1.4 Default Driver Configuration

The Active Directory driver is shipped with packages. When the driver is created with packages in Designer, a set of policies and rules are created suitable for synchronizing with Active Directory. If your requirements for the driver are different from the default policies, you need to modify the default policies to do what you want. Pay close attention to the default Matching policies. The data that you trust to match users usually is different from the default. The policies themselves are commented and you can gain a greater understanding of what they do by creating a test driver and reviewing the policies with Designer or iManager.

1.4.1 User Object Name Mapping

Management utilities for the Identity Vault, such as iManager and Designer, typically name user objects differently than the Users and Computers snap-in for the Microsoft Management Console (MMC). Make sure that you understand the differences so the Matching policy and any Transformation policies you have are implemented properly.

1.4.2 Data Flow

Data flow between Active Directory and the Identity Vault is controlled by the filters, mappings, and policies that are in place for the Active Directory driver.


The driver filter determines which classes and attributes are synchronized between Active Directory and the Identity Vault, and in which direction synchronization takes place.

Schema Mapping

Table 1-1 through Table 1-6 list Identity Vault user, group, and Organizational Unit attributes that are mapped to Active Directory user and group attributes.

The mappings listed in the tables are default mappings. You can remap same-type attributes.

Table 1-1 Mapped User Attributes

eDirectory - User

Active Directory - user







Physical Delivery Office Name




Table 1-2 Mapped Group Attributes

eDirectory - Group

Active Directory - group



eDirectory’s L attribute is mapped to Active Directory’s physicalDeliveryOfficeName attribute, and eDirectory’s Physical Delivery Office Name attribute is mapped to Active Directory’s L attribute. Because similarly named fields have the same value, mapping the attributes this way enables the attributes to work well with iManager and the Microsoft Management Console.

Table 1-3 Mapped Organizational Unit Attributes

eDirectory - Organizational Unit

Active Directory - organizationalUnit



Physical Delivery Office Name


Table 1-4 Mapped Organization Attributes

eDirectory - Organization

Active Directory - organization



Physical Delivery Office Name


The driver maps the Locality class, but there are no attributes for the class.

Table 1-5 Mapped Locality Class


Active Directory



Table 1-6 Mapped Non-Class Specific Attributes


Active Directory







Facsimile Telephone Number


Full name


Given Name


Group Membership




Internet EMail Address


Login Allowed Time Map


Login Disabled


Login Expiration Time


Login Intruder Reset Time








Postal Code


Postal Office Box






See Also






Telephone Number




NOTE:The SYN_INTEGER64 attribute type is supported on both Subscriber and Publisher channels. Use this attribute type to represent the dates after 2037.

Name Mapping Policies

The Active Directory packages includes two name mapping policies that work together to help you reconcile different naming policies between the Identity Vault and Active Directory. When you create a user with the Active Directory Users and Computers tool (a snap-in for the Microsoft Management Console and abbreviated as MMC in this document) you see that the user full name is used as its object name. Attributes of the user object define pre-Windows 2000 Logon Name (also known as the NT Logon Name or sAMAccountName) and the Windows 2000 Logon Name (also known as the userPrincipalName). When you create a user in the Identity Vault with iManager or ConsoleOne, the object name and the user logon name are the same.

If you create some users in Active Directory by using MMC, and then create other objects in the Identity Vault or another connected system that is synchronized with the Identity Vault, the object can look odd in the opposite console and might fail to be created in the opposite system. However, you can use the name mapping policies to avoid this problem.

The Full Name Mapping policy is used to manage objects in Active Directory by using the MMC conventions. When this policy is enabled, the Full Name attribute in the Identity Vault is synchronized with the object name in Active Directory.

The NT Logon Name Mapping policy is used to manage objects in Active Directory by using the Identity Vault conventions. When it is enabled, the Identity Vault object name is used to synchronize both the object name and NT Logon Name in Active Directory. Objects in Active Directory have the same names as the Identity Vault, and the NT Logon Name matches the Identity Vault logon name.

When both of the policies are enabled at the same time, the Active Directory object name is the Identity Vault Full Name, but the NT Logon Name matches the Identity Vault logon name.

When both policies are disabled, no special mapping is made. The object names are synchronized and there are no special rules for creating the NT Logon Name. Because the NT Logon Name is a mandatory attribute in Active Directory, you need some method of generating it during Add operations. The NT Logon Name (sAMAccountName) is mapped to the DirMXL-ADAliasName in the Identity Vault, so you could either use that attribute to control the NT Logon Name in Active Directory or you could build your own policy in the Subscriber Create policies to generate one. With this policy selection, users created with MMC use the object name generated by MMC as the object name in the Identity Vault. However, this name might be inconvenient for login to the Vault.

Using the Name Mapping policies is controlled through Global Configuration Values. For information, see Global Configuration Values.

Active Directory Logon Name Policies

The Windows 2000 Logon name (also known as the userPrincipalName or UPN) does not have a direct counterpart in the Identity Vault. The UPN looks like an e-mail address (user@mycompany.com) and might in fact be the user’s e-mail name. The important thing to remember when working with the UPN is that it must use a domain name (the part after the @ sign) that is configured for your domain. You can find out what domain names are allowed by using MMC to create a user and looking at the domain name drop-down box when adding the UPN.

The default configuration offers several choices for managing userPrincipalName. If your domain is set up so that the user’s e-mail address can be used as a userPrincipalName, one of the options to track the user’s e-mail address is appropriate. You can make userPrincipalName follow either the Identity Vault or Active Directory e-mail address, depending on which side is authoritative for e-mail. If the user e-mail address is not appropriate, you can choose to have a userPrincipalName constructed from the user logon name plus a domain name. If more than one name can be used, update the policy after import to make the selection. If none of these options are appropriate, then you can disable the default policies and write your own.

Use of the Active Directory Logon Name policy is controlled through Global Configuration Values. For information, see Global Configuration Values.