DeleteExpiredSystemObjects bug?

October 27, 2015, 4:41 am

≫ Next: Get date and time when a user registered for password reset

≪ Previous: Is it advised to create two connectors in AADS for the same forest.

This stored procedure is run periodically by a SQL Server Agent job to prevent the database from growing too large and keeping FIM responsive.

BUT... What the procedure is doing is to delete all attributes on the objects in the database and leaving the main table [fim].[objects] to continue growing. ( The table [fim].[ObjectValueIdentifier] also has this behavour and doesen't get deleted from. )

In our database, with a total of 24 454 388 objects, 7 707 052 seems to be "deleted" objects. Doing a standard "Disk usage by Top Tables" report, [fim].[objects] and [fim].[ObjectValueIdentifier] is in top five.

Is there a reson why old expired objects with no attributes should/must remain in the database?

/ Jörgen

↧

Get date and time when a user registered for password reset

October 27, 2015, 5:37 am

≫ Next: FIM SSPR Gates

≪ Previous: DeleteExpiredSystemObjects bug?

Hi All,

I am currently exporting a list of users who registered for Password reset into a CSV and recently needed to add the date and time of the registration. Does anyone know the path lookup that can get this value or where it would be stored ?

The current script looks like this.

set-variable -name URI -value "http://identity.fimservice.local:5725/resourcemanagementservice' " -option constant
set-variable -name CSV -value "c:\ps\RegisteredResetPassUsers.csv" -option constant

clear

If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}

$Filter = "/Person[AuthNWFRegistered = /Set[ObjectID = '7c866fd3-cf65-46cf-a198-4ea2f84980ec']/ComputedMember]"
$curObject = export-fimconfig -uri $URI –onlyBaseResources -customconfig ($Filter) -ErrorVariable Err -ErrorAction SilentlyContinue

[array]$users = $null
foreach($Object in $curObject)
{
    $ResetPass = New-Object PSObject
    $UserDisplayName = (($Object.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "DisplayName"}).Value)
    $ResetPass | Add-Member NoteProperty "Display Name" $UserDisplayName

    $jobTitle = (($Object.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "jobTitle"}).Value)
    $ResetPass | Add-Member NoteProperty "Job Title" $jobTitle

    $UserEmail = (($Object.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "email"}).Value)
    $ResetPass | Add-Member NoteProperty "Email" $UserEmail
    $Users += $ResetPass
}

$users | export-csv -path $CSV -NoTypeInformation

Rob

↧

FIM SSPR Gates

October 27, 2015, 6:28 am

≫ Next: FIM SSPR OTP Gates

≪ Previous: Get date and time when a user registered for password reset

Can someone please guide me

I have SSPR configured with SMS OTP gate. The SMS Send - recivew operation is all working good.

I need to edit the gate in such a way that SMS OTP that is sent needs to be sent to email as well (Which is pretty much possible with PowerShell script)

However I need to edit the registration part. When we enable SMS GATE. It asks for Mobile number, I also need to ask Email and send the code to that email which is registered.

Thanks in advance..

↧

FIM SSPR OTP Gates

October 27, 2015, 6:28 am

≫ Next: What does a CD-Error 50 mean on Export?

≪ Previous: FIM SSPR Gates

Can someone please guide me

I have SSPR configured with SMS OTP gate. The SMS Send - recivew operation is all working good.

I need to edit the gate in such a way that SMS OTP that is sent needs to be sent to email as well (Which is pretty much possible with PowerShell script)

However I need to edit the registration part. When we enable SMS GATE. It asks for Mobile number, I also need to ask Email and send the code to that email which is registered.

Thanks in advance..

↧

What does a CD-Error 50 mean on Export?

October 27, 2015, 8:36 am

≫ Next: Password Reset for multiple AD Accounts

≪ Previous: FIM SSPR OTP Gates

Hi,

I have two Forests/Domains which FIM manages with no Trust between them. In this case, FIM Exports from the Metaverse/Forest A into Forest B. Its only a one-way operation.

On export, 2 groups fail export with a CD-Error 50 error. These groups are Domain Local security groups in Forest A.

Can anyone plz point me to where I can find a CD-Error 50 explanation or advise on what this means?

Thanks in advance for the help.

Thanks for your help! SdeDot

↧

Password Reset for multiple AD Accounts

October 27, 2015, 3:02 pm

≫ Next: How to create Management Agent in Synchronization Service programmatically using C#

≪ Previous: What does a CD-Error 50 mean on Export?

Hi,

I have need to provision multiple AD accounts in two different active directories, they share trust relationship, but are otherwise unrelated.

How is password reset achieved to the multiple active directories?

Thanks,

Sylvester

↧

How to create Management Agent in Synchronization Service programmatically using C#

October 27, 2015, 11:25 pm

≫ Next: FIM Extention question regarding multiple WAAD connectors

≪ Previous: Password Reset for multiple AD Accounts

Hello All,

I have created Management Agent in Synchronization Service graphically and all is working fine.

Now, I wan to create that MA programmatically with C# and also it's profile.

How can I do that, I did lot's of R&D, last 2 days, didn't found anything.

Any help would be greatly appreciated.

Thanks,

Naresh

↧

FIM Extention question regarding multiple WAAD connectors

October 28, 2015, 1:08 am

≫ Next: Generating sequential unique identifier in FIM portal

≪ Previous: How to create Management Agent in Synchronization Service programmatically using C#

Hi.

I've been having some issues with configuring FIM Syncronization Service for use with Single forest/domain, and multiple Office365/Azure tenants.

I've used this as my base and modified slightly some filters and attribute flows (mainly from local AD to Metaverse), and filters on the WAAD so that no user is synced twice or into the wrong WAAD.
Link to refrence: https://msdn.microsoft.com/en-us/library/dn511002(v=ws.10).aspx

So to the question (or issue) at hand.
I can't for the life of me figure out what I need to change to sync into multiple tenants. Some users (for a single tenant) is synced to the metaverse, but the others are not. I understand why they wont work, mostly because of this code in the extention, that is telling the extention to what MA it should connect to. If i change the name, other users will sync.

Any suggestion as to how I can rewrite this code to support more MA Connectors?

ConnectedMA ma = mvEntry.ConnectedMAs["Windows Azure Active Directory"];
                //Provision a new connector if none exist

                if (ma.Connectors.Count == 0)
                {
                    try
                    {
                        // Construct the Source Anchor for the new CSEntry
                        String sourceAnchor = mvEntry["sourceAnchor"].StringValue;//RulesCommon.ContructSourceAnchor(mvEntry);

                        // Determine the type of object to provision to Office365
                        Office365ObjectType office365ObjectType = GetOffice365ObjectType(mvEntry);

                        // Create a new connector.
                        CSEntry cs = ma.Connectors.StartNewConnector(office365ObjectType.ToString());

                        // Create the RDN string
                        // String rdn = Microsoft.Online.DirSync.Extension.Utilities.DNEncoding.StringToSafeRdn(sourceAnchor);

                        // Set the DN
                        cs.DN = ma.EscapeDNComponent(mvEntry["sourceAnchor"].StringValue);

                        // One-Time EAF Attributes
                        cs["SourceAnchor"].StringValue = sourceAnchor;

                        // Commit the Connector
                        cs.CommitNewConnector();
                    }
                    catch (ObjectAlreadyExistsException)
                    {
                        // If we hit this exception it means we have tried to create a CSEntry:
                        //   1. With a duplicate RDN
                        //   AND
                        //   2. In the same container as the duplicate
                        // In this case the exception is ignored.
                        // On the next sync run the TargetWebServiceMA should resolve this by joining to the MV object
                    }
                }

Thanks

Harald

↧

Generating sequential unique identifier in FIM portal

October 28, 2015, 3:34 am

≫ Next: Changed the password of local auto created user runnining FIM 2010

≪ Previous: FIM Extention question regarding multiple WAAD connectors

Hi,

We had a requirement to generate unique sequential number for every user created in FIM portal. We have tried with randomNum() function. but it is generating duplicate values. We need to implement some sequential unique number whenever a user is created in FIM portal.

Please help me out in achieving this.

Regards

Prasanthi.

↧

Changed the password of local auto created user runnining FIM 2010

October 28, 2015, 11:53 pm

≫ Next: FIM Portal Search Scope Issue

≪ Previous: Generating sequential unique identifier in FIM portal

Hi,

I needed to change the passsword of this user because my domain account was not allowed to run miisclient even

it was it correct local Groups.

I was able to log on and do my things but some day later after a restart I can get the service running Again.

get even 6208,

The server encryption keys could not be accessed.

User Action

Verify that the service account has permissions to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

If the problem persists, run setup and restore the encryption keys from backup.

This took me to the program miiskmu, which someone used to fix this problem. That article says that you should "abandon key

start the application “miiskmu”
Choose the option to abandon your key set.
Start the “Directory Sync Configuration” tool and reconfigure your synchronization
After this start your services again (the “Forefront Identity Manager Synchronization Service” was already started) and start a manual sync
This could lead to the following message in your eventlog:
Eventid: 6126
The management agent “TargetWebService” completed run profile “Delta Confirming Import” with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.
So with the help of the miisclient I started a full sync, a full confirming import and a export"

In this prgram (“miiskmu”)there is also an option to "add new key set (reuires service to be stopped)

and there I can choose "re-encrypt all Microsoft identy integration Service data with new key"

and I get an option to Assing a domain user to this.

My question is, can I use this "add new key with re-encrypt" and a domain user.. and be able to start services again and sync, or do I need to "abandon key" and follow that instruction ?

thans

Erro

↧

FIM Portal Search Scope Issue

October 29, 2015, 9:18 am

≫ Next: Azure AD Connect

≪ Previous: Changed the password of local auto created user runnining FIM 2010

Hi Everyone,

We have 2 search scope:
1. SearchScope1
2. SearchScope2

Both search scope are having usage keyword "GlobalSearchResult" and "Global". I need GlobalSearchResult usuage keyword because I want to hide both New and Delete button.

SearchScope1 Search Scope Filter: /CustomObject1
SearchScope2 Search Scope Filter: /CustomObject2

We have given permission to read this search scope through MPR.
We can see both search scope are displaying in Home Page under Search within drop down menu.

Issue Description:
Suppose I logged in FIM Portal as normal users and I can see both search scope in home page search within drop down menu.
I selected one search scope say SearchScope1 and clicked on Search button. This is redirecting me to GlobalSearchResultPage.aspx for CustomObject1.
However in this page I am seeing both search scope i.e. SearchScope1 and SearchScope2.

GlobalSearchResult Page

My requirement is just to show one search scope based on what I selected in home page. So in above case, GlobalSearchResultPage.aspx page for CustomObject1 should only show me SearchScope1 search scope under Search witin drop down.

Search URL for both search scope:

http://FIMSERVER/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=c1939a77-4e65-49e5-b876-a31f6aa1e38a&content=%2a
http://FIMSERVER/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=1dc89434-a634-4034-8140-5f024c044936&content=%2a

Any help would be greatly appreciated.

Thanks in advance!!

Sujit Kumar

↧

Azure AD Connect

October 30, 2015, 8:58 am

≫ Next: I cant get the Syncronization manager service to start.

≪ Previous: FIM Portal Search Scope Issue

Hello everyone

I have installed an Azure AD Connect (AAD Connect) server, and it is functioning successfully.

I am starting process to install a second AAD Connect server as a staging server.

Is there a way to export the configuration from the first server to allow an import on the second server? When installing the staging server the usual wizard starts, and to complete the install need to enter some synchronization information, then could import the MA configurations from the other server. Is there other configuration outside of the MAs needed?

On the staging server I can run the azureadconnect.exe to get the Import configuration wizard, but on the active server, the azureadconnect.exe cmd to start the wizard with the "Export Settings" (as when run on a legacy Dirsync server) just starts the usual post install wizard.

Summary: how to export the configuration of an Azure AD Connect server to allow it to be imported on a second staging server.

Thanks

Alexis

QAlexis75

↧

I cant get the Syncronization manager service to start.

October 30, 2015, 12:48 pm

≫ Next: Accounts Sync from Open Directory to Active Directory

≪ Previous: Azure AD Connect

After performing a clean install of MIM 2016 using the directions I found in the Tech Net Library- MT150255. (I am prohibited from sharing the link at this time.) I have been unable to get the sync service to start. The error message states that the service is either not started (it is) or my account is not part of a required security group. I am logged in as a domain admin. Has anyone else had this problem? Any help would be greatly appreciated.

Thanks,

Dan

↧

Accounts Sync from Open Directory to Active Directory

November 1, 2015, 10:28 pm

≫ Next: Convert IIF from AAD to FIM

≪ Previous: I cant get the Syncronization manager service to start.

I need a tool to sync accounts (including passwords) from OD (open Directory) to AD (Active Directory), can FIM do that? if not do we have any other tool?

Fadi

↧

Convert IIF from AAD to FIM

November 2, 2015, 1:58 am

≫ Next: Convert IIF function from AAD to FIM

≪ Previous: Accounts Sync from Open Directory to Active Directory

Hi FIM experts,

I'm currently working on the mailbox provisioning from FIM to Exchange Online and i would like to convert the following IIF Azure function to a FIM function. I'll import MSOline Users from FIM and want to trigger the mailbox creation if the result of the function is false (cloudSOAExchMailbox)

CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType],&HFF) = 0))

Thanks,

Yannick

↧

Convert IIF function from AAD to FIM

November 2, 2015, 1:58 am

≫ Next: GAL Sync Required attribute cn is missing

≪ Previous: Convert IIF from AAD to FIM

Hi FIM experts,

CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType],&HFF) = 0))

Thanks,

Yannick

↧

GAL Sync Required attribute cn is missing

November 2, 2015, 2:50 am

≫ Next: Organization Maintenance in FIM and BHOLD

≪ Previous: Convert IIF function from AAD to FIM

I am a complete novice to FIM but am trying to set up the sync service to do a GAL sync between two AD forests. The forests have a two way AD trust in place and one is running Exchange 2010 and the other Exchange 2013. I have configured the two MAs and run a staged Import and a Sync on each. When I run an export though I receive an error saying that the "Required Attribute 'cn' is missing". Despite this the contact is created in the specified OU and does have a cn assigned. The proxyAddresses attribute is also populated as with all of the original users email addresses and the new contact shows up in Exchange as a Cross-Forest Contact. Can anyone suggest why I might be seeing this error, what implications it might have, and how to resolve it? So far I have seen the error when exporting from the Exchange 2013 domain into the Exchange 2010 one but not the other way around. I am using FIM 2010 R2 version 4.1.3419.0.

Thanks

Alan

↧

Organization Maintenance in FIM and BHOLD

November 2, 2015, 1:29 pm

≫ Next: Exchange support

≪ Previous: GAL Sync Required attribute cn is missing

Hello,

I have an implementation where the corporate structure is maintained in a database. There is an MA and set of sync rules defined to import that hierarchical structure into the metaverse. There is also an MA and sync rules defined to push that structure to BHOLD.

Occasionally, the corporate structure changes (the name changes or is moved to a different parent). Moves are handled properly by the MAs and rules. However, renames or flat out deletions are not. Renames are treated as a new entry. The old entry gets disconnected at the SQL connector space, but the object remains in the metaverse (and AD and BHOLD). I have the BHOLD MA configure to stage a delete on the next export (I've yet to test that).

What I'd like to happen is to stage a delete of the metaverse object when the object is delete from the database. Is there something in the box that will do that, or does that require a rules extension DLL?

Or, can I not do that at all. The whole purpose here is to make this a hands off operation.

Thanks,

Greg

↧

Exchange support

November 3, 2015, 12:46 am

≫ Next: Microsoft Official BHOLD training

≪ Previous: Organization Maintenance in FIM and BHOLD

Hi,

We have FIM 2010 R2, and looking to upgrade our exchange to 2016.

Does FIM 2010 R2 support exchange 2016 (presumably with a recent patch) or do we need to upgrade to MIM 2016 which I have not been able to find documentation if that supports exchange 2016 either. :(

Thanks!

↧

Microsoft Official BHOLD training

November 3, 2015, 5:33 am

≫ Next: UserAcccountControl bitwise operations - enable\disable with passwordNeverExpires always set.

≪ Previous: Exchange support

Hi Everyone,

Please let me know if Microsoft provides BHOLD training or somewhere else I can find training.

FYI, I already tried with Source solutions and they are no longer providing BHOLD training.

Thanks in Advance.

If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

↧

Latest Images