0 votes

We are currently a Google Apps shop and also have a number of other applications that we need to match the user in AD to. In addition, we have two forests that Adaxes manages and one of those forests is multi-domain. Right now, I want to add a unique ID to every user that will be used to connect them to every other system and maintain that connection even if their account is re-created in another domain or forest. What I want to know is what is the best way for Adaxes to create these unique IDs? We were thinking of using the serialnumber attribute to store these IDs?

I had considered having PowerShell generate a 20-digit random number, verify that it is unique in the system and, if so, assign it to the user. We maintain about 3000 users.

--The ID would never be changed once assigned to the user account and would always be associated with the user. (The payroll ID (employeeID) would not work here, since HR does not create that until payroll, which could be up to two weeks after the user is created.)
--Later we would like to create custom commands in Adaxes that would help us move a user from one domain to another. (It would not be important that they maintain their domain identity, so taking the data from their current AD account and using it to create a new one would be perfect. They would need to keep the unique ID to maintain the link between all the systems)

So for example:
1. User account is created in Adaxes and provided a unique ID
2. A Google mailbox is created and an attribute is set with the unique ID from AD.
3. User accounts are also created in other applications and the unique ID is used to map them back to the user in AD

If later there is a need to move the user from one domain to another, the unique ID would be used to maintain their connection with the Google mailbox.

I am looking forward to recommendations on the best way to create and assign the unique IDs as well as any feedback on our idea.

Thanks in advance everyone

by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, every user in Active Directory already has a unique ID. Once a user is created, Active Directory assigns the user account the Object GUID property, which is unique for every object and does not change throughout the life of the user account. If you are going to move users between domains located in the same forest, you can use the Move Object functionality. When an AD object is moved, its Object GUID property remains unchanged, so you can use it as a unique identifier of a specific user. For details on how to move objects, see Moving Objects.

The only issue that you can experience with the Object GUID property is that GUIDs are stored in the property in the binary format (as a sequence of bytes). If you need to use a user ID as a string, you can use a certain property of user accounts to store the Object GUID there in the string (text) format. We don't recommend using the serialNumber property for this purpose. We suggest using the User ID (uid) property.

So, you can create a Business Rule executed after creating a new user. In the Business Rule, you can copy Object GUID to the User ID property (in the string format), and access the User ID property from your applications. To create such a Business Rule:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
  3. On the 3rd step, add the Update the User action and click Add.
  4. In the Property to modify field, select the User ID property.
  5. Type %objectGUID% in the New value field. %objectGUID% is a value reference that will be replaced with a string representation of the Object GUID property of the new user.
  6. Finish creation of the Business Rule.
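The answer's point that objectGUID is binary matters as soon as the uid string is consumed from other systems. The following Python is an added example, not Adaxes code or the poster's own: it converts raw objectGUID bytes to the same canonical string that the %objectGUID% value reference yields, builds an RFC 4515-escaped LDAP filter to look the account up by that GUID, and checks that a stored uid still refers to the account. The sample GUID bytes are constructed.

```python
import uuid

# Constructed sample: the 16 raw bytes AD returns for the objectGUID attribute
# of an account whose string GUID is 12345678-9abc-def0-1234-56789abcdef0.
SAMPLE_OBJECTGUID = bytes.fromhex("78563412bc9af0de123456789abcdef0")


def objectguid_to_string(raw: bytes) -> str:
    """Render raw objectGUID bytes in canonical string form.

    AD stores a GUID in mixed-endian layout: the first three fields are
    little-endian, the trailing eight bytes are in order. uuid.UUID(bytes_le=...)
    applies exactly that layout, so the result matches what Windows tools and
    Adaxes display. A wrong-length value is rejected rather than mis-decoded.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def string_to_objectguid(text: str) -> bytes:
    """Inverse of objectguid_to_string: accepts the string stored in uid
    (with or without braces) and returns the raw bytes AD compares against."""
    return uuid.UUID(text.strip("{}")).bytes_le


def ldap_guid_filter(text: str) -> str:
    """Build an LDAP search filter that finds the object by its GUID string.

    Searching AD on objectGUID needs the binary value, escaped one byte at a
    time as \\XX; the human-readable string would never match."""
    raw = string_to_objectguid(text)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def ids_match(uid_value: str, raw_objectguid: bytes) -> bool:
    """Consistency check for a provisioning pipeline: does the uid assigned at
    creation still refer to this account? Malformed strings count as no match."""
    try:
        return string_to_objectguid(uid_value) == raw_objectguid
    except ValueError:
        return False


if __name__ == "__main__":
    guid_text = objectguid_to_string(SAMPLE_OBJECTGUID)
    print(guid_text)
    print(ldap_guid_filter(guid_text))
    print(ids_match(guid_text, SAMPLE_OBJECTGUID))
```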
