MIM Provisioning Hierarchy
Have you ever wondered about the Provisioning Hierarchy screen in the MIM Management Agent configuration? Most of the examples out there ignore it and focus on other screens and features.
I stumbled across the answer when provisioning some Novell groups into AD. This screen allows you to build OUs (or more generically "containers") based on the DistinguishedName (DN) provided to the provisioning code. In my case, I had a Novell directory tree that I wanted to recreate and place in a specific OU in AD. The provisioning code I defined pruned the root of the Novell directory and appended the AD OU to the DN. See the example below:
Original DN: CN=test group,OU=sitecode,OU=division,O=orgname
New DN: CN=test group,OU=sitecode,OU=division,OU=Migrated Groups,DC=domain,DC=com
The Provisioning Hierarchy screen allows you to map the different types of DN components to container types. For example:
OU - Organizational Unit
In this configuration, MIM will create any missing entries in the specified DN. In the normal configuration, MIM will generate an error if the target container does not exist. My AD had a Migrated Groups OU but no sub-OUs. The list below shows what gets created as a result of the MIM provisioning.
Object name: CN=test group
New OUs: OU=sitecode, OU=division
Existing OUs: OU=Migrated Groups, DC=domain, DC=com
In this way a tree can be pruned and grafted from one environment to another. A word of caution: make sure your provisioning code generates sane DN values. If you are not careful, you could create a lot of unwanted OUs.
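One way to keep the generated DN values sane is to validate the DN while pruning and grafting it, and to refuse anything unexpected before it reaches the connector. The following is an added example, not the provisioning code from the original post: a standalone C# helper with no MIM API calls, in which the names DnGraft, SplitRdns, Graft and maxNewOus are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example: standalone helper with no MIM API calls; all names are hypothetical.
public static class DnGraft
{
    // Split a DN into RDNs on commas that are not backslash-escaped.
    public static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var cur = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) cur.Append(c).Append(dn[++i]);
            else if (c == ',') { parts.Add(cur.ToString().TrimStart()); cur.Clear(); }
            else cur.Append(c);
        }
        parts.Add(cur.ToString().TrimStart());
        return parts;
    }

    // Prune sourceRoot from the end of sourceDn and append targetBase.
    // Throws rather than return a DN that would create unexpected containers.
    public static string Graft(string sourceDn, string sourceRoot, string targetBase, int maxNewOus)
    {
        List<string> rdns = SplitRdns(sourceDn), root = SplitRdns(sourceRoot);
        int keep = rdns.Count - root.Count;
        if (keep < 1 || !rdns.Skip(keep).SequenceEqual(root, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException("DN is not below " + sourceRoot + ": " + sourceDn);

        var kept = rdns.Take(keep).ToList();
        if (kept.Any(r => r.IndexOf('=') <= 0 || r.Trim().EndsWith("=", StringComparison.Ordinal)))
            throw new ArgumentException("Empty or malformed RDN in: " + sourceDn);
        if (!kept[0].StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Leaf object must be a CN: " + sourceDn);
        if (kept.Skip(1).Any(r => !r.StartsWith("OU=", StringComparison.OrdinalIgnoreCase)))
            throw new ArgumentException("Only OU containers are expected: " + sourceDn);
        if (keep - 1 > maxNewOus)
            throw new ArgumentException("Too many container levels: " + sourceDn);
        return string.Join(",", kept) + "," + targetBase;
    }
}
```

Calling Graft with the original DN above, a source root of O=orgname and a target base of OU=Migrated Groups,DC=domain,DC=com returns the new DN shown above. A DN that sits outside the expected root, contains an empty component, or nests deeper than maxNewOus raises an exception instead of being handed to MIM to build containers from.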