Ldap – How to automate RFC2307 attributes in Active Directory

Tags: active-directory, automation, ldap

How do you automate the population and management of RFC2307 attributes in Active Directory in a scalable and reliable manner now that SFU and IdMU are considered deprecated by Microsoft and won't be available in Server 2016?

My goal is to have uidNumber, gidNumber, unixHomeDirectory and loginShell automatically set when creating a user or group in Active Directory.

When adding a user to a group, the user should also be added to the memberUid attribute of that group.

I've considered using homemade PowerShell or VB scripts, but it doesn't feel very scalable when used by multiple administrators handling thousands of users in a production system with high reliability requirements.

I feel that this should be a common problem and that there should exist good solutions, but I can't find any.

Best Answer

In my experience, there are two ways I've seen it done.

  1. Purchase a solution that does what you need out of the box and becomes your identity management solution sitting on top of AD.
  2. Write your own.

I will refrain from posting product recommendations for option 1 because it's against the site rules and I'm sure you can do your own research on that. But let me describe how we do it in my current environment with self-written tools.

The basic premise is that you should stop creating accounts by hand and let your tools do the work for you. Particularly with tools you write, you can hard code and enforce business rules about your specific environment (user locations, name formats, automatic group memberships, etc) that other tools can't possibly know about. That has the side effect of making your tools much easier to use. And the less you have people creating users manually from ADUC, the more consistent and reliable your environment becomes.

In our environment, all new identities associated with people are automatically provisioned (and deprovisioned) by an upstream, HR-owned system. But this only takes care of the basic GAL-related metadata (name, email, phone, etc). We also have a PowerShell script running on the PDC emulator DC that runs every 5 minutes looking for accounts with incomplete RFC2307 profiles and updates them as necessary. It also updates GIDs for certain subsets of groups. UIDs and GIDs are generated based on an algorithm that calculates them from the account's SID. It could be possible for the HR system to provision the RFC2307 profiles as well, but at the time it was less work to have the AD team own that data/process.

Additionally, we have a home-grown web page for provisioning "non-people" accounts like service accounts, shared accounts, test accounts, etc. Each type of account is automatically configured with appropriate RFC2307 attributes in addition to things like fine-grained password policies, username format conventions, etc.

At the end of the day, AD is just a giant LDAP server and there are many ways to interact with it programmatically.
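As an added illustration (not the answerer's script), here is a PowerShell reconciliation pass of the kind described above: it fills in absent RFC2307 attributes on users, derives gidNumber for groups, and mirrors group membership into memberUid. It assumes the ActiveDirectory module, write rights on these attributes, hypothetical OU paths, and that "offset + RID" is an acceptable UID/GID derivation (the answer does not say which SID-based algorithm it uses); run it with -WhatIf first to see what it would change.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UserBase  = 'OU=People,DC=example,DC=com',   # hypothetical OUs
    [string]$GroupBase = 'OU=Groups,DC=example,DC=com',
    [int]$IdOffset     = 10000,      # keeps derived IDs clear of reserved/local ranges
    [string]$HomeRoot  = '/home',
    [string]$Shell     = '/bin/bash'
)
Import-Module ActiveDirectory

# Assumed derivation: offset + RID. The RID is the last SID sub-authority and is
# unique per domain, so this is collision-free within one domain; a multi-domain
# forest needs a distinct offset per domain.
function Get-PosixIdFromSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    return $IdOffset + [int](($Sid.Value -split '-')[-1])
}

# 1. Users with an incomplete RFC2307 profile. Only absent attributes are written,
#    so a value an admin set by hand is never overwritten.
$incomplete = '(|(!(uidNumber=*))(!(gidNumber=*))(!(unixHomeDirectory=*))(!(loginShell=*)))'
$props = 'uidNumber','gidNumber','unixHomeDirectory','loginShell','primaryGroupID'
foreach ($u in Get-ADUser -LDAPFilter $incomplete -SearchBase $UserBase -Properties $props) {
    $desired = @{
        uidNumber         = Get-PosixIdFromSid $u.SID
        gidNumber         = $IdOffset + [int]$u.primaryGroupID   # same derivation as groups below
        unixHomeDirectory = "$HomeRoot/$($u.SamAccountName)"
        loginShell        = $Shell
    }
    $missing = @{}
    foreach ($k in $desired.Keys) { if (-not $u.$k) { $missing[$k] = $desired[$k] } }
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($u.SamAccountName, "set $($missing.Keys -join ', ')")) {
        Set-ADUser -Identity $u -Replace $missing
    }
}

# 2. Groups: derive gidNumber the same way and mirror direct user members into
#    memberUid by sAMAccountName (nested groups are not flattened here).
foreach ($g in Get-ADGroup -Filter * -SearchBase $GroupBase -Properties gidNumber,memberUid) {
    if (-not $g.gidNumber -and $PSCmdlet.ShouldProcess($g.Name, 'set gidNumber')) {
        Set-ADGroup -Identity $g -Replace @{ gidNumber = Get-PosixIdFromSid $g.SID }
    }
    $want = @(Get-ADGroupMember -Identity $g | Where-Object objectClass -eq 'user' |
              ForEach-Object SamAccountName | Sort-Object)
    $have = @($g.memberUid | Sort-Object)
    if (($want -join ',') -ne ($have -join ',') -and $PSCmdlet.ShouldProcess($g.Name, 'sync memberUid')) {
        if ($want.Count -eq 0) { Set-ADGroup -Identity $g -Clear memberUid }
        else                   { Set-ADGroup -Identity $g -Replace @{ memberUid = $want } }
    }
}
```

Get-ADGroupMember is subject to the AD Web Services member limit (5000 by default), so very large groups need a different enumeration path before this pass is trusted for them.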