ODM AD Attribute Mapping Examples

ODM AD Attribute Mapping Examples

A customer recently wanted to do some significant re-mapping as part of their ODM AD migration.  They were looking to normalize a few attributes as part of their AD Migration.  They were looking to Change the sAMAccountName, the DisplayName, the CN, and the DistinguishedName.  That all meant delving into the advanced ODM AD attribute mapping in my Template.

If you haven’t looked at the Advanced Mapping in the ODM Templates, then I would recommend looking at the Directory Sync Advanced Mapping Guide for some clarity on what is available to you.  Unfortunately, the mapping language, though not complex, is yet another language we all have to learn. To make matters worse, it isn’t based on PowerShell, .Net, or even the advanced mapping format found in the on-prem version of the tool (Migrator Pro for Active Directory).

Enough of all of that.  Let’s get down to business.

sAMAccountName Changes

There are three conditions for sAMAccountName Changes.  The first condition is to translate the existing sAMAccountName format into a more fairly typical First.Last format.  Further, this format needs to be limited to twenty characters lon.  The second condition is for user objects, including Devices, that don’t have a First and/or Last name specified, to retain their existing sAMAccountName, at least during the initial synchronization.  And the final change is to change the prefix of any group objects.  The good news is that Users and Groups can have separate rules as this is allowed via the Target Type check boxes on the Advanced Mapping screen of ODM AD attribute mapping.

Users, and by consequence, Devices

To change the User accounts to first.last name format, you just need to enable Advanced Mapping.  This is done by going into the Templates sections, selecting the Mapping tab, searching for the attribute in question, in this case, sAMAccountName, double click on said attribute, and finally, clicking the Advanced button at the top of ODM AD attribute mapping.  Then, enter your mapping formula.

In our case, we want to take the first name, concatenate it with a dot and the last name.  Of course, there is no “Firstname” nor “Lastname” field in Active Directory, so instead you must use the fields SN (short for sur name) and givenName.  So the basics of the formula looks like this:

givenName + “.” + SN

You could also use, as they are synonymous:

S.givenName + “.” + S.SN     [or]     Source.givenName + “.” + Source.SN

 

That’s great, of course, but there are two problems with that.  What if they don’t have a SN and/or GivenName specified?  Unfortunately that could lead to some basic problems of trying to create accounts with just a dot, and or a .Name or a Name., neither of which would be good.  So lets add a check in for that condition.

if((empty(givenName) or empty(SN)),sAMAccountName,givenName + “.” + SN)

The “empty” function should return true if the value is Null or if the value is “”, which, unfortunately in AD, are not the same.  This condition should solve our other problem as well, which is for Computer accounts, which are of course Users (no Computers or Devices check box on the “Target Object Type).

Last, but not least, ODM AD requires the sAMAccountName be limited to 20 characters, which is silly, of course, but hey, they won’t give me the code so I can’t fix it.  For that reason, we need to truncate the results, leaving us with the final full formula.

trunc(if((empty(givenName) or empty(SN)),sAMAccountName,givenName + “.” + SN),20)

ODM AD MappingsNote:  Don’t forget, if you change your template, then you need to refresh it in the Stage part of the work flow.  Just selecte your Stage section and “Next” your way to the end to update it in your workflow.  I know, annoying, but there you have it.

Group sAMAccountName Changes

For this customer we also need to change the sAMAccountName of certain groups.  They had a series of groups that were prefixed with ABCD- and wanted to change them, for application purposes, to VWXYZ- (obviously, those aren’t the read prefix names, just making it generic for the public posting.  For brevity sake, we won’t go through all the steps as we did before and just skip to the end formula in ODM AD attribute mapping.

 

Here we use the following functions:  IF, Starts and Replace.

if(starts(S.sAMAccountName,”ABCD-“),replace(s.sAMAccountName,”ABCD-“,”VWXYZ-“),S.sAMAccountName)

Changing the DisplayName, CN and distinguishedName / ODM AD Attribute Mapping Examples

Changing the DisplayName, CN and distinguishedName

For the displayName, CN and distinguished Name we are using a very similary approach.

Users

For users, we are going with first <space> last, or if no first/last, then bring the default forward.

displayName if(empty(s.givenName) or empty(s.sn),displayName,s.givenName+” “+s.sn))
CN if(empty(givenName) or empty(sn),cn,givenName+” “+sn)
distinguishedName if(empty(s.givenName) or empty(s.sn),GetDN(cn),replace(GetDN(cn),s.SN+”\, ” + s.givenName,s.givenName+” “+ s.sn))

 

Note the use of the “replace” function in the distinguishedName.  There is a caveat where this will break: if the givenName and SN don’t align with how the distiguishedName is specified, it is a corner case, but it can happen.  If so, it is easier to fix it in the source than to wrap another IF statement into the formula of ODM AD attribute mapping.

 

Groups

Again, for groups, we need to fix the displayName, CN and DistinguishedName for any groups we renamed.

displayName if(starts(S.Name,”ABCD-“),replace(cn,”ABCD-“,”VWXYZ-“),cn)
CN if(starts(S.Name,”ABCD-“),replace(cn,”ABCD-“,”VWXYZ-“),cn)
distinguishedName if(starts(S.Name,”ABCD-“),replace(GetDN(cn),”ABCD-“,”VWXYZ-“),s.distinguishedName)

 

Notes and Issues

At the time of the writing of this document there was no checkbox for Computer on the advanced mapping.   Unfortunately, for me, I had to sync computer objects because there were computers  that were members of groups.  Given that, I had different rules for sAMAccountName and Distinguished names in ODM AD attribute mapping, I didn’t have an “All” checkbox to pick up the computer objects.  This resulted in errors on creation of computer objects as there was not a sAMAccountName for them.  To work around that problem, I had check the All box and combine my rules in ODM AD attribute mapping.

This is what I ended up with for sAMAccountName:

if(starts(S.Name,”PPFA-“),replace(GetDN(cn),”PPFA-“,”PPNATL-“),if(empty(s.givenName) or empty(s.sn),GetDN(cn),replace(GetDN(cn),s.SNd+”\, ” + s.givenName,s.givenName+” “+ s.sn)))

And, just to be different, this is what I did for distinguishedName, which might be a better approach, if a bit clunkier:

case(GetObjectType()=”group”,if(starts(S.Name,”PPFA-“),replace(GetDN(cn),”PPFA-“,”PPNATL-“),GetDN(cn)),GetObjectType()=”user”,if(empty(s.givenName) or empty(s.sn),GetDN(cn),replace(GetDN(cn),s.SN+”\, ” + s.givenName,s.givenName+” “+ s.sn)),GetObjectType()=”computer”,GetDN(cn))

Conclusion

Though the ODM AD attribute mapping ability is strong, and can do many things, it is limited in its scope.  My favorite “sync” tool is Active Roles Sync Service, available from Quest.  It allows you to run Powershell as an action for any attributes you want. However, we don’t get that in ODM, so we will take what we do get and do our best from there.

By Michael Gastright