Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels


Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 145 | 146 | (Page 147) | 148 | 149 | .... | 204 | newer

    0 0

    I need to solve a problem where an MPR/Workflow needs to be triggered when a user becomes a member of a Security Group.

    I would rather not write MV extension C# code but try and use a simple Transition into a Set.

    There are HUNDREDS of these security groups, but they are all dependent on being CostCenter/Id dependent so I can link them to FIM criteria based SGs.

    I am trying a Set criteria like :-

    Select user that matches all of the following conditions

       ObjectSid starts with %

       TestforSGmembership is True

       Any of the following

           Id is 1

           Id is 2

           Id is 3

           and so on and so on...

    It seems to work for 10 'or' sub-conditions

    However, My query is just how many "OR" type sub-conditions can I have in my criteria?

    0 0

    I've been messing with FIM all week trying to get a POC working and got stuck where I didn't think I'd have a problem. I'm trying to use FIM to provision users from a bunch of different AD DS MA's into the portal, and then provision the users to a different AD DS from the portal. I've gotten most of it setup and working where I have all my MA's on the same server as my Portal, but I'm wanting to have each domain run its own Synchronization Service with an MA that just exports users to the one common Portal, and then let the portal provision from there. Essentially how the Office 365 DirSync tool works. It's how to get multiple external MA's to connect to my portal that I'm having trouble. Should each external MA connect to FIM using the built-in FIM connector, or should they be using some custom method with an ECMA like Office 365 uses? It seems strange and insecure to have them directly connect to the SQL database and it doesn't seem to even let me do it once another Synchronization Service is connected anyway.

    Essentially my intended flow is: AD DS->Metaverse->FIM Portal <--WAN Link--> FIM Portal->AD DS

    Doing this all on one server has worked fine, where I'm essentially pulling LDAP over the WAN link, but I want to be able to do this via a "push" method from the source into the portal as opposed to the portal side "pulling" it.

    0 0

    We have MIM with the latest patch installed and the portal is on SharePoint 2013. 

    The PowerShell custom workflow activity is not running. I'm guesisng it may be due to a .NET framework mis-match.

    Does anyone know what version of the .NET framework to build aginst for MIM with the portal on SharePoint Foundation 2013?



    0 0
  • 01/25/16--00:35: SharePoint Connector
  • The SharePoint Connector Reference web page states that it "expects a specific FIM build to be installed on your FIM synchronization server". Does anyone know why there is this restriction, and whether it will work (or can be encouraged to work) on MIM 2016?


    0 0
  • 01/26/16--13:36: Directory-Sync Issues
  • Hello,

    I am a new System Admin and I am having some trouble with Directory-Sync. It was suggested to post here. To keep from retyping everything, I used this post:

    Basically, the passwords do not sync and an error message displays about a missing publicFolder when a manual sync is initiated. 

    I appreciate any assistance and thank you,


    0 0


    I was wondering if anyone had any insight out there in regards to this error. All I did to repro the issue was hide a contact in exchange and then unhide that contact and now I get a sync error for that contact.

    The error:

    Stack Trace info:

    Microsoft.MetadirectoryServices.UnexpectedDataException: Provisioning without cn, mailNickName or targetAddress
       at Microsoft.MetadirectoryServices.GALSync.Synchronizer.LogAndThrowUnexpectedDataException(String ExceptionString)
       at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.AddOrRenameConnector(ConnectedMA& MA, GALMA& MAConfig, MVEntry mventry, CSEntry csentry)
       at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.Provision(MVEntry mventry)

    I would be happy to provide more information if it helps.

    I am kinda at a loss here as I don't see any reason why it shouldn't work. I disabled, recreated, moved the account but no change. I ensured my sync removed the contacts in case it was holding on to them in the remote AD but the contact is currently not in the remote AD and it's not syncing back either due to this error.

    Please note: I am only using the Synchronization Service and not the portal.

    Any advice?

    Thank you in advance.



    Event viewer shows:

    0 0

    I get this error intermittently while executing the enrollment requests in FIM 2010 CM R2. Sometimes it auto resolves but during other times I will have to restart the IIS to get this working again. My environment earlier had FIM 2010 and was upgraded to FIM 2010 R2. Did I forget some configuration? Please help. 

    -- JPM

    0 0


    We have an on-premise AD, DirSync and Azure AD (its synchronizing user accounts).

    If we deploy Azure AD SSPR (in Azure) and setup the MIM Client (on-premise) - can domain joined computers use the MIM Client to register and reset their passwords? Or do we also need MIM deployed on-premise?



    0 0
  • 01/29/16--13:21: User Logon Name - AD
  • I would appreciate if someone could assist me with this.

    In the properties of a user in AD under the Account Tab, there is a drop down box next to user logon name.  The drop down contains our domain:

    Do you know what attributes I need to match and customize to populated this when I run my sync rule.

    I have tried = UserPrincipleName however this does not work.

    New to FIM and help is appreciated.

    Thank you.


    0 0
  • 01/30/16--09:23: FIM Reporting
  • I am trying to add FIM Reporting on the existing FIM Service. I have 3 servers running separately for Service, Service Manager and Datawarehouse. My FIM version is 2010 R2 and I am using SCSM 2010 SP1. During the installation wizard, after I enter the Management Server Name, I got the pop up saying, "The System Center Service Manager update (KB2561430) is not installed on this computer." I have installed the hotfix to all the above 3 servers. Still I am getting the same error. Please help if you know the reason or solution to this error.


    0 0


    every time  i want to sync initiate a full sync i have below error:

    Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD Users Outbound'. Details: Object reference not set to an instance of an object.
       at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

    I looked at so many links but my sync rule seems to be ok! here is a screen shot of my sync rule:

    0 0

    I am trying to run a full synchronization however since upgrading to the latest build 4.3.2064.0 I get the following extension-dll-exception. The stack trace is below:

    System.ArgumentException: parsing "<![CDATA[^([\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+[\.]?)*[\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+@{1}((([0-9A-Za-z_-]+)([\.]{1}[0-9A-Za-z_-]+)*([A-Za-z]){1,6})|(([0-9]{1,3}[\.]{1}){3}([0-9]{1,3}){1}))$]]>.Value" - Too many )'s.
       at System.Text.RegularExpressions.RegexParser.ScanRegex()
       at System.Text.RegularExpressions.RegexParser.Parse(String re, RegexOptions op)
       at System.Text.RegularExpressions.Regex..ctor(String pattern, RegexOptions options, TimeSpan matchTimeout, Boolean useCache)
       at Microsoft.MetadirectoryServices.GALSync.Synchronizer.IsMailValid(String& MailAddress)
       at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.AddOrRenameConnector(ConnectedMA& MA, GALMA& MAConfig, MVEntry mventry, CSEntry csentry)
       at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.Provision(MVEntry mventry)

    0 0

    Hi guys,

    First off all, if any of you (maybe some Idenitity MVPs) have access to an internal MS DL, or if MS is monitoring this thread, the installation guide of MIM 2016 is by far the worst documentation guide ever :-)

    Being a Office Servers and Services MVP, I know it can by hard something to come out with some good documentation but following the step by step guide of MIM 2016, will never get you up and running...

    Back to my problem;

    A customer of mine wants to use the SSPR on their Win7/8 logon screen (Ctrl-Alt-Del)

    So my goal is only to deploy the SSPR portion, sync from AD and export to MIM DB....seems pretty simple.I have decided to follow some FIM install guide instead of MIM:

    I have up to a point where the sync rules works but in the SSPR portal, if I do a search on the user, this is what I see:

    I cannot seems to match the displayname somewhere...

    Any tips and trick or just a quick guide will be more than helpful.



    If a post is helpful, please take a second to hit the green arrow on the left, or mark as answer, thanks.

    Jean-Philippe Breton | Senior Microsoft Consultant | MCTS, MCITP, MCT, Lync MVP

    0 0

    I changed the AD OSR so that DN is flowed out to AD all the time(in addition to initial flow what we already had). All sync rules are throwing error for just one user. I could see many other objects where the DN got changed.  I am not able to find the root cause of this issue. I even tried matching the dn in AD to be same as that of FIM.

    Extensionfile name: FuctionLibrary.dll


    Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OSR - User - Create/Delete'. Details: Unable to rename non-leaf object.
       at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

    0 0


    I am just starting my research and wanted to see how others have solved this problem before I go too far down this road.  I have a requirement to create a custom object in the FIM portal that allows a user to request access to other systems.  

    1. The preference is to have a separate custom object (MySystemRequests) instead of modifying the primary user object in the portal.  Easy enough.
    2. The new custom object "MySystemRequests" will contain several fields including a multi-value check box called "Request System Access" to request access to systems like payroll, accounts receivables, etc...  Again pretty straight forward.
    3. Here's where it might get tricky.  An a separate approval for each system selected on the "Request System Access" should be created when the MySystemRequests is submitted.  Each selected item may have its own approval workflow and automation that it needs to follow - hence the need for separate approvals.

    My question is, short of writing a custom activity is there a way to spawn multiple approvers for a multi-value checkbox?  Any thoughts and insights would be appreciated.

    0 0

    I'm looking to deal with our HR system and the "renaming" of employee objects when they change the employee number. I've found that there is a MACapabilies property for ObjectRename, but I haven't found anyone who has worked with it when set to true.

    Anyone use it like this?

    MACapabilities.PObjectRename = True

    0 0

    Hi Folks,

    We have a scenario that when a group is created in AD with members in it, it should flow the members for the first time to metaverse and then to FIM Portal. After this, if members are added/removed in AD for the group these changes should not flow in to the metaverse and members in FIM Portal must override the changes done directly in AD. We thought we could achieve this with a rules extension but learnt that advanced flow rules for reference attributes is not allowed.

    Any suggestions on how this can be achieved?

    Any help would be appreciated.



    0 0


    what we are planing to do is to allow some users to create user accounts in FIM portal and after, their request to create user accounts needs to be sent to a moderator before actual provisioning to AD? if that moderator accept the request then that is allowed to go in provisioning process. 

    any ideas how do i can implement this?

    0 0
  • 02/02/16--02:14: MIM PAM Powershell
  • Hi Guys,

    I would like to use the command new-pamuser from a computer in the corp domain, but the client add-ins doesn't provide this command.

    Is there a way to do this remotely?

    Best regards,


    0 0

    Hi All,

    I have below server OS configuration:

    • AD server - 2012.
    • FIM server- 2012.
    • SQL server- 2012 R2.

    Also, below are FIM component versions:

    • FIM version- 4.1.3419
    • SQL server version- MSSQL server 2012 with build 11.0.5343

    Please do let me know if SSPR will support Enforce Password Policy with this configuration or not?

    Thanks in Advance.

    If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

older | 1 | .... | 145 | 146 | (Page 147) | 148 | 149 | .... | 204 | newer