Hi ..
We installed MIM 2016 in a development environment, and we face a strange issue: we need to create a workflow for adding a user to a group, but the activity is shown as blank, as in the screenshot below.
Any idea how to fix this issue?
Hi All,
Can someone please provide the steps for configuring BHOLD-FIM using Workflow activity and Sync rules. Ob OU mapping. Please share the link which provides the attestation process.
Has the way we debug portal issues changed with MIM as compared to FIM? I'm getting an error page come up in the portal and have tried the following:
Hi,
Anyone know the time of expiration of the security code that is sent by e-mail gate in password reset portal?
I read somewhere that expiration occurs at the same time as the application session, but I did not see any Microsoft document with this information.
I appreciate any help!
Thanks in advance,
Vitor Silva
I've set up the BHOLD MA (Access Management Microsoft) in MIM 2016 to export users to the BHOLD Core.
I'm using the http://technet.microsoft.com/en-us/library/jj853094(v=ws.10).aspx lab guide to help me out.
The only difference, I'm preferring to use portal sync rules instead of using the attributeflow in the BHOLD MA itself. (easier and powerful)
I've configured a Synchronization rule in the FIM Portal, however, it complains that when I'm trying to flow department (MV) to OrganizationalUnit (CS) (a BHold orgunit is not the same as an AD OU) are not matching types: String versus Reference.
When I configure this on the BHOLD MA agent itself as explained in the above lab guide, there's no error!
Question: has anyone ever used portal sync rules to populate BHOLD CORE with users? Is it possible
Hello,
I have an issue during the execution of TemporalEventsJob.
On FIM Service, I have lot of alerts in Event viewer during the evaluation of SET Transitions. Each error is composed of 3 events:
1/ Error Event ID 3:
Reraised Error 1205, Level 13, State 51, Procedure CalculateRequestSetTransitionsStatementEvaluation, Line 153, Message: Transaction (Process ID 87) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
2/ Error Event ID 3:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 1205, Level 13, State 51, Procedure CalculateRequestSetTransitionsStatementEvaluation, Line 153, Message:
Transaction (Process ID 87) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader()
at Microsoft.ResourceManagement.Data.DataAccess.EvaluateRequest(RequestType request, RequestEvaluationOptions options)
--- End of inner exception stack trace ---
3/ Warning Event ID 2 :
Microsoft.ResourceManagement.WorkflowDataExchangeException: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem)
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
at Microsoft.ResourceManagement.Workflow.Activities.FunctionActivity.FunctionActivityStoreResultComplete(Object sender, QueueEventArgs e)
at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
at System.Workflow.Runtime.Scheduler.Run()
This issue is not constant. For example, I have no issue during 1 week, and one night, I encounter 4 or 5 errors on different objects.
Do you see this issue? Any idea of the origin?
I think there are bugs in the SPROC CalculateRequestSetTransitionsStatementEvaluation, or during the search for the MPR to apply. I see that requests in error don't have any applied MPR...
Thank you.
Anthony.
Hi
FIM 2010 on SharePoint 2013.
Mapped the Picture property to the thumbnailPhoto attribute and did a full sync.
Everything works fine except importing profile pictures.
I can see them in the mms_metaverse table. They are not created in the user photos list from my site root with names as partitionid_id of user, from where I can transform with update-spphotostore.
No errors in ULS or Event Viewer.
What should I check more?
Thank you,
Sorin
Sorin Sandu
Hi Gurus,
One quick query. Is there an option in MIM to provide reminders on a daily basis for approvals, and is there also a way for the approvers to reject approval mails with comments?
Regards,
Manuj Khurana
Hello!
I need to make outbound sync rule for users.
I have HR system with all employee data and Microsoft AD.
Main rules are:
1. If employeeStatus in MV=0 this is normal, not blocked account.
2. If employeeStatus in MV=1,2,3 this is locked account.
This can be done with flow like this:
Source Tab
  Function
  Function name: IIF
  condition:Boolean
    customExpression: Eq(employeeStatus,"0")
  ValueTrue:Object
    customExpression: BitAnd(-3,userAccountControl)
  valueFalse:Object
    CustomExpression: BitOr(2,userAccountControl)
Destination Tab
  userAccountControl
But what will happen with system accounts (they are defined in AD, but not defined in the HR system)?
They will be locked?
I'm a little bit confused with statuses 1,2,3. Maybe it would be better to make a rule extension to handle this case?
Thanks!
Hello,
We are trying to change the employee's Manager when the Department attribute changes, and I am unable to change the manager attribute using the MIMWAL Update Resource activity. Below are the values I am trying to use:
Value | Target
InsertValues([//Queries/SalesManager/displayName]) | [//Target/Manager/ExplicitMember]
InsertValues([//Queries/SalesManager/displayName]) | [//Target/Manager]
InsertValues[//Queries/SalesManager/displayName] | [//Target/Manager]
"Sales Manager" | [//Target/Manager]
I am new to MIM and WAL; can you please help me get the correct format for this?
Thanks
Ahmed
Hi,
I'm provisioning users to AD based on an input from a CSV file (it's actually a CSVDE). I've successfully synced around 6000 users and that has worked fine for a number of months. The process I'm using is as follows:
1. File MA --> Full import and delta sync (loads data from CSV file)
2. FIM MA --> Export, delta import and delta sync (provisions user to FIM portal)
(wait 10 minutes)
3. AD MA --> Export, delta import and delta sync (provisions user and mailbox in AD)
4. FIM MA --> Export, delta import and delta sync (updates domain attribute in FIM portal)
I'm using declarative rules, similar to this: https://technet.microsoft.com/en-us/library/ee534908(v=ws.10).aspx
The HR file is authoritative (i.e. takes precedence
Today I realised that around 50 users were provisioned to the MV, had a file MA connector and a FIM connector, but not an AD connector. Looking at the account in the FIM portal I realised that the domain attribute was not populated for contoso and that an AD outbound sync rule was not pending.
I then decided to run the synchronisation steps at 1 to 4 above, but this time used full imports and full synchronisations. After doing this the number of accounts which did not have an AD MA connector dropped to around 10 (e.g. 40 additional accounts were provisioned to AD).
To provision the remaining 10 users, I firstly deleted the 10 users from my input CSV file and ran through the sync steps above. This ensured that the 10 users were removed from the MV and FIM portal. I then re-added the 10 users to my CSV and ran through the steps above, but this did not provision the 10 users! To ensure the 10 users and their mailboxes were created in AD/Exchange I did the following:
1. Logged on the FIM portal and checked to see if an AD outbound sync rule is pending (it's not).
2. Changed the user account employee type to "contractor" (bringing the user out of scope of a sync rule using the MPR\triple).
3. On the FIM MA, performed a delta import and delta sync. The MA shows an update, but prompts for a FIM MA export back to "FullTimeEmployee" for the user as the MV value takes precedence.
3b. I perform an export and delta import on the FIM MA.
4. The user account now shows as having an AD export sync rule pending.
5. If the synchronisation step in 3A shows an outbound synchronisation for the AD MA, I simply perform a:
5a. AD MA --> export, AD delta import & AD delta sync
5b. FIM MA --> export, delta import & delta sync
If the synchronisation step in 3A does not show an outbound synchronisation for the AD MA, I do the following:
5c. Change the domain attribute for the user to "contoso" using the drop down in the FIM portal when clicking on the user.
5d. FIM MA --> delta import and delta sync (MA reports update due to 5c).
5e. FIM MA --> export, delta import and delta sync.
5f. FIM MA --> delta import and delta sync (now the AD MA shows an outbound synchronisation)
5g. AD MA --> export, delta import and delta sync (user account and mailbox provisioned in AD)
5h. FIM MA --> export, delta import and delta sync (tidy up)
I don't know why these additional steps were required for the 10 users, it just feels as if they got stuck in the system!
Any ideas on how to avoid this oddness would be appreciated in future...
On a slightly different note, am I right in thinking that full synchronisations and imports on valid existing objects simply updates the existing object if applicable, rather than delete and create new objects?
Thanks in advance
IT Support/Everything
Hi..
We had configure MIM MA and AD MA all attributes sync correctly Manager while we already configure it in Inbound Sync rules and Outbound Sync rules, Also added in both MIM MA & AD MA.
Where is the issue?
Thanks
Ahmed
Hi,
Pls could someone explain SSPR and OTP.
In order to receive an OTP (either via email or phone), do people still need to register their Questions, and Answer them correctly to receive an OTP, and only then reset their password?
Or, with OTP, are you supposed to auto-register people with SSPR, and during a reset operation they would receive their OTP?
Thank you,
SK
Receiving this error:
An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
I have been through this article (https://jorgequestforknowledge.wordpress.com/2015/03/08/resolving-the-pwunrecoverableerror-error-with-fim-self-service-password-reset-sspr/) and still getting the same error.
At a bit of a loss now. Hoping someone could shed some light on this and help me out.
Thanks
Stephen
We have a requirement to create export files on different instances of application servers via FIM based on certain attribute value criteria. Is there any way of achieving this from one Management Agent, creating different files for users?
Also, during de-provisioning of users, we have to remove the connector and create other XML based on the instances where it was present. For a file-based Management Agent, in de-provisioning scenarios, does the mentioned code also generate the entries for the de-provisioned user as well?
public void ReadExportFile(KeyedCollection<string, ConfigParameter> configParameters,
                           Schema types,
                           ReadExportFileRunStep exportRunStep)
Regards,
Manuj Khurana
Hi,
We don't have AADConnect at the moment, looking at this screenshot, what options exist in the "Directory Type" drop down box?
Can this be any Directory Service? e.g. AD, ADLDS, OpenLDAP, etc etc?
Thank you
I've seen one video on Access on Demands & Entitlements on YouTube for providing time-based access to users. But I'm not able to find anything on how to add these features to the existing FIM setup. Can anybody please help in adding them to FIM, or is there any other way of achieving time-based access?
FYI - The product is "Blue Athene product add-on for Forefront Identity Manager 2010"
Regards,
Manuj Khurana
Hello,
I had protected my Excel file using IRM on Office 2010 Pro.
I am now using Office 365 Home. Now I am not able to access my Excel file.
Request inputs from anyone having knowledge regarding this.
Thanks!
Hi..
Is there any way to manage IBM AIX OS Accounts/Groups/Password using MIM 2016?
I tried to search and only found the third-party connector below:
Regards,