Controlling Active Directory permitted work time from MIM

Hello everyone.

Today I want to announce a small GitHub project for a MIM workflow activity that allows taking control over Active Directory logonhours attribute and moving it to MIM.

LogonHoursActivity takes Allowed Logon Time value from a WorkflowData parameter (this value should be in a specific format), parse it, and converts it into a binary. The resulting binary value could be passed to Active Directory as is. Important point here is that during the conversion the activity honors person’s time zone as well.

Implementation path:

  1. Download/compile LogonHoursActivity and add it to your MIM installation.
  2. Add several attributes (AllowedLogonTime(string), PermittedWorkHoursTemplate(string), ADLogonHours(binary)) and bind them to Person resource type.
  3. Add a couple of workflows and MPRs.
  4. Set AllowedLogonTime attribute for your keeping in mind special syntax (example of a valid value: Mo:8:20|Tue:7:23|We:8:20|Th:0:24|Fri:8:20|Sa:-|Su:-)
  5. In addition, you can use an optional attribute (like PermittedWorkHoursTemplate) to allow assignment of some pre-defined logon hours through selecting from a drop-down list. This will allow you to simplify the logon hours management process.

The resulting Person’s form example:

The main workflow “Calculate Logon Hours” will look like the following (it’s simplified here – in real cases you would need to take care about possible empty values for TimeZone etc.):

  1. Prepare parameters
  2. Run AD logonhours calculation (here’s the LogonHoursActivity placed)
  3. Store logon hours to a MIM binary attributes for further transferring it to Active Directory through outbound synchronization

 

You can download and evaluate MIMLogonHoursActivity from here:
https://github.com/secpfe/MIMLogonHoursActivity

Leave a Reply

Your email address will not be published. Required fields are marked *