Symantec IGA

How to prevent account template association removal from an account that was moved out-of-band on an endpoint

Aug 24, 2016 06:27 PM

Hi

 

One of the most important facts when using Provisioning Roles and Account Templates is that if an account object in the provisioning directory does not have an account template associated with it, no downstream updates will happen when a sync operation is triggered.

 

In some cases, an out-of-band move of an account by a system owner from one location to another will cause the inclusion object to be removed from the account object in the provisioning directory, so the account will not be updated on downstream sync.

 

To fix or prevent this problem, follow these instructions:


Provisioning Manager

 

Make the following two changes:

 

And:

 

 

By selecting these two settings, you are "telling" CAIM to automatically correlate the account on creation if the account exists in the same container location as in the Account Template, or to use any existing account on the endpoint with the same account name regardless of the account template container.

 

Once you have these two settings in place, the only operation you need to run is the "Sync User with Roles" operation.

 

Then select the "Add missing accounts and account template assignments" option.

 

 

When the operation is launched, the system will try to create a new account based on the Provisioning Role and account template.

 

Now, as the account already exists in the system but in a different container, the settings above will cause CAIM to "ignore" the container part of the account template and assign the account template to the already existing account.

 

Before:

 

 

After:

 

 

You can automate this procedure using a bulk task or a custom TEWS call:

 

 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdl:DoSynchUserRoles>
         <wsdl:DoSynchUserRolesSearch>
            <!-- The user whose roles are synchronized -->
            <wsdl:Subject index="0">
               <wsdl:UID>samforest</wsdl:UID>
            </wsdl:Subject>
            <wsdl:Filter index="0">
               <wsdl:Field>%USER_ID%</wsdl:Field>
               <wsdl:Op>equals</wsdl:Op>
               <wsdl:Value>samforest</wsdl:Value>
            </wsdl:Filter>
         </wsdl:DoSynchUserRolesSearch>
         <wsdl:DoSynchUserRolesDoSynchUserRolesTab>
            <!-- Matches the "Add missing accounts and account template assignments" option -->
            <wsdl:addMissing>true</wsdl:addMissing>
         </wsdl:DoSynchUserRolesDoSynchUserRolesTab>
      </wsdl:DoSynchUserRoles>
   </soapenv:Body>
</soapenv:Envelope>
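
For a bulk run, the envelope can be generated per user instead of edited by hand. The sketch below is an added example, not part of the original post or any CA/Symantec code: the function names and the whitespace check are hypothetical, and sending each envelope to your TEWS endpoint (URL and authentication are deployment-specific) is left out. Building the XML with a library rather than string formatting keeps user IDs containing `&`, `<` or quotes from corrupting the request.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEWS_NS = "http://tews6/wsdl"  # namespace taken from the envelope on this page
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsdl", TEWS_NS)


def _el(parent, ns, tag, text=None, **attrs):
    """Append a namespaced child; ElementTree escapes text and attributes."""
    child = ET.SubElement(parent, f"{{{ns}}}{tag}", attrs)
    child.text = text
    return child


def build_sync_request(user_id: str, add_missing: bool = True) -> bytes:
    """Return a DoSynchUserRoles envelope for one user, shaped like the page's."""
    if not user_id or user_id != user_id.strip():
        # Hypothetical sanity check: empty or padded ids usually mean bad input data.
        raise ValueError(f"suspicious user id: {user_id!r}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    _el(env, SOAP_NS, "Header")
    body = _el(env, SOAP_NS, "Body")
    task = _el(body, TEWS_NS, "DoSynchUserRoles")
    search = _el(task, TEWS_NS, "DoSynchUserRolesSearch")
    subject = _el(search, TEWS_NS, "Subject", index="0")
    _el(subject, TEWS_NS, "UID", user_id)
    flt = _el(search, TEWS_NS, "Filter", index="0")
    _el(flt, TEWS_NS, "Field", "%USER_ID%")
    _el(flt, TEWS_NS, "Op", "equals")
    _el(flt, TEWS_NS, "Value", user_id)
    tab = _el(task, TEWS_NS, "DoSynchUserRolesDoSynchUserRolesTab")
    _el(tab, TEWS_NS, "addMissing", "true" if add_missing else "false")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def build_batch(user_ids):
    """One envelope per distinct user id, preserving input order."""
    return {uid: build_sync_request(uid) for uid in dict.fromkeys(user_ids)}


if __name__ == "__main__":
    # Constructed sample ids; the second would break a string-formatted envelope.
    for uid, xml in build_batch(["samforest", "o'brien & <co>", "samforest"]).items():
        print(uid, len(xml), "bytes")
```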

 

Sample command line using the ETAUTIL command (thanks ealaney!!):


etautil -u <admin user> -p ********* update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=<domain>' eTGlobalUser eTGlobalUserName='<Global User Name>' to eTSyncUsers=1

 

I hope this will help you

 

Itamar Budin
