R0lGODlhYgBPANU/AHl3bvjOkVBQTgAAAP///5WTiOXl5fbVpB4eHtnZy9e1is/LtvXryj08Nvjz27m1pNjY2I2JfcbJwnplS7e7tbKSba6olIJwVrrDuCgoJ6eqollMOfLu1Ky2rPT09Lmfcsuwez03KGpaRffguezo0efizKm+tuTdxA4NDJmcly4oHpp/X+TEmKGekPT17KO2rjMuI01AL66trfn5+dDRyu7u7r/OxaClnuTBg+3t52RjX7+/vhkYFzAwLUBAQP///yH5BAEAAD8ALAAAAABiAE8AAAb/wJ9wSCwaj8ikcpk07CI6Xy/jEwA0EA9zy+16txBAZjDgZRpSBGqAElC+8LjcWAMgBpkrzeCZGSAUET5kAhJzh4hLND1lKQYEkJGSNTuDPDeJmZoSdzo1kqCgMylrKZqnchAZKAWhrqASPAMyqLVcBIMRoJQ3EQAAERoSn5I7KDw0tspJBQMCM8W+wBEFBRERKRKgKc4zy99DHgg82pAeMsAFKRoy7TIaKQUUHpEzgx3g4BEDOpLo2DIoSJBAg8ZACjJS7CjWDYkEKAJ8SJxIsaLFixgzZhSAIgOESDuA3RBIA4KBk38MUrhBI5IHHyggGIGgQ9YABDhz6tzJs6fP/59AETQoR6CGtZElDdTwwNRDjZQU5kVqpqGIDFk9HC1tyrWr169gw4ptKulhCgp7lkKr59QADQofIRnTQYQCChQR1r7ay7ev374aCsiQAKGGXlE1IAyMpMrHEAhqKPydTLmyK3Vo+fD14JZojQYZhMwAMEBXXwgJUqtezVp1wdc0WsueXfCRpGCEDfOdkZiovQxaDKDokYNvAgs6dPxazrz5r+TQlTuf3jy6cnpTB2vuy7mlOdA1fsgozffB8mvV0qtXj369+/fwq12LC+mGjD3YN/+JVGOKgR8AoCDZK+YB04IFFjyg4IIMLnjDDQ1GKOGEC1rQgneQIISfX5zZRv8AZD38pwMC9IGSwC8FJIjBAiy26KKLUb0o44w0tojBAwtFQoN2+e3FWXGQjCdADj8IgICHoFgAQIoPLJDACSVEKeWUUZ7AIpVYZqlllQkssEN+HghU2GGh8GaAXqRFEJ6RSEbiwjUtNHkCCRzUaeeddp6QGp589umnnSUkQJgkgGzoo1L89YCCDN6w6UoO1MhJpwOUVlppnQw4MEJqlnbq6aefcmClBIcZNOYrvBETpDOGFHnkoxHESUMJHIBKKQO4MrBpArb22isHge6AIQEzQJBWH5LM4JRu5qwSwX+utgkJpBYsMKevI2SbbQIl+OrtpyRYKSwof5i0FVM1LAX/ig7O7DCEo6FQa22tneaa7QH4HjBClN/2e2mgGBRQIrE5oGRADmqBsk8GGkAbLaxy0nurvfcGgO++JPjrLwfhLlANUZRFcEw2RMALCqQRV5qrrtoGYHG2k2rcL8cn3GCNDNK+QgO7PESwgzfvvhpvBAL00MACKjPQQgMNKDBBCC7rO0LMMvdaQAMCAKvBDVHoQIGqrhgAAFYKhVey0CdHkIEsETiwMgx3gPD0xdnWWbXV/OTBQQcCxKpDDwAoBDIBHuiwBgo6yPClESZLAqkKMITAQ74H4DDABAN8ELW+utp9N6ikOcC0A4H78HcEDSx3GGkICIAU0EU0HsnjMKww/4AC+V7AwweZiyCCvifo0IAOJVy9gAg6OFACAFg/UOnVIiBN6dUNFEBpA3c0cBcaCwhwtQZ9+8KBJDWl0AENZh8h+7QRQM7CABvky4MIvH8QQggjnICACBb0APgAPdBBAUrQAwE8oACsIB0KLCACFHRLBD1AUA9E4IAHiGAAD/DfA3SwsxQ0gAICaEE1xheJmsiAHkpYHwFox4INoABfILhd/e43ApHp6gENuKDzHLCPbjnAcKJrgANO1KUBWIBSFhgA0kI3OnVw0ActEMDWWkBCSNTkDUtQIQsrMIAKHGADKjjADPG3gQZ0jgOho5QAhEipByiRNNXj1T4sVRrSDf8giEMEgA56IcUHyMACVSTAFZmgxfbBgAUH4EEMAoCCFYgxczRk2hnTiMc2YtABBeAIPyjpgAEAwI54TM0C4iSBDihIA4EcZBbR5jhDIvKCtsNBAMY4AhHAQFc0AMAFKzWi5w2gBCyiFGlIw6shGhGUo1uNQUz5AFSSjwdYTCErZ+fKACiADRtwGS2b8YARBIiSbtzh6ESAgG7tYwEo+KQCu8VEIa5mIMy8QSqhSchpss99+FJBF7UJyRDgynDaKwAnEYi9BnRrAThpQB0R6j8ESC90cIyAauCpIHk+M5pJKOQKKsACiylAcy7DwQdwAAIQjABXC7BAAkiQgB1WqgT/TerUAlzaRpq2lFIzpUBqDIKBeM4To0go5AcUgMgDuOyoR70YrmCWsc99KwGvkQAFOrC1Avy0njmD1FA7alSkJpVz2iJBU53qK6jytANUFeFVV5nVCAz1AxOIq1c3py2Y/YKmZPVUQQbS07Ra9aJYhdVQN0CGAYBgrnQbgQWmRgZ15vVTBpEABqZKVZutVZpt/QAI1iCLbHr1Yha4w7408IBiPtZTksXAZNGqAbUClq2CvUAZLoiCo4LgAhOoQAAiEAIyXEADv5AGr070yeItyYcyS+1qK/vXEtITtkP7AAwGQD8y6BZzhVVBbwtLGuqSwXqkEQA603kX0/pLtaql/2xrU3DZjNpzhRGwXeYOsIYYxLCL962AbAewqcYKwBmiG0Am60gaCspsspNV7w3Y+1rMwuqCmfuAPi9HBqSOYL/99WQzHEiGEpDBaHdAQNUSvFwNBKa9QX0vpGxSWDLYRJsfYMF+D5CAxnrYk9R1wBpEwJwRI1jBDHYuUNWn4u6KIK4TWENhK8C7zO2XBTX2pAP+u4Yj/veTF+zBiKOyXKoG2YrPdXC8eouCogYgBmTYLhniJ19+NBaTZEABTpXMBult7MeU9TKKiZxVAWzgAmaG6wQ0G9fDGrUCcYXrBRZ74QtEQFsnEGgBTsCyulr60iNYwI/RqucGu7etGzhyXP8rIEtrxlUBc03qCBKLaUxT7tWvXoAJugyPPTNOxftosW9nSQaQpnpzrM4Woyn362JrmrIIsaiQAzu0NX9gBTYZ6QdG6rKOppqrll4BCvCHr2J722ULmCoFeqpsMA/51jkzQK4ngC8c1NdpE4B3BSqwggDgYAUTWIEs7z2BC+BuArLgQbz5fYEYBwDfK5CbXAOA6AsgFcHktnXscE2GCVgsAIRVARe7SAZ9wqACd2kgCirA4gG02bd0HoAPOsAIHtD5LAr1WlS4rNoOlFuQYf70o5pxuaNid+Mbp+4K0HwBHGB3AGFEcxh7G4JEDiAGHeA5ABgxgOGtQQcYIIMG0Kv/Wr7aXOJna2vFL57xJm98AziwHNIlV1h252sETL9m5jpgguy1fCD/7cE+fDCQvvc94p5Osdip21EW1NfsFU/7GjaA5DWw+6MfgPsAQiD3D9Dd7gAcyHhU7km/+x3wy4Zu2tZMb5vM27qJP/PlcEDYjh+A6ZKHwQjusAEKcMOTjOhB36mOAs97ngLODL2YT8ZzXQMa6GMXKZ0buXwF1LKwImuxDzCQ+9fkmoOwyT4GZAD2oOXMBRbYQKjjugKimjreo047DhSAcFSzAN8R4FykfxEl5OggBSZ4iA4kmhoKkEGntNFT3ScERgIkopBSGLBSp9UrJtCA+dca7NIAszFR/xQwgA/jCjD1ALMiMQvYKQ5oAjbQGr9wAxMIVTuQAIehSkowIsMiCS5wAk2yUp7TgZXygVx3gzjIdSbQARIQSLiAAO6yBHYwIK4gKizCLWKVhEq4hEzYhEz4AlAYhVI4hR/YgFG4AD5IAAiQAcmwBONhGq/gNicwhmRYhmZ4hmiYhjO3hmzIZeN2gxsYCnbRADKxBAbAAwhggK4wA5iyMn74h4AYiII4iH/IAS7gCuwCAESyBASQJpbxiJAYiZFgF9AEO0oAAYwgA5K4iZy4FzQwBgBQh1tAAbIAADnTiahIGR6gAZ2gDV6wA2OQARGQGQZTi7Z4i7iYi7q4iwYDAU47kAKDgDiL8wXqpmRBcYzImIzKmBNk4AMRIAFakArApRHUWI3WeI0XIQACRAFnogl+AAHgGI7iOI7kWI7meI7oiI6Ikg/s2I7u+I6oEAQAOw0K

Show driver authentication options. These parameters control how the driver shim authenticates to the Active Directory domain controller. show hide show Select a method to authenticate with Active Directory: [Negotiate] - Use Microsoft security package to negotiate logon type. Typically Kerberos or NTLM is selected. [Simple] - LDAP style simple bind for logon. Negotiate Simple Negotiate When enabled, communication between the driver shim and Active Directory is digitally signed. This does not hide the data from view on the network but reduces the chance of security attacks. Signing only works when you use the [Negotiate] authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol. Do not use this option with SSL. yes no no When enabled, communication between the driver shim and Active Directory is digitally encrypted. Sealing only works when you use the [Negotiate] authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol. Do not use this option with SSL. yes no no When enabled, communication between the driver shim and Active Directory is digitally encrypted. This option can be used with either the [Negotiate] or [Simple] authentication option. SSL requires that the Microsoft server running the driver shim has had the domain controller server certificate imported. yes no no Logon and impersonate driver authentication account for CDOEXM and Password Set support. If no, the driver performs a network logon only. If yes, the driver performs a local logon. The authentication account must have right assignments as described in the Administration Guide. yes no yes

Show Microsoft Exchange options. These parameters control whether the driver shim uses the Microsft CDOEXM Exchange management APIs and whether to interpret changes in the homeMDB attribute as a move or delete of the mailbox. show hide show Exchange mailboxes can be controlled by calls into the Microsoft Exchange management system instead of regular attribute synchronization. When enabled, the driver shim intercepts changes to the Active Directory homeMDB attribute and calls into the CDOEXM (Collaboration Data Objects for Exchange Management) subsystem. The value you choose here is recorded in the driver shim configuration. yes no no When enabled, the driver shim intercepts modifications to the Active Directory homeMDB attribute and calls into CDOEXM to move the mailbox to the new message data store. yes no no When enabled, the driver shim intercepts removal for the Active Directory homeMDB attribute and calls into CDOEXM to delete the mailbox. yes no no

Show domain controller access options. These parameters controls the scope of Active Directory queries along with several publisher polling and timeout parameters. show hide show Enter the number of minutes to delay before querying Active Directory for changes. A larger number reduces the load on Active Directory, but also reduces the responsiveness of the Identity Manager driver. 1 >Configures the driver shim to send a periodic status message on the publisher channel when there has been no publisher traffic for the given number of seconds. 0 Specify the number of minutes for the driver to attempt to sync a given password. The driver will not try to sync the password once this interval has been exceeded. It is recommended that this value be set to at least three times the polling interval. For example, if the poll interval is 10, the password sync timeout value should be set to 30 or higher. 5 Ordinarilly the shim will read specific information from other domains when objects in those domains are referenced. If the account you use for authentication has no rights in the other domain, the read may fail. Enable this option if you get access errors during regular operations. yes no no

The name of the connected system, application or Identity Manager driver. This value is used by the e-mail notification templates to identity the source of notification messages. Active Directory Choose a method for managing Exchange mailboxes: [Entitlements] assign the user to the entitled message data store [Implement in policy] assign the user to a message data store based on driver policy [None] do not manage Exchange mailboxes policy none none

show hide show If true, allows passwords to flow from the Identity Manager data store to the connected system. true If true, allows passwords to flow from the connected system to the Identity Manager data store. true Use the password from the connected system to set the non-reversible NDS password in eDirectory. true Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization. false If true, applies NMAS password policies during publish password operations. Password is not written to the data store if it does not comply. true If true, on a publish Distribution Password failure, attempt to reset the password in the connected system using the Distribution Password from the Identity Manager data store. true true

show hide show When Full Name Mapping is selected for user accounts, the driver will keep the Identity Vault Full Name synchronized with the Active Directory object name and display name. This policy is useful when creating user accounts in Active Directory using the Microsoft Management Console Users and Computers snap-in. true When Logon Name Mapping is selected for user accounts, the driver will keep the Identity Vault object name sychronized with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName). This policy is useful when creating user accounts in Active Directory using the Microsoft Management Console Users and Computers snap-in. true Choose a method for managing the Active Directory Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, as in 'user@domain.com' and can be used instead of the traditional NT Logon Name for identification. Although the shim can place any value into userPrincipalName, it will not be useful as a logon name unless the domain is configured to accepts the domain name used with the name. [Follow Active Directory e-mail address] When selected, userPrincipalName follows the value of the Active Directory mail attribute. This option is useful when you want the user's e-mail address to be used for authentication and Active Directory (and likely Microsoft Exchange) is authoritive for e-mail addresses. [Follow Identity Vault e-mail address]This option is useful when you want the user's e-mail address to be used for authentication and the vault (and perhaps Groupwise or another integrated e-mail system) is authoritive for e-mail addresses. [Follow Identity Vault name] This option is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in policy. [None]This option is useful when you do not want to control userPrincipalName or want to implement your own policy. ad-mail-auth edir-mail-auth edir-name-auth none none setup for move validation Gather information needed for move validation. move setup for rename validation Gather information needed for rename validation. rename move or rename validation The driver shim cannot tell the difference between a move and a rename in Active Directory so publishes both. The last known object DN is cached in the Identity Vault and then used to decide whether a given move or rename operation is real. This rule will veto moves and renames that are already reflected in the cached value. .* $cached-object-value = $current-object-value move or rename cached context update Update cached context when move or rename is valid. .* veto move Gather information needed for move validation. move Find a matching unassociated object in the Identity Vault. Copy OUmapAD GCV into a local variable Copy OUmapAD GCV into a local variable User # remember relative position in hierarchy The default policy assumes that you want to synchronize a subset of Active Directory with the Identity Vault. this rule marks events in the given containers for processing by adding the unmached-src-dn operational property. You can add subtrees in Active Directory t for inclusion by adding if-src-dn conditionals here. If you are using mirrored placement, the unmatched-src-dn is used later in the placement rule. If you do not use container based scoping, this rule may be modified or removed. If you change this rule, the placement rules must also be changed to reflect your policy. OU=Users,OU=Quebec,DC=domain,DC=com veto out-of-scope events When scoping by container, events outside of the Active Directory containers defined in the above rule will not have a unmatched-src-dn operational property and will be vetoed. If you do not want to use container based scoping, this rule should be modified or removed. $inScope=$OUmapAD match users based on NT logon name Logon name policy: match object name from the Identity Vault to the NT logon name in Active Directory. Objects are matched anywhere in the destination hierarchy, not just the relative position in the hierarchy. This match is not performed if a matching object was found in a previous rule. User true \ match users based on full name Full name policy: User true match everything else Match objects in Active Directory based on the object name and relative position in the hierarchy. This match is not performed if a matching object was found in a previous rule. User OU=Users,OU=Quebec,DC=domain,DC=com deltaguitars\quebec\users \ add attributes for all objects DirXML-AppliationAttrs is an aux class that holds attributes generally useful to drivers. DirXML-ADContext is used by this driver to track the Active Directory object name which is useful for telling whether a publisher move or rename is redundant. DirXML-ApplicationAttrs add attributes for user objects User UNKNOWN set user default password Sets a default password for the user if none exists. If you have enabled password sync, the default password will be replaced on the next password change operation. If the driver shim has cached a password from a recent add event in Active Directory, it will be published shortly after this command completes. Otherwise, the default password will remain in effect until the password is changed in either the Identity Vault or Active Directory. User @Dirxml1 update Active Directory logon name Update Active Directory logon name (userPrincipalName) when logon name is configured to follow e-mail address and e-mail address is present. ad-mail-auth placement for all objects Construct a destination DN for all object types assuming simple object name mapping. deltaguitars\quebec\users \ optional logon name mapping Logon name mapping: Modify the destination DN so that the NT Logon Name (sAMAccountName) names the object. User true \ A set of rules that implement the user name mapping options consider user objects when name mapping is enabled Skip processing if event is not of interest to name mapping policy. User false false none full name mapping: discard unwanted renames When mapping Full Name, renames are vetoed. true rename logon name mapping: map NT logon name to Identity Vault object name Logon name policy: Keep destination object name in sync when logon name (sAMAccountName) changes. true modify CN= map e-mail address to Active Directory logon name Update Active Directory logon name (userPrincipalName) when logon name is configured to follow Active Directory e-mail address and e-mail address is being added. ad-mail-auth unmap e-mail address from Active Directory logon name Update Active Directory logon name (userPrincipalName) when logon name is configured to follow Active Directory e-mail address and e-mail address is being removed. ad-mail-auth .+ set cached context value on merge modify @from-merge='true' DirXML-ApplicationAttrs Set Equivalent To Me when adding object to a group The Identity Vault gives group members the rights of the group by adding the object to the "Equivalent to Me" attribute. Add the object now. Group Remove Equivalent To Me when removing object from a group The identity Vault gives group members the rights of the group by adding the object to the "Equivalent to Me" attribute. Remove the object now. Group .+ remove managed attributes when object disassociated Remove the attributes used to manage the state of the object for this driver when it is disassociated. Since the driver does not maintain the state of a disassociated object, these values are not reliable. remove-association Prevent unassociated users from being removed from groups modify Group On User add, provide default password of @Dirxml1 if no password exists add User @Dirxml1 Publish Passwords Block publishing passwords to Identity Manager data store when adding a object false add Block sending modify-password changes to the Identity Manager data store false modify-password Publish passwords to NMAS distribution password Add nspmDistributionAttribute attribute to add operation true add Change modify-password operations to a modify true modify-password pwd-publish Publish passwords to NDS password. Block publishing passwords to NDS password false add Block sending modify-password changes to the NDS password false modify-password Publish password payloads Add operation-data element to password operations add operation-data add add-attr[@attr-name='nspmDistributionPassword'] operation-data modify-password operation-data modify modify-attr[@attr-name='nspmDistributionPassword'] operation-data Add payload data to password operations addPayloadToPassword add add-attr[@attr-name='nspmDistributionPassword'] modify-password modify modify-attr[@attr-name='nspmDistributionPassword'] Find matching object in Active Directory Copy OUmapAD GCV into a local variable Copy OUmapAD GCV into a local variable User # remember relative position in hierarchy The default policy assumes that you want to synchronize a subset of the Identity Vault with Active Directory. this rule marks events in the given containers for processing by adding the unmached-src-dn operational property. You can add subtrees in the Identity Vault for inclusion by adding if-src-dn conditionals here. If you are using mirrored placement, the unmatched-src-dn is used later in the placement rule. If you do not use container based scoping, this rule may be modified or removed. If you change this rule, the placement rules must also be changed to reflect your policy. deltaguitars\quebec\users veto out-of-scope events When scoping by container, events outside of the Active Directory containers defined in the above rule will not have a unmatched-src-dn operational property and will be vetoed. If you do not want to use container based scoping, this rule should be modified or removed. $inScope=$OUmapAD generate full name if not in Identity Vault Full name policy: Generate a Full Name from Given Name + Surname if one does not already exist. The value is set in the Identity Vault and in the current operation to Active Directory. This policy assumes that Full Name synchronization is enabled in the subscriber filter. If you disable Full Name in the subscriber filter you should not use Full Name mapping. User true match users based on NT logon name Logon name policy: Match object name from the Identity Vault to the NT logon name in Active Directory. Because sAMAccountName (DirXML-ADAliasName) is unique in the domain, objects are matched anywhere in the destination hierarchy, not just the relative position in the hierarchy. User true match users based on full name Full name policy: Match user objects in Active Directory whose object name matches the Identity Vault Full Name. Because objects names are only unique within a container, this rule only looks for objects in the same relative position in the hierarchy. This match is not performed if a matching object was found in a previous rule. User true CN= match everything else Match objects in Active Directory based on the object name and relative position in the hierarchy. User , OU=Users,OU=Quebec,DC=domain,DC=com Create User objects Special processing for users. A DirXML-ADAliasName is generated which becomes the NT logon name (sAMAccountName) in Active Directory. Also, a default password is generated. If the user has a distribution password and you have enabled password sync, the distribution password will override the password generated here. The generated password passes the default Active Directory '3 of 4' rule by appending 'Dirxml1' to the password. You can make this more secure by using data that varies by user. User DirXML-ApplicationAttrs Dirxml1 map user name to Windows logon name Windows logon name mapping: When userPrincipalName is configured to follow the eDirectory user name, set userPrincipalName to the eDirectory object name plus the name of the Active Directory domain. edir-name-auth User @ domain.com Create Group objects assign an NT group name to the group. by default this value is capped at 20 characters to meet mixed-mode domain requirements. this number can be increased if your domain functional level allows longer names. Group Identity Vault accounts are enabled if Login Disabled does not exist User false default Exchange assignment Provision Exchange mailbox policy User Copy OUmapAD GCV into a local variable Copy OUmapAD GCV into a local variable User # placement for all objects All objects are placed in the given container. By default the Active Directory scoping container and the subscriber placement container are the same. You can change the value here if you want to place objects in a different container than the one used for scoping. If you change the scoping rules in the matching rules of either the publisher or subscriber channel, you should also review and change this rule as needed. , Use Full Name for naming user objects When User Full Name mapping is enabled, the destination object name is changed to the user's Full Name User true CN= , default Exchange assignment Provision Exchange during merge operations. Skip provisioning if the Active Directory user is already mail enabled (e-mail contact only) or mailbox enabled (e-mail user account) policy modify @from-merge='true' A set of rules that are executed when any one of the user name mapping options are selected. consider user objects when name mapping is enabled Skip processing if event is not of interest to name mapping policy. User false false none generate full name on merge Full name policy: This policy option requires a Full Name in the Identity Vault to be used as the object name in Active Directory. If one is not present during a merge operation, generate it by concatenating Given Name (if present) with Surname. true .[@from-merge='true'] map full name to destination object name Full name policy: Keep destination object name in sync when Full Name changes. true modify escape source object name Logon name policy: Remove characters unsuitable for Active Directory logon name from source object name. rename map rename to NT logon name Logon name policy: Keep destination sAMAccountName in sync with source object name. true rename map rename to Active Directory logon name Active Directory logon name (userPrincipalName) policy: keep destination userPrincipalName in sync with source object name. edir-name-auth rename @ domain.com map e-mail address to Active Directory logon name Active Directory logon name (userPrincipalName) policy edir-mail-auth unmap e-mail address from Active Directory logon name Active Directory logon name (userPrincipalName) policy edir-mail-auth .+ map e-mail address to Active Directory logon name on merge edir-mail-auth .[@from-merge='true'] unmap e-mail address from Active Directory logon name on merge edir-mail-auth .[@from-merge='true'] discard unwanted renames When mapping Full Name, the original rename is vetoed after all rename-triggered policy completes. true rename Transform NMAS attribute to password elements Convert adds of the nspmDistributionPassword attribute to password elements add Block modifies for failed password publish operations if reset password is false false modify modify-attr[@attr-name='nspmDistributionPassword' and @failed-sync='true'] Convert modifies of a nspmDistributionPassword attribute to a modify password operation modify pwd-subscribe Block empty modify operations modify modify-attr On User add, provide default password of Surname if no password exists add User Subscribe to password changes Block subscribing to passwords when objects are added false add Block subscribing to password modifications false modify-password Payloads for subscribe to password changes Add operation-data element to password subscribe operations add operation-data modify-password operation-data Add payload data to a reset password from a failed password publish operation modify-password self::modify-password[@event-id = 'pwd-publish-failed'] Add payload data to password subscribe operations add modify-password self::modify-password[@event-id != 'pwd-publish-failed'] Convert selected attributes to a form most commonly used in the Identity Vault. streetAddress: Convert CR-LF to LF The Identity Vault Street Address typically uses the Unix end-of-line convention (a single new line character) while Active Directory uses the Windows convention (carriage return plus new line characters). This rule converts values to the Identity Vault format so that the synchronized values display properly in both systems. logonHours: Convert to Login Allowed Time Map form The Identity Vault Login Allowed Time Map is an octet string holding one bit for each half-hour period in a week. Users can logon when the bit representing the current half-hour is a 1. The Active Directory logonHours works similarly except that there is one bit for each 1 hour period in a week. This rule converts to the Login Allowed Time Map format. accountExpires: Convert to Identity Vault time format The Identity Vault uses a 32 bit value to store certain time values while Active Directory uses a 64 bit time value. Reformat the 64 bit value to fit within the vault's 32 bit syntax. lockoutTime: Convert to Identity Vault time format The Identity Vault uses a 32 bit value to store certain time values while Active Directory uses a 64 bit time value. Reformat the 64 bit value to fit within the vault's 32 bit syntax. Email notifications for failed password subscriptions Send e-mail on a failure when subscribing to passwords true status self::status[@level != 'success'][text() != '']/operation-data/password-subscribe-status/association[text() != ''] Send e-mail on failure to reset connected system password using the Identity Manager data store password true status self::status[@level != 'success']/operation-data/password-reset-status Convert selected attributes to a form most commonly used in Active Directory. Street Address: Convert LF to CR-LF The Identity Vault Street Address typically uses the Unix end-of-line convention (a single new line character) while Active Directory uses the Windows convention (carriage return plus new line characters). This rule converts values to the Windows format so that the synchronized values display properly in both systems. logonHours: Convert to Active Directory form The Identity Vault Login Allowed Time Map is an octet string holding one bit for each half-hour period in a week. Users can logon when the bit representing the current half-hour is a 1. The Active Directory logonHours works similarly except that there is one bit for each 1 hour period in a week. This rule converts to the logonHours format. Logon is allowed for any 1 hour period in Active Directory if logon is allowed in the Identity Vault for at least one of the two 1/2 hour periods. Use jadutil:translateTimMap2ADStrict for a conversion policy where logon is granted in Active Directory only if both 1/2 hour periods allow logon in the Identity Vault. Although this is a subscriber policy it can effect the Identity Vault. If the Active Directory value is synchronized back to the Identity Vault, the 1/2 hour granularity in the vault is lost. accountExpires: Convert to Active Directory form lockoutTime: Convert to Active Directory form Add: User - convert multi-valued Telephone to single value add User update Active Directory logon name When Active Directory logon name (userPrincipalName) is set to follow the Active Directory e-mail address, changes to the e-mail address are set as an operational property and are acted on when the overall operation succeeds. self::status[@level = 'success']/operation-data/windows-2000-logon-name Email notifications for failed password publications Send e-mail for a failed publish password operation true status self::status[@level != 'success']/operation-data/password-publish-status User user DirXML-ADAliasName sAMAccountName Group group DirXML-ADAliasName sAMAccountName Organizational Unit organizationalUnit Organization organization Locality locality CN cn Description description DirXML-EntitlementRef DirXML-EntitlementRef DirXML-EntitlementResult DirXML-EntitlementResult Facsimile Telephone Number facsimileTelephoneNumber Full Name displayName Given Name givenName Group Membership memberOf Initials initials Internet EMail Address mail L physicalDeliveryOfficeName Login Allowed Time Map logonHours Login Disabled dirxml-uACAccountDisable Login Expiration Time accountExpires Login Intruder Reset Time lockoutTime Member member OU ou Owner managedBy Physical Delivery Office Name l Postal Code postalCode Postal Office Box postOfficeBox S st SA streetAddress See Also seeAlso DirXML-SPEntitlements DirXML-SPEntitlements Surname sn Telephone Number telephoneNumber Title title nspmDistributionPassword nspmDistributionPassword