Directory Sync Pro: Using Overrides to Modify Group Names
Let’s talk about Overrides.
By now everyone knows that Binary Tree’s Directory Sync Pro solution is the best available for all sorts of directory synchronization. Whether it’s for Active Directory migrations, or Exchange migrations, or interoperability between AD and IBM Domino, Directory Sync Pro should be your tool of choice.
One of the most powerful features of Dir Sync Pro is its ability to change data as it’s being transferred using Overrides. Overrides use a SQL statement format to manipulate data before transfer.
We recently had a customer who had a bunch of Domino group names that were prepended with a ‘#’ symbol (e.g. #IT-Admins). As part of their migration strategy and directory cleanup, they wanted to remove the ‘#’ from all the group names. Keep in mind they also had many groups that didn’t include the #, so we needed to account for those. Enter the power of Overrides.
To accomplish this, we needed to change several AD values that were keying off the Domino group name. We created one override for the basic name values, one for the mail, and a final special one used to create the actual AD object.
This technique would work regardless of source and target. In this case it happened to be a Domino address book as the source, but the same ideas would apply in an AD-to-AD scenario.
We’ll be using the Sync Report feature extensively to check what is going to happen before we actually apply the Sync. It’s a great way to simulate changes without actually touching your target directory.
Let’s get to work.
First, we’ll run a Sync Report with the default settings (Mappings and Overrides) to see what the extent of the problem is. Click Sync Report, then Run Simulation. Depending on the size of your source directory it may take a few moments for the sync to complete. Use the Refresh button on the Sync Report to update the display table.
As you can see in the screen shot, we’ve got # symbols in the following locations:
Source Name, Source Object, Target Name, Target Object, Object DN, mail, displayName, mailNickname, sAMAccountName
We don’t need to worry about fixing Source Name and Source Object. Obviously, those values are being pulled from the source and should remain. Target Name can remain as well: this is a name used internally by the SQL server behind Dir Sync Pro. The rest of the values we will need to address. We’ll start by using a custom field in an Override to provide values for sAMAccountName and mailNickname.
- Return to the main Dir Sync Pro console and go to the Mapping tab for the profile you’d like to work on.
- Click the Overrides button to create a new Override.
- Click Add to create a new Override.
- Change the View value to Groups
- Set the field name to be a custom field. We’ll use BTCustom006 in this case, but be sure your custom field isn’t already in use.
- The Field value is where the magic happens. We’ll enter a SQL statement to trim off the leading # sign.
CASE WHEN sAMAccountName LIKE '#%' THEN RIGHT (sAMAccountName, LEN (sAMAccountName) -1) ELSE sAMAccountName END
This statement says, “If you see a sAMAccountName with a # sign followed by any number of characters, give me the right side of the string subtracting 1 from the string length. If there is no # sign, just return the value as is.”
- Click Save and then Close
Before we use that Override, let’s check that we are getting the value we expect.
- Click Sync Report then Run Simulation (remember to wait a bit then click Refresh to get the latest data).
- Find a Group that has the offending character and right-click to View Details (you can also double-click here)
- On the message tab we can see that the values haven’t changed yet. We’ll get to that momentarily.
- Click the Internal Fields tab and find the custom value you created in the Override. In the View Value column you will see the value after it has been processed by the Override.
- Close the report details
- You’ll want to be sure that you haven’t changed values for groups without the special character. Open one of the other groups and check the Internal Fields tab to be sure it is correct as well.
- Close the Report Details and the Sync Report.
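The same check can be run over a whole set of names at once. The query below is an added example, not part of Directory Sync Pro or of the original procedure: it applies the Override expression from above to a handful of constructed group names and flags two cases worth catching before a sync, a stripped name that collides with a group that already exists without the # (sAMAccountName must be unique within a domain) and a name that strips down to an empty string. It assumes a SQL Server query window; the table and column aliases (SampleGroups, OverrideValue, PreflightCheck) are illustrative.

```sql
-- Constructed sample names standing in for the Groups view; not customer data.
WITH SampleGroups (sAMAccountName) AS (
    SELECT v.n
    FROM (VALUES
        ('#IT-Admins'),
        ('IT-Admins'),      -- same name already present without the prefix
        ('#HR-Managers'),
        ('Sales#West'),     -- '#' is not leading, so the name is left alone
        ('##Legacy'),       -- only the first '#' is removed
        ('#')               -- nothing is left once the '#' is removed
    ) AS v(n)
),
Stripped AS (
    SELECT sAMAccountName AS SourceValue,
           -- Same expression as the Override Field value above
           CASE WHEN sAMAccountName LIKE '#%'
                THEN RIGHT(sAMAccountName, LEN(sAMAccountName) - 1)
                ELSE sAMAccountName
           END AS OverrideValue
    FROM SampleGroups
)
SELECT SourceValue,
       OverrideValue,
       CASE
           -- A bare '#' would produce an empty target name
           WHEN OverrideValue = '' THEN 'EMPTY'
           -- Two source groups would map to the same target name
           WHEN COUNT(*) OVER (PARTITION BY OverrideValue) > 1 THEN 'COLLISION'
           ELSE 'OK'
       END AS PreflightCheck
FROM Stripped
ORDER BY OverrideValue, SourceValue;
```

Any row that is not OK should be resolved in the source directory or handled with a more specific Override before the profile is synced.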
Once we are satisfied the Override is working correctly, we’ll need to apply it via a Mapping.
- On the Mapping tab of the main Dir Sync console, you will see “Click here to add new item” at the top of the table.
- Leave the Source Field blank
- Set Internal Field to the custom name you created in the Override.
- Set the Target Field to sAMAccountName
- Set Source Type to Group
- Set Target Type1 to Group
- Set Target Type2 to Contact
This now applies the override value (i.e. the name without the # sign) to be the new sAMAccountName. Repeat the process of adding a new item, but this time set Target Field to mailNickname.
At this point you may want to run another Sync Report to verify that these values are getting applied. In the report you can click the small + sign next to the Group name to get the details. Check sAMAccountName and mailNickname to verify they are correct. We can see that the mail and displayName values are still incorrect, as well as the Target Object.
To fix the mail we’ll repeat the above process, creating a new custom value with an Override specific to the mail value. We’ll then apply it as above via a mapping.
- Create the override. Use a new custom value for the Field Name. The SQL statement here will be:
CASE WHEN InternetAddress LIKE '#%' THEN RIGHT (InternetAddress, LEN (InternetAddress) -1) ELSE InternetAddress END
- Add the mapping
- Internal Field set to your new custom value (e.g. BTCustom007)
- Target Field = mail
- Source Type = Group
- Target Type1 = Group
- Target Type2 = Contact
The final change will be to address displayName. This has the added and important benefit of setting the Target Object. Dir Sync Pro uses the displayName value to generate the CN that will be used to create the group object in Active Directory.
- Create the override. In this case we can’t use a new custom value for the field name, but need to manipulate the field directly.
- Set View = Groups
- Set Field Name = DisplayName
- Field Value will be the following SQL statement:
CASE WHEN DisplayName LIKE '#%' THEN RIGHT (DisplayName, LEN (DisplayName) -1) ELSE DisplayName END
- Here is our final list of overrides:
- At this point there is no need to add another mapping. Because we directly changed the DisplayName value in the override (in lieu of assigning it to a custom field name) a mapping is not required.
- Run a Sync Report and double check that Target Object, Object DN and displayName values have been modified correctly.
You’re done! Once you’re satisfied that everything is correct in the Sync Report, you can create the AD objects and sync the data by using the Sync Profile button. Be careful as this will modify your Active Directory, so be sure to double check everything before proceeding.