do you do if you want to remove the account at some point in the future?

The first thing to be aware of is you must not delete the metaverse object.

To be able to delete the disabled account in the future it has to be connected to something in the
metaverse.

ILM can only manage connectors.

Next, you will need some kind of datestamp on the metaverse object so your
metaverse extension code will know when it’s OK to delete the account.

The only way to write a value to a metaverse object is with an IAF – so this implies writing the
datestamp outside ILM, on a CDS object, and then importing it back in.

The method in the code examples below works like this:

1. Based on the status attribute in the Metaverse, I export the userAccountControl to disable the AD user account,
2. Based on the same rules, I also export today’s date to the user’s info attribute,
3. II import info back to a metaverse attribute called disableDate,
4. I can then use disableDate in my metaverse extension to decide when the time is right to issue a CSEntry.Deprovision().

There are a couple of points to note about this method:

• While disables will happen on a delta sync, deletions will only happen on a
  full sync.
• The CDS attribute used to hold the date could be modified in the CDS (though you can use this to your advantage if you want to extend the disabled life of an account).

Stop Managing an Object

In some cases object deletion is handled in the CDS itself and all you need to do is to stop managing the object.

In ILM terminology the object becomes a “disconnector” and, while it may still exist in the MA’s connector space, it is no longer connected to a Metaverse object, and ILM can no longer impact it in any way.

To disconnect rather than delete you actually use exactly the same CSEntry.Deprovision() method, but with the correct option selected on your MA’s Configure Deprovisioning page.

You could choose to:

• “Make them disconnectors”. The object is disconnected but remains in the CS and CDS.It will be reassessed for possible joins at each Full Sync,
• “Make them explicit disconnectors”.Like the above, but it will not be reassessed for possible joins, or
• Decide with a Rule Extension (see example “MA Deprovision Sub” below).

The “explicit” option needs a bit more discussion.

If ever you delete and re-import the CS all “explicit” tags will be lost and the objects become regular disconnectors again, and available for joins.

This option should only be chosen in particular circumstances, such as when there is a regular and reliable deletion of redundant objects happening in the CDS.

If you are sure that you will not need to rejoin to an object once it has been disconnected then another idea is to export a blocking attribute before disconnecting.

For example you export the string “Unmanaged” to an attribute on the CDS object, and only disconnect it once the attribute value is confirmed.

You can then use this attribute in a Connection Filter to prevent future re-connections.

Some Common Problems and Questions

I staged some Deletes but I don’t want to export them now

Perhaps there was an error in your code or your import data and you have a bunch of Deletes waiting to go out – but you really don’t want to do that!

Even after correcting the code and re-syncing you may find they turn into Delete-Adds – these should also not be exported as the actual CDS objects will be deleted and recreated – not great for AD accounts!

Unfortunately, the only full-proof fix in this case is a delete and re-import of the connector space.

I have some old accounts with no HR reference – will ILM delete them?

ILM can only delete objects that it is connected to, so if it never connected to the object it can never delete it.

If you plan to tidy up unmanaged objects in your CDS then have a look at the tool csexport.exe (from the MIIS\bin folder) which can be used to export lists of disconnectors.

How can I block an Export if there are too many Disables?

The Export run profile contains an option to stop the job if there are more than a certain number of Deletes queued to go out.

Unfortunately it is not possible to do something similar for disables with native functionality.

If something like this is needed then it should be possible to increment a count in a file from the EAF which deactivates the account, and then modify the script which runs the Export profile to first check the count.

Sideways Joins

A scenario you need to watch out for is what I call a “sideways join”.

Take a situation where the “person” object type has one source MA (eg.: HR) and multiple target MAs (AD, Notes, some other applications).

The source object has been deleted, but one or more of the target objects have remained and are still joined to a
metaverse object.

The problem here is that these objects won’t show up in lists of disconnectors and so can remain, unobserved, for some time.

If deprovisioning logic is based on a value from the source MA then, in a default configuration, this value would have been recalled and is no longer present on the Metaverse object – so your code is probably just skipping it.

When writing your metaverse extension code, it is a good idea to test for unexpected situations – like an object with no connector in the primary source MA – and then throw an error or otherwise deal with the object.

I can see Deletes staged in the connector space, but the objects don’t get deleted in the external system

First, look for error messages in Identity Manager and in the Event Log that may indicate the problem.

Make sure the account used by the MA has the correct permissions in the CDS.

If it’s an “Extensible Connectivity” MA, check that a Delete method has been written in the Connected Data Source Extension.

I disabled an AD user – now how do I remove it from groups?

This is one with no short answer.

You cannot manage the memberOf attribute on AD users as it is a backlinked attribute.

So group membership can only be managed through the member attribute of groups.

This is fine if you are already managing AD groups with ILM – but not ok if they are managed manually in AD.

One of the reasons to keep an account in a disabled state for a while is to allow it to be restored quickly with all its previous rights intact – so removing it from groups may not be the best idea anyway.

If it is necessary then the choices are to fully take over group management with ILM, or to write a script that removes disabled users from groups, and is run outside of ILM.

Code Examples

MA Deprovision Sub

In this example, when the Metaverse object is deleted or disconnected, accounts in the “Student” OU are deleted while accounts in the “Staff” OU become disconnectors.

This sub is located in the Management Agent Extension code.

Public Function Deprovision(ByVal csentry As CSEntry) As DeprovisionAction Implements IMASynchronization.Deprovision
   If csentry.DN.ToString.Contains("OU=Students") Then
      Return DeprovisionAction.Delete
   ElseIf csentry.DN.ToString.Contains("OU=Staff") Then
      ' Optionally, rename the cs object or change attributes
      ' just prior to disconnecting
      Return DeprovisionAction.Disconnect
   Else
      Throw New UnexpectedDataException("DN does not contain " _
      & "'OU=Staff' or 'OU=Students' so I don't know " _
      & "which deprovision action to perform.")
   End If
End Function

Metaverse Deprovisioning

In this example we use the user’s status attribute in the Metaverse to decide if the account should be moved to a “Disabled” OU.

(The actual account disabling is done by an EAF and the disableDate and
userAccountControl are flowed back by IAFs – see below.)

We then use the disableDate attribute on the metaverse object to decide when to perform the final deletion.

This example subroutine has been called from Sub Provision which is located in the Metaverse Extension code.

Private Sub User_Provisioning(ByVal mventry As MVEntry)
   Dim ADMA As ConnectedMA = mventry.ConnectedMAs("MyDomain")
   Dim expectedDN As ReferenceValue
   Dim ShouldExist As Boolean
   Dim DoesExist As Boolean
   Const OU_USERS As String = "OU=Users,OU=MyOrg,DC=mydomain,DC=com"
   Const OU_DISABLED As String = "OU=Disabled,OU=Users,OU=MyOrg,DC=mydomain,DC=com"
   Const KEEP_DISABLED_DAYS As Integer = 90

   '' Should the account exist?
   '' Inactive accounts should exist for KEEP_DISABLED_DAYS after being disabled.
   If mventry("status").IsPresent AndAlso mventry("status").StringValue = "Active" Then
      ShouldExist = True
   Else
      ShouldExist = False

      If MVEntry("userAccountControl").IsPresent AndAlso _
         MVEntry("disableDate").IsPresent Then

         If (MVEntry("userAccountControl").IntegerValue And ADS_UF_ACCOUNTDISABLE) = _
             ADS_UF_ACCOUNTDISABLE Then

            'Account disabled – allow to exist until deletion date
            ShouldExist = True

            Dim disabledDate As DateTime
            disabledDate = Convert.ToDateTime(MVEntry("disableDate").StringValue)
            If Now.Subtract(disabledDate).Days > KEEP_DISABLED_DAYS Then
               ShouldExist = False
            End If
         Else
            'Account enabled
            ShouldExist = True
         End If
      End If
   End If
   '' Check if the AD account already exists
   Select Case ADMA.Connectors.Count
      Case 0
         DoesExist = False
      Case 1
         DoesExist = True
      Case Else
         Throw New UnexpectedDataException("Multiple connectors in MA " & ADMA.Name)
   End Select

   '' Generate the expected DN for the user - to use in renaming or moving
   Dim RDN As String = "CN=" & mventry("displayName").StringValue

   If mventry("status").StringValue = "Active" Then
      expectedDN = ADMA.EscapeDNComponent(RDN).Concat(OU_USERS)
   Else
      expectedDN = ADMA.EscapeDNComponent(RDN).Concat(OU_DISABLED)
   End If

   '' Take action based on values of ShouldExist and DoesExist

   If ShouldExist And DoesExist Then
      'Check if account should be renamed or moved
      Dim CSEntry As CSEntry = ADMA.Connectors.ByIndex(0)
      If CSEntry.DN.ToString.ToLower <> expectedDN.ToString.ToLower Then
         CSEntry.DN = expectedDN
      End If

   ElseIf ShouldExist And Not DoesExist Then
      'Provision Account
      <...>

   ElseIf Not ShouldExist And DoesExist Then
      'Deprovision Account
      CSEntry.Deprovision()

   End If
 End Sub

Disabling Flow Rules

With these flow rules I disable an AD account and also write a date onto the object (I’m using info but you can use any free attribute) to indicate when it was disabled.

I also flow userAccountControl and info back into the metaverse so I have access to the values in my
metaverse extension code (above).

Public Sub MapAttributesForExport(ByVal FlowRuleName As String, ByVal mventry As MVEntry, ByVal csentry As CSEntry) Implements IMASynchronization.MapAttributesForExport

   Const ADS_UF_NORMAL_ACCOUNT As Long = &H200
   Const ADS_UF_ACCOUNTDISABLE As Long = &H2

   Select Case FlowRuleName

      Case "export_userAccountControl"
         Dim currentValue As Long

         If csentry("userAccountControl").IsPresent Then
            currentValue = csentry("userAccountControl").IntegerValue
         Else
            currentValue = ADS_UF_NORMAL_ACCOUNT
         End If

         If mventry("status").IsPresent AndAlso mventry("status").Value = "Active" Then
            ' Enable account
            csentry("userAccountControl").IntegerValue = _
            (currentValue Or ADS_UF_NORMAL_ACCOUNT) And (Not ADS_UF_ACCOUNTDISABLE)

         Else
            ' Disable account
            csentry("userAccountControl").IntegerValue = _
            currentValue Or ADS_UF_ACCOUNTDISABLE
         End If

      Case "export_info"
         If mventry("status").IsPresent AndAlso mventry("status").Value = "Active" _
            AndAlso csentry("info").IsPresent Then
            csentry("info").Delete()
         ElseIf mventry("status").Value = "Inactive" AndAlso _
            Not csentry("info").IsPresent Then
            csentry("info").StringValue = Now.ToString
         End If

      End Select
End Sub

XMA Delete Method

For an MA of type “Extensible Connectivity” you need to write your own routines for the export types
Add, Modify and Delete.

This example shows the Delete step for an XMA which manages home folders for user accounts.

The sub is found in the Connected Data Source Extension.

This example is a very simple deletion of the folder, but you could easily add extra code to, for example, move the folder to an archive location.

(If you want to see an example of the Add method see my blog:
Creating Home Directories)

 Public Sub ExportEntry(ByVal modificationType As ModificationType, ByVal changedAttributes As String(), ByVal csentry As CSEntry) Implements IMAExtensibleCallExport.ExportEntry

If modificationType = Microsoft.MetadirectoryServices.ModificationType.Add Then
' Create the folder

ElseIf modificationType = _
Microsoft.MetadirectoryServices.ModificationType.Delete Then
System.IO.Directory.Delete(csentry("path").StringValue, True)
End If

End Sub

About the Author

Carol Wapshere has been working in IT since 1990, and has since worked in many different organizations, across four different countries. She started out in Netware then moved into Microsoft server products, picking up an assortment of skills in other non-Microsoft systems along the way. She first started working with MIIS in 2005 and loved how it could be used to tie together disparate systems, bringing in much-needed order, and making lots of tedious jobs just disappear.

Thanks to Markus Vilcinskas and Peter Geelen for their help with this document.

If anyone happens to notice any weird content or broken or inappropriate links I’d be much obliged for a heads-up.

Thanks,  Carol.

I only hope I can find myself some good ILM 2 projects in 2009. The last few months of 2008 was all about Exchange, and next week I’m off on a SCOM course. Still, I’ve always said I love working in IT because I’m always learning something new!

Wishing all my readers a happy 2009, filled with the things that are really important.

If you have questions don’t forget the MS ILM Forum which seems to be working really well, with Ahmad and Markus providing lots of great answers. Wish that had existed when I started out with MIIS!