MIIS and AD userAccountControl

In most of the projects run with MIIS, AD is one of the master data sources.
 
Also, in most cases the user status (disabled/enabled, …) needs to be propagated to other systems.
AD stores the user "disabled/enabled" status in the userAccountControl attribute.
But userAccountControl is a single numeric value: a bit flag field, usually written in hexadecimal, in which each bit stands for one setting.
Cf. http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
 
Other sources like ADAM (AD LDS) use a separate attribute for each of these settings.
FYI http://msdn2.microsoft.com/en-us/library/aa772124.aspx
 
I’ve created a small Excel sheet to translate some values out of and into a userAccountControl value.
http://identityunderground.be/downloads/useraccountcalculator.xls
You can easily get the useraccount-disabled value out of the hex value.
 
First create boolean attributes in the MIIS metaverse like:
ms-DS-UserAccountAutoLocked
msDS-UserAccountDisabled
msDS-UserDontExpirePassword
ms-DS-UserEncryptedTextPasswordAllowed
msDS-UserPasswordExpired
ms-DS-UserPasswordNotRequired
In the AD import flow, create an advanced import flow from userAccountControl to each of your new attributes
(example in VB.Net).
 
Create an AD extension, add the "Active DS Type Library" as a reference in your code project and put at the top of your extension:
Imports ActiveDs.ADS_USER_FLAG
This makes the ADS_UF_* flag constants available without qualification. Next, handle the import flow in the extension like this:
    Public Sub MapAttributesForImport( _
    ByVal FlowRuleName As String, _
    ByVal csentry As CSEntry, _
    ByVal mventry As MVEntry) _
    Implements IMASynchronization.MapAttributesForImport
        ' Each flow rule is named after the metaverse attribute it fills.
        ' A flag is set when (userAccountControl And flag) = flag.
        Select Case FlowRuleName
            Case "mail"
                mventry(FlowRuleName).Value = csentry(FlowRuleName).StringValue.ToLower
            Case "msDS-UserAccountDisabled"
                mventry("msDS-UserAccountDisabled").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_ACCOUNTDISABLE) = _
                    ADS_UF_ACCOUNTDISABLE
            Case "ms-DS-UserAccountAutoLocked"
                ' Note: AD exposes the LOCKOUT bit only in the constructed
                ' attribute msDS-User-Account-Control-Computed, not in the
                ' stored userAccountControl value.
                mventry("ms-DS-UserAccountAutoLocked").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_LOCKOUT) = _
                    ADS_UF_LOCKOUT
            Case "msDS-UserDontExpirePassword"
                mventry("msDS-UserDontExpirePassword").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_DONT_EXPIRE_PASSWD) = _
                    ADS_UF_DONT_EXPIRE_PASSWD
            Case "ms-DS-UserPasswordNotRequired"
                mventry("ms-DS-UserPasswordNotRequired").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_PASSWD_NOTREQD) = _
                    ADS_UF_PASSWD_NOTREQD
            Case "msDS-UserPasswordExpired"
                ' Note: like LOCKOUT, the PASSWORD_EXPIRED bit is only present
                ' in msDS-User-Account-Control-Computed on AD.
                mventry("msDS-UserPasswordExpired").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_PASSWORD_EXPIRED) = _
                    ADS_UF_PASSWORD_EXPIRED
            Case Else
                ' Unknown flow rule name: fail loudly rather than flow nothing.
                Throw New EntryPointNotImplementedException()
        End Select 'FlowRuleName
    End Sub 'MapAttributesForImport
 
Now you have the different separate values stored in the MV and you can work with each value…
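As an added example (not code from the original post or from MIIS), the same bit tests in Python as a stand-alone decoder and encoder: it generalises the Select Case above to the full ADS_USER_FLAG table from KB305144, shows the masked update an export flow back to AD needs so the other bits survive, and reports bits the table does not know. The metaverse attribute names are the ones chosen above; the mapping function name and sample values are mine.

```python
# Added example (not from the original post); flag values from KB305144.
ADS_USER_FLAG = {
    "ADS_UF_SCRIPT": 0x0001,
    "ADS_UF_ACCOUNTDISABLE": 0x0002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x0008,
    "ADS_UF_LOCKOUT": 0x0010,
    "ADS_UF_PASSWD_NOTREQD": 0x0020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x0040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "ADS_UF_NORMAL_ACCOUNT": 0x0200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x20000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Metaverse boolean -> flag, as in the Select Case above. AD sets LOCKOUT and
# PASSWORD_EXPIRED only in msDS-User-Account-Control-Computed, not in this attribute.
MV_FLAG_ATTRIBUTES = {
    "msDS-UserAccountDisabled": "ADS_UF_ACCOUNTDISABLE",
    "ms-DS-UserAccountAutoLocked": "ADS_UF_LOCKOUT",
    "msDS-UserDontExpirePassword": "ADS_UF_DONT_EXPIRE_PASSWD",
    "ms-DS-UserPasswordNotRequired": "ADS_UF_PASSWD_NOTREQD",
    "msDS-UserPasswordExpired": "ADS_UF_PASSWORD_EXPIRED",
    "ms-DS-UserEncryptedTextPasswordAllowed": "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
}

def mv_attributes(uac):
    """The import flow result: metaverse attribute -> boolean flag test."""
    return {attr: bool(uac & ADS_USER_FLAG[flag])
            for attr, flag in MV_FLAG_ATTRIBUTES.items()}

def set_flag(uac, flag, enabled):
    """Set or clear one flag; an export flow must keep the other bits intact."""
    bit = ADS_USER_FLAG[flag]
    return uac | bit if enabled else uac & ~bit

def unknown_bits(uac):
    """Bits outside the table (newer UF_ values); surface them, don't drop them."""
    return uac & ~sum(ADS_USER_FLAG.values())
```

For instance, the constructed value 66050 (0x10202) is NORMAL_ACCOUNT with DONT_EXPIRE_PASSWD and ACCOUNTDISABLE set, and set_flag clearing ACCOUNTDISABLE on it gives 66048, the "enabled, password never expires" value.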