2 Way Account Expires Rules Extension
Published Nov 01 2019 12:22 PM

First published on MSDN on Nov 04, 2014
Updated 11/26/2017
To help explain how to manage the "accountExpires" attribute in AD together with the "employeeEndDate" attribute in the FIM / MIM Portal, I have created a supporting post that goes deeper into how to implement the solution below.
Rules Extensions – Understanding Date Time Conversion Part 1
The following is C# code that can be used to build a Rules Extension to be applied to the ADMA which converts the following:
1. accountExpires attribute on a user in AD to the Employee End Date attribute in the Portal
2. Employee End Date of a user in the Portal to the accountExpires attribute in AD.

    • Create the following custom attribute in the metaverse if it does not already exist:
      Name               Attribute Type
      employeeEndDate    Indexed String

The following code is pulled from the Rules Extension - MAExtension post.

Management Agent Attribute Flow

When setting the attribute flow, be sure to verify that you are selecting the correct Flow Direction and a Mapping Type of Advanced. Notice the exceptionally long names given to the rules extension flows. This is not ideal, but for the initial instruction on how to deploy this solution I named the functions this way to make the data flow between the connector space and the metaverse easier to follow.

accountExpires  <-  employeeEndDate           cd.user:accountExpires<-mv.person:employeeEndDate
accountExpires  -> employeeEndDate            cd.user:accountExpires->mv.person:employeeEndDate
In the updated example I use a much cleaner naming standard for my functions.
To convert the accountExpires attribute to the employeeEndDate attribute in the metaverse, so that it can be exported to the FIM Portal, add the following piece of code within the "void IMASynchronization.MapAttributesForImport" section:
    case "employeeEndDate":
        if (csentry["accountExpires"].IntegerValue == 0 || csentry["accountExpires"].IntegerValue == 9223372036854775807) {
            // This is a special condition, do not contribute and delete any current value
            mventry["employeeEndDate"].Delete();
        } else {
            DateTime dtFileTime = DateTime.FromFileTime(csentry["accountExpires"].IntegerValue);
            mventry["employeeEndDate"].Value = dtFileTime.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");
        }
        break;
Notice the format that the accountExpires value is converted into: "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'". Notice the 'T'. If the output of dtFileTime.ToString is not in this exact format, the sync engine will fail to export the value to the FIM / MIM Portal. This format is not required by every data source; SQL, Oracle and other data sources may accept a wide array of date time formats, but the FIM / MIM Portal requires exactly this format.

If you are setting the employeeEndDate in the FIM Portal and you wish to update the accountExpires attribute in Active Directory, then you need to add the following code within the "void IMASynchronization.MapAttributesForExport" section:
    case "accountExpires":
        // CultureInfo requires "using System.Globalization;" at the top of the file
        CultureInfo provider = CultureInfo.InvariantCulture;
        // Only flow a value when the metaverse employeeEndDate is populated
        if (mventry["employeeEndDate"].IsPresent) {
            DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);
            csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTime();
        }
        break;

If you wish to be able to set the accountExpires or the employeeEndDate value from either Active Directory or the FIM Portal, you will need to make this bidirectional. This can be accomplished by having both pieces of the above code in place, as well as setting equal precedence in the Synchronization Service for the employeeEndDate attribute of the Person object.
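
Both conversions can be exercised outside the sync engine before the flows are made bidirectional. The console program below is an added example, not code from the original post; the class and method names (AccountExpiresRoundTrip, ToEmployeeEndDate, TryToAccountExpires) and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
// Added example (hypothetical names): stand-alone mirror of the two flows, no MIM assemblies needed.
static class AccountExpiresRoundTrip
{
    // Format required by the FIM / MIM Portal, as given on the page.
    const string PortalFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'";
    // The two values the page's import code treats as the special condition.
    const long NeverZero = 0;
    const long NeverMax = 9223372036854775807;

    // Import direction: returns null when nothing should be contributed.
    static string ToEmployeeEndDate(long accountExpires)
    {
        // Int64.MaxValue is outside the range DateTime.FromFileTime accepts, so test first.
        if (accountExpires == NeverZero || accountExpires == NeverMax)
            return null;
        return DateTime.FromFileTime(accountExpires)
                       .ToString(PortalFormat, CultureInfo.InvariantCulture);
    }

    // Export direction: false when the string is not in the exact portal format.
    static bool TryToAccountExpires(string employeeEndDate, out long accountExpires)
    {
        accountExpires = 0; // placeholder only; callers must check the return value
        DateTime parsed;
        if (!DateTime.TryParseExact(employeeEndDate, PortalFormat,
                CultureInfo.InvariantCulture, DateTimeStyles.None, out parsed))
            return false;
        accountExpires = parsed.ToFileTime();
        return true;
    }

    static void Main()
    {
        // Constructed sample values: both special values plus one expiry with a sub-second part.
        long withFraction = new DateTime(2030, 6, 30, 17, 0, 0, DateTimeKind.Local).ToFileTime() + 1234567;
        foreach (long value in new[] { NeverZero, NeverMax, withFraction })
        {
            string portal = ToEmployeeEndDate(value);
            if (portal == null) { Console.WriteLine(value + " -> no value contributed"); continue; }
            long back;
            bool ok = TryToAccountExpires(portal, out back);
            Console.WriteLine(value + " -> " + portal + " -> " + back + " (parsed=" + ok + ", ticks lost=" + (value - back) + ")");
        }
        long ignored;
        // A date without the 'T' separator is rejected here instead of throwing FormatException.
        Console.WriteLine(TryToAccountExpires("2030-06-30 17:00:00", out ignored));
    }
}
```

Because the portal format carries whole seconds only, a value that passes through both flows can differ from the original accountExpires by up to one second.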

Need another example of the code? See Rules Extensions – Understanding Date Time Conversion Part 2



Last update: Feb 20 2020 12:27 PM