Problem
Creating the Home Directory at the home drive location is not possible through the AD source configuration alone. We have to go beyond the configuration to create the Home Directory after the AD account has been created.
Diagnosis
The out-of-the-box (OOTB) AD connector cannot do this on its own. Hence, we have to create a couple of PowerShell scripts to perform the home directory creation.
Solution
Introduction
In the world of Identity Governance, we deal with AD provisioning for most enterprises around the world. For some enterprises, along with AD provisioning, we must also create Home Directories for the users at their Home Drive locations while provisioning users to AD. This section provides some insights and a high-level design on how to achieve it.
Flow Diagram
Algorithm Steps
The logic for enabling Home Directory creation after AD provisioning is as follows.
Pre-Requisites
- As a pre-requisite, make sure you know the organization's policy for creating home directories in the Home Drive location.
- Connectivity with AD is established.
- IQService is up and running.
- The AD source is integrated with SailPoint ISC.
Development
- Create 2 new attributes in the AD Create Profile, named as below:
  a. homeDrive
  b. homeDirectory
- The Home Drive is the drive name where the folder must be created.
- The Home Directory is the exact folder path with which the directory must be created in the Home Drive.
- Create an AD After Create Connector Rule which performs the following steps:
  a. It takes the SamAccountName as input from the Provisioning Plan of the account creation.
  b. The Home Directory path is also taken as input from the Provisioning Plan of the account creation.
- From the AD After Create Connector Rule, call the PowerShell script which creates the Home Directory in the Home Drive and gives it proper permissions.
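An added example of the PowerShell script the After Create Connector Rule would hand the two plan values to (not from the original article or the SailPoint connector). The parameter names, the approved-root check and the NetBIOS domain name are assumptions; adapt them to your corporate policy.

```powershell
# Added example: create a user's home folder and grant least-privilege permissions.
# Parameter names, the root check and the domain name are assumptions.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # from the Provisioning Plan
    [Parameter(Mandatory)] [string] $HomeDirectory,   # from the Provisioning Plan, e.g. \\fileserver\home$\jdoe
    [Parameter(Mandatory)] [string] $HomeRoot,        # assumed: approved root, e.g. \\fileserver\home$
    [Parameter(Mandatory)] [string] $DomainNetbios    # assumed: e.g. CORP
)

$ErrorActionPreference = 'Stop'

# Guard: the path that arrived through the plan must resolve under the approved
# home root, so a malformed attribute cannot create a folder elsewhere on the server.
$fullPath = [System.IO.Path]::GetFullPath($HomeDirectory)
$rootPath = [System.IO.Path]::GetFullPath($HomeRoot).TrimEnd('\') + '\'
if (-not $fullPath.StartsWith($rootPath, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Home directory '$HomeDirectory' is outside the approved root '$HomeRoot'"
}

# Create the folder only when missing, so a retried provisioning is idempotent.
if (-not (Test-Path -LiteralPath $fullPath)) {
    New-Item -ItemType Directory -Path $fullPath | Out-Null
}

# Build the ACL: break inheritance and keep only the user, Administrators and SYSTEM.
$acl = Get-Acl -LiteralPath $fullPath
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    @{ Id = "$DomainNetbios\$SamAccountName"; Rights = 'Modify' },      # user: read/write, cannot change ACL
    @{ Id = 'BUILTIN\Administrators';         Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';            Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id, $r.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $fullPath -AclObject $acl

Write-Output "Home directory ready: $fullPath"
```

The account under which IQService runs needs permission to create folders and change ACLs on the home share; grant it on that share only, not server-wide.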
Key Technical Considerations for the Article
- The corporate policy for Home Directory creation is known to you.
- If you have a complex Home Directory creation policy, make sure you implement that dynamic logic inside the Create Policy of the AD source rather than in the Connector Rule or the PowerShell script.
