Alex Tcherniakhovski - Security

Workflow based account reconciliation across multiple enterprise directories or how to deal with orphan accounts

This posting is provided "AS IS" with no warranties, and confers no rights. Use of the included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm


This screencast explores a framework for using workflow to reconcile multiple directories within an enterprise.

By directory reconciliation I mean the ability to trace every account in any enterprise directory back to a record in the authoritative store (e.g. HR). A mechanism for dealing with orphan accounts (accounts that cannot be traced to any authoritative record) is also considered part of the solution.
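As an added illustration of the reconciliation idea (this is not code from the screencast or from the MIIS workflow it describes), the following script matches accounts from several directories against an HR export keyed on the employeeNumber attribute and sorts them into reconciled, orphan, terminated and duplicate buckets; the HR records and account names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class HrRecord:
    employee_number: str   # authoritative identifier issued by HR
    active: bool           # False once the employee has left

@dataclass(frozen=True)
class Account:
    directory: str                    # which enterprise directory holds the account
    name: str
    employee_number: Optional[str]    # link back to HR; None when the attribute is unset

@dataclass
class Report:
    reconciled: List[Account] = field(default_factory=list)  # traced to an active HR record
    orphans: List[Account] = field(default_factory=list)     # no HR record at all
    terminated: List[Account] = field(default_factory=list)  # HR record exists but is inactive
    duplicates: List[Account] = field(default_factory=list)  # same employeeNumber twice in one directory

def reconcile(hr: List[HrRecord], accounts: List[Account]) -> Report:
    hr_by_number = {r.employee_number: r for r in hr}
    seen = defaultdict(list)          # (directory, employeeNumber) -> accounts claiming it
    report = Report()
    for acct in accounts:
        if acct.employee_number is not None:
            seen[(acct.directory, acct.employee_number)].append(acct)
        record = hr_by_number.get(acct.employee_number) if acct.employee_number else None
        if record is None:
            report.orphans.append(acct)       # candidate for the orphan-handling workflow
        elif not record.active:
            report.terminated.append(acct)    # should already have been deprovisioned
        else:
            report.reconciled.append(acct)
    for accts in seen.values():
        if len(accts) > 1:                    # two accounts in one directory share one identity
            report.duplicates.extend(accts)
    return report

# Constructed sample data: one HR export and accounts from three directories.
HR = [HrRecord("1001", True), HrRecord("1002", False), HrRecord("1003", True)]
ACCOUNTS = [
    Account("AD", "jdoe", "1001"), Account("CRM", "jdoe", "1001"),
    Account("AD", "asmith", "1002"),          # employee 1002 is inactive in HR
    Account("AD", "svc_backup", None),        # no employeeNumber set
    Account("LDAP", "ghost", "9999"),         # employeeNumber unknown to HR
    Account("CRM", "bob", "1003"), Account("CRM", "bob2", "1003"),
]

if __name__ == "__main__":
    r = reconcile(HR, ACCOUNTS)
    for label in ("reconciled", "orphans", "terminated", "duplicates"):
        print(label, [f"{a.directory}/{a.name}" for a in getattr(r, label)])
```

The same employeeNumber appearing in two different directories is expected (one person, several accounts); only a repeat inside a single directory is flagged.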


Please follow this link to see the screencast.


Note: When originally working on this blog I suggested using Active Directory Access Control Lists to protect the employeeNumber attribute from unauthorized modification.

After thinking about this more, I believe that using a dedicated confidential attribute would be a better approach.

Read more about confidential attributes in AD here:

http://support.microsoft.com/kb/922836


References:

Adding workflow components into your MIIS solutions

Connecting ILM 2007 with SharePoint Services Lists

Building extensible management agent for MIIS

Published Thursday, November 01, 2007 9:02 PM by alextch

Attachment(s): WrkFlowEnforcement.zip

