Channel: Forum Microsoft Identity Manager

MIM Hybrid Reporting questions


Hi,

Looking at this article: https://technet.microsoft.com/en-us/library/mt148517(v=ws.11).aspx, it talks about installing a Reporting Agent on MIM, got a few questions:

  1. Which MIM server do you install the Reporting Agent on? MIM Sync or MIM Service?
  2. Must all the MIM data go to Azure? Is there a way to send it to another target system, like for example a Private Cloud SIEM system? What options do we really have?
  3. The article also mentions creating custom reports in Azure - where is a guide on how to create these custom reports?
  4. Is the actual Metaverse data (i.e. user metadata) replicated by this Reporting Agent?
  5. Can we also report on Groups?
  6. The FIM/MIM reporting solution based on System Centre shipped with 7 reports - are these available in Azure?

Thank you,

SK



MIM synch engine Group Sync members in a CSV


Hey Everyone,

I'm having this issue with a group sync I've been asked to implement.

So basically we're synching distribution groups from Notes to AD. Those Notes groups contain some users that were entered manually by employees (because stupid Notes allows you to do that). Obviously those users entered manually are not added to the AD groups because they don't exist.

So I was asked if I could add those users to the groups if they provided me with a CSV file of those contacts.

I know that group membership is complex and very basic in the sync engine. Could you help me figure out if it's doable, or is the only way to have those users as contacts in Notes?

thanks !


Hitch Bardawil

Unable to Install FIM Data Warehouse Support Scripts on a Remote SQL Server


Hi,

Busy trying to deploy FIM Reporting. I am at the stage where I need to run the FIMPostInstallScriptsForDataWarehouse.ps1, but of course this fails as SCSM DW and SQL are on different servers (and there is nothing in the Microsoft FIM Reporting Deployment Guide on this common scenario).

I found this article and am working through it:

http://social.technet.microsoft.com/wiki/contents/articles/17916.troubleshooting-fim-install-fim-data-warehouse-support-scripts-on-a-remote-sql-server.aspx

However, everything was running smoothly until I tried to execute the following command (as per article):

Could someone who may have worked through this article, or had a similar deployment, help us out please?

Thank you,

SK


Dynamic Approval in FIM 2010


Hello,

Our requirement is to select one approver from a drop-down list while requesting to which the request's approval should go. Is this achievable via FIM request MPR? 


Regards,
Manuj Khurana


Duplicate Resource Type bindings on SearchScopeConfiguration cause Export-FIMConfig to fail


Running the following PS extract:

$policy = Export-FIMConfig -policyConfig -portalConfig -MessageSize 9999999 -URI $URI -customconfig "/SearchScopeConfiguration[starts-with(UsageKeyword, '%super')]" -onlyBaseResources

...which results in the following error:

Export-FIMConfig : Failure on making enumeration web service call.

Filter = /SearchScopeConfiguration[starts-with(UsageKeyword, '%super')]
Error= System.ArgumentException: An item with the same key has already been added.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
   at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()
At G:\FIMTasks\ExportPolicy-Filtered.ps1:26 char:31
+     $policy = Export-FIMConfig <<<<  -policyConfig -portalConfig -MessageSize 9999999 -URI $URI -customconfig "$Filter" –onlyBaseResources
    + CategoryInfo          : InvalidOperation: (:) [Export-FIMConfig], InvalidOperationException
    + FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automation.ExportConfig

This is due to the duplicate Resource Type binding to the search scope resource type.  Is it safe to rename one of the bindings? All references to it should be to the attribute name and not the binding itself...


Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com

Using Xpath Syntax in the text boxes on the FIM custom activity UI


Hi,

I have seen certain activities in FIM that allow us to specify Xpath queries in the text boxes on the UI as below:



How do we resolve the Xpath query in the first text box? Should we resolve it in our custom activity, or will the FIM workflow resolve it and send the value to our activity?

In my case, I am getting the string whatever I provide in the text box as is. Kindly let me know if I need to make any configuration for the workflow to get the value resolved.


MIM Exchange 2013 Provisioning Details and Performance


Hey all,

I'm trying to make some intelligent decisions about the way to implement Exchange mailbox provisioning and deprovisioning.  From what I've read, there are no out of the box methods to deprovision a mailbox.  That's fine, I can deal with that using set transitions and MPRs and such. 

From a provision standpoint, I see where I have two options.  Use a set transition and MPRs and such, or use the ADMA facilities.

My concern centers around the performance of these methods.  In my testing of provisioning mailboxes, the portion of the PowerShell script that establishes and imports the session takes a good 5 seconds to load.  The actual "work" happens very quickly.  That 5 seconds isn't a big deal for one or two or 10 or even maybe 100 mailboxes.  But, a part of my IDM work is for schools.  When school sessions start, I need to create upwards of 3000+ accounts.  At 5 seconds an account, that totals up to over 4 hours. Not my idea of efficiency.

So, will the ADMA method be faster?  I couldn't find anything on the details of what PowerShell scripts are sent out.  My hope is that the ADMA only opens the session once, then executes all the enable-mailbox/new-mailbox commands within the same session (avoiding the repeated 5 second delay in opening and importing the session).

I'm fairly certain the MPR/Set transition implementation is going to be slow, simply because of import session load times.

Thanks,

Greg

Custom Search Scope


Hello All,

We have two custom search scopes to get registered and unregistered users for SSPR, but they are not working as expected.

Registered user is showing no users and unregistered user is showing total users (registered + unregistered).

Kindly suggest.

Regards,
Suman


Error syncing according to MIM 2016 guide


Hey guys, I'm trying to sync my AD / MIM agents according to https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/install-mim-sync-ad-service but it tries to sync my "a_eka" user, which is an admin user that I used for install and to log in at the portal with.

It then creates 2 user objects in the metaverse after syncing AD and when I try to Export to MIM again it fails with a ValueUniquenessViolation error on ObjectSID, I'm guessing there's some kind of mismatch?

Get-PAMUser is not working...?


I'm getting nothing. No error. Simply nothing / $NULL. My MIM is updated to the latest build. I'm running it in Windows Azure. Other PAM commandlets work as expected.

Get-PAMUser -PrivDisplayName DEMO.guys
Get-PAMUser -SourceDomain demo.lan -SourceAccountName guys
Get-PAMUser -Filter *


GH

Just curious. Which Israeli company worked on the development of MIM?

Just curious. Which Israeli company worked on the development of MIM?

GH

'Private Sub User_Provisioning(ByVal mventry As MVEntry)' is not starting


Hi,
I'm working on deprovisioning and moving an ADDS account as described here: http://www.wapshere.com/missmiis/account-deprovisioning-scenarios#Metaverse


The private sub 'Private Sub User_Provisioning(ByVal mventry As MVEntry)' is not starting. I have no better ways of describing it. I placed it under the public sub Provisioning. When I tried to place it in the Provisioning sub I got several #C errors so I stopped right away. Do you have any idea why the code is not being called?

There's no error. No throw. No event in the event viewer.  When running it with Visual Studio in debug mode a break-point is ignored as well.


GH

How to count the connectors in an MV entry?


Hi,

I'm having a problem with my MVExtension rule when I try to assign a new AD password to a new AD entry.

To explain myself:

When a new entry is created in the MV, it counts the number of connectors with AD:

if (0 == Connectors)
{
    <code that creates the AD CS entry>
}

The problem is that the MA that calls the MVExtension is called 2 times before an export to AD is made, and I think that the AD connector isn't created until the export, so the condition passes the second time.

Is there any way to search the CS to see if the entry is already there?

Something like "Utils.FindMVEntries" but that searches the CS ?

I hope it was possible to understand my problem,

Thanks in advance for all your help,

Marc

Downloading Software


I just signed up for the Enterprise Mobility Suite through the Office365 Portal and I want to deploy the Advanced Threat Analytics, but I cannot find where to download the software, including the Gateway.

I would also like to use the Forefront Identity Manager 2016, but the same here: I cannot find the downloads, though they say I should have access to them.

Does anyone know where I can download them?  They are not in my VLSC.

Declarative approach - changing a sync target Transition Set in existing MPR's?


MIM novice:  I have a single sync target - Transition Set that I use for 50+ identical outbound only ADMAs, workflows and Management Policy Rules.   My sync target Transition Set is dynamic and uses a value stored in MSexchangeEntensionAttribute15 as the trigger.  This lets me mark all users to be synced to ALL the remote forests easily.

Recently the requirements have changed and a few customer forests are requiring some different accounts to be synchronized.

I would like to create some new Transition Sets, about 3 that use the same dynamic queries - but also allow me to use the manually controlled memberships for those specific forests.  Can I go modify the Management Policy Rules \ Transition in, Transition Out MPRs and change the Transition Set they use for the 3 specific forests and replace the Transition Set without any major issues?

Thanks, Stu


Permissions for a custom search scope


Hello all,

I have defined two custom search scopes, but they are not visible on the main page.

Are there particular permissions that need to be given? Where and how? Please suggest.

Regards,

Suman

MIM PAM Questions


Hi,

Just started reading about PAM and am looking to find some detailed information as the information online is very high level: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Some basic questions:

1. We have an AD domain with MIM already deployed and working. If we want PAM, I understand we need to deploy another Forest - can we use our existing MIM, or do we need to deploy another MIM instance in the new Forest?

2. Where can I find a PAM deployment guide?

3. Where can I find a MIM PAM configuration guide?

4. Will the 'docs.microsoft.com' PAM website be updated, or is this it?

Thank you,

SK

MIM - PUR / Additional software (BHold, SCSM DW, PCNS and so on)


Hi

The FIM 2010 R2 PUR (Product Use Rights) included a list of "additional software" included with the FIM license (appendix 3 in the PUR)

The PUR from Aug 2014 lists:

  • Microsoft Password Change Notification Service
  • Microsoft BHOLD Suite
  • FIM Certificate Management Client
  • FIM Certificate Management Bulk Insurance Client
  • System Center – Service Manager

 

With the new Product Terms list, I can't find a similar list for MIM. Where should I look? I am guessing that MIM includes equal usage rights as FIM 2010 R2, but a confirmation would be great.



FIM architect - Crayon AS - www.crayon.com

csexport.exe fails. Error: The search token appears to be invalid. WHY?


We suffered a DoS attack recently. The admins upgraded the VM firmware and since that time FIM has had problems.

I have isolated the [FIM] problem to a specific MA.

FIM Synchronization server fails whenever a full synchronization requires to read/write the connector space of the problematic MA.

I cannot dump the whole of the CS with csexport.exe

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin> .\csexport.exe "User MA" c:\temp\userMAdump.xml
Microsoft Identity Integration Server Connector Space Export Utility v4.1.2273.0
© 2012 Microsoft Corporation. All rights reserved

[560/2944]Failed to export connector space.
Error: <error>The search token appears to be invalid.</error>
PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin>

I cannot search the whole CS using the FIM Sync GUI.

I cannot even delete the CS using the Delete CS only option from Delete MA option of FIM Sync GUI. !!

When I ran the csexport.exe, FIM Sync service stopped. In the Event Log I see these 3 error entries:

The server encountered an unexpected error creating performance counters for management agent "User MA".
Performance counters will not be available for this management agent.

Application: miiserver.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 000000007391E4F5

Faulting application name: miiserver.exe, version: 4.1.2273.0, time stamp: 0x4f91c0b8
Faulting module name: MSVCR90.dll, version: 9.0.30729.6161, time stamp: 0x4dace4e7
Exception code: 0xc0000005
Fault offset: 0x000000000001e4f5
Faulting process id: 0xf44
Faulting application start time: 0x01d1e7097503f47f
Faulting application path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll
Report Id: 8594fe56-5303-11e6-858f-005056bd2558

I want to scratch this User MA and all its connections to the MV and rebuild the MA again. What options do I have?

If I try to Delete the User MA (and its CS) and it fails, I guess only option thereafter is to restore the DataBases, but what about the FIM code?

MIM Service and Portal Setup Wizard ended prematurely


Hey everyone, I'm trying to install MIM 2015 in a lab environment and I have run into a problem.

The lab environment consists of the following.

1 - domain controller 2012 R2 (dc.alpha.domain.com)
1 - Exchange 2013 Server (Exchange13.alpha.domain.com)
1 - MIM Sync Server (Server 2012 R2 with SQL 2012) (MIMSync.alpha.domain.com)
1 - MIM Portal Server ( Sharepoint Foundation 2013) (MIMPortal.alpha.domain.com)

Every time I try to install the Service & Portal, the installation simply ends saying that the MIM Wizard ended prematurely. It doesn't tell me why or what went wrong.

To give you a little background on the environment, the MIM Sync machine is running Windows Server 2012 R2 and already has MIM Synchronization Service installed with its own SQL 2012.

There is another machine running Windows Server 2012 which is the Service & Portal machine. It is running on Windows Server 2012 as well as SharePoint 2013 Foundation. (All SQL databases are stored on MIMSync.Alpha.domain.com)  I have followed the lab guide however I still receive the error message any advice is greatly appreciated. 

Since the error is so vague, I ran a log file with Verbose to see what the problem could be, however this log does not make any sense to me. I have attached the log file to this post in hopes that somebody can assist in decoding this for me. 

MIM Error Log
