ARSS creating new AD Users: Attribute Conflicts handling

Question

Should be a standart user provisioning scenario, it works in my LAB but perhaps better conflicts handling ways exist and I "over-engineer" it? When building workflow to create new AD users I'm basically handling two conflicts: Name and SamAccountname. 
 1. Name: I'm handling it under "Rules to generate unique object name" screen with 2 rules 1) Name 2) Script to add PREFIX 
 
 $output = $null 
 $output = "DUP_ARSS_" + $srcObj["name"] 
 $output 
 2. SamAccountName: I'm doing it as Sync attribute rule where I query Target AD and add prefix if conflict on SamAccountName is found 
 $sam = $null 
 $output = $null 
 $objSearcher = $null 
 $ObjT = $null 
 
 $SDC = "DC1.Domain.com" 
 
 $sam = $srcObj["samAccountName"] 
 
 $objSearchRootSDC = [adsi]"LDAP://$SDC" 
 if ($($objSearchRootSDC.properties.distinguishedname) -eq $null) 
 { 
 $output = $sam 
 } else 
 { 
 #SAM Conflict check 
 $objSearcher = New-Object System.DirectoryServices.DirectorySearcher 
 $objSearcher.PageSize = 100 
 $objSearcher.Filter = "(samAccountName=$sam)" 
 $objSearcher.SearchRoot = $objSearchRootSDC 
 #"distinguishedname" | %{[void]$objSearcher.PropertiesToLoad.Add($_)} 
 $ObjT = $objSearcher.FindOne() 
 
 if ($ObjT) 
 { 
 $output = "DUP_ARSS_" + $sam 
 } else 
 { 
 $output = $sam 
 } 
 } 
 
 $output

JohnnyQuest · Answer

Unfortunately there isn't. FWIW, I try to avoid putting too much business logic in the ARSS attribute sync rules as for large environments, it slows down their execution too much. I prefer to either pre-process the source and/or (as I suggested) rely on business logic implemented in Active Roles whenever possible. For your situation, you don't have much choice.

ARSS creating new AD Users: Attribute Conflicts handling

Top Replies