Hello cloud of wisdom :-)

I was wondering if, using FIM 2010 R2 portal, this is possible:

1) Modifying the "User view" where the users can see and modify their attributes to limit what attributes they see and what attributes they are able to modify 

and 

2) If that view code can be modified to include information from other data sources, like information coming from an application that stores some assets information in SQL.

I have been playing around he customization document and settings for the FIM portal but I could not find this.

Thanks in advance!

http://xna-para-torpes.blogspot.com Your Spanish site about XNA !

Hi All and thanks for any advice

We are migrating from Novell IDM and have struck a issue with MS FIM 2010

we have Teachers and Students with Classes stored in multi-valued attributes,

The list changes as subjects and classes get added, changed and deleted, we would like FIM to create the classes as security groups in Active Directory and assign members,

NOTE: the key point is we are trying to avoid creating a rule for every security group, the goal would be to have FIM create the groups that are in the users attribute and assigning/removing members with changes,

example data in FIM

user1 - classcosed = 11MTA01, 11ENG03, 11DES02

user2 - classcosed = 11MTA02, 11ENG03, 11DES02

user3 - classcosed = 9MTA01, 9ENG03, 9DES02

user4 - classcosed = 9MTA02, 9ENG03, 9DES02

Desired Security Groups Result in Active Directory

11MTA01 = user1

11MTA02 = user2

11ENG03 = user1,user2

11DES02 = user1,user2

9MTA01 = user3

9MTA02 = user4

9ENG03 = user3, user4

9DES02 = user3, user4

again thank-you in advance for any ideas

Steve

This isn't so much a question as something others might like to be aware of...

When you install the FIM Portal and configure metaverse->FIM user sync, supposing you use an account of which your FIM metaverse is already aware, the sync service will be unable to export your account to the FIM MA with an uniqueness constraint violation. This is because merely setting up the portal and service cause your AccountName, SID, etc., to be populated in the database.

This will express itself as a "failed-creation-via-web-services" with error detail thusly:

Fault Reason: The request message contains errors that prevent processing the request.

Fault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>ObjectSID</AttributeType><AttributeValue></AttributeValue><FailureMessage>The specified attribute value must be unique for this Resource Type.</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode></AttributeRepresentationFailure></RepresentationFailures>

My solution was to search (cautiously) the FIMService database to figure out the conflicting account's anchor value:

select ObjectID from fim.Objects with(nolock) where ObjectKey =(select ObjectKey from fim.DomainAndAccountName with(nolock) where DomainAndAccountName = 'mydomain\my.user')

This returns a GUID you can use in the FIM Sync Service admin interface to search the FIM MA by DN/anchor and disconnect.  Now you have a user disconnector in the FIM MA, so head over to the joiner tab, and link it up.

I keep wondering if I've done something wrong in the FIM setup to arrive at this situation, but it's happened in several clean installs following the documented guidelines.

--Steve

Dear All,

I have created FIM 2010 environment for synchronizatoin between two different AD forest and i have done all the configuration which is necessary for it but still users are not provisioning in external AD.

If anyone have got step by step document then please share with me and please help me to check all the steps to do this.

Please see the below mentioned steps in which i have done all the steps and if i skipped anything so please let me know.

1- FIM Active Directory Service Agent.

2- FIM MA agent.

3- Synchronization Rules.

4- Management Policy Rules

5 - Work FLows

- FIM ADMA Full Import and Full Sync is working fine

- FIMMA Full Import is working fine

- FIMMA Export is not sending the data to the external AD metaverse.

Regards,

Shakeel Shahid

I'm importing users from a source SQL MA, rather than having a flag or date indicating disconnection, the users will just vanish from the view. Is there a way for me to time stamp when the user disappeared from the view into a metaverse attribute (e.g. "sourceDisconnected") and export that to the FIM portal to trigger deprovisioning actions X days after the disconnection?

Thanks.

Hello,

I was wondering if there's a way you can sync the SAP location code with FIM for whenever I go to create a new user. SAP has a location code, and whenever I create a new user in FIM, I want to be able to put in that code so the Address automatically gets filled in. 

Or if that's not possible, is there a way to automatically fill in the address in FIM?

Hi all,

I'm trying to figure out this:

We have a web server profile template that collects FQDN and passes it to the certificate template when enrolled, works just fine. Now I'm trying to set up online update scenario that emails the subscriber of the web server certificate that the certificate needs renewal, but I'm stuck on passing the FQDN that was collected during the initial enrollment phase to the email body during the one-time passwords distribution. Is it really so, that I can only use these variables in the one-time password emails:

• {SecretX} where X is 1 or 2
• {User}
• {Manager}
• {Originator}
• {User!Attribute}
• {Manager!Attribute}
• {Originator!Attribute}
• {SCSerialNumber}
• {SCPIN}
• {SCSequence}
• {LongDate}
• {ShortDate}
• {LongTime}
• {ShortTime}

Since the data is there in the FIMCM database, I would assume that it could be used in this kind of scenario?

Microsoft Identity Manager 2016, successor of FIM 2010 is now available on MSDN / Volume Licensing sites. It is the "GA" version.
There is also a new site about MIM:
Microsoft Identity Manager at microsoft.com sites.

On-premises identity and access management:

• Synchronize identities between directories, databases and applications
• Self-service password, group and certificate management
• Increase admin security with policies, privileged access and roles
• Thwart identity theft with Microsoft Identity Manager (MIM)

Note that there is "Try now" button on the site, but it is currently redirected to /evalcenter/evaluate-microsoft-advanced-threat-analytics

If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

I have general question regarding supported browsers in FIM CM 2010.

The FIM CM 2010 instilled on Server 2008 enterprise, i would like to know if FIM CM 2010 support internet explorer IE11?

and if i need to install HF for supported IE11 on FIM CM 2010.

Thanks !!!

OLGN 

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>3</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2009-12-11T12:24:41.1914184Z" /><Source Name="Microsoft.ResourceManagement" /><Correlation ActivityID="{391b811e-53e0-469f-9fba-295cee8a917a}" /><Execution ProcessName="Microsoft.ResourceManagement.Service" ProcessID="4456" ThreadID="11" /><Channel/><Computer>SAOPAULO</Computer></System><ApplicationData>

			System.Management: System.Management.ManagementException: Access denied &#xD;&#xA;
			at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)&#xD;&#xA;
			at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()&#xD;&#xA;
			at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)<System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics"><LogicalOperationStack></LogicalOperationStack><Timestamp>36529376603</Timestamp><Callstack>
		at System.Environment.get_StackTrace()&#xD;&#xA;
		at System.Diagnostics.TraceEventCache.get_Callstack()&#xD;&#xA;
		at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache)&#xD;&#xA;
		at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args)&#xD;&#xA;
		at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments)&#xD;&#xA;
		at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception)&#xD;&#xA;
		at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)&#xD;&#xA;
		at Microsoft.ResourceManagement.Workflow.Activities.PWResetActivity.AttemptPasswordReset(Object sender, XmlDocumentValidationEventArgs e)&#xD;&#xA;
		at System.Workflow.ComponentModel.Activity.RaiseGenericEvent[T](DependencyProperty dependencyEvent, Object sender, T e)&#xD;&#xA;
		at Microsoft.ResourceManagement.Workflow.Activities.XmlInteractiveActivity.DocumentValidation(Object sender, EventArgs e)&#xD;&#xA;
		at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)&#xD;&#xA;
		at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)&#xD;&#xA;
		at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)&#xD;&#xA;
		at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)&#xD;&#xA;
		at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)&#xD;&#xA;
		at System.Workflow.Runtime.Scheduler.Run()&#xD;&#xA;
		at System.Workflow.Runtime.WorkflowExecutor.RunScheduler()&#xD;&#xA;
		at System.Workflow.Runtime.WorkflowExecutor.RunSome(Object ignored)&#xD;&#xA;
		at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.Schedule(WaitCallback callback, Guid workflowInstanceId)&#xD;&#xA;
		at System.Workflow.Runtime.WorkflowExecutor.RequestHostingService()&#xD;&#xA;
		at System.Workflow.Runtime.ScheduleWork.Dispose()&#xD;&#xA;
		at System.Workflow.Runtime.WorkflowExecutor.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)&#xD;&#xA;
		at System.Workflow.Runtime.WorkflowInstance.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)&#xD;&#xA;
		at System.ServiceModel.Dispatcher.WorkflowOperationAsyncResult.DoWork(Object state)&#xD;&#xA;
		at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)&#xD;&#xA;
		at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.SynchronizationContextPostHelper.Callback(Object state)&#xD;&#xA;
		at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)&#xD;&#xA;
		at System.Threading.ExecutionContext.runTryCode(Object userData)&#xD;&#xA;
		at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)&#xD;&#xA;
		at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)&#xD;&#xA;
		at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)&#xD;&#xA;
		at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)</Callstack></System.Diagnostics></ApplicationData></E2ETraceEvent>

How can this be fixed, timezone in Sharepoint seems to be ok.

Hello, I've deployed MIM 2016 in a test environment to look at the new stuff. So the portal looks the same (sadly).

The data above this text is pseudorandom, brace yourselves.

I've tried installing both to SQL 2012 SP2 and it fails on Populate Database step. I think it worked with 2012 SP1.

Can anyone confirm?

The data above this text is pseudorandom, brace yourselves.

Hi Guys,

Trying to figure this out. I am using the PSMA to control Lync identities, importation is OK, but it's not projecting and nor exporting data to lync. There's something missing?

Here the scripts:

IMPORT

param
(
	$Username = "",
	$Password = "",
	$OperationType = "Full",
	[bool] $UsePagedImport,
	$PageSize
)

# these delta properties are used for delta searches in Active Directory. When this script is called
# with the Delta operation type, it will only return users objects where one of the specified
# attributes has changed since last import
$DeltaPropertiesToLoad = @( "distinguishedname", "mail", "homemdb", "objectguid", "isdeleted", "samaccountname", "oksecondarymail" )

# the MASchemaProperties are the properties that this script will return to FIM on objects found
$MASchemaProperties = @( "mail", "samaccountname", "oksecondarymail" )

$rootdse = [adsi] "LDAP://RootDSE"
$searchroot = $rootdse.defaultnamingcontext
$domain = new-object system.directoryservices.directoryentry "LDAP://$searchroot", $username, $password

$Searcher = new-object System.DirectoryServices.DirectorySearcher $Domain, "(&(objectClass=user)(objectCategory=person))", $DeltaPropertiesToLoad, 2
$searcher.tombstone = ($operationtype -match 'delta')
$searcher.cacheresults = $false

if ($OperationType -eq "Full" -or $RunStepCustomData -match '^$')
{
	# reset the directory synchronization cookie for full imports (or no watermark)
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization
}
else
{
	# grab the watermark from last run and pass that to the searcher
	$Cookie = [System.Convert]::FromBase64String($RunStepCustomData)
	$SyncCookie = ,$Cookie # forcing it to be of type byte[]
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization $synccookie
}

$results = $searcher.findall()

$results = $results | where { $_.psbase.path -match 'OU=USERS,DC=DOMAIN,DC=LOCAL$' }

if ( $results -ne $null )
{
	foreach ($global:result in $results)
	{
		# we always add objectGuid and objectClass to all objects
		$obj = @{}
		$obj.id = ([guid] $result.psbase.properties.objectguid[0]).tobytearray()
		$obj."[DN]" = $result.psbase.path -replace '^LDAP\://'
		$obj.objectClass = "user"
		if ( $result.Properties.Contains("isdeleted"))
		{
			# this is a deleted object, so we return a changeType of 'delete'; default changeType is 'Add'
			$obj.changetype = "delete"
			if ( $operationtype -ne 'full' )
			{
				$obj
			}
		}
		else
		{
			# we need to get the directory entry to get the additional attributes since
			# these are not available if we are running a delta import (DirSync) and
			# they haven't changed. Using just the SearchResult would only get us
			# the changed attributes on delta imports and we need more, oooh, so much more
			$global:direntry = $result.getdirectoryentry()

			# special handled attribute
			$obj.'ismailboxenabled' = $direntry.properties.contains('homemdb')

			# always add the objectguid and objectsid
			$obj.objectguidstring = [string] ([guid] $result.psbase.properties.objectguid[0])
			$obj.objectsidstring = [string] ( New-Object System.Security.Principal.SecurityIdentifier($DirEntry.Properties["objectSid"][0], 0) )

			# add the attributes defined in the schema for this MA
			$maschemaproperties | foreach-object `
			{
				write-debug $_
				if ( $direntry.properties.$_ )
				{
					$obj.$_ = $direntry.properties[$_][0]
				}
			}
			$obj
		}
	}
}

# grab the synchronization cookie value to use for next delta/watermark
# and put it in the $RunStepCustomData. It is important to mark the $RunStepCustomData
# as global, otherwise FIM cannot pick it up and delta's won't work correctly
$global:RunStepCustomData = [System.Convert]::ToBase64String($Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())

EXPORT

PARAM
(
	$username = "",
	$password = "",
	$domain = ""
)

begin
{
	function log( $message )
	{
		if ( $message )
		{
			write-debug $message
			$message | out-file e:\logs\exchange-ps-export.log -append
		}
	}

	function set-actioninfo($message)
	{
		if ( $message )
		{
			$global:actioninfo = $message
			log -message $actioninfo
			write-debug $actioninfo
		}
		else
		{
			$actioninfo = "general"
		}
	}

	log -message "begin export"

	$securepassword = convertto-securestring $password -asplaintext -force
	$creds = new-object -typename system.management.automation.pscredential($username, $securepassword)

	set-actioninfo "new-pssession"
	$session = new-pssession -connectionuri ('https://SERVER.DOMAIN.LOCAL/OcsPowershell') -credential $creds -debug
	import-pssession -session $session
}

process
{
	log -message "-- start export entry --"
	$identifier = $_."[Identifier]"
	$anchor = $_."[Anchor]"
	$dn = $_."[DN]"
	$objecttype = $_."[ObjectType]"
	$changedattrs = $_."[ChangedAttributeNames]"
	$attrnames = $_."[AttributeNames]"
	$objectmodificationtype = $_."[ObjectModificationType]"
	$objectguid = $_.objectguidstring

	# used to return status to sync engine; we assume that no error will occur
	set-actioninfo 'general'
	$errorstatus = "success"
	$errordetail = ""

	$error.clear()

	try
	{
	enable-csuser -registrarpool fepool.domain.local -id "domain\"+$accountname -sipaddress "sip:"+$mail
	}
	catch
	{
		$errorstatus = ( "{0}-error" -f $actioninfo )
		log -message "ERROR: $errorstatus"
		$errordetail = $error[0]
	}

	# return status about export operation
	$status = @{}
	$status."[Identifier]" = $identifier
	$status."[ErrorName]" = $errorstatus
	$status."[ErrorDetail]" = $errordetail
	$status

	log -message "-- end export entry --"
}

end
{
	set-actioninfo "new-pssession"
	$null = remove-pssession -session $session
	log -message "end export"
}

Diego Shimohama

Lokesh SG

Hi,

I am assuming that FIM SSPR utilizes the password complexity settings of the associated AD environment (that FIM is deployed in)?

When resetting a password via SSPR, and a password not complex enough is typed in, does FIM SSPR tell you the password does not meet complexity requirements and offer that you type another password (that matches the complexity requirement)?

Thanks,

SK

Hi,

When PCNS intercepts the password change on a DC, what format does it send the password to FIM in? is it clear text?

I am asking this because we require to sync AD passwords with a systems where we do not have a Management Agent for (via FIM).

Came across this script, and was wondering if it can be used for password sync & FIM?

http://blog.goverco.com/p/psmapwdmanage.html

Thank you.

SK