A simple PowerShell way to do Rules-based groups in AD

I’ve been helping a customer along the path towards a proper IAM solution, which has involved a lot of data clean-up, as it so often does. Criteria groups in MIM can encourage data quality as users don’t get the groups they need if their attributes aren’t correct – so I thought, how about getting them…

Script: Compare-ADGroups.ps1

I recently wanted to do some analysis of existing groups in a well established AD that has a lot of groups (more groups than users in fact). I was hoping to find groups that looked like good candidates for conversion to role-based (aka criteria-based) groups.

PowerShell script to generate test users in AD

I needed to set up a test AD with realistic looking test users. This script by Alex Tcherniakhovski was the type of thing I wanted as it starts with lists of OUs, first names and last names and then creates accounts across all OUs listed, and using a random selection of names. However Alex’s script…

Importing groups from AD to the FIM Portal using classic flow rules

My general negativity about FIM codeless sync aka “declarative provisioning” aka “Synchronization Rule Provisioning” is, I think, reasonably well-known by now. While Markus wrote an excellent document about importing AD groups into the FIM Portal using the codeless rules, I think there are still plenty of reasons to go old skool, and here’s how you’d…

A GALSync PowerShell script

Here is a script I wrote to do a simple GAL synchronization between two Exchange organizations. The script finds the mail-enabled users in one domain, and creates contacts for them in the other domain. Existing contacts will also be updated and deleted as needed.

Creating user home directories – Windows version

I last blogged about provisioning home directories such a long time ago that I talked about Netware. I also used a SQL table alongside to keep track of a status field as I was doing some end-of-life management – zipping up the folder and stowing it in an archive location. But we don’t need to…

Renaming a 2003 AD domain that has Exchange 2007

Here’s an unpleasant little fact you only find out if you need to: while you could rename a domain that hosted Exchange 2003, this functionality has been removed with Exchange 2007. Hmm. So what if you need to? Well, a customer is insisting that it must be done, so I’ve had to do some investigations.

Minimum AD permissions needed by ILM

The AD management agent uses an account to connect to AD and, more often than not, this account is a member of Domain Admins. However, in some organisations this is not acceptable. So what rights does it actually need?

AD Group members

This is a repost of an article which was originally about multivalue attributes in general, but with a focus on group members. I realised I had made some generalisations about multivalue attributes which actually specifically apply only to attributes like member, which contain reference DN values. So I am now re-releasing the post, with a…