Tuesday, October 5, 2010

Forefront Identity Manager 2010 and provisioning userfolders

As you might know Forefront Identity Manager 2010 (FIM) can be used to provision objects to lots different platforms. For synchronization to those different platforms FIM uses management agents. FIM 2010 comes with some management out of the box (see http://technet.microsoft.com/en-us/library/ff608275(WS.10).aspx). In case the platform you want to synchronize against isn’t listed (or in case it’s not fully satisfying your needs) FIM supports so called Extensible Connectivity Management Agent (ECMA). Using an ECMA you can use your own piece of code (ie C# or VB) to do the actual provisioning.
For example an ECMA can be used to provision userfolders (ie. Homedrive- and profile-folders. I’ve written an ECMA that provisions those folders (homedrive and profile) on a DFS share using C#. Of course the service account that FIM uses when provisioning needs the necessary rights on the share to actually create the folder. As we all know users need special permissions on their profilefolder. I used C# to actually give the useraccount in question the appropriate NTFS permission. Furthermore a user needs to be the owner of his profilefolder to actually make the roaming profile work. But, only administrative permissions are allowed to transfer ownership, and since we don’t want to give our FIM service account that much permissions we need another solution.
For the service account to be able to transfer the ownership you need to hand out the following privilege: “Restore files and directories” on the fileserver(s) in question. The best way to do this would be by making use of a GPO. This is where you can find the settings:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
For more information see about the privilege see also: http://msdn.microsoft.com/en-us/library/ms813998.aspx

1 comment:

  1. In regards to ECMA script execution, if the script fails can it be executed again upon the next provisioning cycle for example?

    ReplyDelete