Using Existing AD Users as Templates in IDM



By: coolguys

September 20, 2006 12:00 am


Problem

A Forum reader asked this question:

“Currently we copy users created in AD, instead of adding a new user. The helpdesk copies a user to create a new user; the new user will automatically inherit all groups that the old user had, and the new user will have a new username, new password and new first/last name.

Now we want to create users using IDM 3, and the new user should be copied from an existing user instead of being added as a fresh new user. The new user should have the same groups that the user that it is being copied from had.

Is this possible?”

And here’s the reply from Father Ramon …

Solution

The only way to use an existing user in AD as a template would be to have policies that read the relevant attributes from the template user and add them to the user being created. This isn’t particularly difficult to do in a policy, except for the group part (which unfortunately appears to be mostly what you are interested in). That’s because it involves references and because group membership is actually manipulated on the group object in AD, rather than on the User object.

For most attributes I recommend something like the following in a subscriber creation policy:

<rule>
  <description>Add template attribute</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- read every value of the attribute from the template user in AD -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr class-name="User" name="someADAttribute">
          <arg-dn>
            <!-- replace the placeholder with the DN of the template user in AD -->
            <token-text xml:space="preserve">[dn of template object in AD]</token-text>
          </arg-dn>
        </token-dest-attr>
      </arg-node-set>
      <!-- add each value to the user being created -->
      <arg-actions>
        <do-add-dest-attr-value name="someADAttribute">
          <arg-value>
            <token-local-variable name="current-node"/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
    <!-- repeat for each attribute -->
  </actions>
</rule>

For group membership I would do something more like this in the output transformation:

<rule>
  <description>Add template groups</description>
  <conditions>
    <and>
      <if-operation op="equal">add</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- read the groups the template user is a member of (memberOf on the template) -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr class-name="User" name="memberOf">
          <arg-dn>
            <!-- replace the placeholder with the DN of the template user in AD -->
            <token-text xml:space="preserve">[dn of template object in AD]</token-text>
          </arg-dn>
        </token-dest-attr>
      </arg-node-set>
      <!-- add the new user's DN to the member attribute of each group, after the add -->
      <arg-actions>
        <do-add-dest-attr-value name="member" when="after">
          <arg-dn>
            <token-local-variable name="current-node"/>
          </arg-dn>
          <arg-value type="dn">
            <token-dest-dn/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
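The two rules above split the copy into two kinds of write: ordinary attributes go onto the new user, while group membership goes onto each group's member attribute, because AD derives memberOf from the groups rather than storing it on the user. The following Python model, added here as an illustration and not part of the original post or of IDM, reproduces that logic offline against a constructed in-memory directory (the DNs, attribute values and group names are made up). It plans the same additions the policies make, applies them, and shows that the new user's memberOf falls out of the group writes. The optional excluded_groups filter is an assumption of this example, not something the policies do: it lets a template carry memberships that a new account should not inherit automatically.

```python
"""Offline model of copying an AD template user the way the two policies do.

Added example, not from the original post or from IDM. Users carry ordinary
attributes, groups carry 'member', and 'memberOf' is never stored on a user;
it is derived from the groups' 'member' values, which is why the group rule
writes to the group object rather than to the user.
"""

import copy
from typing import Dict, FrozenSet, List, Tuple

TEMPLATE_DN = "CN=Template User,OU=Templates,DC=example,DC=com"
NEW_USER_DN = "CN=New User,OU=Users,DC=example,DC=com"

# Constructed sample directory: DN -> attribute dict (values as lists, as LDAP
# returns them). Only groups hold 'member'; no user holds 'memberOf'.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    TEMPLATE_DN: {
        "objectClass": ["user"],
        "department": ["Helpdesk"],
        "company": ["Example Corp"],
        "physicalDeliveryOfficeName": ["HQ-3"],
    },
    "CN=Helpdesk Staff,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [TEMPLATE_DN],
    },
    "CN=VPN Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [TEMPLATE_DN],
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [TEMPLATE_DN],
    },
}

# One planned addition: (target DN, attribute name, value to add).
Modification = Tuple[str, str, str]


def member_of(directory: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[str]:
    """The AD back-link: DNs of groups whose 'member' attribute lists user_dn."""
    return sorted(dn for dn, attrs in directory.items()
                  if user_dn in attrs.get("member", []))


def plan_template_copy(directory, template_dn: str, new_user_dn: str,
                       attribute_names: List[str],
                       excluded_groups: FrozenSet[str] = frozenset()) -> List[Modification]:
    """Return the additions that make new_user_dn look like template_dn.

    Mirrors the two rules: plain attributes are added on the new user (first
    rule); each group the template belongs to gets the new user's DN added to
    its 'member' attribute (second rule). Nothing is ever written to
    'memberOf'. excluded_groups is this example's own filter for memberships
    that should not be templated.
    """
    template = directory[template_dn]
    mods: List[Modification] = []
    for name in attribute_names:
        for value in template.get(name, []):
            mods.append((new_user_dn, name, value))
    for group_dn in member_of(directory, template_dn):
        if group_dn in excluded_groups:
            continue
        mods.append((group_dn, "member", new_user_dn))
    return mods


def apply_modifications(directory, new_user_dn: str, mods: List[Modification]):
    """Apply the planned additions to the in-memory directory (idempotent)."""
    directory.setdefault(new_user_dn, {"objectClass": ["user"]})
    for target_dn, attr, value in mods:
        values = directory[target_dn].setdefault(attr, [])
        if value not in values:
            values.append(value)
    return directory


def demo():
    """Run the copy on a fresh copy of the sample directory and return the pieces."""
    directory = copy.deepcopy(SAMPLE_DIRECTORY)
    mods = plan_template_copy(
        directory, TEMPLATE_DN, NEW_USER_DN, ["department", "company"],
        excluded_groups=frozenset({"CN=Domain Admins,CN=Users,DC=example,DC=com"}),
    )
    apply_modifications(directory, NEW_USER_DN, mods)
    return directory, mods


if __name__ == "__main__":
    result_dir, planned = demo()
    for target, attr, value in planned:
        print(f"add {attr}={value} on {target}")
    print("new user memberOf:", member_of(result_dir, NEW_USER_DN))
```

Reading the planned modifications is the quickest way to see the distinction the reply makes: every group-related write targets a group DN and the member attribute, and the new user's memberOf list is only ever computed, never set. Against a real AD the same plan maps onto one LDAP modify per entry; the policy's when="after" on the group writes corresponds to issuing them only once the user object exists.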
Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
