Re: ADMT migrate not generating delete event
David Gersic wrote:
> On Tue, 03 Nov 2009 09:06:03 +0000, alexmchugh wrote:
>
>> Testing using Microsoft Active Directory Migration Tool (ADMT) to
>> migrate users in bulk from one domain to another domain within forest
>> (intra forest migration)
>
> Just curious, but why? What purpose does this ADMT serve? And why not
> implement whatever it is in IDM and let the drivers do the work?
One thing ADMT does that is unique and useful is that it updates the
sidHistory attribute with the old SID from the previous trusted domain.
Thus the user, now moved into the new domain, maintains rights in the old
domain.
We wrote a Scripting driver to do this task, and my boss Rob Rawson
wants to present on this driver and using it, at Brainshare, if the
session gets accepted.
>
>> This is an intra forest migration ADMT and does not seem to generate a
>> delete event that the IDM driver can see. The object is no longer
>> available in the old domain, I can't find it via Active Directory Users
>> and Computers or a LDAP search.
>
> I can't test this here, but it sounds like they're doing something that
> the driver shim isn't expecting.
We have not used it here for moves, rather for copies. Dunno what a
Move does in ADMT. That does suck if it does not generate the delete.
In which case, when matching, and succeeding, test the target user's
DirXML-Associations values:

  for-each dest attr DirXML-Associations
    if XPATH true
      $current-node/component[@name="volume"]=$THAT-AD-DRIVER-DN-IN-BACKSLASH-FORMAT
    then do something. Maybe remove dest attr DirXML-Associations
    (structured), with nameSpace = XPATH of
    $current-node/component[@name="nameSpace"], and volume and path from
    the same basic XPATH token.

Would that be sufficient?
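The check sketched above, written out as a DirXML-Script rule (an added example, not code from the thread; the old AD driver's DN in the volume comparison is a placeholder, and triggering on the modify event that follows a successful match is an assumption):

```xml
<rule>
  <description>Drop stale association to the old AD driver after an ADMT move</description>
  <conditions>
    <and>
      <!-- Assumed trigger: the modify event that follows the match/association -->
      <if-operation op="equal">modify</if-operation>
    </and>
  </conditions>
  <actions>
    <!-- Walk every DirXML-Associations value on the target eDirectory user -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr name="DirXML-Associations"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <!-- volume holds the driver DN; compare against the old AD driver (placeholder DN) -->
              <if-xpath op="true">$current-node/component[@name='volume'] = '\TREE\system\driverset\OLD-AD-DRIVER'</if-xpath>
            </and>
          </arg-conditions>
          <arg-actions>
            <!-- Remove exactly that structured value, rebuilding all three components from the current node -->
            <do-remove-dest-attr-value name="DirXML-Associations">
              <arg-value type="structured">
                <arg-component name="nameSpace">
                  <token-xpath expression="$current-node/component[@name='nameSpace']"/>
                </arg-component>
                <arg-component name="volume">
                  <token-xpath expression="$current-node/component[@name='volume']"/>
                </arg-component>
                <arg-component name="path">
                  <token-xpath expression="$current-node/component[@name='path']"/>
                </arg-component>
              </arg-value>
            </do-remove-dest-attr-value>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

Because the rule removes the association rather than the user, it only cleans up the reference to the domain ADMT emptied; trace the DirXML-Associations values in a test tree first to confirm the volume component really carries the driver DN in the backslash form you compare against.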