Sync and transform AD attributes with One Identity ARSS (Active Roles Synchronization Service)

While QMM (Quest Migration Manager) handles plenty of very complex migration scenarios when it comes to AD attribute synchronization, sometimes even that variety is not enough. This is where ARSS comes in. This Active Roles component was previously known as Quest Quick Connect and is now part of the One Identity Active Roles suite. It lets you build simple or very elaborate AD attribute synchronization tasks, for example:

  • Sync a specific AD attribute between different domains / forests, for example “description”, “telephoneNumber”, “extensionAttribute1”, “publicDelegates” and so on.

  • Sync one AD attribute into another, provided the attribute syntax allows “porting” the value, for example “extensionAttribute1” to “extensionAttribute2”.
  • Do either of the above while transforming the synchronized value per certain conditions or a script (the choices are limitless): capitalizing the text, modifying or replacing it, taking the value from an import file, and pretty much anything a PowerShell script allows you to do.
  • Simply set or modify an attribute value, which comes in very handy when you want to custom-match AD objects in QMM via the “objectGUID to matching attribute” rule (with all other matching rules unchecked). Or add a secondary proxyAddress to the object when “mail” or “targetAddress” meets certain criteria.
  • It can sync passwords!
  • Sync a rich subset of mail-related attributes on mail-enabled AD objects (users, DLs, contacts – it does not matter) while QMM is configured to sync AD attributes only.

  • This list can go on and on, because ARSS is not limited to Active Directory based systems; it can sync from / between:

    Microsoft Active Directory Domain Services
    Microsoft Active Directory Lightweight Directory Services
    Microsoft Exchange Server
    Microsoft Skype for Business Server
    Microsoft Azure Active Directory
    Microsoft Office 365
    Microsoft SQL Server
    Microsoft SharePoint
    Active Roles (limited to certain versions)
    Quest One Identity Manager version 6.1 or 6.0
    One Identity Manager version 7.0
    Data sources accessible through an OLE DB provider
    Delimited text files – CSVs

  • Regarding CSV, here is a good example. Suppose you have a list of samAccountNames with certain attribute values. You map the CSV to the AD system on samAccountName and sync any CSV field to any AD attribute on the corresponding mapped AD object. So with a CSV file of samAccountName,homeDrive you can set the “homeDrive” attribute on every object in the CSV by running just one ARSS sync task.
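The conditional secondary proxyAddress scenario from the list above, written as the body of a “Script” source rule. This is an added example, not code from the original post or from One Identity. It assumes the Synchronization Service exposes the source object as $srcObj indexed by attribute name (the same variable the post's own script uses), that the rule's Target is proxyAddresses, and the two domain names are made up:

```powershell
# Added example, not from the original post. A Forward Sync "Script" source rule for the
# proxyAddresses target: copy the existing addresses and append a secondary smtp: address
# when the primary mail is in a given domain. Assumptions: the Synchronization Service
# exposes the source object as $srcObj indexed by attribute name (as the post's own script
# does); the domain names are made up.
$sourceDomainPattern = '@fabrikam\.example$'   # assumption: who qualifies for a secondary address
$secondaryDomain     = 'contoso.example'       # assumption: domain of the address to add

function Get-TargetProxyAddresses {
    param(
        [string]$Mail,
        [string[]]$ProxyAddresses
    )
    # proxyAddresses may be absent or a single value on the source object; work on a list
    $result = [System.Collections.Generic.List[string]]::new()
    if ($ProxyAddresses) { $result.AddRange([string[]]$ProxyAddresses) }

    # Nothing to derive from, or mail not in the source domain: pass the value through unchanged
    if (-not $Mail -or $Mail -notmatch $sourceDomainPattern) { return $result.ToArray() }

    $localPart = $Mail.Split('@')[0]
    $secondary = "smtp:${localPart}@${secondaryDomain}"   # lower-case smtp: marks a secondary address

    # Exchange treats proxyAddresses case-insensitively; do not add a duplicate
    if (-not ($result | Where-Object { $_ -ieq $secondary })) { $result.Add($secondary) }

    return $result.ToArray()
}

if ($srcObj) {
    # Inside the Synchronization Service: the script's output becomes the target value
    Get-TargetProxyAddresses -Mail $srcObj['mail'] -ProxyAddresses $srcObj['proxyAddresses']
}
else {
    # Outside the service: constructed sample object so the rule can be tested offline
    $sample = @{
        mail           = 'jdoe@fabrikam.example'
        proxyAddresses = @('SMTP:jdoe@fabrikam.example', 'smtp:john.doe@fabrikam.example')
    }
    Get-TargetProxyAddresses -Mail $sample['mail'] -ProxyAddresses $sample['proxyAddresses']
}
```

The function returns the complete multi-valued attribute rather than just the new address, because the rule replaces the whole target value; passing the existing addresses through unchanged when the condition is not met is what keeps the rule from wiping proxyAddresses on objects that do not qualify. Run the script in a plain PowerShell session first: without $srcObj it falls through to the constructed sample, so the logic can be checked before it touches a connected system.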

Setting up the product is fairly straightforward – you just run the ARS installer and select the corresponding component.

One important “gotcha”: it uses MS SQL Server for its database and, depending on the number of tasks, AD size and overall complexity, that database can grow to a couple of TBs. Once the product is deployed and you have created the SQL database by running the ARSS Configuration Wizard, you need to create:

  • Connectors to the systems you sync, for example a connector to AD 1, a connector to AD 2, a connector to the CSV.
  • Mappings between the connected systems, for example samAccountName to samAccountName, or msExchExtensionAttribute40 to samAccountName.
  • Workflows, where you define which attributes on which objects you want to sync, and how.

And finally, here is the script that sets the QMM matching attribute on the object. Simply select the corresponding attribute as the “Target” and “Script” as the source when creating a Forward Sync rule:

# $srcObj is the source object the Synchronization Service hands to the script
$QMMGuid = $srcObj["objectGUID"]
# objectGUID arrives as a byte array; cast it to a GUID
$QMMGuid = [System.Guid]$QMMGuid
# hex of the GUID's 16 bytes in AD byte order, upper-case, no separators
$result = [System.String]::Join("", ($QMMGuid.ToByteArray() | ForEach-Object { $_.ToString('X2') }))
# the script's last output is the value written to the target attribute
$result
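To check what the rule above actually wrote, the same conversion as a function together with its reverse, so a matching value can be decoded back to a GUID and compared with the object's real objectGUID. This is an added example, not from the original post or from One Identity; it assumes, as the post does, that the matching attribute holds the GUID's 16 bytes as upper-case hex without separators. The sample GUID is made up, and extensionAttribute15 in the commented live check is only a placeholder for whichever attribute you chose as the QMM matching attribute:

```powershell
# Added example, not from the original post: the post's script as a function plus the reverse
# conversion, so the value a rule writes to the QMM matching attribute can be checked against
# the object's actual objectGUID. Assumes, as the post does, that the matching attribute holds
# the GUID's 16 bytes as upper-case hex without separators.
function ConvertTo-QmmMatchingValue {
    param([Parameter(Mandatory)]$ObjectGuid)   # byte[] as read from AD, or an existing [guid]
    $guid = [System.Guid]$ObjectGuid
    # Same conversion as the post's script: bytes in AD storage order, each as two hex digits
    -join ($guid.ToByteArray() | ForEach-Object { $_.ToString('X2') })
}

function ConvertFrom-QmmMatchingValue {
    param([Parameter(Mandatory)][string]$MatchingValue)
    if ($MatchingValue -notmatch '^[0-9A-Fa-f]{32}$') {
        throw "Expected 32 hex characters, got '$MatchingValue'"
    }
    # Rebuild the byte array and let System.Guid reassemble it in its native order
    $bytes = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($MatchingValue.Substring(2 * $_, 2), 16) })
    [System.Guid]::new($bytes)
}

# Constructed sample: a fixed GUID standing in for a real objectGUID
$sampleGuid = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$matching   = ConvertTo-QmmMatchingValue -ObjectGuid $sampleGuid.ToByteArray()
$matching

# The round trip must give the original GUID back; if it does not, the rule wrote the wrong format
if ((ConvertFrom-QmmMatchingValue -MatchingValue $matching) -ne $sampleGuid) {
    throw 'Round trip failed: matching value does not encode the GUID'
}

# Against a live object (assumptions: RSAT ActiveDirectory module is installed, and
# extensionAttribute15 is the attribute you chose as the QMM matching attribute):
# $u = Get-ADUser jdoe -Properties objectGUID, extensionAttribute15
# (ConvertTo-QmmMatchingValue -ObjectGuid $u.ObjectGUID) -eq $u.extensionAttribute15
```

The point of the round trip is the byte order: the first three groups of a GUID's display string are stored little-endian in the byte array, so the matching value does not begin with the digits you see when you print the GUID. Comparing a decoded value with the object's objectGUID, rather than eyeballing hex against the display string, is what tells you the rule and QMM agree on the format.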
