# Migrates existing AD user accounts (listed in an operator-supplied CSV) into
# the I@M system: creates the FIM/MIM Service Person via the Lithnet RMA
# cmdlets, the mirrored ACMA account via ACMAPS, then drives the MIM sync
# engine. The ActiveDirectory and Lithnet MIIS automation cmdlets used further
# down are not imported here; presumably they are auto-loaded on the MIM host.
Import-Module LithnetRMA
Import-Module ACMAPS
# NOTE(review): the FIM Service endpoint (port 5725) is addressed over plain
# http and "{FIMService-Address}" is a placeholder that must be filled in.
# Confirm the channel is authenticated and protected by the WCF binding the
# RMA client uses before running this against production data.
Set-ResourceManagementClient -BaseAddress "http://{FIMService-Address}:5725"
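Function CheckADObjectInFIM($monashobjectid, $objectclass)
{
    # Return the FIM Service ObjectID (string) of the $objectclass resource
    # whose monashObjectID attribute equals $monashobjectid.
    #
    # Throws "Resource Not Found in FIMService..." in every failure case.
    # The original only threw when Get-Resource itself raised; a lookup that
    # simply returned nothing produced $null, which callers then handed on as
    # an owner or parent-group reference. Empty inputs are rejected up-front
    # for the same reason, and the underlying error text is now preserved.
    if ([string]::IsNullOrWhiteSpace("$monashobjectid"))
    {
        throw "Resource Not Found in FIMService: empty monashObjectID"
    }
    if ([string]::IsNullOrWhiteSpace("$objectclass"))
    {
        throw "Resource Not Found in FIMService: no object class given for monashObjectID $monashobjectid"
    }
    try
    {
        $obj = Get-Resource -ObjectType $objectclass -AttributeName monashObjectID -AttributeValue $monashobjectid -AttributesToGet ObjectID
    }
    catch
    {
        # Keep the original message prefix (callers only log it) but append
        # the real error so a failed lookup can be diagnosed from the log.
        throw "Resource Not Found in FIMService: $($_.Exception.Message)"
    }
    $found = @($obj)
    if ($found.Count -eq 0 -or $null -eq $found[0])
    {
        throw "Resource Not Found in FIMService: no $objectclass with monashObjectID $monashobjectid"
    }
    if ($found.Count -gt 1)
    {
        # monashObjectID is expected to be unique; refuse to guess which one.
        throw "Resource Not Found in FIMService: monashObjectID $monashobjectid matches $($found.Count) $objectclass objects"
    }
    return ($found[0].ObjectID.Value)
}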
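Function SearchACMAFSObject($fsobjectid)
{
    # Return the ACMA objectId ([guid]) of the ACMA object whose
    # fimServiceObjectID attribute equals $fsobjectid.
    #
    # Throws when nothing, or more than one object, matches. The original
    # "[guid]$null.objectId.Guid" failed with an opaque conversion error inside
    # CreateACMAGroup for a miss, and for several matches read a property of
    # an array instead of a single object.
    if ([string]::IsNullOrWhiteSpace("$fsobjectid"))
    {
        throw "SearchACMAFSObject: empty fimServiceObjectID"
    }
    $dbQuery = New-AcmaQuery -AttributeName fimServiceObjectID -Operator Equals -Value $fsobjectid
    $found = @(Get-AcmaObjects -DBQuery $dbQuery | Where-Object { $null -ne $_ })
    if ($found.Count -eq 0)
    {
        throw "SearchACMAFSObject: no ACMA object has fimServiceObjectID '$fsobjectid'"
    }
    if ($found.Count -gt 1)
    {
        throw "SearchACMAFSObject: fimServiceObjectID '$fsobjectid' matches $($found.Count) ACMA objects"
    }
    return ([guid]$found[0].objectId.Guid)
}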
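Function CreateACMAGroup($fsObjectID, $username, $idmExpiryDate, $samaccountname, $unixgid, $addn, $orgUnitFSObjectID, $ownerFSObjectID, $idmPreferredName, $idmSn, $adupn)
{
    # Create the ACMA 'account' object that mirrors a freshly created FIM
    # Service Person and append its ACMA ObjectID to $Global:acmaObjectsList
    # for SyncMIMObjects. (Despite the name, this creates an account, not a
    # group.)
    #
    # Reads the script-wide $UserType set per CSV row by MigrateADUsers. An
    # unknown $UserType is rejected before anything is written; the original
    # only noticed it after Connect-AcmaEngine and Add-AcmaObject had run.
    # SearchACMAFSObject throws if the org unit or owner has no ACMA
    # counterpart; that is allowed to propagate rather than saving an account
    # with dangling references.
    $acctType = switch ($UserType)
    {
        'service'          { 'service' }
        'custom'           { 'custom' }
        'external'         { 'external' }
        'test'             { 'test' }
        'external-student' { 'external-student' }
        default            { $null }
    }
    if (-not $acctType)
    {
        Write-Warning "Account Type not found for $username .. Not migrating"
        return
    }

    # $username originates from the CSV 'Name' column. Strip path separators
    # and other characters that are invalid in a file name so the per-account
    # log cannot be redirected outside the Logs directory.
    $safeName = "$username" -replace '[\\/:*?"<>|]', '_'
    if ([string]::IsNullOrWhiteSpace($safeName)) { $safeName = 'unknown' }
    Connect-AcmaEngine Lithnet.acma localhost D:\madata\acma\acma-prod.acmax "D:\MAData\acma\Logs\Add-ACMAAccount-$safeName.log" Debug

    $acmaaccount = Add-AcmaObject -ObjectClass account
    $acmaaccount.fimServiceObjectID = [guid]$fsObjectID
    $acmaaccount.displayName = $username
    $acmaaccount.idmPreferredName = $idmPreferredName
    # Surname fallback chain mirrors CreateFIMServiceUser: surname, then
    # preferred name, then the display name.
    if ($idmSn) { $acmaaccount.idmSn = $idmSn }
    elseif ($idmPreferredName) { $acmaaccount.idmSn = $idmPreferredName }
    else { $acmaaccount.idmSn = $username }
    $acmaaccount.accountName = $samaccountname
    $acmaaccount.userPrincipalName = $adupn
    if ($null -ne $idmExpiryDate)
    {
        $acmaaccount.idmExpiryDate = $idmExpiryDate.ToUniversalTime()
    }
    $acmaaccount.idmOrganizationalUnit = SearchACMAFSObject $orgUnitFSObjectID
    $acmaaccount.owner = SearchACMAFSObject $ownerFSObjectID
    $acmaaccount.accountType = $acctType
    $acmaaccount.monashADDN = $addn
    if ($unixgid) { $acmaaccount.unixgid = $unixgid }
    try
    {
        Write-Host "Creating ACMA Object" -ForegroundColor Cyan
        Save-AcmaObject $acmaaccount
    }
    catch
    {
        Write-Warning ("Unable to create person in ACMA:" + $_.Exception.Message)
        return
    }
    # NOTE(review): the object is created with -ObjectClass account but read
    # back with -ObjectType person; confirm which class name the ACMA schema
    # uses. If the read-back finds nothing, the account has been saved but
    # would never be synced, so that case is reported instead of silently
    # appending $null to the list as the original did.
    $acmaObject = Get-AcmaObject -ObjectType person -AttributeName accountName -AttributeValue $samaccountname
    if (-not $acmaObject -or -not $acmaObject.ObjectID)
    {
        Write-Warning "ACMA object for $samaccountname was saved but could not be read back; it will not be synced"
        return
    }
    $Global:acmaObjectsList += ,$acmaObject.ObjectID
}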
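Function Resolve-FIMObjectClass($adObject)
{
    # Map an AD object's objectClass to the FIM Service object type that
    # CheckADObjectInFIM expects. Returns $null for anything other than a user
    # or group so callers can skip it; the original switch left $objClass
    # holding the value from the previous loop iteration in that case.
    switch ("$($adObject.ObjectClass)")
    {
        'user'  { return "Person" }
        'group' { return "Group" }
        default { return $null }
    }
}

Function Resolve-FIMOwnerIDs($ownerSamAccountNames)
{
    # Resolve the CSV 'Owners' entries (sAMAccountNames of users or groups) to
    # FIM Service ObjectIDs. Entries that are blank, absent from AD, not
    # stamped with monashobjectid, of an unmapped class, or missing from FIM
    # are skipped with a warning. Always returns an array (possibly empty).
    $ids = @()
    foreach ($owner in @($ownerSamAccountNames))
    {
        if ([string]::IsNullOrWhiteSpace("$owner")) { continue }
        $adObj = Get-ADObject -Filter {sAMAccountName -eq $owner} -Properties monashobjectid
        if (-not $adObj)
        {
            Write-Warning "Owner not found in AD: $owner"
            continue
        }
        if (-not $adObj.monashobjectid)
        {
            Write-Warning "Owner of AD Group not in I@M System: $adObj and will loose its membership"
            continue
        }
        $objClass = Resolve-FIMObjectClass $adObj
        if (-not $objClass)
        {
            Write-Warning "Owner $owner has objectClass '$($adObj.ObjectClass)', which is not mapped to a FIM type; skipping"
            continue
        }
        try
        {
            $ids += ,(CheckADObjectInFIM $adObj.monashobjectid $objClass)
        }
        catch
        {
            Write-Warning ("Unable to retrive Owner: $adObj and will loose its membership" + $_.Exception.Message)
        }
    }
    return ,$ids
}

Function CreateFIMServiceUser
{
    # Create the FIM Service Person for the AD user $username (the script-wide
    # globals $username, $UserType, $UserOwners and $UserOrgUnit are set per
    # CSV row by MigrateADUsers), add it to the FIM groups matching the AD
    # user's memberOf, record its ObjectID in $Global:fimServiceObjectsList
    # and the AD DN in $Global:userADDN, then create the matching ACMA account.
    #
    # Changes from the original: bails out when the AD user does not exist;
    # never reuses a stale object class for owners/groups that are neither
    # user nor group; falls back to the PROD default owner when every listed
    # owner failed to resolve (the original then indexed an empty Owner list);
    # treats an org-unit lookup that returns nothing as "not found" (the
    # original only handled the throwing case and then assigned $null, and its
    # warning interpolated the undefined $OwningOrgUnit); refuses to continue
    # when the read-back by DisplayName is ambiguous, because DisplayName is
    # not unique and the wrong Person would otherwise be added to groups and
    # mirrored into ACMA; and passes the ACMA arguments by name.
    $isProd = ($env:USERDOMAIN -eq 'MONASH')

    $adUser = Get-ADUser -Filter {samaccountname -eq $username} -Properties *
    if (-not $adUser)
    {
        Write-Warning "User not found in AD: $username"
        return
    }
    $Global:userADDN += ,$adUser.DistinguishedName

    $FSUser = New-Resource -ObjectType Person
    $FSUser.activationDisabled = $true
    $FSUser.accountType = $UserType
    $FSUser.idmPreferredName = $adUser.GivenName
    # Surname fallback: surname, then given name, then the AD Name.
    if ($adUser.Surname) { $FSUser.idmSn = $adUser.Surname }
    elseif ($adUser.GivenName) { $FSUser.idmSn = $adUser.GivenName }
    else { $FSUser.idmSn = $adUser.Name }
    $FSUser.DisplayName = $adUser.Name
    $FSUser.Description = $adUser.Description
    # Service accounts never expire; everything else gets two years from now.
    if ($UserType -eq 'service')
    {
        $FSUser.idmExpiryDate = [dateTime]"9999-12-31"
    }
    else
    {
        $FSUser.idmExpiryDate = (Get-Date).AddDays(730).ToUniversalTime()
    }
    $FSUser.Domain = $env:USERDOMAIN

    # --- Owners -------------------------------------------------------------
    $ownerIDs = @()
    if ($UserOwners)
    {
        $ownerIDs = @(Resolve-FIMOwnerIDs $UserOwners)
    }
    if ($ownerIDs.Count -gt 0)
    {
        foreach ($ownerID in $ownerIDs)
        {
            $FSUser.Owner.Add($ownerID)
        }
        $FSUser.DisplayedOwner = $ownerIDs[0]
    }
    elseif ($isProd)
    {
        # Default value for FIM PROD (Unknown Owner role account).
        Write-Warning "Setting Unknown Owner Account as Owner in PROD"
        $FSUser.Owner.Add("<GUID OF THE DEFAULT OWNER>")
        $FSUser.DisplayedOwner = "<GUID OF THE DEFAULT OWNER>"
    }

    # --- Organizational unit ------------------------------------------------
    $orgUnitID = $null
    if ($UserOrgUnit)
    {
        try
        {
            $ou = Get-Resource -ObjectType organizationalUnit -AttributeName DisplayName -AttributeValue "$UserOrgUnit" -AttributesToGet ObjectID
            if ($ou -and $ou.ObjectID) { $orgUnitID = $ou.ObjectID.Value }
        }
        catch
        {
            Write-Warning ("Lookup of organizational unit '$UserOrgUnit' failed: " + $_.Exception.Message)
        }
        if (-not $orgUnitID)
        {
            Write-Warning "$UserOrgUnit not found in I@M.. Defaulting to IDS in PROD else will have OR9999 for other Env"
        }
    }
    elseif ($isProd)
    {
        Write-Warning "OrgUnit not given in CSV.. Defaulting to IDS as Owning Org Unit in PROD"
    }
    if ($orgUnitID)
    {
        $FSUser.idmOrganizationalUnit = $orgUnitID
    }
    elseif ($isProd)
    {
        $FSUser.idmOrganizationalUnit = "<GUID OF THE DEFAULT ORGUNIT>"
    }

    # --- Save and read back -------------------------------------------------
    try
    {
        Write-Host "Creating FIMSerivce Person:" $FSUser.DisplayName -ForegroundColor Cyan
        Save-Resource $FSUser
    }
    catch
    {
        Write-Warning ("Unable to create person in FIMService:" + $_.Exception.Message)
        return
    }
    # DisplayName is not a unique attribute. Insist on exactly one match so a
    # pre-existing Person with the same name is never mistaken for the one
    # just created.
    $matched = @(Get-Resource -ObjectType Person -AttributeName DisplayName -AttributeValue $FSUser.DisplayName | Where-Object { $null -ne $_ })
    if ($matched.Count -ne 1)
    {
        Write-Warning "Expected exactly one FIMService Person with DisplayName '$($FSUser.DisplayName)' after creation but found $($matched.Count); skipping group membership and ACMA creation for $username"
        return
    }
    $fimServiceObject = $matched[0]
    $Global:fimServiceObjectsList += ,$fimServiceObject.ObjectID

    # --- Group memberships --------------------------------------------------
    foreach ($member in @($adUser.MemberOf))
    {
        if (-not $member) { continue }
        try
        {
            # Get-ADObject by identity throws on a missing object; the original
            # let that abort the whole function mid-way.
            $adObj = Get-ADObject $member -Properties monashobjectid
        }
        catch
        {
            Write-Warning ("Unable to read memberOf group ${member}: " + $_.Exception.Message)
            continue
        }
        if (-not $adObj.monashobjectid)
        {
            Write-Warning ("memberOf AD Group not in I@M System:" + $adObj.Name)
            continue
        }
        $objClass = Resolve-FIMObjectClass $adObj
        if (-not $objClass)
        {
            Write-Warning "memberOf object $($adObj.Name) has objectClass '$($adObj.ObjectClass)', which is not mapped to a FIM type; skipping"
            continue
        }
        try
        {
            $parentgroupObjectID = CheckADObjectInFIM $adObj.monashobjectid $objClass
            $parentgroup = Get-Resource -ID $parentgroupObjectID -AttributesToGet ExplicitMember, DisplayName
            $parentgroup.ExplicitMember.Add($fimServiceObject.ObjectID.Value) | Out-Null
            Save-Resource $parentgroup
            Write-Host "Added person to its memberOf Group:" $parentgroup.DisplayName -ForegroundColor Cyan
        }
        catch
        {
            Write-Warning ("Unable to retrive memberOf Group: $adObj " + $_.Exception.Message)
        }
    }

    # --- ACMA mirror --------------------------------------------------------
    # Named arguments: the original passed eleven positional parenthesised
    # values, some without separating whitespace.
    $acmaArgs = @{
        fsObjectID        = $fimServiceObject.ObjectID
        username          = $fimServiceObject.DisplayName
        idmExpiryDate     = $fimServiceObject.idmExpiryDate
        samaccountname    = $adUser.SamAccountName
        unixgid           = $adUser.gidNumber
        addn              = $adUser.DistinguishedName
        orgUnitFSObjectID = $null
        ownerFSObjectID   = $null
        idmPreferredName  = $fimServiceObject.idmPreferredName
        idmSn             = $fimServiceObject.idmSn
        adupn             = $adUser.UserPrincipalName
    }
    if ($fimServiceObject.idmOrganizationalUnit) { $acmaArgs.orgUnitFSObjectID = $fimServiceObject.idmOrganizationalUnit.Value }
    if ($fimServiceObject.DisplayedOwner) { $acmaArgs.ownerFSObjectID = $fimServiceObject.DisplayedOwner.Value }
    CreateACMAGroup @acmaArgs
}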
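Function Sync-CSObjectList($maName, $dnList, $verb)
{
    # Run Sync-CSObject -Commit for every connector-space object in $dnList on
    # management agent $maName, one at a time. A failure on one object is
    # reported and the remaining objects are still processed; $verb is only
    # used in the progress line ("$verb N of M").
    $dns = @($dnList | Where-Object { $null -ne $_ })
    $done = 0
    foreach ($dn in $dns)
    {
        try
        {
            Get-CSObject -MA $maName -DN $dn | Sync-CSObject -Commit | Out-Null
        }
        catch
        {
            Write-Warning ("Unable to sync $maName object ${dn}: " + $_.Exception.Message)
        }
        $done++
        Write-Host "$verb $done of" $dns.Count
    }
}

Function SyncMIMObjects()
{
    # Push the objects created by this run through the MIM sync engine:
    #   1. delta import the FIMService MA and sync each new Person,
    #   2. delta import the ACMA MA and sync each new ACMA account,
    #   3. delta import the MonashAD MA and join each moved AD user,
    #   4. re-enable MRE provisioning and sync the ACMA objects again so they
    #      provision, then clear full-sync warnings.
    #
    # The lists are read as $Global:... on purpose: the functions that fill
    # them write $Global:, and a plain name here resolves to the empty
    # script-scope arrays initialised at the bottom of the file when this
    # runs as a .ps1.
    #
    # Provisioning is switched off for steps 1-3 and switched back on in a
    # finally block. The original re-enabled it only on the success path, so
    # one failed Sync-CSObject left the sync engine with MRE provisioning
    # disabled until someone noticed.
    $fimDNs  = @($Global:fimServiceObjectsList | ForEach-Object { $_.Value })
    $acmaDNs = @($Global:acmaObjectsList | ForEach-Object { $_.Guid })
    $adDNs   = @($Global:userADDN)

    Write-Host "Disabling MRE Provisioning" -ForegroundColor Cyan
    Set-MVProvisioningRulesExtension -Enabled $false
    try
    {
        write-host "Delta import FIMService MA" -ForegroundColor Cyan
        Start-ManagementAgent FIMService DI
        write-host "Sync group FIMService object" -ForegroundColor Cyan
        Sync-CSObjectList FIMService $fimDNs "Sycned"

        write-host "Delta import ACMA MA" -ForegroundColor Cyan
        Start-ManagementAgent ACMA DI
        write-host "Sync group ACMA Object" -ForegroundColor Cyan
        Sync-CSObjectList ACMA $acmaDNs "Sycned"

        write-host "Delta import MonashAD MA" -ForegroundColor Cyan
        Start-ManagementAgent MonashAD DI
        write-host "Joining AD Object" -ForegroundColor Cyan
        Sync-CSObjectList MonashAD $adDNs "Joined"
    }
    finally
    {
        Write-Host "Enabled MRE Provisioning" -ForegroundColor Cyan
        Set-MVProvisioningRulesExtension -Enabled $true
    }
    Write-Host "Doing Full Provision Cycle" -ForegroundColor Cyan
    Sync-CSObjectList ACMA $acmaDNs "Provisioned"
    write-host "Clearing Full Sync Warnings" -ForegroundColor Cyan
    Clear-FullSyncWarning
    Write-Host "DONE!!!" -ForegroundColor Cyan
}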
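Function CheckUserInAD
{
    # Gate for CreateFIMServiceUser: continue only when $username resolves to
    # exactly one AD user that is not yet stamped with monashobjectid.
    #
    # Get-ADUser -Filter returns nothing for a miss and does not throw, so the
    # original try/catch never fired and a missing user fell through to
    # "User Found in AD" and on into CreateFIMServiceUser.
    try
    {
        $adUser = @(Get-ADUser -Filter {samaccountname -eq $username} -Properties monashobjectid)
    }
    catch
    {
        Write-Warning -Message ("Unable to query AD for ${username}: " + $_.Exception.Message)
        return
    }
    if ($adUser.Count -eq 0 -or $null -eq $adUser[0])
    {
        Write-Warning -Message "User not found in AD: $username"
        return
    }
    if ($adUser.Count -gt 1)
    {
        Write-Warning -Message "More than one AD user matched ${username}; not migrating"
        return
    }
    if ($adUser[0].monashobjectid)
    {
        write-warning "User $username has a monashobjectid Might already exist in I@M.. Exiting"
        return
    }
    Write-Host "User Found in AD: $username" -ForegroundColor Cyan
    CreateFIMServiceUser
}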
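Function MoveADUsers
{
    # Move the AD user named by $username into the "IdM Managed Objects" OU
    # that corresponds to $UserType. Does nothing for an unknown type: the
    # original's 'break' only left the switch, after which Move-ADObject ran
    # with an empty target and the failure was reported generically.
    #
    # MigrateADUsers calls this before the FIM/ACMA objects are created, so a
    # user can sit in a managed OU even if the later steps fail; that
    # ordering is unchanged here.
    $ouByType = @{
        'service'          = 'OU=ServiceAccounts,OU=Accounts,OU=IdM Managed Objects,'
        'custom'           = 'OU=OtherAccounts,OU=Accounts,OU=IdM Managed Objects,'
        'external'         = 'OU=External,OU=Accounts,OU=IdM Managed Objects,'
        'test'             = 'OU=TestAccounts,OU=Accounts,OU=IdM Managed Objects,'
        'external-student' = 'OU=External,OU=Accounts,OU=IdM Managed Objects,'
    }
    # Hashtable literals compare keys case-insensitively, matching the
    # original switch; "$UserType" turns a null type into a harmless "".
    $typeKey = "$UserType"
    if (-not $ouByType.ContainsKey($typeKey))
    {
        Write-Warning "Group Type not found for $username .. Not migrating"
        return
    }
    try
    {
        $targetOU = $ouByType[$typeKey] + (Get-ADDomain).DistinguishedName
        $adUser = Get-ADUser -Filter {samaccountname -eq $username}
        if (-not $adUser)
        {
            Write-Warning "User not found in AD: $username"
            return
        }
        $currentDN = $adUser.DistinguishedName
        $ouIndex = $currentDN.IndexOf("OU=")
        # A user in a CN= container (e.g. CN=Users) has no "OU=" in its DN;
        # the original Substring(-1) threw there. Treat it as "not in target".
        $currentOU = if ($ouIndex -ge 0) { $currentDN.Substring($ouIndex) } else { '' }
        if ($currentOU -ne $targetOU)
        {
            Move-ADObject $currentDN -TargetPath $targetOU
            Write-Host "Moved $username to" $targetOU -ForegroundColor Yellow
        }
        else
        {
            Write-Host "$username already in" $targetOU -ForegroundColor Green
        }
    }
    catch
    {
        # The original passed '+' and the message as extra positional
        # arguments to Write-Error, which itself fails.
        Write-Error ("Unable to move Group: " + $_.Exception.Message)
        return
    }
}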
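Function Get-File($initialDirectory)
{
    # Show a Windows Forms "open file" dialog filtered to *.csv and return the
    # selected path, or $null if the user cancelled (the original returned an
    # empty string, which Import-Csv then failed on).
    # Add-Type replaces the deprecated Assembly.LoadWithPartialName.
    Add-Type -AssemblyName System.Windows.Forms
    $dialog = New-Object System.Windows.Forms.OpenFileDialog
    $dialog.InitialDirectory = $initialDirectory
    $dialog.Filter = "CSV (*.csv)| *.csv"
    $dialog.CheckFileExists = $true
    $dialog.Multiselect = $false
    if ($dialog.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK)
    {
        return $null
    }
    return $dialog.FileName
}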
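function MigrateADUsers
{
    # Drive a migration run from a CSV with columns Name, Type, OrgUnit and
    # Owners (';'-separated). For each row: move the AD user into the managed
    # OU for its Type, create the FIM Service Person and ACMA account, then
    # run SyncMIMObjects once for everything created.
    #
    # The CSV is operator-supplied and trusted: its content decides which AD
    # users are moved where and who is recorded as their owner, so keep it
    # access-controlled and review it before running.
    $ServiceStatus = (Get-Service miisautosync).Status
    if ($ServiceStatus -ne "Stopped")
    {
        Write-Warning "Autosync still running. Make sure Autosync is stopped and no MA are running any profiles"
        # 'return', not 'exit': exit terminates the hosting session and skips
        # the script's Stop-Transcript.
        return
    }
    $inputFile = Get-File
    if (-not $inputFile -or -not (Test-Path -LiteralPath $inputFile))
    {
        Write-Warning "No input CSV selected; nothing to do"
        return
    }
    $users = @(Import-Csv -LiteralPath $inputFile)
    $leaf = Split-Path $inputFile -Leaf
    Start-Transcript -Path "D:\ADUserMigration-$leaf.log" -Append
    foreach ($item in $users)
    {
        # A missing column yields $null; "$()" keeps Trim/Split from throwing.
        $Global:username = "$($item.Name)".Trim()
        $Global:UserType = "$($item.Type)".Trim()
        $Global:UserOrgUnit = "$($item.OrgUnit)".Trim()
        # Drop blank entries so an empty Owners cell does not become @('')
        # and trigger an AD lookup for an empty sAMAccountName.
        $Global:UserOwners = @("$($item.Owners)".Split(";") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (-not $username)
        {
            Write-Warning "CSV row is missing Name.. Not Migrating"
            continue
        }
        if (-not $UserType)
        {
            Write-Warning "Group $username is missing Type in CSV.. Not Migrating"
            continue
        }
        try
        {
            MoveADUsers
            CheckUserInAD
        }
        catch
        {
            # Include the reason; the original only said an error occurred.
            write-host "An error occurred with ${username}: $($_.Exception.Message)"
        }
    }
    # Read the global explicitly: a plain name resolves to the empty
    # script-scope array initialised at the bottom of the file when run as a
    # .ps1, and SyncMIMObjects would then never run.
    if ($Global:fimServiceObjectsList)
    {
        SyncMIMObjects
    }
}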
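# Per-run accumulators, filled by CreateFIMServiceUser / CreateACMAGroup and
# consumed by SyncMIMObjects. They are declared with $Global: to match the
# writers: when this file runs as a .ps1, a plain "$x = @()" here creates a
# script-scoped variable that shadows the global one the functions append to,
# so readers using the bare name would always see an empty list.
$Global:acmaObjectsList = @()
$Global:fimServiceObjectsList = @()
$Global:userADDN = @()
try
{
    Measure-Command { MigrateADUsers }
}
finally
{
    # Stop-Transcript throws when no transcript was started (MigrateADUsers
    # returns early if autosync is running or no CSV was chosen); that is not
    # an error worth surfacing here.
    try { Stop-Transcript | Out-Null } catch { }
}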