Forefront Identity Manager 2010 Installation & Configuration

Configuring an Inbound Group Synchronization Rule

Anthony Marsiglia & Kristopher Tackett

Microsoft Premier Field Engineering

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Thus far, we have built the pieces that bring users from Active Directory into the FIM Portal and that provision users from the Portal out to Active Directory. Now we will address groups. The process is the same in outline (synchronization rule, MPR, workflow), but groups add some complexity: the custom expressions that decode the Active Directory groupType attribute must be written correctly for group type and scope to flow properly.

To begin, navigate to the Portal home screen.

In the right-hand menu, select “Synchronization Rules”.

This will open the Synchronization Rules menu.

In the top menu, click “New”

In the “General” tab, enter a display name and description, then select “Inbound” for “Data Flow Direction”. Click “Next” to continue.

Under the “Scope” tab, for “Metaverse Resource Type” select “group”. For “External System”, select the Active Directory management agent you wish to use. For “External System Resource Type”, select “group”. Click “Next” to continue.

For the “Relationship” tab, use the drop-down menu below “MetaverseObject:group(Attribute)” to select “accountName”. For “ConnectedSystemObject:group(Attribute)”, select “sAMAccountName”.

If you want the group to be created in the FIM Portal when it does not already exist, be sure to place a check in the box next to “Create resource in FIM”, then click “Next” to continue.

Now we must configure “Inbound Attribute Flows”. Most of these are straightforward, with two exceptions: “Type” and “Scope” are not stored as separate attributes in Active Directory. Both are encoded in the integer groupType attribute, where bit 2 (0x2) means global, bit 4 (0x4) means domain local, bit 8 (0x8) means universal, and the high bit (0x80000000) marks the group as security-enabled. Because groupType is a signed 32-bit integer, security groups carry a negative value (for example -2147483646 for a global security group) while distribution groups carry 2, 4 or 8.

For destination attribute “Type”, on the “Origin” tab, select “Custom Expression” and enter the following:

IIF(Eq(BitOr(14,groupType),14),"Distribution","Security")

This works because BitOr(14, groupType) can only equal 14 when no bit outside 0x2, 0x4 and 0x8 is set; any value with the security-enabled bit set fails the test and flows as “Security”.

For destination attribute “Scope”, on the “Origin” tab, select “Custom Expression” and enter the following:

IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal"))

Note that the expression tests only the global and domain-local bits; anything else, including the universal bit, falls through to “Universal”. Built-in groups such as those under the BUILTIN container carry the domain-local bit together with the system-created bit (0x1) and therefore flow as “DomainLocal”.

Also note that “member”, “membershipLocked” and “membershipAddWorkflow” are all string values.
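To check the two groupType expressions without waiting for a synchronization run, the following is an added example (it is not from the original document and is not FIM code) in Python. It decodes groupType the same way the BitOr/BitAnd custom expressions do and compares the result with a straightforward decode of the documented flag bits. The sample groupType values are constructed from the standard flags; the function names are the example's own.

```python
# Offline check of the FIM "Type" and "Scope" custom expressions for AD groups.
# Added example, not part of the original document or of FIM itself.

GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # makes the signed value negative in AD


def to_signed32(value):
    """AD exposes groupType as a signed 32-bit integer. Normalise so that the
    unsigned form (0x80000002) and the LDAP form (-2147483646) decode alike."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def fim_type(group_type):
    """Same logic as IIF(Eq(BitOr(14,groupType),14),"Distribution","Security").
    BitOr with 14 only yields 14 when no bit outside 0x2|0x4|0x8 is set."""
    return "Distribution" if (14 | to_signed32(group_type)) == 14 else "Security"


def fim_scope(group_type):
    """Same logic as the nested IIF/BitAnd expression for Scope. Only the
    global and domain-local bits are tested; everything else is Universal."""
    gt = to_signed32(group_type)
    if gt & 2 == 2:
        return "Global"
    if gt & 4 == 4:
        return "DomainLocal"
    return "Universal"


def reference_decode(group_type):
    """Independent decode straight from the documented flag bits."""
    gt = to_signed32(group_type) & 0xFFFFFFFF
    kind = "Security" if gt & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    if gt & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif gt & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "DomainLocal"
    elif gt & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    else:
        scope = None
    return kind, scope


# Constructed sample: the groupType values AD writes for the six ordinary
# group kinds, as returned over LDAP, plus the BUILTIN domain-local value.
SAMPLE_GROUPS = {
    "Global distribution": 2,
    "Domain local distribution": 4,
    "Universal distribution": 8,
    "Global security": -2147483646,
    "Domain local security": -2147483644,
    "Universal security": -2147483640,
    "BUILTIN (system + domain local) security": -2147483643,
}


def check_all(samples=SAMPLE_GROUPS):
    """Return {name: (type, scope, agrees_with_reference)} for each sample."""
    results = {}
    for name, gt in samples.items():
        decoded = (fim_type(gt), fim_scope(gt))
        results[name] = decoded + (decoded == reference_decode(gt),)
    return results


if __name__ == "__main__":
    for name, (kind, scope, ok) in check_all().items():
        print(f"{name:42} -> {kind:12} {scope:12} {'OK' if ok else 'MISMATCH'}")
```

If a group from your forest decodes differently here than it appears in the Portal after an inbound synchronization, the sync rule's expression was mistyped (an unbalanced parenthesis is the usual culprit) rather than the group itself being unusual.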
