Channel: Microsoft Identity Manager forum

Provisioning a user immediately from FIM to AD whenever a password for that user is changed.

Hi,

I am trying to provision users using FIMSYNC from FIM to AD. It is working fine when I execute the Run Profiles. Now, my scenario is that I have to provision a user account immediately from FIM to AD whenever the password of that user account is changed. For that, I am triggering a workflow on a change in the user's password and calling a PowerShell script from the workflow, passing the user account name.

I am trying to use that passed account name in FIM MA filters, but I am unable to find a solution for that.

Could you specify the way to provision only the user accounts whose password is changed immediately to the target systems (e.g. AD)?

Thanks

Prasanthi


Synching AD users into FIM Portal using FIMSync - getting Connector Filter-rule violation.

Hi All,

As per my requirement, I need to reconcile only one user named "xyz" into FIM from AD. For that, I have defined a filter in the Configure Connector Filter page of the AD MA. After that, I am doing a Full Import of the AD MA, which is working fine. But when I perform a Full Synchronization on the AD MA, it is throwing a "connector-filter-rule-violation". So, in order to fix it, I have removed that filter from the Configure Connector Filter page and deleted the connector space objects of that AD MA.

But I am still facing the same error, i.e. "connector-filter-rule-violation", on doing a Full Sync of the AD MA.

Could anyone please help me out?

Thanks

Prasanthi.

FIM PowerShell Connector - Error on Export

This issue is regarding the recently published Microsoft PowerShell connector.

I'm following the instructions in the Microsoft article listed here: http://msdn.microsoft.com/en-us/library/dn640417(v=ws.10).aspx

It says that in my Export Data script, I have to return a PutExportEntriesResults object to the pipeline, and it can be just an empty object as shown in the example.

Write-Output (New-Object Microsoft.MetadirectoryServices.PutExportEntriesResults)

Only if I have any errors during export do I need to create a list that conveys the error. However, when I executed an export on the MA, it gives an error after the run is completed. The error is ma-extension-error. When I opened the error to get more details, it says:

Connected data source error code: 0x80230703

Connected data source error: unexpected-error.

Event viewer is not helpful to figure out what the issue is. It says the following on the stack trace:

 "Microsoft.MetadirectoryServices.ExtensionException: csEntry ID: 14642da3-3028-e411-a6fd-00155d910f73, Export unsuccessful. 
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ExportBridge.PutExportEntries(String scriptFileConfigKey, IList`1 connectorSpaceEntries)

Forefront Identity Manager 4.1.3559.0"

Has anyone experienced this before, and know where I went wrong? Thank you very much for y'all's time.

FIM CM - Manager Operations view not available in the portal home page (only for normal domain users who earlier had access to perform smart card ops)

I just had my FIM CM setup upgraded from FIM CM 2010 to FIM CM 2010 R2 with SP1. After the configuration was complete, I noticed that some of the users who earlier had access to manage the smart cards, by having access to perform workflow actions such as Enroll Smart Cards, Unblock Smart Cards and all, do not get the 'Manager Operations' view in the new FIM CM homepage (FIM CM 2010 R2).

I have compared the web.config of the old and new setup and they both are almost the same. While accessing the portal using a domain admin account, I get the 'Manager Operations' as well as 'Manage my Info' views. For a normal user, even though it has Smart Card management functions, it's not showing the 'Manager Operations' view.

The issuing CA is the same as before.

Please help me understand which setting has to be changed in the new setup to ensure that the users who have permissions for workflow tasks can have access to the 'Manager Operations' view as well.

Can FIM and "Generic LDAP Connector" do deltas with Oracle Internet Directory (OID)?

Hi,

We've been using the OpenLDAP XMA to get FIM to work with Oracle Internet Directory (OID), but I've been told by one of my colleagues that that connector doesn't really do deltas with OID.  Then I just found this:

http://msdn.microsoft.com/en-us/library/dn510997(v=ws.10).aspx

(Generic LDAP Connector for FIM 2010 R2 Technical Reference)

and I was wondering if anyone has worked with this connector with OID, and knows if it is able to perform deltas with OID?

I've been testing it with OID, but it doesn't seem to pick up changes in the OID unless I do full import full synch.

Thanks,

Jim

FIM PowerShell Connector - Export in large number of modifications

I am exporting modifications in large numbers through FIM PowerShell connector, and I have yet to understand the 3 different export script sections, mainly Begin Export Script and Export Script.

From the definition given by Microsoft, 

The begin export script is run at the beginning of an export run step. During this step, you can establish a connection to source systems and conduct any preparatory steps prior to exporting data from the connected system.

The Synchronization Service will call the Export Data script as many times as is necessary to process all of the pending exports. Depending on whether or not the connector space has more pending exports than the connector’s page size, the presence of reference attributes, or passwords, the export data script may be called multiple times and possibly multiple times for the same object.

And I followed the definition closely.

Because I'm planning to export to O365, my plan is to make the connection once in the Begin Export Script, like this:

[CmdletBinding()]
param(
    [ValidateNotNull()]
    [System.Collections.ObjectModel.KeyedCollection[string, Microsoft.MetadirectoryServices.ConfigParameter]]
    $ConfigParameters,
    [ValidateNotNull()]
    [PSCredential]
    $PSCredential,
    [Microsoft.MetadirectoryServices.OpenExportConnectionRunStep]
    $OpenExportConnectionRunStep,
    [ValidateNotNull()]
    [Microsoft.MetadirectoryServices.Schema]
    $Schema
)
Set-StrictMode -Version 3
Import-Module (Join-Path -Path ([Microsoft.MetadirectoryServices.MAUtils]::MAFolder) -ChildPath 'FIM.O365.psm1') -Verbose:$false -ErrorAction Stop
Import-Module MSOnline -Verbose:$false -ErrorAction Stop
Connect-MsolService -Credential $PSCredential -ErrorAction Stop

However, when I tried to use the command get-msoluser in Export Script, it gave me this error: You must call the Connect-MsolService cmdlet before calling any other cmdlets. So, is something like this possible?

Secondly, I have over 20k modifications to export. My Export Script at a high level looks something like this:

$putExportEntriesResults = New-Object -TypeName Microsoft.MetadirectoryServices.PutExportEntriesResults
foreach ($CSEntry in $CSEntries)
{
    # do stuff here...
    $csEntryChangeResult = [Microsoft.MetadirectoryServices.CSEntryChangeResult]::Create($CSEntry.Identifier, $CSEntry.AttributeChanges, "Success")
    $putExportEntriesResults.CSEntryChangeResults.Add($csEntryChangeResult) | Out-Null
}
Write-Output $putExportEntriesResults

When I run the actual export, I actually have to wait until the whole export finishes before I see any feedback on how many updates were successful, or failed. How should my export script be modified in order for me to get updates as the export is happening?

Thank you all for your time.

Error message: cd-existing-object AD MA

Hi,

Can you please help me resolve the error shown with this message in the FIM Synchronization Service: cd-existing-object (with the AD MA management agent)?

How can I resolve it?

Regards


FIM SQL Agent Jobs are missing

Hello,

None of the FIM 2010 SQL Server Agent Jobs

FIM_DeleteExpiredSystemObjectsJob
FIM_MaintainGroupsJob
FIM_MaintainSetsJob
FIM_TemporalEventsJob

exist on my SQL server.  How can I restore these?

Thanks.

Generate Unique AccountName in FIM Portal 2010 R2.

Hi,

As the user AccountName is a fairly common attribute that needs to be generated unique, I want to create/generate a unique AccountName in the FIM Portal. Specifically, take a LastName and a FirstName, generate an AccountName in the format <LastName><FirstName>, and check whether it exists in the FIM Portal. If it does, the first character of FirstName will be added to the end; if that also exists in the FIM Portal, then the first two characters of FirstName will be added to the end, and so on, checking until a unique value is discovered. If anyone has any idea, solution or code for developing this logic, please share it with me.

Regards

Anil Kumar
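
The candidate sequence described in the post above, as an added example that is not part of the original post. `New-UniqueAccountName` and its `-Exists` script block are hypothetical names; the existence check is left to the caller because the post does not say how the FIM Portal is queried, and the character filter, the 20-character cap and the error when candidates run out are assumptions that go beyond the post.

```powershell
function New-UniqueAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$LastName,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$FirstName,
        # Hypothetical callback: returns $true when the candidate is already taken.
        [Parameter(Mandatory)][scriptblock]$Exists,
        # Assumption: cap at 20 characters, the sAMAccountName limit for AD users.
        [ValidateRange(1, 256)][int]$MaxLength = 20
    )

    # Assumption: keep only letters and digits so the generated name can later be
    # placed in a portal query or LDAP filter without escaping surprises.
    $last  = $LastName  -replace '[^\p{L}\p{Nd}]', ''
    $first = $FirstName -replace '[^\p{L}\p{Nd}]', ''
    if (-not $last -or -not $first) {
        throw 'Name has no usable characters after filtering.'
    }

    $base = "$last$first"
    # Candidate 0 is <LastName><FirstName>; candidate n appends the first n
    # characters of FirstName, exactly as the post describes.
    for ($n = 0; $n -le $first.Length; $n++) {
        $candidate = $base + $first.Substring(0, $n)
        if ($candidate.Length -gt $MaxLength) { break }
        if (-not (& $Exists $candidate)) { return $candidate }
    }

    # Fail closed instead of returning a colliding or truncated name.
    throw "No unique account name available for '$LastName', '$FirstName'."
}

# Constructed sample data standing in for the portal lookup.
$taken = 'KumarAnil', 'KumarAnilA'

# The check and the later create are not atomic, so the step that creates the
# account must still reject a duplicate name.
New-UniqueAccountName -LastName 'Kumar' -FirstName 'Anil' -Exists {
    param($name)
    $taken -contains $name   # -contains is case-insensitive for strings
}
```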


Extensible Connectivity 2.0 MA - Export and Import works but not in same Run Profile (no-start-ma error)

Hi.

I am a newbie on ECMA 2 and have a problem that hopefully is easy to resolve. I have migrated an old Custom MA to the ECMA2 interface but I have some problems getting it to work correctly. Export and Import work correctly, but when I put them in the same Run Profile (for instance Export+Full Import-Full Sync) I get a no-start-ma error on the second operation. The order of operations does not matter, i.e. if I do an Import first and an Export after that, the Export fails. The second operation, whichever that is, does not reach any code that I have written, so it seems to happen internally in FIM.

I have tried running it in a separate process, changed between .NET 3.5 and 4.0, and upgraded the server to R2 without any success. My worries are that I have misunderstood some basic ECMA 2 stuff. I have for instance not found any good information explaining the usage of CustomData in the ImportRunStep (for instance GetImportEntriesRunStep) or in the result (for instance GetImportEntriesResults).

The only thing I can find in the eventlog is:

FIMSynchronizationService 
- EventID 6401 
   EventRecordID 89262 
- EventData 
   BAIL: MMS(9844): d:\bt\9394412\private\source\miis\ma\extensible\extensionmanager.cpp(550): 0x8000ffff (Catastrophic failure) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\ma\extensible\extensionmanager.cpp(1354): 0x8000ffff (Catastrophic failure) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\ma\extensible\import.cpp(404): 0x80231348 (unable to get error text) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\cntrler\cntrler.cpp(2733): 0x80231348 (unable to get error text) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\ma\extensible\extensionmanager.cpp(550): 0x8000ffff (Catastrophic failure) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\ma\extensible\extensionmanager.cpp(1497): 0x8000ffff (Catastrophic failure) BAIL: MMS(9844):
d:\bt\9394412\private\source\miis\ma\extensible\import.cpp(595): 0x8000ffff (Catastrophic failure) ERR_: MMS(9844):
d:\bt\9394412\private\source\miis\shared\utils\libutils.cpp(9944): Failed to start run because of undiagnosed MA error Forefront Identity Manager 4.1.2273.0 

Currently running FIM 2010 R2.

Best regards and thanks for any reply
Håkan

PS! Another totally unrelated question is that I have not found a way to retrieve the complete CS-entry in the Connector. Can this be performed as easily as it was before?

MIM PAM - Service and Portal Install Error

Guys,

I'm having an issue deploying MIM Service and Portal. 

I have downloaded the MIM CTP from Microsoft Connect and am following the MIM CTP test lab guide for PAM.

I'm on page 25/26 trying to launch the Service and Portal msi to install. When I launch the setup as the administrator I get the following error.


When I enabled msiexec logs, the only error I see is shown below. Any ideas?

Any ideas appreciated...

FIM 2010 GAL Synchronization Error

number one Forest

exchange server 2013
a server with active directory 2012
a server running FIM 2010 R2 sp1

number two Forest

a server with Exchange 2010
Active directory server 2008 r2

I'm setting up a global address list with FIM Server

configure agents with default attributes

Forest users number one, they are synchronized to the number two Forest

Forest users number one, they are not transferred to the number two Forest.

users see them as delete and are not added, attached the error.

Forest groups the number one Forest synchronized to the number two

my question is?

that users are not synchronized and groups are synchronized if the forest both.

is there any attribute to be removed for being Exchange 2010 and AD 2008.

that I take is when they are forest and exchange different version?

Deleted Users/Groups from FIM Portal get recreated in the portal on full/delta sync

I am using declarative provisioning. I have two sync rules to provision users and groups respectively from the portal to AD. I have another two sync rules to import users and groups from AD to the portal. The first two sync rules have higher precedence than the latter two. The attributes have equal precedence in the MV. Each of the sync rules is associated with a workflow and an MPR.

Now, I am able to provision new users and groups from the Portal to AD fine. However, when I delete them in the portal and do a delta import and delta sync on the FIM MA, the deleted users and groups are recreated in the FIM portal instead of being deleted from AD.

What am I doing wrong? How do I deprovision the users/groups from AD?

Thanks a lot!

John!

how to clear the Forefront Identity Manager trace log file

We have SharePoint 2010 with the FIM that came with that product. We just realized that the 'verbose' tracing was turned on and the log file C:\Program Files\Microsoft Office Servers\14.0\Service\fimDiagnostics.svclog got really big (60GB). I edited the config file to only record "Error" events instead of Verbose as per this article:

http://msdn.microsoft.com/en-us/library/windows/desktop/ff357801%28v=vs.100%29.aspx#BKMK_enableDiagnosticTracing

Can I just delete this file or is there some way to keep the file but clear its contents?

thanks,


Disconnect accounts when join rules are broken

Hi All,

I am using FIM Sync Manager to synchronise various attributes between our domains.  We have several logon domains and one resource domain.  The resource domain contains disabled accounts with the user's mailboxes, these are linked to the user's logon domain accounts for authentication.  I can use the common sid attribute between the 2 as a basis for my join rules in FIM and this allows me to sync other attributes back and forth.

This is all working fine, however . . . when a user moves from one part of the business to another (i.e. change of job role), which means they change logon domain, I am having a problem. The user has a new logon account created and the Exchange admins re-link their existing resource domain account to this new account. In real terms this rewrites the resource domain account's msExchMasterAccountSid attribute with the objectSid attribute from the user's new logon account. My join rule in FIM is based on these 2 attributes; however, the change does not cause FIM to disconnect the accounts. Even though they don't match (and there is a new match), the old logon account keeps the resource account joined.

Question is, how can I go about making FIM disconnect these accounts once the join rule that brought them together is broken?

Thanks for reading.

Steve

"sync-rule-inbound-flow-rules-invalid" error on synchronizing an Inbound Sync Rule from the FIM connector space to the Metaverse

I have created an inbound sync rule in the FIM portal to import groups from an external system (SQL Server) into the metaverse. I can import the rule from the FIM MA into the FIM connector space, but when I run a full sync on the FIM MA I get the error "sync-rule-inbound-flow-rules-invalid". The only way I have found around the error is to remove all the attributes from Inbound Attribute Flow in the sync rule. However, this defeats the purpose of having the sync rule in the first place. Searching the Web, I have come across posts from other people with "sync-rule-inbound-flow-rules-invalid" problems, but the solutions do not seem to work in my situation.

A little background about the sync rule

Metaverse Resource Type: group

External System Resource type: group

Relationship Criteria: accountName (metaverse) = "string field" (ConnectedSystemObject)

Create resource in FIM: yes

Inbound attribute flow:

- Domain

- Member

- DisplayName

- accountName

- MembershipLocked

- MembershipAddWorkFlow

- Type

- Scope

I am new to FIM so it's possible I have overlooked something in the setup of this sync rule. Any suggestions on possible causes of this issue would be greatly appreciated.

Do all workflow approvals appear in Outlook?

Hi,

In the past I have used the FIM add-ins for Outlook to approve or reject Group Join Requests.

However, if someone changes their mobile number, for example, and this needs to be approved by their manager - does this request by default also appear in Outlook with the Approve/Reject button? If yes, do we also need to deploy FIM add-ins for Outlook?

Thanks,

SK

AD MA cd-error on deleted users as previous Group members

Hi,

We are running FIM 2010 R2 SP1 and Windows 2008 R2 AD with Recycle Bin enabled.

A user gets deleted from our HR system, and in turn gets deleted from FIM Portal, AD and FIM MV.

In AD, this user gets moved to Recycle Bin; and removed from the AD Groups they were a member of (in FIM Portal, AD and FIM MV).

This deleted user exists in AD Connector Space as: Placeholder CN=username\0ADEL:<some GUID>\CN=Deleted Objects,DC=....

When Exporting (Run Profile) the AD MA, we now get the following error on the Group object the user used to belong to:

Error: cd-error
Source Error Code: 1168
Source error: Element not found

Group membership modification is trying to occur, and we can also see the following in the error:

Changes: Delete
Value: CN=username\0ADEL:<some GUID>

Any idea on how to resolve this?

Thank you.

Can we use IdFix with FIM?
