Hi,
I am currently struggling to figure out a strategy to ensure that user attributes are unique.
I did some reading and found an article that recommended what attributes should be unique: https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/
When you create a new user manually by default you have to fill out the following properties:
| Friendly Name | LDAP | Additional details |
|---|---|---|
| First Name | givenName | |
| Last Name | sn | |
| Full Name | cn | Must be unique |
| Display Name | displayName | Doesn't have to be unique, but is recommended |
| User login name | edsaUPNPrefix | Must be unique |
| edsaUPNSuffix | edsaUPNSuffix | Your domain |
| Pre-2000 | sAMAccountName | Must be unique |
Using policies (Property Generation and Validation) you can automatically fill in all of these attributes. This works great, until you want to deviate a bit from following a standard model. For instance, all of your attributes would be generated from First Name and Last Name.
What I am looking to be able to do is the following:
| Friendly Name | LDAP | Additional details |
|---|---|---|
| First Name | givenName | |
| Last Name | sn | |
| Full Name | cn | Must be unique. Generated from a combination of first and last name, but if there is an existing user, a number would be added to make it unique |
| Display Name | displayName | Doesn't have to be unique, but is recommended. Follows similar rules to that of Full Name |
| User login name | edsaUPNPrefix | Must be unique. Follows similar rules to that of Full Name |
| edsaUPNSuffix | edsaUPNSuffix | Your domain |
| Pre-2000 | sAMAccountName | Must be unique. Has its own uniqueness generator |
I thought I would be able to accomplish this by using an "onPreCreate" script. What I am finding, though, at least when trying to create a user from the GUI, is that the script doesn't appear to kick in when you hit "next", so you end up with an error saying that certain values are not unique.
I have a feeling that even if you were to use the ARS Sync Engine to create users it would complain about the same thing.
When does the scripting engine kick in during the creation process? It seems the only way to accomplish this is using scripts as the Property Generation and Validation policies are limited.
This issue mainly stems from the fact that our HR system (synced via ARS Sync Engine) allows for duplicate user names to be created. And we are expected to handle the duplication on our end.
I know this is a loaded question, but if anyone has any examples of how they handled something similar it would be awesome!
Cheers
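As an added example (not from the original post, and not One Identity's own code), here is one way to express the "append a number until unique" rule from the second table as an Active Roles script-module handler; Active Roles script policies are PowerShell, so that is the language used. It assumes the handler signature `onPreCreate($Request)` with `$Request.Get`, `$Request.Put` and `$Request.Class`, that the Active Roles Management Shell cmdlet `Get-QADUser` is usable from the script module, that `edsaUPNSuffix` is present in the request (with a placeholder fallback of `example.com`), and that the handler fires before the service's own uniqueness validation, which is exactly the open question above. The base-name rules (first.last for the UPN prefix, first initial plus surname for sAMAccountName) are illustrative choices, not anything the post prescribes.

```powershell
# Added example (not from the original post): onPreCreate handler that makes
# cn / displayName / UPN unique by appending 2, 3, ... and builds
# sAMAccountName with its own rule.  Assumptions: Get-QADUser is available in
# the script module, $Request.Get/.Put/.Class exist, edsaUPNSuffix is in the
# request, and this handler runs before the uniqueness checks.

# Escape LDAP filter metacharacters (RFC 4515) so a surname such as
# "O'Brien (Temp)*" cannot change the meaning of the search filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c')            # backslash must go first
    foreach ($pair in @(@('*', '\2a'), @('(', '\28'), @(')', '\29'), @("`0", '\00'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    return $escaped
}

# True if some user already has $Attribute = $Value.  A direct AD search will
# not see objects Active Roles is still creating in the same sync batch; add
# -Proxy to Get-QADUser if searching through the Admin Service is needed.
function Test-UserAttributeInUse {
    param([Parameter(Mandatory)][string]$Attribute,
          [Parameter(Mandatory)][string]$Value)
    $filter = "($Attribute=$(ConvertTo-LdapFilterValue $Value))"
    $hit = Get-QADUser -LdapFilter $filter -SizeLimit 1 -ErrorAction Stop
    return ($null -ne $hit)
}

# Returns Base, or Base2, Base3, ... for the first candidate where -Exists
# returns $false.  -MaxLength trims the stem, never the number, so a long
# surname plus "12" still fits the 20-character sAMAccountName limit.
function Get-UniqueValue {
    param([Parameter(Mandatory)][string]$Base,
          [Parameter(Mandatory)][scriptblock]$Exists,
          [int]$MaxLength = 0,
          [int]$Limit = 999)
    for ($number = 1; $number -le $Limit; $number++) {
        $tail = if ($number -gt 1) { [string]$number } else { '' }
        $stem = $Base
        if ($MaxLength -gt 0 -and ($stem.Length + $tail.Length) -gt $MaxLength) {
            $stem = $stem.Substring(0, $MaxLength - $tail.Length)
        }
        $candidate = $stem + $tail
        if (-not (& $Exists $candidate)) { return $candidate }
    }
    throw "No unique value derived from '$Base' within $Limit attempts"
}

# $Request.Get throws when the attribute is not in the request; treat that as empty.
function Get-RequestValue($Request, [string]$Attribute) {
    try { return [string]$Request.Get($Attribute) } catch { return $null }
}

function onPreCreate($Request) {
    if ($Request.Class -ne 'user') { return }
    $given = Get-RequestValue $Request 'givenName'
    $sn    = Get-RequestValue $Request 'sn'
    if (-not $given -or -not $sn) { return }      # let the policy's own validation report it
    $upnSuffix = Get-RequestValue $Request 'edsaUPNSuffix'
    if (-not $upnSuffix) { $upnSuffix = 'example.com' }   # assumption: your UPN suffix

    # Full Name: "First Last", then "First Last2", ...; displayName follows cn
    # so the two stay in step (displayName itself need not be unique).
    $cn = Get-UniqueValue -Base "$given $sn" -Exists { param($v) Test-UserAttributeInUse 'cn' $v }
    $Request.Put('cn', $cn)
    $Request.Put('displayName', $cn)

    # UPN prefix: first.last, stripped to characters safe in a UPN, same numbering rule.
    $prefixBase = ("$given.$sn").ToLowerInvariant() -replace '[^a-z0-9.\-_]', ''
    $prefix = Get-UniqueValue -Base $prefixBase -Exists {
        param($v) Test-UserAttributeInUse 'userPrincipalName' "$v@$upnSuffix"
    }
    $Request.Put('userPrincipalName', "$prefix@$upnSuffix")

    # Pre-2000 name: its own generator, first initial + surname, illegal
    # sAMAccountName characters removed, capped at 20 characters.
    $samBase = ($given.Substring(0, 1) + $sn).ToLowerInvariant() -replace '[\s"/\\\[\]:;|=,+*?<>]', ''
    $sam = Get-UniqueValue -Base $samBase -MaxLength 20 -Exists { param($v) Test-UserAttributeInUse 'sAMAccountName' $v }
    $Request.Put('sAMAccountName', $sam)
}
```

Two points worth keeping in mind if you adapt this: the uniqueness search and the later write are not atomic, so two creates racing for the same name (for instance a sync batch with duplicate HR records) can both pass the check and one will still fail on the directory's own constraint, which is why the handler deliberately does not suppress that error; and the LDAP escaping in `ConvertTo-LdapFilterValue` is not optional, since the base values come straight from HR data.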