How do I only sync the users that are listed as active in Active Directory to Maximo using VMMSYNC?
Cause
When disabled users are not needed to be in Maximo as person and users, you can filter out the disabled users via the VMMSYNC in order to help alleviate extra information that is not needed as well as increase performance times for syncs running.
Answer
Users in Active Directory by default are determined the the userAccountControl parameter in AD on each particular user. For example, a basic Enabled Account has a userAccountControl value of 512, and disabled is 514. These numbers change based on the type of account, authentication, password requirements and other factors. If you wish to know what values to use for the userAccountControl you can use an LDAP browser to do a look up on your users, or consult Microsoft's documentation on what values correspond to what time of user.
In order to use the userAccountControl property with VMM, it needs to be added to the WebSphere repository as a supported entity type. Here are the steps to follow:
1. In the WebSphere server console, stop the MXServer
2. Stop Node(s) that your Maximo is running on.
3. In command prompt, navigate to Websphere\appserver\bin\
4. Run the command wsadmin.sh or wsadmin.bat (depending on your OS)
5. In the admin prompt, run this command (Note it is case sensitive):
$AdminTask addIdMgrPropertyToEntityTypes {-name useraccountcontrol -dataType string -entityTypeNames PersonAccount}
6. Restart cell Manager, either through the command line or the service.
7. Sync the WebSphere node manually to the dmgr node. Do this with the syncnode command in the appsrv01 profile bin folder.
8. Start the node.
9. Start MXServer and Maximo.
In order to use the userAccountControl property with VMM, it needs to be added to the WebSphere repository as a supported entity type. Here are the steps to follow:
1. In the WebSphere server console, stop the MXServer
2. Stop Node(s) that your Maximo is running on.
3. In command prompt, navigate to Websphere\appserver\bin\
4. Run the command wsadmin.sh or wsadmin.bat (depending on your OS)
5. In the admin prompt, run this command (Note it is case sensitive):
$AdminTask addIdMgrPropertyToEntityTypes {-name useraccountcontrol -dataType string -entityTypeNames PersonAccount}
6. Restart cell Manager, either through the command line or the service.
7. Sync the WebSphere node manually to the dmgr node. Do this with the syncnode command in the appsrv01 profile bin folder.
8. Start the node.
9. Start MXServer and Maximo.
Once the property has been added to the WebSphere repository, we can now set the filter in the VMMSYNC to use this property. In your usermapping XML on the VMMSYNC cron task, you will want to change your filter to look like this:
<filter>PersonAccount' and useraccountcontrol='512' and useraccountcontrol='66048</filter>
Note: This will sync all users that have a useraccountcontrol value of 512, which is a basic enabled account, and 66048 which is an enabled account with no password expiration. If you wish to add multiple types of enabled accounts, simply follow the the provided syntax and add more of the corresponding values.
No comments:
Post a Comment