Directory Sync Pro: Using Overrides to Modify Group Names

Views Comments

Let’s talk about Overrides.

By now everyone knows that Binary Tree’s Directory Sync Pro solution is the best available for all sorts of directory synchronization.  Whether it’s for Active Directory migrations, or Exchange migrations, or interoperability between AD and IBM Domino, Directory Sync Pro should be your tool of choice.

One of the most powerful features of Dir Sync Pro is its ability to change data as it’s being transferred using Overrides. Overrides use a SQL statement format to manipulate data before transfer.

We recently had a customer who had a bunch of Domino group names that were prepended with a ‘#’ symbol (e.g. #IT-Admins). As part of their migration strategy and directory clean up, the wanted to remove the ‘#’ from all the group names. Keep in mind they also had many groups that didn’t include the #, so we needed to account for those. Enter the power of Overrides.

To accomplish this, we needed to change several AD values that were keying off the Domino group name. We created one override for the basic name values, one for the mail, and a final special one used to create the actual AD object.

This technique would work regardless of source and target. In this case it happened to be a Domino address book as the source, but the same ideas would apply in an AD-to-AD scenario.

We’ll be using the Sync Report feature extensively to check what is going to happen before we actually apply the Sync.  It’s a great way to simulate changes without actually touching your target directory.

Let’s get to work.

First, we’ll run a Sync Report with the default settings (Mappings and Overrides) to see what the extent of the problem is. Click Sync Report, then Run Simulation. Depending on the size of your source directory it may take a few moments for the sync to complete. Use the Refresh button on the Sync Report to update the display table.

Sync Report before Override

As you can see in the screen shot, we’ve got # symbols in the following locations:

Source Name, Source Object, Target Name, Target Object, Object DN, mail, displayName, mailNickname, sAMAccountName

We don’t need to worry about fixing Source Name and Source Object. Obviously, those values are being pulled from the source and should remain. Target Name can remain as well: this is a name used internally by the SQL server behind Dir Sync Pro. The rest of the values we will need to address. We’ll start by using a custom field in an Override to provide values for sAMAccountName and mailNickname.

  • Return to the main Dir Sync Pro console and go to the Mapping tab for the profile you’d like to work on.
  • Click the Overrides button to create a new Override.
  • Click Add to create a new Override.
  • Change the View value to Groups
  • Set the field name to be a custom field. We’ll use BTCustom006 in this case, but be sure your custom field isn’t already in use.
  • The Field value is where the magic happens. We’ll enter a SQL statement to trim off the leading # sign.

CASE WHEN sAMAccountName LIKE '#%' THEN RIGHT (sAMAccountName, LEN (sAMAccountName) -1) ELSE sAMAccountName END

 This statement says, “If you see a sAMAccountName with a # sign followed by any number of characters, give me the right side of the string subtracting 1 from the string length. If there is no # sign, just return the value as is.”

Building the Override

  • Click Save and then Close

Before we use that Override, let’s check that we are getting the value we expect.

  • Click Sync Report then Run Simulation (remember to wait a bit then click Refresh to get the latest data).
  • Find a Group that has the offending character and right-click to View Details (you can also double-click here)

View details

  • On the message tab we can see that the values haven’t changed yet. We’ll get to that momentarily.
  • Click the Internal Fields tab and find the custom value you created in the Override. In the View Value column you will see the value after it has been processed after the Override.

Report details

  • Close the report details
  • You’ll want to be sure that you haven’t changed values for groups without the special character. Open one of the other groups and check the Internal fields to be sure it is correct as well.

Report details

  • Close the Report Details and the Sync Report.

Once we are satisfied the Override is working correctly, we’ll need to apply it via a Mapping.

  • On the Mapping tab of the main Dir Sync console, you will see “Click here to add new item” at the top of the table.

Add new mapping

  • Leave the Source Field blank
  • Set Internal Field to the custom name you created in the Override.
  • Set the Target Field to sAMAccountName
  • Set Source Type to Group
  • Set Target Type1 to Group
  • Set Target Type2 to Contact

New mapping settings

This now applies the override value (i.e. the name without the # sign) to be the new sAMAccountName.  Repeat the process of adding a new item, but this time set Target Field to mailNickname.

Mapped values

At this point you may want to run another Sync Report to verify that these values are getting applied. In the report you can click the small + sign next to the Group name to get the details. Check sAMAccountName and mailNickname to verify they are correct. We can see that the mail and displayName values are still incorrect, as well as the TargetObject.

Sync report check

To fix the mail we’ll repeat the above process, creating a new custom value with an Override specific to the mail value.  We’ll then apply it as above via a mapping.

  • Create the override. Use a new custom value for the Field Name. The SQL statement here will be:

 CASE WHEN InternetAddress LIKE '#%' THEN RIGHT (InternetAddress, LEN (InternetAddress) -1) ELSE InternetAddress END

Mail override

  • Add the mapping
    • Internal Field set to your new custom value (e.g. BTCustom007)
    • Target Field = mail
    • Source Type = Group
    • Target Type1 = Group
    • Target Type2 = Contact

Mapped values

The final change will be to address displayName. This has the added and important benefit of setting the Target Object. Dir Sync Pro uses the displayName value to generate the CN that will be used to create the group object in Active Directory.

    • Create the override. In this case we can’t use a new custom value for the field name, but need to manipulate the field directly.
      • Set View = Groups
      • Set Field Name = DisplayName
      • Field Value will be the following SQL statement:

 CASE WHEN DisplayName LIKE '#%' THEN RIGHT (DisplayName, LEN (DisplayName) -1) ELSE DisplayName END

  • Here is our final list of overrides:

Overrides

  • At this point there is no need to add another mapping. Because we directly changed the DisplayName value in the override (in lieu of assigning it to a custom field name) a mapping is not required.
  • Run a Sync Report and double check that Target Object, Object DN and displayName values have been modified correctly.

Final sync report

You’re done! Once you’re satisfied that everything is correct in the Sync Report, you can create the AD objects and sync the data by using the Sync Profile button.  Be careful as this will modify your Active Directory, so be sure to double check everything before proceeding.

Comments

Be the first to comment below!

Leave a Comment

Submit Icon

Thanks for your comment.  It needs to be approved by an admin before displaying on the site.

Thanks for your comment - since you're an admin, this is live on the site now.