MPS Import::EnableUserForHosting
This procedure ensures that a user is secured and configured for
hosting. It prepares the user for hosting by doing the following:
- Renaming the user to comply with the UPN = commonName convention.
- Preserving the existing sAMAccountName.
- Setting the group memberships.
- Setting the security ACLs on the object.
Prerequisites
The user must be located in an OU container that is compliant
with the hosting prescription. If the OU was created or processed
with any of the following, then it is valid:
- Managed Active Directory::CreateOrganization.
- HostedExchange::CreateBusinessOrganization.
- Hosted Messaging and Collaboration::CreateOrganization.
- MPS Import::ImportOrganization.
- MPS Import::EnableOrganizationForHosting.
Security
Impersonate caller.
Required Input
- <path> - The Lightweight Directory Access Protocol (LDAP) path of the user.
- <preferredDomainController>
- <userPrincipalName> (optional) - The new UPN for the user, which will
also become the user's common name. If not supplied, the existing
userPrincipalName is used.
- <sAMAccountName> (optional) - If not provided, the procedure uses the
existing user's sAMAccountName.
sAMAccountName behavior
When creating a user, it is also necessary to ensure that the new user's
sAMAccountName is unique within the domain. If it is not, creation will
fail.
The procedure will attempt to create the object with the provided
sAMAccountName. If this value is not unique in the
Also, interactions with Exchange make it undesirable for the '@'
character to appear in a sAMAccountName. Therefore, when creating
or renaming a user or group, the sAMAccountName will be similar to
the input name (or Universal principal name), except that illegal
sAMAccountName characters are removed, and '@' characters are
replaced with '_'. If the sAMAccountName collides with an existing
sAMAccountName, then a random string of digits will be appended to
the sAMAccountName to ensure uniqueness.
The algorithm for generating a sAMAccountName from the seed name
(Universal Principal Name for a user, or cn if the object is a group)
is as follows:
1. Remove all of the following illegal characters from the seed name:
"/\[]:|<>+=;?,*
2. Trim the seed name to a maximum of 20 characters.
3. If the last character is a '.', replace it with '_'.
4. Attempt to create the object with the trial sAMAccountName.
5. If there is a sAMAccountName collision in step 4, generate 3 trial
names by limiting the seed name to 17 characters and appending a random
3-digit number to each. Generate 2 additional trial names by limiting
the seed name to 15 characters and appending a random 5-digit number to
each. Attempt to create the object using each of these 5 trial names in
turn.
- <customerTypeName> (optional) - If not provided, the procedure uses
the default customer type BusinessUser. Allowed input is:
- BusinessUser: standard security model for a hosted user, appropriate
for most types of SMB users, including Hosted Exchange.
- ConsumerUser: special security model for Hosted Exchange e-mail
consumer users. The primary difference is that these users are not
added to the OU security groups.
- <policyName> (optional) - If not provided, the procedure queries the
user's organization root to determine the type of customer (hosting,
reseller, customer) and applies the appropriate policy name. This
behavior can be overridden by providing this parameter. Allowed values
are:
- Hosting.
- Reseller.
- Customer.
- default - not recommended, as this applies no security setting
beyond what is inherited from the parent.
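The sAMAccountName derivation described under <sAMAccountName> above, carried through as an added Python example (not MPS code). The `exists` callback and the function names are hypothetical stand-ins for the directory's create attempt, and the sample seed and taken-name set are constructed.

```python
import random
from typing import Callable, Iterator, Optional

# Characters the page lists as illegal in a sAMAccountName. '@' is not in
# this set because it is replaced with '_' rather than removed.
ILLEGAL_SAM_CHARS = set('"/\\[]:|<>+=;?,*')


def clean_seed(seed: str) -> str:
    """Step 1: replace '@' with '_' and strip the illegal characters."""
    return "".join("_" if ch == "@" else ch
                   for ch in seed if ch not in ILLEGAL_SAM_CHARS)


def trial_names(seed: str, rng: random.Random) -> Iterator[str]:
    """Yield trial sAMAccountNames in the order the procedure tries them."""
    cleaned = clean_seed(seed)
    first = cleaned[:20]                 # step 2: at most 20 characters
    if first.endswith("."):              # step 3: a trailing '.' becomes '_'
        first = first[:-1] + "_"
    yield first                          # step 4: the plain trial name
    # Step 5 fallbacks: 3 x (17 chars + 3 digits), then 2 x (15 chars + 5 digits).
    # The digits always follow the prefix, so no fallback can end in '.'.
    for _ in range(3):
        yield cleaned[:17] + f"{rng.randrange(1000):03d}"
    for _ in range(2):
        yield cleaned[:15] + f"{rng.randrange(100000):05d}"


def choose_sam_account_name(seed: str, exists: Callable[[str], bool],
                            rng: Optional[random.Random] = None) -> str:
    """Return the first trial name that `exists` reports as free.

    `exists(name) -> bool` is a hypothetical stand-in for the directory's
    create attempt (a real deployment would check the domain). Raises when
    the plain name and all five fallbacks collide, mirroring a failed create.
    """
    rng = rng or random.Random()
    for name in trial_names(seed, rng):
        if not exists(name):
            return name
    raise ValueError(f"no unique sAMAccountName found for seed {seed!r}")


if __name__ == "__main__":
    # Constructed sample: the plain derivation is already taken in the domain.
    taken = {"jimc_alpineskihouse_"}
    print(choose_sam_account_name("jimc@alpineskihouse.com", taken.__contains__))
```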
Procedure Steps
- Managed Active Directory::GetThisOrganizationRoot - gets the root
organization for the user being enabled.
- Managed Hosting::GetOrgType - retrieves the OWK for the organization
type (e.g. hosting, reseller, customer, or default). This is used to
set the policyName if one is not provided by the caller.
- Managed Active Directory::EnableUser - user object is renamed
to match.
- Managed Active Directory::RenameUser - user object is renamed
to match standard of UPN = commonName.
- Managed Active Directory::GetPolicy - get the policy structure
for the user.
- Managed Active Directory::SetGroupMemberships_ (conditional) - if
customerTypeName = BusinessUser.
- Managed Active Directory::RemoveAllAuthenticatedUsersACEs_.
Typical Usage
<request>
  <procedure>
    <execute namespace="MPS Import" procedure="EnableUserForHosting" impersonate="1">
      <executeData>
        <path>LDAP://CN=jimc,OU=alpineskihouse,OU=consolidatedmessenger,OU=Hosting,DC=fabrikam,DC=Com</path>
        <userPrincipalName>jimc@alpineskihouse.com</userPrincipalName>
        <customerTypeName>BusinessUser</customerTypeName>
        <preferredDomainController>AD01.fabrikam.Com</preferredDomainController>
      </executeData>
      <after source="executeData" sourcePath="user" destination="data"/>
    </execute>
  </procedure>
</request>
Typical Response
Shown for format only; content may vary.
<response>
  <data>
    <path>LDAP://CN=user@MPSImportOrg01.com,OU=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=Com</path>
    <userPrincipalName>user@MPSImportOrg01.com</userPrincipalName>
    <preferredDomainController>AD01-Wh.fabrikam.Com</preferredDomainController>
    <policyName>customer</policyName>
    <user path="LDAP://cn=user@MPSImportOrg01.com,OU=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com" name="user@MPSImportOrg01.com">
      <memberOfGroup name="LDAP://cn=AllUsers@MPSImportOrg01,cn=_Private,OU=MPSImportOrg01,OU=MPSImportRes01,OU=Hosting,DC=fabrikam,DC=com"/>
    </user>
  </data>
</response>