How to update Active Directory user attributes from Dynamics AX 2012 R2 HRM tables

(0) Share

Report

Posted on by Community Member

Hi,

We have to implement an automatic workflow process in Dynamics AX 2012 R2 HRM such in a way that for example:

1. when a worker is retired in HRM then the user account is automatically disabled/removed in the Active Directory

2. when a worker is promoted or moved to another department, the position title or the new department is automatically updated in the corresponding user attributes in AD

I have been looking into the identity manager to connect SQL with AD but seems to me that it is not the right approach.

Any ideas,

Thanks,

Carlos Gabriel Lopez

*This post is locked for comments

I have the same question (0)

All responses (7)

Answers (0)

Community Member on at

Like (0)

Report

There is a solution called Adaxes that we are using and it seems to do exactly what you are asking for. So it can automatically trigger to remove users from AD and trigger in once user is updated to modify everything in AD according to predefined rules http://www.adaxes.com/active-directory_provisioning.htm

I'm pretty sure you can integrate something like this into your environment.

Was this reply helpful? Yes No
Brandon Wiese 17,788 on at

Like (0)

Report

I once did a customization that integrated contacts within AX as contact objects within AD, so that they would be available to Outlook using the LDAP provider. What you want to do is very close to that. If you're interested in doing your own customization, I could provide some sample code that would show you how to do individual tasks in AD. My approach was "inline" meaning that in the insert() and update() statements on the ContactPerson table, but a "batch" approach that runs once a day or whatever would work also.

Was this reply helpful? Yes No
Suggested answer

nunomaia 25 Moderator on at

Like (0)

Report

Hi,

You can query / edit objects using .NET, for example in C# to disable a user in AD, you could use

PrincipalContext principalContext = new PrincipalContext(ContextType.Domain);
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, "username");
userPrincipal.Enabled = false;
userPrincipal.Save();

You can add an event in employee data to synchronize settings.

Please, take into consideration that this can be risky, because you need to elevate securities settings of the AOS services account to write into AD.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Simply disabling users in AD is generally not recommended. Especially if it's done automatically and no supervision or approval is implemented for that. If there are other systems and accounts associated with the user in AD, access could be retained even after employee leaves. And we all know what a disaster this can cause.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Thank you. Your recommended solution looks very comprehensive for AD automation. I will see if through its task scheduler and scripting engine it could for instance read the worker status (past worker) and changes directly from HRM SQL tables. Other way I think of might be triggering SQL record downloads into CSV files that could be read from this tool. Also agree with you that fully automated 'behind'the scenes' solutions could be risky.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Thank you Brandon, your sample code will be very useful to me.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Thank you Nuno, actually I thought of implementing something like that but prefer a more secure option.

Was this reply helpful? Yes No