Adventures in identity management
The AD management agent uses an account to connect to AD and, more often than not, this account is a member of Domain Admins. However in some organisations this is not acceptable. So what rights does it actually need?
Since finally getting around to enabling blog stats I can see the Exchange posts continue to be popular so, to add to the series, here is a step-by-step guide to basic Exchange 2007 provisioning with ILM 2007.
Note June 2011: This post gets a lot of hits but is very old now. I haven’t revisited the powershell-Excel story since writing this post and it may well be a lot easier now. I would love nothing better than to do one ILM project after another, but it doesn’t always pan out like that,…
Maybe it’s because MIIS is a sort of infrastructure thing, so is given to a time-pressed system administrator to set up; or because it’s a sort of programming thing, so is given to a .NET developer with no clue about the connected directories; or because there’s a lack of good training; or no clear guidance…
A common requirement is that user accounts should go through a disabled stage of some length before being deleted. This makes excellent sense, particularly in AD with its fastidiousness concerning SIDs. In this post I outline a way to achieve this in AD using a datestamped attribute, export flow rules and provisioning code.
In some implementations, it makes sense (usually by improving performance) to separate your user and group provisioning into seperate MAs. One downside of this approach, however, is that you can run into export errors when trying to update a group with a member who doesn’t exist in the external directory – and this includes delete…
As promised, I am now making my ILM_Scheduler service source code available for download. In brief, the notion is to optimise ILM/MIIS scheduling through the use of a queue. You add jobs to the queue and they are executed, one at a time, and in order of priority. You can schedule a job by adding…
Here’s a trick that is worth knowing – though I’m only recommending it for TEST ENVIRONMENTS – consider yourself warned. You may have noticed the “test only” log file options on the import and export run profiles. Being able to stop the run at the log file is incredibly useful for testing what would have been exported, without…
Why oh why does MIIS have such an insatiable appetite for transaction log space? I’m afraid I can’t answer this, but I can share a few tips.
I won’t be round for a couple of weeks, in case anyone is wondering why I haven’t approved a comment. If you have questions don’t forget the MS ILM Forum which seems to be working really well, with Ahmad and Markus providing lots of great answers. Wish that had existed when I started out with…