Channel: Forum Microsoft Identity Manager

EscapeDNComponent


Hi,

I use a display name format of lastname, firstname so I'm trying to use EscapeDNComponent to escape the comma. However, I get an error when the WF executes:

Object Reference not set to an instance of an object

If I use "DisplayName" directly, the WF generates the correct string. 

My customexpression looks like so:

EscapeDNComponent("CN=" + DisplayName)

I'm sure it's bombing out at this point. If I remove the CustomExpression and do a simple "CN=" + DisplayName, the correct string is generated (but of course that won't work when provisioning to AD).

Also, I'm trying to use this as part of a function evaluator which constructs the DN then passes it to the sync rule. Is there a limitation that EscapeDNComponent cannot be used inside a function evaluator?

Thanks
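
Why the comma in a "lastname, firstname" display name has to be escaped before the value goes into a DN, as an added example that is not part of the original post and is not FIM's EscapeDNComponent: RFC 4514 value escaping in Python, with a splitter that shows how many RDNs a DN parser would see. The function names and the OU=Users,DC=example,DC=com container are constructed for illustration.

```python
# Added example: RFC 4514 escaping of one RDN value. This is not FIM's
# EscapeDNComponent; names and sample values are constructed.

# Characters that must always be backslash-escaped inside an RDN value.
ALWAYS_ESCAPE = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL is written as a hex pair
        elif ch in ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)         # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\" + ch)         # trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_dn(display_name: str, container: str) -> str:
    """Build CN=<escaped display name>,<container>."""
    return "CN=" + escape_rdn_value(display_name) + "," + container


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, the way a DN parser sees it."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    container = "OU=Users,DC=example,DC=com"      # constructed sample
    naive = "CN=" + "Doe, John" + "," + container  # unescaped concatenation
    safe = build_dn("Doe, John", container)
    print(len(split_rdns(naive)), split_rdns(naive))
    print(len(split_rdns(safe)), split_rdns(safe))
```

The unescaped string parses as five components, with " John" as a stray RDN; the escaped one parses as the intended four.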



2 gateway, How to use it in "TMG"? help


I have two providers for internet:

1- ADSL
2- FiberLine

I want to put one group of users on the Fiber line and the remaining users on the ADSL line.

Using Forefront TMG.

Whether by using ISP Redundancy or something else, I don't care; what is important is to place each user on the line I want for that user.

Is it possible? If yes, how?

Thanks

PCNS and SSPR between 2 forests


Hi,

We have a requirement to have the same users in 2 separate forests, Forest A and Forest B. So users from Forest A are also created in Forest B via FIM.

FIM Sync, Portal and SSPR are deployed in Forest A.

Users log on to workstations in Forest B, where they need to be able to change their passwords using the traditional Ctrl-Alt-Del routine; these passwords need to be replicated to Forest A.

Additionally users in Forest B must be able to reset their passwords using the FIM add-ins and extensions, as well as via the SSPR Portal which is hosted in Forest A. So effectively, password changes in Forest A must also be replicated to Forest B.

Since PCNS is unidirectional - is the above actually possible?

thanks,

DW


RCDC for AccountName and mail-enable distribution groups


Hi *.*,

I almost finished a FIM 2010 R2 implementation, and it looks like it's working nicely. However, I want to use it for mail-enabled distribution and security groups management and I'm facing two typical issues:

  • The AccountName attribute is neither visible nor populated when creating a new DG, and I can't even choose whether it's mail-enabled or not. I would like a behavior similar to when creating an SG.
  • In both cases, DG and SG, only the mailNickname (E-mail Alias) attribute is populated, leaving behind the Email one that I use for syncing back to Active Directory. Without that, the group is not truly mail-enabled.

I have taken a peek at the RCDC XML "Configuration for Group Creation". I can perfectly identify the EmailEnabling and Alias controls, but I don't get the logic that decides whether they are going to be shown (SG) or not (DG).

So my questions:

  • How do I make AccountName, EmailEnabling and Alias show in the DG creation form?
  • Why is the Email field not there, and why is it not populated?

Thank you so much,
Carlos

P.S.: For example, here is the EmailEnabling control I identified in the RCDC, in case you want to comment on it:

<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox" my:Caption="%SYMBOL_EmailEnablingCaption_END%" my:Description="%SYMBOL_EmailEnablingDescription_END%" my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}"><my:Properties><my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/></my:Properties><my:Events><my:Event my:Name="CheckedChanged" my:Handler="OnChangeEmailEnabling"/></my:Events></my:Control>

Sending Notification to FIM ADMIN when the new user has been created in FIM


My scenario is that when a new user is created in Forefront Identity Manager, the administrator should get an alert in his mailbox that the new user has been created.

Please guide me with the proper steps.

Your response will be highly appreciated.

Regards,

Aman Khanna

Can FIM directly manage the Distribution Groups exists on O365


There are a few Distribution Groups on O365 (which is in the cloud), and these Distribution Groups are not in Active Directory.

So can FIM directly manage those Distribution Groups that exist on O365 (which is in the cloud)?

Please suggest something.

Full export CSV file


Hello,

I have a CSV management agent, and I know that we can only do a delta export.

How can I run a full export to the CSV file without using SSIS?

Any ideas?

Datacard IDCentre Gold supported for smartcard printing?


Hi all

Quick question... I know that Datacard IDWorks Enterprise is supported for FIM CM when used with smartcard printing, but the question is, is Datacard IDCentre Gold also supported? From what I've heard, they are the same product.


Creating Mail enabled users using FIM

FIM Self-Service Password Reset Stats and Reports.


Hi,

I am looking for a way to extract stats/reports for a customer around Self-Service Password Reset of ROI information.

e.g.

1. How many users have registered

2. List of account and displayname of users that have registered.

2. List of account and displayname of users that have not registered yet

3. How many users have successfully been able to reset their passwords for the week/month

4. Nice to have would be a more detailed report on password resets, e.g. time of day, resets per day, etc.

This customer does not have the FIM Reporting component installed and needs to extract this from the FIM Service DB.

Any info would be appreciated.

 

FIM R2 SP1 MPR changes giving me "No policy grants the Requestor permission to complete all changes" no matter what I do


I am implementing FIM R2 SP1 on Windows 2012 servers and migrating FIM 2010 RTM configurations to the new environment. Some of the custom Sets, MPRs, etc. did not import correctly into the new portal, and when I try to manually add a set or alter an MPR I receive the following error:

Error processing your request: The operation was rejected because of access control policies.
Reason: The operation failed as a result of insufficient access rights.
Attributes: ActionParameter,ActionType
Correlation Id: 11a13390-6a1f-4776-a796-fd0f05101120
Request Id:
Details: No policy grants the Requestor permission to complete all changes.

I have tried enabling "all attributes" in "Administration: Administrators control set resources" and "Administration: Administrators control management policy rule resources" and received the same errors. I am logged in as the user who installed the portal, and it is a member of the Administrators set.

What am I missing?  Any ideas welcome please.


FIM Password Expiration Notification E-Mail


Within FIM 2010 R2 I have created 2 sets called "Password Expiration Notification (7 Days)" and "Password Expiration Notification (Tomorrow)", the criteria I have set to populate these sets is:

Select users that match all of the following conditions:

Password Last Set prior to 35 days

User account control = 512

and

Select users that match all of the following conditions:

Password Last Set prior to 41 days

User account control = 512

Our domain password policy stipulates passwords should be changed every 42 days.

I have the sets populating correctly and have followed the tutorial here http://setspn.blogspot.co.uk/2010/10/fim-send-password-expiration.html to set up the workflows, email templates and MPRs to send an email to the user when they transition into one of the above sets.

It is sort of working, in the sense that it is sending emails, but when I look at the System Event Requests that appear under Search Events, emails are only being sent to users whose passwords have already expired and not to all of the members of the sets.

Is anybody able to suggest a reason why emails are not being sent to all members of the sets?


Temporal Sets using xs:dayTimeDuration


I currently have FIM 2010 R2 installed and I'm trying to create a Temporal Set using xs:dayTimeDuration. The samples I have found on the Internet are using 'PnD' syntax, where n is the number of days.  However for my use case, I need to be more restrictive, like 6 hours. Based on XPath 2.0 syntax linked from FIM 2010 R2 documentation, I would use this:

(ExpirationTime < op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('PT6H')))

When I manually run the "FIM_TemporalEventsJob" SQL Job, nothing happens. The UI doesn't support the syntax, so I don't know how to see if the object is part of the set. All I know is that my workflow doesn't execute.  However, if I change the syntax to use 'P1D', everything works as expected...

My question is: is this a bug, or does FIM not support the syntax?

 

Mark Remkiewicz

Microsoft TechNet Wiki FIM Guru - Winners for January!!


The results for January's TechNet Guru competition were posted!

http://blogs.technet.com/b/wikininjas/archive/2014/02/16/technet-guru-awards-january-2014.aspx


Post your FEBRUARY contributions here:

http://social.technet.microsoft.com/wiki/contents/articles/22885.technet-guru-contributions-for-february.aspx


A great big thank you to EVERYONE who contributed an article to last month's competition.

Hopefully we will see you ALL again in this month's listings?

Unfortunately, forum restrictions have prevented me from posting the winners here.

You will find the complete post, comments and feedback on the main announcement post.

Please join the discussion, add a comment, or suggest future categories.

If you have not yet contributed an article for this month, and you think you can write a more useful, clever, or better produced wiki article than last month's winners, here's your chance! :D

Best regards,
Pete Laker

More about the TechNet Guru Awards:



#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Why is Domain required for an identity in the FIM Service?


I have a scenario where FIM is managing identity, but not all identities have an Active Directory account. I have a flag in the FIM Portal (Service) that indicates if a particular user is entitled to an AD account or not. My provisioning setup adds or removes the AD account as appropriate. To support FIM Portal activities for those that do have AD accounts, I populate AccountName, Domain, and ObjectSID in the FIM Service from their corresponding attributes in AD.

What I have noticed is that it does not seem possible to null out or delete the Domain attribute for a user in the FIM Service. I can delete the attributes for both AccountName and ObjectSID without issues.

When attempting to remove the Domain attribute for a user I get the following in the event logs:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.

I assume that something internal to the FIM Service is trying to do some magic with validating the domain name and the domain configuration. I did find a post saying, “Yeah, you have to populate Domain”:

http://social.technet.microsoft.com/Forums/en-US/f207caa9-3a6f-4f2d-8461-a83777280803/fim-service-ma-export-failedmodificationviawebservices-error?forum=ilm2

My question is why is Domain required for a user? It is obviously needed for users that have AD accounts and must authenticate with the Portal, but in the case where a user does not have an account (and therefore does not have a domain), it feels odd to store the incorrect data for the user. It also looks weird when you bring up a list of users in the portal and see domain values for users that do not have accounts. In this particular case, the client has many domains and does have the Domain and AccountName attributes displayed on the user search results page.


FIM Powershell Quest


I want to get all users in FIM with home addresses longer than 30 characters. Does anyone know a good way to do that without first getting all users?

I'm using the Quest PowerShell module for FIM and I tried to do it like this, but it seems like you cannot use greater than in the filter.

Get-FIMResource -Filter "/Person[HomePostalAddress -gt '30']" -ComputerName $FIMServer


Spread the Love! Be our FIM TechNet Guru, this Valentine's


TechNet loves you!

 

We love your contributions at TechNet Wiki sooo much that we give you more than just love in return...

We give you NOTORIETY, GLORY... and VIRTUAL MEDALS!

That's not all, this love we have, together, it flows both ways my friend.

You give us stuff, we give you stuff, like interviews, recognition points, Ninja Belt rankings, and of course front page love!

If the love is strong enough, who knows where it could end! We may even invite you into secret clubs and other initiatives.

So why not spread the love a little further this Valentines, with more than just a cheap card from the highstreet...

Express your love for your favourite technology in a TechNet Wiki article!

Pour your heart out to us, capture our hearts and woo us with your prowess!

 

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker




Generate CSExport to csv file


Hello,

I'm using a script that lets me parse a CSExport-generated XML file into a scoped CSV.

I only want to get the users which are connected in my connector space.

When I use $csObject.connector -eq "1", in the resulting CSV file I have some users which are not connected and are not in the Metaverse?

Is there another attribute that lets me export only connected users?

Thanks


Unable to delete User object in FIM Portal - Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition"


Hi,

***Problem

I encounter a problem with FIM (version 4.1.3441.0 and 4.1.3496.0) when I try to delete a User object (and only a User object), whether it is done manually, by an Expiration Workflow or by PowerShell.

Deleting a User object used to be perfectly functional and, without any product version modification, stopped working. I have neither deleted, modified nor added a "Grant" MPR or any of the corresponding Sets since the last time I saw it working.

Displayed error is "Request could not be dispatched" in FIM Portal and is referencing a stored procedure in Event Viewer.

 

***Error details

When I try to delete a User object, here is the output :

  • Portal
    • "Processing error" on submit
      • with the following details 

    • Request status is stuck at "Validating" until next restart of FIM Service (after what it becomes “Canceled”)
    • Request’s “Applied Policy” tab does not contain any MPR where, at least, a “Grant” MPR is expected
      • As SQL Timeout is relatively high and error happens quickly, I don’t think there is a Timeout problem under that.


  • Logs
  • « Application »
    • The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.

 

  •  « Forefront Identity Manager »
    • Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

 

  • Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)

   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)

   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)

   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)

   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()

   at Microsoft.ResourceManagement.Data.DataAccess.UpdateRequest(RequestType request, IEnumerable`1 updates)

   --- End of inner exception stack trace ---

 

  • Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4

Correlation Identifier: e7209633-46d0-4f4b-a59e-807649ef71ea

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.InvalidCastException: Specified cast is not valid.

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)

   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Delete(Message request)

   --- End of inner exception stack trace ---

 

For information, a maintenance plan rebuilds/reorganizes indexes daily, and this problem has occurred on servers with different performance levels.

Has any of you already encountered this problem?

Any help would be greatly appreciated,

 

Thanks in advance for your help,

Matthew

FIM support for SQL 2012 AlwaysOn


Anyone know if FIM 2010 R2 SP1 supports use of AlwaysOn under SQL 2012 as a high availability option? (For both the Sync engine and the FIM Service)

If it is supported, are there any known issues that one should be aware of?

Thanks
