Channel: Forum Microsoft Identity Manager

what is the best way to add user access from child groups to parent group (large enterprise)


We have investigated the steps for denesting of AD groups.

Step 1: here we are extracting the reports of nested groups.

Step 2: we are going to add the groups from child AD groups to parent AD groups.

Step 3: we will be denesting the nested AD groups and make all the groups independent.

My doubt is: when we are doing the process of adding the users directly to the parent group, what challenges do we face? If anybody has already done this process, please guide.

1. Do we get issues in adding users directly depending on group scope?

2. Does this have any limitation in numbers when we add access directly from child group to parent group (usersC will be added to UsersB, and then UsersB & UsersC will be added to Group A)?

Nested group:
    Group A: usersA
        Group B: usersB
            Group C: usersC


suresh arasu
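Added example for the denesting question above (not the poster's code and not a MIM tool): it walks a nested group graph, computes the users each parent must hold directly once its child groups are removed, and flags the one scope problem that always shows up in large enterprises, an account from another domain that a Global group cannot hold. The group data is constructed sample input shaped like the A -> B -> C nesting in the post, with a circular nesting and a cross-domain member added to show the edge cases.

```python
"""Plan the denesting of nested AD groups: compute the users each parent
group must hold directly once its child groups are removed.

Added example, not from the forum thread. GROUPS is constructed sample
data (group name -> scope, owning domain, direct members).
"""
from collections import deque

# Members prefixed "G:" are groups, members prefixed "U:" are user accounts.
GROUPS = {
    "GroupA": {"scope": "Global", "domain": "corp",
               "members": ["U:corp\\alice", "G:GroupB"]},
    "GroupB": {"scope": "Global", "domain": "corp",
               "members": ["U:corp\\bob", "G:GroupC"]},
    "GroupC": {"scope": "Global", "domain": "corp",
               "members": ["U:corp\\carol", "U:other\\dave", "G:GroupA"]},  # circular nesting
}


def effective_users(group, groups):
    """Users reachable from `group` through any depth of nesting.

    Breadth-first walk with a visited set, so circular nesting (which AD
    allows and which large directories accumulate) terminates.
    """
    seen = {group}
    queue = deque([group])
    users = set()
    while queue:
        current = queue.popleft()
        for member in groups[current]["members"]:
            kind, name = member.split(":", 1)
            if kind == "U":
                users.add(name)
            elif name not in seen:
                seen.add(name)
                queue.append(name)
    return users


def denest_plan(groups):
    """For every group: users to add directly, child groups to remove, and
    scope warnings. The scope check encodes the AD rule that a Global group
    may only contain accounts from its own domain."""
    plan = {}
    for name, info in groups.items():
        direct = {m[2:] for m in info["members"] if m.startswith("U:")}
        to_add = effective_users(name, groups) - direct
        warnings = []
        if info["scope"] == "Global":
            for user in to_add:
                user_domain = user.split("\\", 1)[0]
                if user_domain.lower() != info["domain"].lower():
                    warnings.append(f"{user}: Global group {name} in domain "
                                    f"{info['domain']} cannot hold an account from {user_domain}")
        plan[name] = {
            "add_users": sorted(to_add),
            "remove_groups": [m[2:] for m in info["members"] if m.startswith("G:")],
            "warnings": warnings,
        }
    return plan


if __name__ == "__main__":
    for group, steps in denest_plan(GROUPS).items():
        print(group, steps)
```

Run the plan against an export of the real nesting before touching AD: any group whose warning list is non-empty needs its scope changed (or a Domain Local/Universal group introduced) before the direct adds can succeed, which answers question 1 for that group ahead of time.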


Exchange Migration


Hi,

I am currently developing a migration plan for a Cross-Forest Exchange migration.

Forest A is our existing domain and Forest B is our new forest we are migrating into. 

The plan is to have a period of coexistence between both forests. 

Our core business web application will be the first application to be migrated as we need the resources in the new environment for it. 

I used the Exchange script that creates the user object from Forest A into Forest B and then used ADMT to migrate the associated attributes, password and SID history. This means that my users appear in both Forest A and B and, as far as the user is concerned, they use the same account to log onto our business app.

My query is: what is the best way to do the cross-forest coexistence? I have read many articles online about using GalSync to create a centralised GAL using contacts. Can I still do this, bearing in mind that both forests will have mail user accounts and not contacts?

I'm a bit confused as to how I should do it.

The goal here is to allow cross-forest calendar delegation and also display free/busy information.

MSP error on upgrade to SP2


Hi!

I am trying to upgrade my MIM implementation to sp2.

My current version is: 4.4.1459.0

As I understand it, minimum required for upgrade to SP2 is 4.4.1302.0.

When trying to run the msp package I get an error 1642 (Application is not installed). When looking at the logfile I can see the following lines:

MSI (c) (FC:FC) [10:44:32:839]: SequencePatches starts. Product code: {5A7CB0A3-7AA2-4F40-8899-02B83694085F}, Product version: 4.4.1459.0, Upgrade code: {545334D7-13CD-4BAB-8DA1-2775FA8CF7C2}, Product language 1033

MSI (c) (FC:FC) [10:44:32:839]: PATCH SEQUENCER: verifying the applicability of minor upgrade patch C:\Install\Files\MIM\SP2\MIMSyncService_x64_KB4512924.msp against product code: {5A7CB0A3-7AA2-4F40-8899-02B83694085F}, product version: 4.4.1459.0, product language 1033 and upgrade code: {545334D7-13CD-4BAB-8DA1-2775FA8CF7C2}
MSI (c) (FC:FC) [10:44:32:839]: PATCH SEQUENCER: minor upgrade patch C:\Install\Files\MIM\SP2\MIMSyncService_x64_KB4512924.msp is not applicable.
MSI (c) (FC:FC) [10:44:32:839]: SequencePatches returns success.
MSI (c) (FC:FC) [10:44:32:839]: Final Patch Application Order:
MSI (c) (FC:FC) [10:44:32:839]: Other Patches:
MSI (c) (FC:FC) [10:44:32:839]: Unknown\Absent: {5A118493-A9B1-40E6-83EB-7E61930BA4D4} - C:\Install\Files\MIM\SP2\MIMSyncService_x64_KB4512924.msp
The upgrade cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade.
C:\Windows\Installer\19f511e.msi
 

Any ideas on why my application GUID is wrong, and how to fix it?

Thanks,

Søren

MIM Portal Installation - Fatal Error - Adding FIMService account to 'Performance Monitor Users' group


Hi Experts,

I have encountered this error while installing MIM Service [MIM SP1] on Windows Server 2016.

Adding FIMService account to 'Performance Monitor Users' group
Property name = 'ServiceAccount', value = 'domain\svcmimsvc'.
DomainName='domain'
AccountName='svcmimsvc'
Domain AD found
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied.

I have already carried out the below pre-requisite checks:

1. The account I am using to install is a domain account and a local admin on the server.

2. The 'Authenticated Users' group is a member of the Pre-Windows 2000 Compatible group.

3. DNS suffixes are properly configured.

4. The server and the accounts are in the same domain.

I have tried all the combinations for the past 2 days and had no success in the installation.

I was able to add/remove FIMService account in local group Performance Monitor Users.


Thanks and Regards, Siva Kumar Balaguru

Export the current date and time during an export


Hello,

Someone asked me this:

during an "EXPORT" cycle (on a SQL MA), when a user is getting updated (whatever the attributes), add the current date and time in a column for this user.

The goal for him is to know which user has been last updated by the agent.

Is that possible to do?

I hope I am clear enough.
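Added example for the question above (not from the thread): one way to get a "last updated by the export" timestamp without adding an attribute to the MA's flow is to let the database stamp the row in an AFTER UPDATE trigger that fires only when the exported columns change. The example uses SQLite so it runs offline; the table and column names, and the list of columns the MA exports, are assumptions.

```python
"""Stamp a last_export timestamp on a row whenever the MA's export writes
to it, using a database-side trigger instead of an extra exported attribute.

Added example, not from the thread. SQLite stands in for the SQL MA's
target database; table, columns and sample row are constructed.
"""
import sqlite3

# Columns the MA actually exports (assumed). last_export is maintained by
# the trigger and must not be in the MA's attribute list.
EXPORTED_COLUMNS = ("display_name", "department", "disabled")
COLUMN_LIST = ", ".join(EXPORTED_COLUMNS)

SCHEMA = f"""
CREATE TABLE users (
    id            TEXT PRIMARY KEY,
    display_name  TEXT,
    department    TEXT,
    disabled      INTEGER DEFAULT 0,
    last_export   TEXT
);
-- Fires only when one of the exported columns changes, so the trigger's
-- own write to last_export (or writes to unrelated columns) does not re-fire it.
CREATE TRIGGER users_stamp_export
AFTER UPDATE OF {COLUMN_LIST} ON users
BEGIN
    UPDATE users SET last_export = CURRENT_TIMESTAMP WHERE id = NEW.id;
END;
"""


def open_db():
    """In-memory database with the table, the trigger and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (id, display_name, department) VALUES (?, ?, ?)",
                 ("u1", "Jane Doe", "Finance"))
    conn.commit()
    return conn


def last_export(conn, user_id):
    """Timestamp written by the trigger, or None if the row was never exported to."""
    row = conn.execute("SELECT last_export FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def export_update(conn, user_id, **attrs):
    """What the MA's export does: write the changed attributes only.
    The caller never sets last_export; the trigger does."""
    unknown = set(attrs) - set(EXPORTED_COLUMNS)
    if unknown:
        raise ValueError(f"not an exported column: {sorted(unknown)}")
    assignments = ", ".join(f"{col} = ?" for col in attrs)
    conn.execute(f"UPDATE users SET {assignments} WHERE id = ?",
                 (*attrs.values(), user_id))
    conn.commit()
    return last_export(conn, user_id)


if __name__ == "__main__":
    db = open_db()
    print("before export:", last_export(db, "u1"))
    print("after export: ", export_update(db, "u1", department="HR"))
```

On SQL Server the same idea is an AFTER UPDATE trigger on the target table; to stamp only the agent's own writes rather than every update, the trigger can test the connecting login (SUSER_SNAME()) against the MA's SQL login, which is an assumed refinement rather than something the thread describes.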

Set of Possible Event Log Entries

I'm looking at setting up some monitoring of the event logs but to do it properly I really need the full set of possible event log entries that MIM can generate. Is there any documentation that states the full list?

Custom Expression for extracting just the OU values from DN


Hi, we have a very complex OU structure and are looking to dynamically sync user and group objects to a matching OU on the target domain within a staging OU. The closest I've gotten is to create the following custom expression on the import to a custom metaverse attribute.

ReplaceString(ReplaceString(dn,Word(dn,1,","),""),",DC=sourcedomain,DC=local","")

However, this only works for simple DNs that don't contain a comma in the CN. Basically, all I'm trying to do is strip out the entire CN (which may include an escape character and commas) and the DC portion, so the end result is "OU=Name3,OU=Name2,OU=Name1"

CN=Doe\,Joe,OU=Staff,OU=Users,OU=Affiliate,DC=mydomain,DC=local --> OU=Staff,OU=Users,OU=Affiliate

Does anyone know how this can be achieved with a function or custom expression?
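Added example for the DN question above (not the poster's expression and not MIM's ReplaceString/Word functions): a small splitter that walks the DN and honours RFC 4514 backslash escaping, so "CN=Doe\,Joe" stays one RDN, then keeps only the OU= components and rebuilds the matching container under a staging OU. The sample DNs and the staging OU name are constructed.

```python
"""Extract the OU path from an LDAP distinguished name while honouring
RFC 4514 escaping, so a comma inside the CN does not break the split.

Added example, not MIM's own expression language. Sample DNs are constructed.
"""


def split_rdns(dn):
    """Split a DN on unescaped commas. A backslash escapes the next
    character, which covers "\\," as well as hex escapes such as "\\2C";
    the escape is kept intact in the returned RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [r.strip() for r in rdns]


def ou_path(dn):
    """Keep only the OU= components, in their original (leaf-first) order."""
    return ",".join(r for r in split_rdns(dn) if r.upper().startswith("OU="))


def staging_container(dn, staging_dn):
    """Matching container under a staging OU in the target domain.
    staging_dn is an assumed value such as 'OU=Staging,DC=target,DC=local'."""
    ous = ou_path(dn)
    return f"{ous},{staging_dn}" if ous else staging_dn


if __name__ == "__main__":
    source = "CN=Doe\\,Joe,OU=Staff,OU=Users,OU=Affiliate,DC=mydomain,DC=local"
    print(ou_path(source))
    print(staging_container(source, "OU=Staging,DC=target,DC=local"))
```

The same walk generalises to an escaped comma inside an OU name (the escape is preserved, so the result is still a valid DN fragment), which the nested ReplaceString/Word approach cannot handle because Word splits on every comma it sees.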

FIM Service MA Export - Failed-modification-via-web-services error


Hello,

When I run a FIMMA export, I am getting the following error - failed-modification-via-web-services, with the following detail -

Fault Reason: The endpoint could not dispatch the request.\r\n\r\nFault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.AddDomainConfigurationFromDomain(CreateRequestParameter domainNameParameter)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.DoRequestCreationPreProcessByAttribute(RequestType requestType)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>e7de373c-c12d-4881-80ef-c55e80c8d658</CorrelationId></DispatchRequestFailures>

I ran the scripts described in the following link - http://social.technet.microsoft.com/wiki/contents/articles/336.aspx , but to no avail, as they both check out fine.

FIM SMTP sendAsAddress displayName options?


Hi, we have configured FIM to use a Google smtp gateway based on Brad's great post.  All is working well and FIM is able to successfully send email to a Google Apps instance which we use for corporate email.  We have gotten a request to change the display name of the FIM email account that notifies end users so the address appears as something friendly in their email box instead of "fimmailbox@acme.com".  The specific request is to change the display name in the email from "fimmailbox@acme.com" to "Acme Provisioning Team".  Sounds like this should be simple to do but we are stuck.

  1. We confirmed that "fimmailbox@acme.com" has the friendly name "Acme Provisioning Team" set in Google apps.  When we manually go in to the Google Apps mailbox and send directly from Google mail, the desired display name appears.
  2. However, when FIM sends the notification the "from" display name appears as "fimmailbox@acme.com" instead of "Acme Provisioning Team".
  3. We attempted to modify Microsoft.ResourceManagement.Service.exe.config and updated <add key="sendAsAddress" value="Acme Provisioning Team<fimmailbox@acme.com>" />; when we restart the FIM Service it bombs out, so we reverted back to <add key="sendAsAddress" value="fimmailbox@acme.com" />.
  4. We created a .net console smtp app and ran it on the FIM service server to see how it would react. This code gives us the desired email format as well. 

using System;
using System.Net.Mail;

class Program
{
    static void Main()
    {
        try
        {
            MailMessage mailMessage = new MailMessage();
            mailMessage.To.Add("my.testaccount@acme.com");

            //**Key line, this gives desired format option!
            mailMessage.From = new MailAddress("Acme Provisioning Team<fimmailbox@acme.com>");

            mailMessage.Subject = "FIM Welcome Email";
            mailMessage.Body = "FIM Rocks!";
            SmtpClient smtpClient = new SmtpClient("localhost");
            smtpClient.Send(mailMessage);
            Console.Write("E-mail sent!");
        }
        catch (Exception ex)
        {
            Console.Write("Could not send the e-mail - error: " + ex.Message);
        }
    }
}

The question at hand is how can we configure FIM to show the desired display name like we do here?

//**Key line, this gives desired format option!
mailMessage.From = new MailAddress("Acme Provisioning Team<fimmailbox@acme.com>");

Cheers!


Is it possible to export a membership report using the MIM portal for a particular group


All,

I’m seeking your guidance. I want to download a particular group’s membership report through the MIM portal.

Is it possible, or is there a way, to export a membership report to CSV from the Members tab (only for admin) through RCDC?

Regards,

Srinwantu




ECMA Export of ObjectModificationType.Delete - no attributes but anchor


For processing ObjectModificationType.Delete records on an external system, I need a full set of fields, but it appears that for deletes only the anchor is being provided in the CSChangeEntry object.

I have MACapabilities.ExportType = MAExportType.ObjectReplace. Is there an MACapabilities directive that will force all attributes to be populated for a delete?

Set trigger MPR only when users are added manually, but not when dynamic criteria is met


Hi guys!

I have a set, a workflow, and MPR. The MPR triggers the workflow when a user enters the set. My problem is with the set. 

When a user meets the condition for belonging to the set, I can see the users in "view users", but the MPR is not executed.

When I add the same users to the same set manually, the MPR is triggered normally.

Please help me.

Geraldine.  

Do we need a federation server at both organizations?


If we have two separate organizations in separate forests which do not have a trust: A and B.

For A to access B resources, do both forests need to have an ADFS server in their respective forest?

If A has a federated farm consisting of 50 servers, how do the 50 separate ADFS servers write to the same SQL server? Or is there something I am not understanding?


dsk

RCDC my:Enabled - Attribute eval


Hi,

I have an RCDC where I need a field to be "enabled" only when attribute isXYZ is not true.

But it seems that I can only use "positive" logic here. ex:

my:Enabled="{Binding Source=object, Path=isXYZ, Mode=TwoWay}">

How to use "negative" logic here? Is there any "negation" operator or javascript manipulation I can use?

Thanks,

DD

MIM 2016 to SP1/SP2 upgrade reset RCDCs

Hi All,

Sorry if this is an obvious / stupid question. I'm running through my first MIM upgrade and I've come across an issue that I wasn't expecting and I'm not sure what is the best way to proceed.

I've upgraded an existing Dev system from 4.3.2266.0 to SP1 then SP2. Everything appears to be working except at least some of the RCDCs have been reset to what I'm guessing is default. I've since come across minor references that imply this might be expected and that you can then re-import your modifications (https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-service-pack-2-upgrade-path) but they don't provide any steps for doing this. The best I can find is this FIM upgrade guide (https://docs.microsoft.com/en-us/previous-versions/mim/jj134291(v=ws.10)). I've tried performing the restore steps but after the Import-FIMConfig / IISRESET the page still looks the same and a new export of the XML is the same as before attempting the import.

So questions are:
1. Is it expected that RCDCs will be modified on updating MIM?
2. Should the FIM RCDC import instructions have worked?
3. Is there a better way to do this that either prevents this RCDC issue happening in the first place or makes the import process easier?

Related question. Do people use the RCDC Editor Tool from Oxford and find it's worth the money?
https://oxfordcomputertraining.com/tools/rcdc-editor/#description

Thanks for any advice
Regards
Brett

Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


TL;DR: 
Users do not get removed from shadow principals by PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL based group membership also works. Correct access has been granted to the service account. 


So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed fromshadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens even though the logs state that 'the user was removed'. 

Has anyone else run into this and perhaps can shed some light on this behavior? 


Andreas


Upgrading MIM 2016 from Service pack 1 to Service pack 2 in High Availability environment.


Hi Everyone,

We are able to upgrade the MIM SP1 to SP2 in our standalone environments and it worked out perfectly.

But we tried the same approach in one of our high availability environments, set up with 2 zones, each zone having a separate MIM, MIM Sync and database. The zone 1 and zone 2 databases are always configured to be in synchronized mode.

We followed below steps:

  1. Installed MIM in Zone 1 using DB listener name.
  2. Applied patch and worked fine.
  3. Tried to install MIM in Zone 2 using same db listener, but it failed saying DB version mismatch which is already upgraded in zone 1 as DB’s are always in synchronized mode.

Can anyone please assist us with this?

Looking forward to a response.

Thanks,

Kavish.

SSPR in a Virtual Desktop Environment


I have a scenario where SSPR will be used in a Virtual Desktop Environment (VDI). How will the GINA components interact with VDI configured in static or dynamic modes? Has anybody implemented this scenario?

Looking at how VDI works (http://blogs.technet.com/b/yungchou/archive/2010/01/06/microsoft-virtual-desktop-infrastructure-vdi-explained.aspx) the static model provides a user with a VM (with a Win OS) and the dynamic model provides a cloned personalised VM. Both models are accessed by the user via RDP. I would guess that as long as the FIM SSPR client extensions are installed on the VM (or base VM in the dynamic model) then this should work as if the user were using remote desktop to access a normal workstation.

Thanks

Paul



MIM RCDC


Hi All,

I am making two attributes "required" based on a Boolean checkbox attribute.

I had put in the AutoPostback property and, in the Required property of those two attributes, have mentioned the checkbox as the value. But after implementing, end users are not able to edit their profile.

An error "Null object cannot be converted to a value type" pops out

What could be the issue?

For all users the checkbox value has been set as False and not null.

Kindly let me know if I am missing anything

Thank you


Rajesh


MIM PAM API not sending information


Hello,

I am trying to run the Privileged Access Management Sample Portal
I did the installation several times but without result.

Pam works fine because I tested

When I do Get-PAMRole, I get the list of roles in place

When I go to the address http://pam-svr1.priv.adatum.com:8086/api/pamresources/pamroles/, I manage to download the file "pamroles.json" but it does not display the role available as with the Get-PAMRole request.

The JSON file displays:

{
  "odata.metadata": "http://pam-svr1.priv.adatum.com:8086/api/pamresources/%24metadata#pamroles",
  "value": []
}

Do you have an idea? Please.

sorry for my English
