<b>Microsoft IAM</b><br />
This is the personal blog of Stefan van der Wiele, Infrastructure Engineer and specialist in Security and Identity Management. This blog will mostly be about Forefront Identity Manager 2010. (Author profile: http://www.blogger.com/profile/17735928998921603652)<br />
<br />
<b>Directory Synchronization tool 64-bit support</b> (2011-11-18)<br />
Finally it's here! The Directory Sync tool for Office 365, based on FIM 2010, so there is now 64-bit support.<br />
<br />
Source: http://community.office365.com/en-us/w/sso/555.aspx<br />
<br />
The next thing I'm going to try in my lab environment is extracting the MA from the sync tool to use it in native FIM 2010. :-) <br />
<br />
Keep you posted!<br />
<br />
<b>Tools4FIM RCDC Editor - NOW AVAILABLE!</b> (2010-12-14)<br />
The RCDC editor is a WYSIWYG editor for Resource Control Display Configurations (RCDCs). It accelerates and supports FIM user interface customization, saving heaps of time otherwise spent manually editing XML files. Once you have exported the Service configuration, you can browse through the RCDCs and configure them. You can then save the results and test them in FIM. As far as possible the RCDC Editor is designed not to allow illegal configurations, which is where so much time is normally wasted. Once you have used it, you won't go back to editing the configuration manually; and if you've never edited one manually, you'll never need to!<br />
<br />
<a href="http://www.tools4fim.com/rcdc-editor.aspx">Read more</a><br />
<br />
<b>FIM 2010: Delete a user when the end date is reached (Expiration Workflow)</b> (2010-11-30)<br />
If you are using the FIM portal, you have probably noticed the Expiration Workflow. This workflow can become very handy for deleting users from the FIM portal when their end date is reached.<br />
<br />
But how do you use it? I will provide you with a little manual that guides you through the steps.<br />
<br />
1. First create a set that will contain all users whose end date is equal to today:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4gZHlHvsSNULMSJKQQ4wi686OvLi_uYN_PgjGN9zf0RX7H_FE8TGAuKpE42g-otI9iCIXdDWRWOWld8aV26sSWN8MZtrhAUeb6J49TzK1aNl9fHuVo5cwLVLC5qmi4U-Kg8q_S4FnqaQ/s1600/set+expired.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4gZHlHvsSNULMSJKQQ4wi686OvLi_uYN_PgjGN9zf0RX7H_FE8TGAuKpE42g-otI9iCIXdDWRWOWld8aV26sSWN8MZtrhAUeb6J49TzK1aNl9fHuVo5cwLVLC5qmi4U-Kg8q_S4FnqaQ/s400/set+expired.PNG" width="400" /></a></div><br />
<br />
2. Then create a set that contains the Expiration Workflow, because you need to grant the Expiration Workflow the right to delete a user object.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6kA3Y1FCCu-V6Tub3n3CKvYxULuAOtryqrUzyvwLMZhmcZZ7T1jyEw1-BIwJw1vo2SJDj2E_QYFzwgvBbtese3tCPRLkrBrLRJ_7kUvqZpye78JDSJn4QKge1ByK4q4TOzB-7sGGHR3s/s1600/set+expiration.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6kA3Y1FCCu-V6Tub3n3CKvYxULuAOtryqrUzyvwLMZhmcZZ7T1jyEw1-BIwJw1vo2SJDj2E_QYFzwgvBbtese3tCPRLkrBrLRJ_7kUvqZpye78JDSJn4QKge1ByK4q4TOzB-7sGGHR3s/s400/set+expiration.PNG" width="400" /></a></div><br />
<br />
3. Then you need to configure rights for the Expiration Workflow to delete a user object:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXPvW_erJZY541aNuBwbbkhNCotu0yL5A5mjwZbhmPA565bUeaFqlsPDGKgG_LBW4iQGWAsWZTK3VHubssjsJuNxkNzUU1hnefLQJQcVkY8K8pIZFUxdknK_njO84EKKfUDXax4rXm6vE/s1600/mpr+expiration.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXPvW_erJZY541aNuBwbbkhNCotu0yL5A5mjwZbhmPA565bUeaFqlsPDGKgG_LBW4iQGWAsWZTK3VHubssjsJuNxkNzUU1hnefLQJQcVkY8K8pIZFUxdknK_njO84EKKfUDXax4rXm6vE/s400/mpr+expiration.PNG" width="400" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4XhQuT8LTmXdA8Fh54QHdjB4z3g_wFpOfy267fDitRq-q8pHVe50OyzVnde87oCO1-FCX4h1P5JvaSP0d5MKbEPGFtula4vh4vxD801_ep9uEI3peyg6fdMuhvz0RWqyOHYOp7t5xysI/s1600/mpr+expiration+2.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4XhQuT8LTmXdA8Fh54QHdjB4z3g_wFpOfy267fDitRq-q8pHVe50OyzVnde87oCO1-FCX4h1P5JvaSP0d5MKbEPGFtula4vh4vxD801_ep9uEI3peyg6fdMuhvz0RWqyOHYOp7t5xysI/s400/mpr+expiration+2.PNG" width="400" /></a></div><br />
<br />
4. And then you need to create an MPR that launches the Expiration Workflow when a user joins the set.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRweX9Qt5xfF5nl-d1urHlzlUaMNrNQNKQFxXIXNOhBCbctbAWMxdw4ZyI_IOgHg-LjLTFVi9s0TdO_rpmz2oDbw8I80HTbuhbkaEbvka8ZsWswPUFy8HH-scAG_0rDSxurKaYKNfhTxc/s1600/mpr+1.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRweX9Qt5xfF5nl-d1urHlzlUaMNrNQNKQFxXIXNOhBCbctbAWMxdw4ZyI_IOgHg-LjLTFVi9s0TdO_rpmz2oDbw8I80HTbuhbkaEbvka8ZsWswPUFy8HH-scAG_0rDSxurKaYKNfhTxc/s400/mpr+1.PNG" width="400" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCOcM8w9lxXFdNW9U5Dik1Zwy3aYGx7PEpECfYs-_wIoKTNKhOEMA7T6pEqe9gmZf5DMk6p_DkKI7g56xE2FdDLa7fdEstIyBHYr7ixiceBGdYjzQLoRPeBrLvdkQVXaq3YgoqBAGr6x8/s1600/mpr+2.PNG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="310" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCOcM8w9lxXFdNW9U5Dik1Zwy3aYGx7PEpECfYs-_wIoKTNKhOEMA7T6pEqe9gmZf5DMk6p_DkKI7g56xE2FdDLa7fdEstIyBHYr7ixiceBGdYjzQLoRPeBrLvdkQVXaq3YgoqBAGr6x8/s400/mpr+2.PNG" width="400" /></a></div><br />
<br />
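Before enabling the MPR from step 4, it is worth checking exactly which users the set from step 1 currently contains, because every member will be handed to the Expiration Workflow and deleted. The following PowerShell script is an added example and not part of the original post. It uses the FIMAutomation snap-in and assumes the FIM Service listens on localhost:5725; the set name "Expired Users" and the MPR name "Expiration: delete user" are placeholders, so substitute the display names you chose in steps 1 and 4.<br />

```powershell
# Added example (not the post's own code): dry-run for the expiration setup.
# Assumptions: FIMAutomation snap-in installed, FIM Service on localhost:5725,
# placeholder display names for the set (step 1) and the MPR (step 4).
param(
    [string]$SetName = 'Expired Users',
    [string]$MprName = 'Expiration: delete user',
    [string]$Uri     = 'http://localhost:5725/resourcemanagementservice'
)

if (@(Get-PSSnapin | Where-Object { $_.Name -eq 'FIMAutomation' }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}

# Read one attribute from an object returned by Export-FIMConfig
# (multi-valued attributes come back as an array of values).
function Get-FimAttribute {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Run an XPath query against the FIM Service and always return an array.
function Find-FimObjects {
    param([string]$XPath)
    return @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath |
             Where-Object { $_ -ne $null })
}

# 1. The set from step 1: show its filter so a wrong date condition is caught early.
$sets = Find-FimObjects "/Set[DisplayName='$SetName']"
if ($sets.Count -ne 1) { throw "Expected exactly one set named '$SetName', found $($sets.Count)" }
Write-Host "Set filter : $(Get-FimAttribute $sets[0] 'Filter')"

# 2. Its current members: these are the Person objects the TransitionIn MPR
#    would hand to the Expiration Workflow, i.e. the users that would be deleted.
$members = Find-FimObjects "/Person[ObjectID = /Set[DisplayName='$SetName']/ComputedMember]"
Write-Host ("{0} user(s) currently in the set:" -f $members.Count)
foreach ($m in $members) {
    Write-Host ("  {0,-30} {1,-20} end date {2}" -f (Get-FimAttribute $m 'DisplayName'),
                                                    (Get-FimAttribute $m 'AccountName'),
                                                    (Get-FimAttribute $m 'EmployeeEndDate'))
}

# 3. The MPR from step 4: confirm it exists, which workflow it runs and whether
#    it is still disabled (keep it disabled until the member list above looks right).
$mprs = Find-FimObjects "/ManagementPolicyRule[DisplayName='$MprName']"
if ($mprs.Count -ne 1) { throw "Expected exactly one MPR named '$MprName', found $($mprs.Count)" }
$workflows = Find-FimObjects "/WorkflowDefinition[ObjectID = /ManagementPolicyRule[DisplayName='$MprName']/ActionWorkflowDefinition]"
$workflowNames = @()
foreach ($wf in $workflows) { $workflowNames += Get-FimAttribute $wf 'DisplayName' }
Write-Host ("MPR type   : {0}" -f (Get-FimAttribute $mprs[0] 'ManagementPolicyRuleType'))
Write-Host ("Disabled   : {0}" -f (Get-FimAttribute $mprs[0] 'Disabled'))
Write-Host ("Workflows  : {0}" -f ($workflowNames -join ', '))
```

Run it on the FIM Service machine with the real display names. The member list is the same list the set-transition MPR will act on, so leave the MPR disabled until that list contains only the users you expect to lose.<br />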
After creating this MPR, users will be deleted from the FIM portal when their end date is reached. If you also want to delete them from other connected systems, you need to configure the Object Deletion rules in the FIM Synchronisation Engine and configure deprovisioning.<br />
<br />
<b>Learning FIM (virtual labs)</b> (2010-11-24)<br />
If you want to try FIM but don't have your own test environment, you can use the Microsoft Virtual Labs. In this blog post I will provide links to the different Virtual Labs.<br />
<b><span class="Apple-style-span" style="font-family: inherit;">Virtual labs</span></b><br />
<ul><li><div id="title6"><a href="http://technet.microsoft.com/en-us/bb499665.aspx" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" target="_blank"><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Labs: Forefront Security</span></a></div><div></div></li>
<li><a href="http://go.microsoft.com/?linkid=9726327" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Forefront Identity Manager (FIM) 2010 Overview"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Forefront Identity Manager (FIM) 2010 Overview</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736442" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: The FIM Experience"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: The FIM Experience</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736540" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Importing and Synchronizing Data"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Importing and Synchronizing Data</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736441" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Joining Data from Another MA and Provisioning AD LDS"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Joining Data from Another MA and Provisioning AD LDS</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736763" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Managing Users in the FIM Portal"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Managing Users in the FIM Portal</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736764" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Creating the FIM MA and Synchronizing"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Creating the FIM MA and Synchronizing</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736841" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Inbound Synchronization Rules"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Inbound Synchronization Rules</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9736828" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Synchronizing Active Directory Users"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Synchronizing Active Directory Users</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9737143" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Password Self-service and Configuring PCNS"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Password Self-service and Configuring PCNS</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9737524" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;"><span><span class="Apple-style-span" style="font-family: inherit;">Technet Virtual Lab<strong>:</strong> Distribution Groups and Provisioning Distribution Groups in Active Directory</span></span></a><span class="Apple-style-span" style="font-family: inherit;"> </span></li>
<li><a href="http://go.microsoft.com/?linkid=9737525" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;"><span><span class="Apple-style-span" style="font-family: inherit;">Technet Virtual Lab: Security Groups and Provisioning Security Groups in Active Directory</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9737005" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Backup, Restore, and Disaster Recovery, MA Run Scripts, and Final Configuration"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Backup, Restore, and Disaster Recovery, MA Run Scripts, and Final Configuration</span></span></a></li>
<li><a href="http://go.microsoft.com/?linkid=9737149" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Managing Groups- Lab A"><span><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Managing Groups- Lab A</span></span></a></li>
<li><span style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;"><a href="http://go.microsoft.com/?linkid=9737372" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;" title="TechNet Virtual Lab: Managing Groups- Lab B"><span class="Apple-style-span" style="font-family: inherit;">TechNet Virtual Lab: Managing Groups- Lab B</span></a></span></li>
</ul><br />
<b>PowerShell: Create a FIM user and add the SID from AD</b> (2010-11-09)<br />
Today I created a PowerShell script that displays an input box where you can enter a username; after that the script creates a new user in the FIM portal, finds the SID in AD and adds it to the user.<br />
<br />
This script is a combination of two scripts found on the TechNet forum with a little bit of custom code.<br />
<br />
The code is a little bit "dirty"; it needs some optimisation.<br />
<br />
The code is below:<br />
<br />
<br />
<pre class="scroll"><code class="powershell">[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')

#----------------------------------------------------------------------------------------------------------
# FIM Service endpoint; shared by every Export-FIMConfig / Import-FIMConfig call below
Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant
#----------------------------------------------------------------------------------------------------------
# Load the FIMAutomation snap-in once instead of checking inside every function
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }
#----------------------------------------------------------------------------------------------------------
function SetAttribute
{
    PARAM($object, $attributeName, $attributeValue)
    END
    {
        # Queue one ImportChange (Operation 1 = add the value) on the pending ImportObject
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1
        $importChange.AttributeName = $attributeName
        $importChange.AttributeValue = $attributeValue
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        if ($object.Changes -eq $null) { $object.Changes = (,$importChange) }
        else { $object.Changes += $importChange }
    }
}
#----------------------------------------------------------------------------------------------------------
function CreateObject
{
    PARAM($objectType)
    END
    {
        # A fresh ImportObject defaults to State = Create; the GUID is only a client-side handle
        $newObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $newObject.ObjectType = $objectType
        $newObject.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
        $newObject
    }
}
#----------------------------------------------------------------------------------------------------------
function CreateUser
{
    # $attributeString has the form "DisplayName:value|AccountName:value|..."
    PARAM([string]$attributeString)
    Clear-Host

    if (-not $attributeString) { throw "You need to specify your attribute values as parameter" }
    $attributes = $attributeString.Split("|")

    if (0 -ne [String]::Compare(($attributes[0]).Split(":")[0], "displayname", $true))
        { throw "You need to specify a display name" }

    # Refuse to create a duplicate: look the display name up in the FIM Service first
    $objectName = ($attributes[0]).Split(":")[1]
    $exportObject = Export-FIMConfig -Uri $URI `
                        -OnlyBaseResources `
                        -CustomConfig "/Person[DisplayName='$objectName']"
    if ($exportObject) { throw "L:User $objectName already exists" }

    $newUser = CreateObject -objectType "Person"
    foreach ($attribute in $attributes)
    {
        $attrData = $attribute.Split(":")
        SetAttribute -object $newUser `
                     -attributeName $($attrData[0]) `
                     -attributeValue $($attrData[1])
    }

    $newUser | Import-FIMConfig -Uri $URI
    Write-Host "`nUser created successfully`n"
}
#----------------------------------------------------------------------------------------------------------
trap
{
    # Messages prefixed with "L:" are expected conditions; everything else is reported as an error
    $exMessage = $_.Exception.Message
    if ($exMessage.StartsWith("L:"))
        { Write-Host "`n" $exMessage.Substring(2) "`n" -ForegroundColor White -BackgroundColor DarkBlue }
    else { Write-Host "`nError: " $exMessage "`n" -ForegroundColor White -BackgroundColor DarkRed }
    Exit
}
#----------------------------------------------------------------------------------------------------------
function GetSidAsBase64
{
    PARAM($AccountName, $Domain)
    END
    {
        # Resolve DOMAIN\account to its SID through the local security authority
        $ntaccount = New-Object System.Security.Principal.NTAccount -ArgumentList $Domain, $AccountName
        $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
        Write-Host " -Account SID : ($Domain\$AccountName) $desiredSid"
        # FIM stores ObjectSID as the Base64 form of the binary SID; size the buffer from the SID itself
        # instead of a fixed 28-byte array, so SIDs of any length are encoded without trailing bytes
        $sidArray = New-Object byte[] ($desiredSid.BinaryLength)
        $desiredSid.GetBinaryForm($sidArray, 0)
        [System.Convert]::ToBase64String($sidArray)
    }
}

function fixSid
{
    PARAM([string]$AccountName, [string]$Domain)
    Clear-Host
    #------------------------------------------------------------------------------------------------------
    Write-Host "`nFix Account ObjectSID"
    Write-Host "=========================="
    #------------------------------------------------------------------------------------------------------
    # Retrieve the Base64 encoded SID for the referenced user
    $accountSid = GetSidAsBase64 $AccountName $Domain
    #------------------------------------------------------------------------------------------------------
    # Export the account configuration from the service:
    Write-Host " -Reading Account information"
    $exportObject = Export-FIMConfig -Uri $URI `
                        -OnlyBaseResources `
                        -CustomConfig ("/Person[AccountName='$AccountName']")
    if ($exportObject -eq $null) { throw "Cannot find an account by that name" }
    $objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes | `
                    Where-Object { $_.AttributeName -eq "ObjectSID" }

    Write-Host " -New Value = $accountSid"
    Write-Host " -Old Value =" $objectSID.Value

    if ($accountSid -eq $objectSID.Value)
    {
        Write-Host "Existing value is correct!"
    }
    else
    {
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1
        $importChange.AttributeName = "ObjectSID"
        $importChange.AttributeValue = $accountSid
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        # State 1 = Put: update the existing object identified by TargetObjectIdentifier
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $exportObject.ResourceManagementObject.ObjectType
        $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.State = 1
        $importObject.Changes = (,$importChange)
        Write-Host " -Writing Account information ObjectSID = $accountSid"
        $importObject | Import-FIMConfig -Uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
        if ($Err) { throw $Err }
        Write-Host "Success!"
    }
    #------------------------------------------------------------------------------------------------------
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
        Exit
    }
    #------------------------------------------------------------------------------------------------------
}

# Ask for the account, create the Person in the FIM portal and stamp the AD SID on it.
# The domain is assumed to be the one this session is logged on to ($env:USERDOMAIN).
$c = [Microsoft.VisualBasic.Interaction]::InputBox("Enter the admin account that needs access to FIM", "Create FIM admin account")

if ($c.Trim()) {
    CreateUser "DisplayName:$c|AccountName:$c"
    fixSid -AccountName $c -Domain $env:USERDOMAIN
}</code></pre>
<br />
<b>FIM 2010 Self-Service Password Reset Now Supports All Domain Password Policies</b> (2010-11-04)<br />
<div style="border-bottom-style: none; border-bottom-width: 0px; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0px; border-right-style: none; border-right-width: 0px; border-style: initial; border-top-style: none; border-top-width: 0px; border-width: initial; font-family: inherit; font-style: inherit; font-weight: inherit; list-style-type: none; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;">FIM 2010 Self-Service Password Reset now supports all domain password policies. It was a joint effort between the Windows Active Directory and FIM development teams to provide this new functionality. </div><div style="border-bottom-style: none; border-bottom-width: 0px; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0px; border-right-style: none; border-right-width: 0px; border-style: initial; border-top-style: none; border-top-width: 0px; border-width: initial; font-family: inherit; font-style: inherit; font-weight: inherit; list-style-type: none; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;">Details of this change can be found in <a href="http://support.microsoft.com/KB/2443871" style="border-bottom-style: none; border-bottom-width: 0px; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0px; border-right-style: none; border-right-width: 0px; border-style: initial; border-top-style: none; border-top-width: 0px; border-width: initial; color: #0066dd; cursor: pointer; font-family: inherit; font-style: inherit; font-weight: inherit; list-style-type: none; 
margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;">http://support.microsoft.com/KB/2443871</a>.</div><br />
<b>Troubleshooting FIMService / FIMPortal / Password Reset Client</b> (2010-09-29)<br />
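This post walks through enabling .NET tracing for the Password Reset Client by hand: back up the config, uncomment the <i>system.diagnostics</i> block, raise the <i>Warning</i> switch to <i>Verbose</i>, create C:\Logs with rights for NETWORK SERVICE and restart the FIMPasswordReset service. The script below is an added example and not part of the original post; it performs those same steps against PwdMgmtProxy.exe.config at the default path the post gives. The listener names, the source name and the service name are taken from the post; that the file still contains the commented-out block exactly as shown is an assumption.<br />

```powershell
# Added example (not the post's own code): enable tracing for the Password Reset
# Client in one go. Assumptions: default install path from the post, the trace
# section is still the commented-out block shown in the post, and the service is
# named FIMPasswordReset as the post says. Run in an elevated PowerShell session.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe.config',
    [string]$LogDir = 'C:\Logs',
    [switch]$VerboseEventLog   # also raise the event log filter from Error to Verbose (post's step 3)
)

# Step 0: always back up the config file before touching it.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup
Write-Host "Backup written to $backup"

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($ConfigPath)
$root = $doc.DocumentElement   # <configuration>

# Step 1: uncomment <system.diagnostics>. To the XML parser the commented block is
# a single comment node whose text is the XML we want, so parse that text and
# swap the resulting nodes in for the comment.
$comment = $root.ChildNodes | Where-Object {
    $_.NodeType -eq [System.Xml.XmlNodeType]::Comment -and $_.Value -match '<system\.diagnostics>'
} | Select-Object -First 1
if ($comment) {
    $fragment = $doc.CreateDocumentFragment()
    $fragment.InnerXml = $comment.Value
    [void]$root.ReplaceChild($fragment, $comment)
}
$diag = $root.SelectSingleNode('system.diagnostics')
if ($diag -eq $null) { throw 'No <system.diagnostics> section found in the config file' }

# Step 2: Warning -> Verbose on the Microsoft.ResourceManagement source.
$source = $diag.SelectSingleNode("sources/source[@name='Microsoft.ResourceManagement']")
if ($source -eq $null) { throw 'Trace source Microsoft.ResourceManagement not found' }
$source.SetAttribute('switchValue', 'Verbose')

# Step 3 (optional): let the event log listener see everything as well.
if ($VerboseEventLog) {
    $filter = $source.SelectSingleNode("listeners/add[@name='myEventListener']/filter")
    if ($filter) { $filter.SetAttribute('initializeData', 'Verbose') }
}

# Keep the file listener's path in line with the folder created in step 4.
$fileListener = $source.SelectSingleNode("listeners/add[@name='ResourceManagementListener']")
if ($fileListener) { $fileListener.SetAttribute('initializeData', (Join-Path $LogDir 'PwdMgmtProxy.svclog')) }
$doc.Save($ConfigPath)
Write-Host "Tracing enabled in $ConfigPath"

# Step 4: create the log folder and grant NETWORK SERVICE full control on it,
# inherited by the files the listener will create.
if (-not (Test-Path $LogDir)) { [void](New-Item -ItemType Directory -Path $LogDir) }
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            'NT AUTHORITY\NETWORK SERVICE', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# Step 5: restart the service so the new config is read.
Restart-Service -Name FIMPasswordReset
Write-Host "Service restarted; traces go to $(Join-Path $LogDir 'PwdMgmtProxy.svclog')"
```

The backup from step 0 is the quickest way back once troubleshooting is done: copy it over the config and restart the service again, since a Verbose trace file grows quickly on a busy client.<br />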
<div style="margin-top: 0px;">FIM is a complex product. Once in a while I find myself clueless about why something does not work. I have the advantage of having access to the source code and being able to debug. Attaching a debugger isn't a 5-second task, though, and very often the answer is actually in the log. In this blog post I will talk about how to enable tracing.</div><div style="margin-top: 0px;"><b>Warning: you should always back up your config file before making any change.</b></div><h1 style="clear: both; color: #3a3e43; font-family: 'Segoe UI Semibold', 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 1.8em; font-weight: normal; line-height: 28px; margin-bottom: 5px; margin-left: 0px; margin-right: 0px; margin-top: 5px;"><b>Let's start with the easiest - Password Reset Client</b>.</h1><div style="margin-top: 0px;">The following is the config file for the client at C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe.config.</div><pre class="scroll" style="border-bottom-color: rgb(221, 221, 221); border-bottom-style: solid; border-bottom-width: 1px; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; border-right-color: rgb(221, 221, 221); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(221, 221, 221); border-top-style: solid; border-top-width: 1px; font-size: 1.2em; margin-bottom: 12px; overflow-x: auto; overflow-y: auto; padding-bottom: 2px; padding-left: 6px; padding-right: 6px; padding-top: 2px; width: 561px;"><code class="html"><?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
<section
name="resourceManagementClient"
type="Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClientSection, Microsoft.ResourceManagement"/>
</configSections>
<resourceManagementClient
resourceManagementServiceBaseAddress="http://localhost:5725"
timeoutInMilliseconds="60000" />
<appSettings>
<add key="NamedPipeTimeout" value="10000"/>
</appSettings>
<span style="background-color: yellow;"><!--</span>
<system.diagnostics>
<sources>
<source name="<span style="background-color: yellow;">Microsoft.ResourceManagement</span>" switchValue="<span style="background-color: yellow;">Warning</span>">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add initializeData="<span style="background-color: yellow;">C:\Logs\PwdMgmtProxy.svclog</span>"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ResourceManagementListener" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
<filter type="" />
</add>
<add initializeData="Application" type="System.Diagnostics.EventLogTraceListener"
name="myEventListener">
<filter type="System.Diagnostics.EventTypeFilter" initializeData="<span style="background-color: yellow;">Error</span>" />
</add>
<add type="System.Diagnostics.ConsoleTraceListener" name="myConsoleListener"
traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
<filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
</add>
</listeners>
</source>
</sources>
<trace autoflush="true" indentsize="0" />
</system.diagnostics>
<span style="background-color: yellow;">--></span>
</configuration></code></pre><div style="margin-top: 0px;">FIM uses the standard <a href="http://msdn.microsoft.com/en-us/library/zs6s4h68%28VS.85%29.aspx" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;">.NET Tracing and Instrumenting</a> libraries. I have highlighted a few important things in the config file:</div><ol style="list-style-type: decimal;"><li>The entire <i><system.diagnostics>...</system.diagnostics></i> section is commented out. You will need to uncomment it.</li>
<li>The managed part of FIM (FIMService / FIMPortal / Pwd Reset Client) shares the same tracing library, and all traces are written to the source <i>Microsoft.ResourceManagement</i>. You should not change this part.</li>
<li>The <i>Warning</i> switch means that, of all FIM-specific traces, only those of Warning level and above are considered. Notice that nothing has been logged so far.</li>
<li>Traces that pass the switch are handed to each of the <i>listeners</i>:<ol style="list-style-type: lower-alpha;"><li>The XmlWriterTraceListener writes all of them to the file C:\Logs\PwdMgmtProxy.svclog.</li>
<li>The EventLogTraceListener applies a further filter, keeping only traces of Error level and above, and writes those to the event log.</li>
</ol></li>
</ol><div style="margin-top: 0px;">So to enable tracing for the Password Reset Client, you will need to:</div><ol style="list-style-type: decimal;"><li>Uncomment <i><system.diagnostics>...</system.diagnostics></i></li>
<li>Change <i>Warning</i> to <i>Verbose</i></li>
<li>If you want everything to be written to the event log as well, change <i>Error</i> to <i>Verbose</i> too</li>
<li>Create C:\Logs and grant NETWORK SERVICE full access on that folder so the trace file can be created.</li>
<li>Restart the FIMPasswordReset service</li>
</ol><h1 style="clear: both; color: #3a3e43; font-family: 'Segoe UI Semibold', 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 1.8em; font-weight: normal; line-height: 28px; margin-bottom: 5px; margin-left: 0px; margin-right: 0px; margin-top: 5px;">FIMService and FIMPortal are really the same</h1><div style="margin-top: 0px;">The FIMService config file already contains inline comments on how to enable tracing. You can follow those steps.</div><div style="margin-top: 0px;">If you want to log everything, you can replace the <system.diagnostics> section with the following. <b>Warning: the trace file gets really huge.</b></div><b><pre class="scroll" style="border-bottom-color: rgb(221, 221, 221); border-bottom-style: solid; border-bottom-width: 1px; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; border-right-color: rgb(221, 221, 221); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(221, 221, 221); border-top-style: solid; border-top-width: 1px; font-size: 1.2em; margin-bottom: 12px; overflow-x: auto; overflow-y: auto; padding-bottom: 2px; padding-left: 6px; padding-right: 6px; padding-top: 2px; width: 561px;"><code class="html"><b><system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
<source name="System.ServiceModel" switchValue="Critical,ActivityTracing"
propagateActivity="true">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
<source name="Microsoft.ResourceManagement" switchValue="Verbose,ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="<span style="background-color: yellow;">C:\Logs\Microsoft.ResourceManagement.Service_messages.svclog</span>"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
<filter type="" />
</add>
<add initializeData="<span style="background-color: yellow;">C:\Logs\Microsoft.ResourceManagement.Service_tracelog.svclog</span>"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics></b></code></pre></b><div style="margin-top: 0px;">For FIMPortal, you need to change the two highlighted filenames to something else. For example, use:</div><ul><li>ILMPortal.Client_messages.svclog</li>
<li>ILMPortal.Client_tracelog.svclog</li>
</ul><div style="margin-top: 0px;">The <i>*_tracelog.svclog</i> file contains all the FIM-specific traces instrumented by the FIM team (you will spend 99% of your time in this file). The <i>*_messages.svclog</i> file, on the other hand, contains the WCF-specific traces.</div><h1 style="clear: both; color: #3a3e43; font-family: 'Segoe UI Semibold', 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 1.8em; font-weight: normal; line-height: 28px; margin-bottom: 5px; margin-left: 0px; margin-right: 0px; margin-top: 5px;">How to Get Rid of the Generic FIMPortal Error Page?</h1><div style="margin-top: 0px;">When there is an error in FIMPortal, you will see the following screen, which contains no useful information at all.</div><div style="margin-top: 0px;"><img height="418" src="http://lh6.ggpht.com/_ogW55ub7GXo/TBlEUukS31I/AAAAAAAAAL8/N6HS45jt7Dk/s1600/image%5B5%5D.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-top-style: none; border-top-width: 0pt; height: auto !important; max-width: 550px; overflow-x: hidden; overflow-y: hidden;" width="640" /></div><div style="margin-top: 0px;"><a href="http://setspn.blogspot.com/2010/06/fim-2010-enable-advanced-error-logging.html" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;">Thomas Vuylsteke has blogged about how to get rid of that</a> and get a full stack trace instead, which is usually enough for you to troubleshoot FIMPortal issues.</div><div style="margin-top: 0px;"><br />
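The five steps listed above for the Password Reset Client (uncomment the block, raise the switch to Verbose, optionally raise the event log filter, create C:\Logs with NETWORK SERVICE access, restart FIMPasswordReset) as one PowerShell script. This is an added example, not code from the original post, from the TechNet source it cites, or from the FIM product. It assumes the config file looks like the listing above (the whole <system.diagnostics> element wrapped in a single <!-- ... --> comment), PowerShell 3.0 or later for Get-Content -Raw, and a $ConfigPath placeholder that you replace with the real path of the Password Reset Client config file; the service name, folder, account and file name are the ones the post gives.

```powershell
<#
  Added example (not from the original post or the FIM product): applies the
  five Password Reset Client tracing steps above in order.
  Assumption: $ConfigPath is a placeholder; point it at the real config file.
#>
param(
    [string]$ConfigPath  = 'C:\PLACEHOLDER\PasswordReset.exe.config',  # placeholder, not a real path
    [string]$LogFolder   = 'C:\Logs',                                  # folder from the listing above
    [string]$ServiceName = 'FIMPasswordReset',                         # service from step 5 above
    [switch]$EventLogVerbose                                           # step 3: also send everything to the event log
)

$ErrorActionPreference = 'Stop'

# Step 1: keep a backup, then strip the <!-- ... --> wrapper around <system.diagnostics>.
Copy-Item -Path $ConfigPath -Destination ("{0}.bak-{1}" -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss'))
$raw = Get-Content -Path $ConfigPath -Raw
$commentedBlock = '(?s)<!--\s*(<system\.diagnostics>.*?</system\.diagnostics>)\s*-->'
if ($raw -match $commentedBlock) {
    $raw = [regex]::Replace($raw, $commentedBlock, '$1')
}

# Steps 2 and 3: change the switch and the event log filter as XML attributes rather
# than by text replace, so nothing else in the file is touched.
[xml]$cfg = $raw
$source = @($cfg.configuration.'system.diagnostics'.sources.source) |
    Where-Object { $_.GetAttribute('name') -eq 'Microsoft.ResourceManagement' }
if (-not $source) { throw "Trace source Microsoft.ResourceManagement not found in $ConfigPath" }
$source.SetAttribute('switchValue', 'Verbose')                       # was Warning

if ($EventLogVerbose) {
    @($source.listeners.add) |
        Where-Object { $_.GetAttribute('type') -eq 'System.Diagnostics.EventLogTraceListener' } |
        ForEach-Object { $_.filter.SetAttribute('initializeData', 'Verbose') }   # was Error
}
$cfg.Save($ConfigPath)

# Step 4: create C:\Logs and give NETWORK SERVICE (the service account) full control,
# inherited by the .svclog files the listener creates. No other principal is added.
if (-not (Test-Path -Path $LogFolder)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}
$acl  = Get-Acl -Path $LogFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'NT AUTHORITY\NETWORK SERVICE', 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogFolder -AclObject $acl

# Step 5: restart the service so it reads the new config, then confirm the trace file appears.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5
$traceFile = Join-Path -Path $LogFolder -ChildPath 'PwdMgmtProxy.svclog'   # initializeData of the XmlWriterTraceListener above
if (Test-Path -Path $traceFile) {
    Write-Host "Verbose tracing enabled; traces are written to $traceFile"
} else {
    Write-Warning "Service restarted but $traceFile was not created yet; check the Application event log for listener errors"
}
```

Run it elevated on the server that hosts the Password Reset Client, with -EventLogVerbose only if you really want every trace in the Application log. For FIMService and FIMPortal the XML edits do not apply as-is, because there you paste the complete <system.diagnostics> listing above instead of un-commenting one; only the folder ACL and the service restart carry over.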
</div><div style="margin-top: 0px;">Source: <span class="Apple-style-span" style="color: black; font-family: 'Times New Roman'; font-size: medium; line-height: normal;"><a href="http://blogs.technet.com/b/aho/archive/2010/09/29/troubleshooting-fimservice-fimportal-password-reset-client.aspx">http://blogs.technet.com/b/aho/archive/2010/09/29/troubleshooting-fimservice-fimportal-password-reset-client.aspx</a></span></div>Stefanhttp://www.blogger.com/profile/17735928998921603652noreply@blogger.com0tag:blogger.com,1999:blog-6559816863563796527.post-70038919118551787042010-09-27T18:32:00.000+02:002010-09-27T18:32:01.138+02:00Do you need a Unique Name Generator for Forefront Identity Manager 2010?One thing that is not present by default in FIM 2010 is a unique name generator (for account names). You can create your own custom workflow activity or use an existing solution like:<br />
<br />
<span class="Apple-style-span" style="font-family: Arial, Verdana, Tahoma, 'Lucida Sans Unicode', Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;"><a href="http://www.tools4fim.com/function-evaluator.aspx">http://www.tools4fim.com/function-evaluator.aspx</a></span></span><br />
Stefanhttp://www.blogger.com/profile/17735928998921603652noreply@blogger.com0tag:blogger.com,1999:blog-6559816863563796527.post-33384373803468875162010-09-21T15:51:00.002+02:002010-09-21T15:51:31.175+02:00PowerShell Activity for FIM<div style="color: #444444; font-family: Verdana; font-size: 11px; line-height: 17px;">Carol (MissMiis) has created a really nice activity for executing PowerShell scripts, both locally and remotely, which opens up all kinds of possibilities! Check it out!</div><div style="color: #444444; font-family: Verdana; font-size: 11px; line-height: 17px;"><a href="http://www.wapshere.com/missmiis/powershell-activity" style="background-attachment: initial; background-clip: initial; background-color: initial; background-image: url(http://idmcrisis.com/pics/remote.gif); background-origin: initial; background-position: 100% 0%; background-repeat: no-repeat no-repeat; color: #5c80b1; padding-right: 10px; text-decoration: none; white-space: nowrap;" target="_blank" title="http://www.wapshere.com/missmiis/powershell-activity"><strong>http://www.wapshere.com/missmiis/powershell-activity</strong></a></div>Stefanhttp://www.blogger.com/profile/17735928998921603652noreply@blogger.com0tag:blogger.com,1999:blog-6559816863563796527.post-39117048542831134792010-09-21T11:54:00.000+02:002010-09-21T11:54:50.696+02:00Welcome!Hi Everybody!<br />
<br />
On this blog I am going to share my experience with Forefront Identity Manager 2010. I hope it will help and entertain you :)<br />
<br />
Greetings,<br />
<br />
<br />
StefanStefanhttp://www.blogger.com/profile/17735928998921603652noreply@blogger.com0tag:blogger.com,1999:blog-6559816863563796527.post-34075706324397932782010-09-21T11:34:00.000+02:002010-09-21T11:34:00.132+02:00Troubleshooting Common FIM Provisioning Errors<span class="Apple-style-span" style="color: #333333; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 18px;"></span><br />
The objective of this article is to capture the most common synchronization errors and to provide troubleshooting steps to resolve them.<br />
<strong>Synchronization errors addressed in this article:</strong><br />
<ol style="list-style-type: decimal;"><li><a href="http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-common-fim-provisioning-errors.aspx#1" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;">Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: <strong>An object with DN "ABC" already exists in management agent "DEF"</strong></a></li>
<li><a href="http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-common-fim-provisioning-errors.aspx#2" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;">Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException:</a><strong><a href="http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-common-fim-provisioning-errors.aspx#2" style="color: #0066dd; cursor: pointer; font-weight: normal; outline-color: initial; outline-style: none; outline-width: initial; text-decoration: none;"> Object "ABC" does not have a parent object in management agent "DEF"</a></strong></li>
</ol><br />
<div><br />
</div><div><a href="http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-common-fim-provisioning-errors.aspx">Read more...</a></div>Stefanhttp://www.blogger.com/profile/17735928998921603652noreply@blogger.com0