Monday, April 16, 2007

TIM 4.6 AD Adapter

I've spent some time with the TIM AD Adapter this weekend. It's pretty easy to setup and get users provisioned with when you want some simple functionality. However, I'm having a problem in a few areas. Some of the AD attributes such as 'Group' and 'Primary Group' appear to be search types in TIM. So if you were provisioning someone manually from TIM to have an AD account, you would click on the search button on the AD account form and choose the Primary Group as well as any other groups you want the user to belong to. My problem is that when I try to set these in the Advanced Parameters section of the entitlement form, I always get warnings when the users are provisioned that these attributes cannot be set. The AD installation guide gives no clues as to how these attributes should best be set from TIM.

The other thing I haven't figured out is setting the person's Home directory. There are a couple ways to do this. On the user profile tab in the Active Directory Users and Computers UI you can choose a static Home directory. Something like c:\users\cahart. So in my TIM provisioning policy on the advanced parameter list I place a c:\users\%username% for the Home directory, this works fine. However if I want to use a UNC instead there are different attrs to set. One for the drive letter you wish to map and one for the UNC path of the share. So on my ad server (ad1) I create a share called users. In my AD user profile it might look like \\ad1\users\cahart and the drive letter mapped would be H:. When I try to set these attributes in TIM they do not get set at all when the user is created in AD. I don't get any errors, but the attributes in the user profile just end up blank.

In the TIM AD Adapter there are some registry options you can set to TRUE. I've set 3 or 4 of these and so far I haven't seen any difference. As I work with this some more I'll follow up this post.


Anonymous said...


We've been doing some similar work and found your blog quite useful. We were wondering if you could help us out with some problems we're facing.

We installed the AD adapter and tried creating a user in AD thru TIM. The user got created, but some attributes could not be set, mainly, "Allow Logon".
Any suggestions?
We're running the adapter on a Windows 2003 server machine.
And we haven't made any changes to the Provisioning policy Advaced Parameters except setting "Allow Logon" to be TRUE.

Thanks and Regards
Arjun Ramakrishnan

Charles Ahart said...

I've seen this before. You have to enable processing of Windows Terminal Services attributes. See my latest post.

Anonymous said...

hello Charles

I am new to ITIM and still have a lot of troubles with it :).

Could you please advice how to check whether AD Adapter works correctly? From ITIM service configuration page, test button always says "Test Successful".

And could you please explain how Adapter resolves what directory server (IP address) it has to connect to?

I have installed adapter, but I can't import any users. And log files don't show anything.


FAli said...

Hello Dear!

i am doing the same thing and getting the following error;

Unable to set some attributes. Some attributes were not modified: Password

any help

FAli said...

hello charles!

did you tried the UNC Home directory thing?

i have enabled the registry settings.

it goes into ad.
shows up in ad.

but the directory isnt created.


Anonymous said...

Companies House Webcheck
Webcheck Companies House
Company House Webcheck
Companies House Webcheck Service

[url=]companies house webcheck[/url]

Anonymous said...