Hi,

I have groups in FIM portal that are criteria-based.

I need to change those groups to manual in order to add/remove users from them via my code with RMGroup resourceType.

I can´t use xpath filters anymore because it will be quite complex and FIM doesn't accept it.

I tried to, in code, remove the filter, set an empty filter, set MembershipLocked to false, ... every thing

I allways get the error "Policy prohibits the request from completing", so without changing the groups to manual, I still can´t add/remove users to the groups with my code.

If I change the group from criteria-based to manual membership in the UI, it works. The code is calling the FIM webservices using the same credentials  I use to access the portal.

Note: I also have a MPR granting all permissions in all Attributes to AllGroups to administrators

How can I do it programmatically?

Help is really appreciated,

Many thanks,

DevDiver

Hi Everyone,

I am currently facing an issue in the Sync server where the Full Sync is showing "Stopped server" while running Full Synchronization of SQL MA and this is not happending regularly as it is showing the error message 3 times if it runs 10 times in a week and rest 7 times its running fine.

What could be the reason why this is occuring?

Your response will be highly appreciated

Thanks,

Aman

Currently we are using some code to project into the MV from on of our MA's based on extaqnsionAttribute.

I tried to add to this code to create a second qualifier, but it is now wanting both and when I try to project it to the MV tells me that it is missing.

boolIMASynchronization.ShouldProjectToMV(CSEntrycsentry,outstringMVObjectType)

Russell Lema

Hi Guys,

Trying to figure this out. I am using the PSMA to control Lync identities, importation is OK, but it's not projecting and nor exporting data to lync. There's something missing?

Here the scripts:

IMPORT

param
(
	$Username = "",
	$Password = "",
	$OperationType = "Full",
	[bool] $UsePagedImport,
	$PageSize
)

# these delta properties are used for delta searches in Active Directory. When this script is called
# with the Delta operation type, it will only return users objects where one of the specified
# attributes has changed since last import
$DeltaPropertiesToLoad = @( "distinguishedname", "mail", "homemdb", "objectguid", "isdeleted", "samaccountname", "oksecondarymail" )

# the MASchemaProperties are the properties that this script will return to FIM on objects found
$MASchemaProperties = @( "mail", "samaccountname", "oksecondarymail" )

$rootdse = [adsi] "LDAP://RootDSE"
$searchroot = $rootdse.defaultnamingcontext
$domain = new-object system.directoryservices.directoryentry "LDAP://$searchroot", $username, $password

$Searcher = new-object System.DirectoryServices.DirectorySearcher $Domain, "(&(objectClass=user)(objectCategory=person))", $DeltaPropertiesToLoad, 2
$searcher.tombstone = ($operationtype -match 'delta')
$searcher.cacheresults = $false

if ($OperationType -eq "Full" -or $RunStepCustomData -match '^$')
{
	# reset the directory synchronization cookie for full imports (or no watermark)
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization
}
else
{
	# grab the watermark from last run and pass that to the searcher
	$Cookie = [System.Convert]::FromBase64String($RunStepCustomData)
	$SyncCookie = ,$Cookie # forcing it to be of type byte[]
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization $synccookie
}

$results = $searcher.findall()

$results = $results | where { $_.psbase.path -match 'OU=USERS,DC=DOMAIN,DC=LOCAL$' }

if ( $results -ne $null )
{
	foreach ($global:result in $results)
	{
		# we always add objectGuid and objectClass to all objects
		$obj = @{}
		$obj.id = ([guid] $result.psbase.properties.objectguid[0]).tobytearray()
		$obj."[DN]" = $result.psbase.path -replace '^LDAP\://'
		$obj.objectClass = "user"
		if ( $result.Properties.Contains("isdeleted"))
		{
			# this is a deleted object, so we return a changeType of 'delete'; default changeType is 'Add'
			$obj.changetype = "delete"
			if ( $operationtype -ne 'full' )
			{
				$obj
			}
		}
		else
		{
			# we need to get the directory entry to get the additional attributes since
			# these are not available if we are running a delta import (DirSync) and
			# they haven't changed. Using just the SearchResult would only get us
			# the changed attributes on delta imports and we need more, oooh, so much more
			$global:direntry = $result.getdirectoryentry()

			# special handled attribute
			$obj.'ismailboxenabled' = $direntry.properties.contains('homemdb')

			# always add the objectguid and objectsid
			$obj.objectguidstring = [string] ([guid] $result.psbase.properties.objectguid[0])
			$obj.objectsidstring = [string] ( New-Object System.Security.Principal.SecurityIdentifier($DirEntry.Properties["objectSid"][0], 0) )

			# add the attributes defined in the schema for this MA
			$maschemaproperties | foreach-object `
			{
				write-debug $_
				if ( $direntry.properties.$_ )
				{
					$obj.$_ = $direntry.properties[$_][0]
				}
			}
			$obj
		}
	}
}

# grab the synchronization cookie value to use for next delta/watermark
# and put it in the $RunStepCustomData. It is important to mark the $RunStepCustomData
# as global, otherwise FIM cannot pick it up and delta's won't work correctly
$global:RunStepCustomData = [System.Convert]::ToBase64String($Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())

EXPORT

PARAM
(
	$username = "",
	$password = "",
	$domain = ""
)

begin
{
	function log( $message )
	{
		if ( $message )
		{
			write-debug $message
			$message | out-file e:\logs\exchange-ps-export.log -append
		}
	}

	function set-actioninfo($message)
	{
		if ( $message )
		{
			$global:actioninfo = $message
			log -message $actioninfo
			write-debug $actioninfo
		}
		else
		{
			$actioninfo = "general"
		}
	}

	log -message "begin export"

	$securepassword = convertto-securestring $password -asplaintext -force
	$creds = new-object -typename system.management.automation.pscredential($username, $securepassword)

	set-actioninfo "new-pssession"
	$session = new-pssession -connectionuri ('https://SERVER.DOMAIN.LOCAL/OcsPowershell') -credential $creds -debug
	import-pssession -session $session
}

process
{
	log -message "-- start export entry --"
	$identifier = $_."[Identifier]"
	$anchor = $_."[Anchor]"
	$dn = $_."[DN]"
	$objecttype = $_."[ObjectType]"
	$changedattrs = $_."[ChangedAttributeNames]"
	$attrnames = $_."[AttributeNames]"
	$objectmodificationtype = $_."[ObjectModificationType]"
	$objectguid = $_.objectguidstring

	# used to return status to sync engine; we assume that no error will occur
	set-actioninfo 'general'
	$errorstatus = "success"
	$errordetail = ""

	$error.clear()

	try
	{
	enable-csuser -registrarpool fepool.domain.local -id "domain\"+$accountname -sipaddress "sip:"+$mail
	}
	catch
	{
		$errorstatus = ( "{0}-error" -f $actioninfo )
		log -message "ERROR: $errorstatus"
		$errordetail = $error[0]
	}

	# return status about export operation
	$status = @{}
	$status."[Identifier]" = $identifier
	$status."[ErrorName]" = $errorstatus
	$status."[ErrorDetail]" = $errordetail
	$status

	log -message "-- end export entry --"
}

end
{
	set-actioninfo "new-pssession"
	$null = remove-pssession -session $session
	log -message "end export"
}

Diego Shimohama

When using the PowerShell activity (NOT the PowerShell Workflow Activity) in a workflow, how can I get an object ID?

I.e. with PowerShellWorkflowActivity you can use $fimwf.targetID but how can I do that in a normal Powershell activity?

Thanks,
JD

Hi,

The FIM Portal is configured to use https, so I tried setting up BHOLD to use https using this installation guide:
http://technet.microsoft.com/en-us/library/jj134093(v=ws.10).aspx (Configuring BHOLD to support SSL)

When I click 'BHOLD Self Service' from the portal, I get the error as shown in screenshot 1. Apparently, the connection to https://IAMW03:5151/BHOLD/RoleExchangePoint/BHOLDRoleExchangePoint.svc failes. When I try to go directly to this URL, the message in screenshot 2 appears. This clearly indicates that 'https is not supported', which sounds a bit weird to me.

Has anyone did this before?

Some information about the versions installed:
- FIM Portal 4.1.2273.0
- BHOLD Suite 5.0.1312


Best regards,
Pieter.

Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

Experts,

I have one confusion which i am not able to clarify after going MS guide, forum and wiki.

Do I need windows CAL in addition with FIM CAL?

I am managing 1000 users via codeless provisioning. Do I need

1. 1000 FIM CAL and 1000 Windows CAL or

2. Just 1000 FIM User CAL?

Thanks,

Mann

I am trying to use this client to set binary attributes such as Photo in FIM but found out that these attributes were defined as "Int' in the client schema instead of "Byte[]".

What is the reason for that?

Does anybody has some sample code to set binary attributes in FIM?

Hello,

I'm wondering if anyone has any resources on mapping AccountExpires (AD) -> EmployeeEndDate (FIM). I understand that this has to be done by rules extensions or advance attribute flows. Unfortionatly I do not have experience with either. Any help is appreciated.

thanks,

Josh

Hi,

Created an Outbound System Scoping Filter Sync Rule, and during initial setup I set the "Relationship Criteria attribute" to be 'employeeID'. However, this value cannot be modified once the rule is created, as the drop down box is grayed out (1st pic below).

When I subsequently try Full Import/Full Sync on the FIM Portal MA, I get this error message:

"Relationship criteria of a root synchronization rule should not be null." (2nd pic below)

Sounds like FIM (build 4.1.3479.0) is confused?

Thanks,

SK

April fools out of the way, now let's find an April genius!

The name "April" is derived from the Latin verb "aperire", meaning "to open", as it is the season when trees, flowers AND MINDS start to open! And.. I can't wait to OPEN and read this month's community contributions! (groan, tenuous link!)

Things are indeed heating up around TechNet. The Wiki has become a shining example of what the community has to offer, and talent is SPRINGING FORTH from all corners of our garden of knowledge. 

If you can find the time to enrich us with your latest revelations, or some fascinating facts, then not only will you build up a profile and name for yourself within the gaze of Microsoft's very own glitterati, but you will be adding pages to the most respected source for Microsoft knowledge base articles. This could not only boost your career, but would benefit generations to come!

So don't be an April fool. Please realise the potential of this platform, realise where we are going, and join us in growing this community, learning more about you, and opening the minds of others!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hi,

I'm importing FIM data via a SQL agent and I have a column with this data:

00E704CB-40AE-0616-5B5A-6E0965BD5616,018F1801-34AE-FEE9-F98D-86E484F1812D

when the import runs, I see in the CS Object Properties that the new value is

00E704CB-40AE-0616-5B5A-6E0965BD5616\,018F1801-34AE-FEE9-F98D-86E484F1812D

Whats appenning and how can I tell FIM not to do this?

Many, many thanks,

DD

I actually have two problems that I'm trying to solve here.  The issue i'm trying to solve related to criteria based groups that allow manually managed members to be imported from AD.  Say I have a criteria based group for all contractors.  if someone adds a member to this group in AD, this newly added member is imported as an ExplicitMember.  If you go to the details of this group there is an error that the dynamic group has static members and you can't make changes unless you clear out those explicitmembers.

One approach we tried to fix this was to limit access to admins so they cannot modify membership of criteria groups.  this is possible since we put criteria groups in a single OU.  Our Server team didn't want to go this route.  next I setup and alert within FIM to notify me when a member was added to a criteria based group.  However the fix is still to manually go into the group and remove those members.

So, I thought why not create a set that would contain criteria based groups (MembershipLocked = True) that have Manually Managed Members (ExplicitMember = /Person) so that I can create a policy to remove ExplicitMember.  I came up with the following XPATH filter /Group[(MembershipLocked = True) and (ExplicitMember = /Person)] yet I cannot get this to work in a set.  If I create a search scope with this filter it works perfectly.

Why won't this XPATH filter work in a Set?

As always, thanks in advance for your help.

Kirk

We are having a password sync problem after putting on hotfix 4.1.3613.0 (http://support.microsoft.com/kb/3011057 ). Originally we were on 4.1.3441.0. We put on 2 patches to bring us to the latest patch.  Patch 4.1.3510.0 then 4.1.3613

Structure of AD is

company.com Forest

               d1.company.com Domains

               D2.company.com Domains

FIM Sync is in d1.company.com

All the accounts from d1.company.com are syncing. The accounts from d2.company.com are failing.

We receive the error 6914 The connection from a password notification source failed because it is not a Domain Controller service account.

In the notes on the hotfix

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Password Change Notification Service (PCNS)

Issue 1

The following error message is logged:

6914 The connection from a password notification source failed because it is not a Domain Controller service account.

After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID

Error in FIM SYNC

6914 error

The connection from a password notification source failed because it is not a Domain Controller service account.

Domain: d2.company.com

Server: x.x.x.x

6915 error

An error has occurred during authentication to the password notification source.

 "ERR_: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11691): gethostbyaddr failed with 0x2afc

BAIL: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11693): 0x80004005 (Unspecified error)

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(316): 0x80070534 (No mapping between account names and security IDs was done.): Win32 API failure: 1332

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(570): 0x80070534 (No mapping between account names and security IDs was done.)

Forefront Identity Manager 4.1.3613.0"

The error we are getting when a user from d2.company.com tries a sync

ERROR IN PCNS

Log Name:      Application
Source:        PCNSSVC
Date:          3/10/2015 9:19:08 AM
Event ID:      6025
Task Category: (4)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      box.d2.company.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.  
Thread ID: 3704 
Tracking ID: 19657b31-4547-4f18-94c3-e85adc1d0700 
User GUID: 99de63a6-9e09-4906-9515-bb4ba0a2c5d6 
User: LOCB\user 
Target: FIMProd1 
Delivery Attempts: 1135 
Queued Notifications: 1 
0x00000005 - Access is denied.

LOCB netbios resolves to d2.company.com

LOCA netbios resolves to d1.company.com

C:\>setspn -l LOCA\_FIMSyncService

Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource

 Management,DC=d1,DC=company,DC=com:

       PCNSCLNT/fim2

       PCNSCLNT/fim2.d1.company.com

       PCNSCLNT/fim1

       PCNSCLNT/fim1.d1.company.com

--------------------------------------------------------------------------------------

C:\Program Files\Microsoft Password Change Notification>pcnscfg list

Service Configuration

  MaxQueueLength........: 0

  MaxQueueAge...........: 345600 seconds

  MaxNotificationRetries: 0

  RetryInterval.........: 60 seconds

Targets

  Target Name...........: FIMProd1

  Target GUID...........: 4C72BA98-8414-476B-80BF-6D9045EFCF39

  Server FQDN or Address: fim1.d1.company.com

  Service Principal Name: PCNSCLNT/fim1.d1.company.com

  Authentication Service: Kerberos

  Inclusion Group Name..: LOCB\Domain Users

  Exclusion Group Name..:

  Keep Alive Interval...: 0 seconds

  User Name Format......: 3

  Queue Warning Level...: 0

  Queue Warning Interval: 30 minutes

  Disabled..............: False

Total targets: 1

The password sync has been working for years now this is throwing this error.  Does anyone have clues to the problem with the Hotfix?

We have looked at trying to resolve 6025 errors using http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx but there are no issues here.

Hello,
I installed and configured DirSync v1.0.7020.0 on Windows Server 2012 R2. All is working fine but every timeForefront Identity Manager Synchronization Service is restarted, these errors appears under Application Log:

• Source: FIMSynchronizationService
• Event ID: 6313
• Description: The server encountered an unexpected error creating performance counters for management agent "Active Directory Connector". Performance counters will not be available for this management agent.

• Source: FIMSynchronizationService
• Event ID: 6313
• Description: The server encountered an unexpected error creating performance counters for management agent "Windows Azure Active Directory Connector". Performance counters will not be available for this management agent.

I already followed these links without any success:

• Office 365 Forums - DSync - Services Stopped & Disabled
• TechNet Forums - Event 6313: registry keys are present

If I run perfmon, these are performance counters already present (regarding DirSync):

• FIM 2010: Connector Space
• FIM 2010: Management Agents
• FIM 2010: Synchronization Engine

Could you help me ?

Thank you,
Luca

Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

Hello,

Is it possible to have one set of users go through a QA gate and another go through One-Time Password Email Gate? We have a small subset of users that we would like to email temp passwords to, instead of making them answer security questions.

thanks,

Josh

Hello,

I would like to send a notification to a user's manager (\\Target\Manager) if the user updates their Department of Job Title. Does anyone have any idea how to do this without making sets for each department and job title?

Hi,

I am trying to hide the Groups ribbon/button on Outlook client, using the registry values from here https://msdn.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx . I am using 32-bit Outlook 2013. The registry value ShowGroupManagementUi set to 0 does not hide the "GROUPS" button from Outlook.

Can anyone confirm if they have been able to hide the Groups ribbon on Outlook 2013 or if there is something else to check?

-Mikko