Design approach for Creating Home Directory in AD through SailPoint ISC

Problem

A home directory cannot be created on the file share purely through the configuration of the AD source. Something has to run after the AD account is created to create the folder and set its permissions.

Diagnosis

The out-of-the-box (OOTB) AD connector writes the homeDrive and homeDirectory attributes on the account, but it does not create the folder itself. Hence we need a Connector Rule plus a PowerShell script, run on the IQService host, to create the home directory after the account exists.

Solution

Introduction

In Identity Governance, AD provisioning is part of almost every enterprise deployment. In some enterprises, provisioning a user to AD must also create the user's home directory in the home drive location. This section gives some insight and a high-level design for achieving that with SailPoint ISC.

Flow Diagram

Algorithm Steps

The steps below outline the logic for creating the home directory after AD provisioning.

Pre-Requisites

  1. Know the organization's policy for creating home directories in the home drive location (naming convention, share root, and who gets which permissions).

  2. Connectivity to AD is established.

  3. IQService is installed and running on a Windows host that can reach both AD and the file share.

  4. The AD source is integrated with SailPoint ISC through that IQService.

Development

  1. Add two attributes to the Create Profile of the AD source:
  • a. homeDrive: the drive letter (for example H:) that Windows maps to the user's home directory at logon.

  • b. homeDirectory: the full path of the folder to be created on the home drive location, following the organization's naming policy (use a UNC path such as \\fileserver\home$\<sAMAccountName>, since the script will run in a service session where mapped drive letters do not exist).

  2. Create an AD After Create Connector Rule that:
  • a. takes the sAMAccountName from the Provisioning Plan of the account-creation request;

  • b. also takes the home directory path (the homeDirectory attribute) from the same Provisioning Plan.

  3. From the After Create Connector Rule, call a PowerShell script on the IQService host that creates the home directory in the home drive location and grants the user the proper permissions on it.

Key Technical Considerations for the Article

  1. The corporate policy for home directory creation must be known to you before you build anything.

  2. If the home directory naming policy is complex, compute the path in the Create Profile (Create Policy) of the AD source rather than in the Connector Rule or the PowerShell script. The script should only create and secure the folder whose path is already in the plan.
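The script that the After Create Connector Rule launches on the IQService host, written as an added example (it is not code from the original post or from SailPoint). It follows SailPoint's documented IQService script convention of reading the account request as XML from the Request environment variable and parsing it with Utils.dll; the Utils.dll path, the log path, the NetBIOS domain name and the share root are assumptions, as are the attribute names sAMAccountName, homeDirectory and homeDrive being present in the plan. Beyond the steps above it also checks that the path stays under the expected share root and retries the ACL change, because the SID of a just-created account is often not yet resolvable on the file server.

```powershell
# Added example, not from the original article or from SailPoint.
# Launched by the AD After Create Connector Rule through IQService; runs under the
# IQService service account, so that account needs create/ACL rights on the share.
$ErrorActionPreference = 'Stop'

$UtilsDll  = 'C:\IQService\Utils.dll'                # assumption: IQService install dir
$LogFile   = 'C:\IQService\logs\HomeDirectory.log'   # assumption
$Domain    = 'CORP'                                  # assumption: NetBIOS domain name
$ShareRoot = '\\fileserver\home$'                    # assumption: home drive location (UNC)

function Write-Log {
    param([string]$Message)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Add-Content -Path $LogFile -Value ('{0:u} [{1}] {2}' -f (Get-Date), $who, $Message)
}

try {
    Write-Log 'After-create script started'

    # Parse the AccountRequest that IQService passes in $env:Request (SailPoint's
    # documented pattern for IQService scripts).
    Add-Type -Path $UtilsDll
    $sReader   = New-Object System.IO.StringReader([string]$env:Request)
    $xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader))
    $request   = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)

    # Collect the attribute requests of the plan into a name -> value table.
    $attrs = @{}
    foreach ($ar in $request.AttributeRequests) { $attrs[$ar.Name] = $ar.Value }
    $sam     = [string]$attrs['sAMAccountName']
    $homeDir = [string]$attrs['homeDirectory']
    $homeDrv = [string]$attrs['homeDrive']

    if (-not $sam -or -not $homeDir) {
        throw 'sAMAccountName or homeDirectory missing from the provisioning plan'
    }
    # Refuse anything that is not a clean account name or that escapes the share root:
    # a mistake in the Create Profile must not create or re-ACL a folder elsewhere.
    if ($sam -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected sAMAccountName '$sam'" }
    $full = [System.IO.Path]::GetFullPath($homeDir)
    if (-not $full.StartsWith($ShareRoot + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "homeDirectory '$homeDir' is not under $ShareRoot (mapped drive letters are not usable here)"
    }

    Write-Log "Creating $full for $Domain\$sam (homeDrive '$homeDrv')"
    if (-not (Test-Path -LiteralPath $full)) {
        New-Item -ItemType Directory -Path $full | Out-Null
    }

    # Grant the user Modify on the folder and everything below it; inherited
    # administrator/SYSTEM entries from the share root are kept.
    $account = New-Object System.Security.Principal.NTAccount("$Domain\$sam")
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $maxAttempts = 5
    for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
        try {
            $acl = Get-Acl -LiteralPath $full
            $acl.SetAccessRule($rule)       # translates the account to a SID here
            Set-Acl -LiteralPath $full -AclObject $acl
            break
        }
        catch {
            $ex = $_.Exception
            $notMapped = ($ex -is [System.Security.Principal.IdentityNotMappedException]) -or
                         ($ex.InnerException -is [System.Security.Principal.IdentityNotMappedException])
            if (-not $notMapped -or $attempt -eq $maxAttempts) { throw }
            # The new account's SID has not replicated to the DC the file server uses yet.
            Write-Log "Attempt ${attempt}: $Domain\$sam not resolvable yet, retrying"
            Start-Sleep -Seconds (5 * $attempt)
        }
    }

    Write-Log "Done: $full"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The script deliberately does not write homeDrive or homeDirectory back to the account; the Create Profile already sets those attributes, and the script only creates and secures the folder named in the plan. Every step logs the identity it runs under, which is the first thing to look at when the script works interactively but not when launched by IQService.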


We have experienced a similar case. Because I have an after create script inside AD anyways (for another case), I am using it to also create the directory, set the permissions, and set the user attributes with the relevant information.

Hello @rohit_wekhande @othornewill,

I am currently trying to implement the above case within a customer context.

The After Create Connector Rule executes correctly and triggers the PS script that is hosted on the IQService machine to create the directory, set the permissions etc.

When simulating locally on the IQService machine, logged in with the AD service account, I can manually trigger the script and it effectively works, so I would not consider it a permission issue.

However, when it is automated through SailPoint and the rule, the script does not run through to the end and cannot create the directory, even though I have traces that it enters the script itself.

Has any of you come across such an issue, or could you advise and, ideally, provide a working anonymized script to compare with mine?

Thanks a ton !

Can you share your rule script to analyze?

Hello,

The Connector Rule of AD calls the PowerShell script in the IQService user context. Hence, you need to make sure that the service account which you are using for creating the HOME DIRECTORY has the required permissions to create the home directory on the respective drive.

Regards,

Rohit Wekhande.
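A diagnostic script for the situation discussed in this thread (works when run by hand, fails when launched by IQService), added here as an example and not code posted by either participant. It records which Windows identity the IQService-launched PowerShell session actually runs as, whether the Request environment variable was delivered, whether any mapped drives exist in that session, and whether that identity can create and delete a folder under the share root. The log path and share root are assumptions; point the Connector Rule at this script temporarily and read the log.

```powershell
# Added diagnostic example; not from the thread. Launch it from the After Create
# Connector Rule exactly as you launch the real script, then read the log file.
$LogFile   = 'C:\IQService\logs\HomeDirectory-diag.log'   # assumption
$ShareRoot = '\\fileserver\home$'                         # assumption: home drive location

function Get-SessionReport {
    # Returns the report lines so they can be logged or inspected interactively.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }
    $mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot }

    $lines = @(
        ('Time               : {0:u}' -f (Get-Date))
        "Identity           : $($id.Name) (IsSystem=$($id.IsSystem))"
        "Groups             : $($groups -join ', ')"
        "Request env present: $([bool]$env:Request)"
        "PowerShell         : $($PSVersionTable.PSVersion), 64-bit=$([Environment]::Is64BitProcess)"
        "ExecutionPolicy    : $(Get-ExecutionPolicy)"
        "Mapped drives      : $(if ($mapped) { ($mapped.Name -join ', ') } else { 'none (expected in a service session)' })"
        "Share root exists  : $(Test-Path -LiteralPath $ShareRoot)"
    )

    # The real test: can this identity create and remove a folder under the share root?
    $probe = Join-Path $ShareRoot ('iqs-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $lines += 'Create/delete test : OK'
    }
    catch {
        $lines += "Create/delete test : FAILED - $($_.Exception.Message)"
    }
    return $lines
}

Get-SessionReport | Add-Content -Path $LogFile
```

If the logged identity is not the source's service account (for example the IQService runs as Local System or as a different local account), the interactive test with the service account proves nothing about the automated run; the same holds if the create/delete probe fails while the identity looks right, which points at share or NTFS permissions on the root rather than at the script.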

Hello Rohit,

In fact, we tried to impersonate the service account used in the source, and we can execute the script to create the drive folder.

It is, when the script is executed from the IQService, using that service account, that the creation of the folder is not fulfilled.

If you have a working solution with specific commands, I would be open to check it on my end and compare with what has been developed at the customer level.

Hello,

Yes, I will go back to my repository and provide you the exact commands that I used.

Regards,

Rohit Wekhande.