Scoping the Active Directory Management Agent in MIM

Microsoft Identity Manager Series

Part 1: Automating MIM User Profile Synchronization with SharePoint 2016

Part 2: Using MIM to Import Custom Attributes into SharePoint 2016

Part 3: Using MIM to Export Custom Attributes from SharePoint 2016

Part 4: Default MIM to SharePoint 2016 Attribute Mappings

Part 5: Basic MIM Configuration to Support SharePoint 2016

Part 6: Scoping the Active Directory Management Agent in MIM

Many companies may not want to synchronize their entire directory to the SharePoint User Profile Service. This post walks through scoping the Active Directory Management Agent in MIM; scoping lets you specify which Organizational Units (OUs) are synchronized.

Using the Synchronization Service Manager, go to the Management Agents tab and double-click the Active Directory Management Agent (ADMA). In Configure Directory Partitions, make sure to highlight the domain naming context partition (that is, the one that does not begin with “CN=Configuration”).

[Screenshot: MIM_DirectoryPartitions]

Click Containers. You will be prompted for the synchronization account password to continue. Here we select which OUs are synchronized.

[Screenshot: MIM_Containers]

On the next full synchronization, accounts outside the selected OUs will be deleted from the ADMA, the Metaverse, and the SharePoint Management Agent (SPMA), which includes the User Profile Service.

To filter out additional users, for example those that are disabled in Active Directory, go back into the ADMA. In Select Attributes, select the attribute you wish to filter on. In this example we are filtering out disabled users, so choose the attribute ‘userAccountControl’; it is not selected by default. Click OK to exit the ADMA. The attribute must be selected here before it can be used in the next step.

[Screenshot: MIM_FilterAttribute]

Reopen the ADMA and go to Configure Connection Filter. In the right-hand pane, highlight the ‘user’ object type. Select the desired attribute (userAccountControl in this case), choose the “Bit on equals” operator, and enter the value 2 (0x2, the disabled-account bit). Click Add Condition, then OK, and exit the ADMA. Start a full synchronization, and the disabled users will be deleted from the Metaverse as well as the SPMA.

[Screenshot: MIM_DisableUserFilter]
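Because the next full synchronization deletes out-of-scope and filtered accounts from the Metaverse and the User Profile Service, it is worth previewing the impact first. The following PowerShell is an added example, not code from the original post or from MIM; it assumes the RSAT ActiveDirectory module, read access to the selected containers, and placeholder OU distinguished names that you replace with the ones ticked under Containers.

```powershell
# Added example (not from the original post): preview which users the ADMA container
# scope plus the userAccountControl "Bit on equals 0x2" connection filter will keep
# or drop, before a full sync removes the dropped ones from the Metaverse and SPMA.
# Assumes the RSAT ActiveDirectory module and read access to the selected OUs.
Import-Module ActiveDirectory

# Placeholders: use the containers ticked in Configure Directory Partitions > Containers.
$SelectedOUs = @(
    'OU=Staff,DC=contoso,DC=local',
    'OU=Contractors,DC=contoso,DC=local'
)

# LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803). Bit 0x2 of
# userAccountControl is the disabled-account bit, the same test MIM's
# "Bit on equals" filter applies with a value of 2.
$DisabledFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$EnabledFilter  = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$report = foreach ($ou in $SelectedOUs) {
    $kept    = @(Get-ADUser -LDAPFilter $EnabledFilter  -SearchBase $ou -SearchScope Subtree)
    $dropped = @(Get-ADUser -LDAPFilter $DisabledFilter -SearchBase $ou -SearchScope Subtree)
    [pscustomobject]@{
        OU               = $ou
        WillSync         = $kept.Count
        FilteredDisabled = $dropped.Count
        FilteredSamples  = ($dropped | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
    }
}
$report | Format-Table -AutoSize

# Users in the domain partition but outside the selected OUs are also removed on the
# next full sync; list a sample of them so missing profiles are not a surprise.
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADUser -Filter * -SearchBase $domainDN -SearchScope Subtree |
    Where-Object {
        $dn = $_.DistinguishedName
        -not ($SelectedOUs | Where-Object { $dn -like "*,$_" })
    } |
    Select-Object -First 20 SamAccountName, DistinguishedName
```

Run it with the same account MIM uses for the ADMA so that the results reflect what that account can actually read.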

And that is it. I hope you enjoyed this series on MIM! Any further questions about MIM as it relates to SharePoint 2016, let me know!

2 Comments

  1. Wonderful series! Was about to pull my hair out even being somewhat familiar with using FIM in 2010 the last 7 years. I have 2 questions.

    1) Can the “CN=Configuration” step be dropped if the NetBIOS name of the domain DOES NOT differ from the domain name? AD team is hesitant to grant my sync account the required container permissions since it currently doesn’t require that in 2010.
    2) Are the UPS synchronization settings supposed to be External Identity Manager or Active Directory? I have read many conflicting articles that it’s not what it seems.

    Thank you!

    • 1) I haven’t personally tested (it takes just a minute or two to implement).

      2) Depends on your patch level! This was fixed earlier this year (2017) to allow you to set it to External Identity Manager. Keep your installation up-to-date with the SharePoint 2016 PUs and you should be set without having to implement a workaround for the Manager field or Audiences.
