Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0


    We are currently using MIM 2016 (I know it's not exactly FIM 2010, but it's the only forum I found) and do Exchange provisioning (Exchange 2010). Sometimes, and for unknown reasons, we get the following error: "not-start-ma". The Management Agents refuse to launch and we have several errors in Event Viewer (see attachment). The problem is that when it happens, we don't make major changes or big improvements... For now, we get around this error (when it happens) by reverting the VM. But we don't succeed in understanding and solving the problem.

    I tried to search for these error codes or exceptions but did not get much information. For example the following links: But for now we weren't able to solve this question.

    Has anyone already encountered these errors and could maybe provide advice?

    Thank you for any help


    0 0
  • 02/17/16--14:26: PowerShell script help
  • Can someone help with a PowerShell script? Need to query the FIM portal database. Customer wants a list of all their distribution groups with output to a CSV file. Attributes: Display Name, Description, email address

    0 0
  • 02/18/16--01:53: Dynamic Group criteria
  • Hi,

    We have to create a number of dynamic distribution groups for our corporate communications department, an example of this is groups based on service organization and level or rank.  This results in about 500+ groups.  I have scripted the creation of these groups in AD.

    My question is: Is it possible to script the selection criteria of these groups in the FIM portal?  I don't really want to do this manually for so many groups :-)

    I will appreciate any ideas.


    Johan Marais


    0 0

    I'm trying to synch users and groups from open LDAP into Active Directory. 

      Is FIM / MIM2016 the right product for my use case? 

    Many thanks.

    0 0

    We have SQL Management agent used for creating accounts in AD/LDAP.

    The anchor is Accountname; we generate it based on Fname and lname when a record is added to SQL.

    The join is on AccountNumber (which is another unique entry).

    Now we want to change the anchor for SQL to some other attribute in SQL: we want to use column number as a new anchor.

    My understanding is that if we change the anchor, it will generate a record in FIM for all the objects present.

    Any suggestions or steps for changing the anchor for SQL without affecting current users in SQL / AD?


    0 0


    I created an on-premises domain, also created some users and synced them with Office 365, and it was working fine. Due to a hardware crash I formatted and reinstalled the same on premises. Everything is working fine with the new AD, and the only problem I am facing is that the users created with the old password reset are not getting synced.

    I have created all the users on the new domain, but the Office 365 users were not deleted at the time of the crash, and after the new domain it got synced and is working.

    0 0
  • 02/19/16--07:04: uniquenessvalidationxpath
  • I have the validation rule that works fine when the user tries to change the current email address to another email address.

    But if the current one is blank and they enter a duplicate one, the portal accepts the duplicate value. Please help.

    <my:Property my:Name="UniquenessValidationXPath" my:Value="/Person[not(ObjectID='%ObjectID%') and ExternalEmail='%VALUE%']"/>

    0 0


    In group provisioning to Active Directory, why is sAMAccountName random? Look below:

    And my flow is like this

    0 0


    According to the FIM Infrastructure Planning Guide (IPD):

    • FIM Service database: SQL Server can be clustered for fault tolerance (there is no mention of other high availability and disaster recovery strategies like database mirroring and log shipping in this part of the IPD document)
    • FIM Sync Service database: The FIM Synchronization Service database can be hosted on a clustered instance of SQL Server for fault tolerance. Other high availability and disaster recovery strategies like database mirroring and log shipping can also be used to provide fault tolerance for the SQL Server database, whether located locally or remotely

    Question 1:

    Based on this IPD document, FIM Service database does NOT support "Other high availability and disaster recovery strategies like database mirroring and log shipping"?

    Question 2:

    SQL these days has numerous High Availability options, how many of these are supported by both MIM databases:

    - SQL Clustering

    - Availability Groups

    - Database Mirroring

    - Log Shipping

    - any other?

    It would be awesome if Microsoft could give us a clear answer to these HA options for MIM SQL databases please.



    0 0


    I implemented Microsoft Identity Manager 2016 Self-Service Password Reset in my environment.

    I have a password policy in my domain such that users cannot use passwords in the five-password history and cannot change their password twice in a day.

    But when users use SSPR, they can change their password several times and they can set any password outside our policy.

    Does MIM 2016 have any setting that understands the domain password policy and behaves according to our policy?


    0 0

    Hi All,

    I notice something weird and want to understand the reason for this.

    We created a new attribute in the MV schema as well as the FIM Portal schema for the group object and defined an export attribute flow for it in the FIM Service MA. Now when a group is created in AD and then exported to the Portal, all the other group attribute flows configured in the MA go via a single request in the Portal, but for the new attribute flow defined, the Portal creates another request. Any idea why? I have not configured the attribute flow for this new attribute in a special or different way. It's a direct mapping from AD to MV to Portal.

    Can someone help me here?

    Thanks in Advance


    0 0


    I am trying to create a new synchronization in FIM Portal. I have defined one rule to map the attribute from source system into FIM. The second rule to map the attribute from FIM to AD. I am not getting the AD attribute to map in the destination.

    How do I get it to map?


    0 0


    I'm running FIM 2010 R2 in a testing environment to test the following situation: I want to join existing user accounts in AD with employee data from the HR system. Relationship criteria should be the AD attribute EmployeeNumber which corresponds to the EmployeeNumber in the HR system. Therefore I added the attribute EmployeeNumber in the schema of the metaverse and the portal.

    I configured a MA for SQL (HR System) and for AD and for the FIM portal. In the FIM portal I configured an inbound synchronization rule for SQL with the setting "Create Resource in FIM" enabled. That part works fine, the users are imported and synchronized to the metaverse and also synchronized to the portal and the attribute EmployeeNumber is populated.

    I also configured an inbound synchronization rule for the AD MA. Here I configured "Create Resource in FIM" disabled, since I don't want accounts from users that don't exist in the HR database to be synchronized to FIM. I configured EmployeeNumber in the inbound attribute flow. I can see that the Synchronization rule is projected to the metaverse, but it isn't executed. When I search the connector space of the AD connector, I can see that all user accounts are imported to the connector space with the following attributes:

    displayName, name, objectSID, pwdLastSet, sAMAccountName and UserAccountControl. None of them are configured in the Synchronization Rule. The attributes configured in the Synchronization Rule, however, are NOT synchronized, so I conclude that the Synchronization Rule isn't executed at all.

    What am I doing wrong?

    Kind regards,


    0 0


    I have a question regarding conditional sync from two forests. The setup is:

    - Two AD forests with management agents (object of each forest is joined to the same metaverse object)

    - AD extension attribute is used to indicate, which forest should determine the attributes of the metaverse object (via connector filters)

    - Connector filter in forest 1: "filter out if extension attribute != 1"

    - Connector filter in forest 2: "filter out if extension attribute != 2"

    My procedure is the following:

    I create an AD object in forest 1 and populate certain attributes (extension attribute = 1 and an immutable anchor attribute). In forest 2, I create an object with the same anchor attribute (for joining) and the extension attribute also set to 1. Other attributes have different values in comparison to forest 1. I then make a "full import and sync" with the management agent of forest . The connector space gets filled and (since the metaverse is empty) objects are projected (works fine, metaverse objects have the attribute values of forest 1). After that I set the extension attribute in both forests to a value of 2 and I start a "full import and sync" with the management agent of forest 2. Joining is performed successfully and the metaverse object's attributes have the values of forest 2 (as it should be). If I run the management agent of forest 1 again, as intended nothing happens (due to the connector filter) to the attribute values of the metaverse object.

    Now comes the interesting part: I now change the extension attribute back to "1". The management agent of forest 2 now does, as expected (due to the connector filter), nothing. However, running the management agent of forest 1 also has no effect on the metaverse object. Its attribute values were set to the values of forest 2 in the former step and should now be updated by the values of the corresponding object in forest 1. However, this does not happen! The reason presumably is the following: When the management agent of forest 1 runs again (happens for delta and full import and sync), it reads the data from forest and compares it to the connector space data it already has from the prior run. Except for the extension attribute, no attribute was changed, and it seems that FIM does not apply a flow rule if the source and the connector space attribute still have the same data (although the metaverse attribute value of the object is different). So to speak: "If source directory data and connector space data are the same I do not have to sync to the metaverse."

    Does anyone know how to change this behavior or how to force a metaverse update? (Or any other solution)


    0 0

    I want to use UocFilterBuilder for creating criteria-based groups. When I define the criteria and move to the next page or finish the wizard, the configuration won't be saved. I could see this when I go to the next tab and go back again to the criteria: all configuration is lost. I think it could be one of the handlers not working properly.

    When I click on the Preview button first, it looks like it sends data back to the server and then it saves the criteria configuration correctly. Also, when using the edit criteria-based groups wizard it works properly as well, without using the Preview button.

    Does somebody know how to save filter criteria within RCDC for group creation?

    My RCDC code looks like this:

    <my:Grouping my:Name="GroupingCalculatedMembers" my:Caption="%SYMBOL_GroupingCalculatedMembersTabCaptionTabCaption_END%">
      <my:Control my:Name="ManagerialMembershipDescription" my:TypeName="UocTextBox" my:Visible="false">
        <my:Properties>
          <my:Property my:Name="Text" my:Value="%SYMBOL_ManagerialMembershipDescription_END%" />
        </my:Properties>
      </my:Control>
      <my:Control my:Name="Manager" my:TypeName="UocIdentityPicker" my:Caption="%SYMBOL_GroupingManagerialMembersManagerCaption_END%" my:RightsLevel="{Binding Source=rights, Path=Filter}">
        <my:Properties>
          <my:Property my:Name="Required" my:Value="true" />
          <my:Property my:Name="ObjectTypes" my:Value="Person" />
          <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName, MailNickname, Manager" />
          <my:Property my:Name="AttributesToSearch" my:Value="DisplayName, MailNickname" />
          <my:Property my:Name="UsageKeywords" my:Value="Person" />
          <my:Property my:Name="ResultObjectType" my:Value="Person" />
          <my:Property my:Name="ListViewTitle" my:Value="%SYMBOL_ManagerPopupListviewTitle_END%" />
          <my:Property my:Name="PreviewTitle" my:Value="%SYMBOL_ManagerPopupPreviewTitle_END%" />
          <my:Property my:Name="MainSearchScreenText" my:Value="%SYMBOL_ManagerSearchText_END%" />
        </my:Properties>
        <my:Events>
          <my:Event my:Name="SelectedObjectChanged" my:Handler="OnChangeManagerialMembership" />
        </my:Events>
      </my:Control>
      <my:Control my:Name="FilterBuilder" my:TypeName="UocFilterBuilder" my:RightsLevel="{Binding Source=rights, Path=Filter}" my:ExpandArea="true">
        <my:Properties>
          <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Contact" />
          <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=Filter, Mode=TwoWay}" />
          <my:Property my:Name="Required" my:Value="true" />
          <my:Property my:Name="PreviewButtonVisible" my:Value="false" />
        </my:Properties>
      </my:Control>
      <my:Control my:Name="Preview" my:TypeName="UocButton" my:ExpandArea="true">
        <my:Properties>
          <my:Property my:Name="Text" my:Value="%SYMBOL_ViewMembers_END%" />
        </my:Properties>
        <my:Events>
          <my:Event my:Name="Click" my:Handler="OnClickPreview" />
        </my:Events>
      </my:Control>
      <my:Control my:Name="ComputedMemberList" my:TypeName="UocListView" my:Caption="%SYMBOL_CalculatedMemberCaption_END%" my:RightsLevel="{Binding Source=rights, Path=Filter}" my:ExpandArea="true">
        <my:Properties>
          <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType" />
          <my:Property my:Name="EmptyResultText" my:Value="%SYMBOL_CalculatedMemberEmptyResultText_END%" />
          <my:Property my:Name="PageSize" my:Value="10" />
          <my:Property my:Name="ShowTitleBar" my:Value="false" />
          <my:Property my:Name="ShowActionBar" my:Value="false" />
          <my:Property my:Name="ShowPreview" my:Value="false" />
          <my:Property my:Name="ShowSearchControl" my:Value="false" />
          <my:Property my:Name="EnableSelection" my:Value="false" />
          <my:Property my:Name="SingleSelection" my:Value="false" />
          <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
          <my:Property my:Name="ReadOnly" my:Value="true" />
        </my:Properties>
      </my:Control>
      <my:Control my:Name="InvalidMemberListDynamic" my:TypeName="UocListView" my:Caption="%SYMBOL_InvalidMemberCaption_END%" my:Description="%SYMBOL_InvalidMemberHint_END%" my:ExpandArea="true" my:Visible="false">
        <my:Properties>
          <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType" />
          <my:Property my:Name="EmptyResultText" my:Value="%SYMBOL_InvalidMemberListEmptyResultText_END%" />
          <my:Property my:Name="PageSize" my:Value="10" />
          <my:Property my:Name="ShowTitleBar" my:Value="True" />
          <my:Property my:Name="ShowActionBar" my:Value="false" />
          <my:Property my:Name="ShowPreview" my:Value="false" />
          <my:Property my:Name="ShowSearchControl" my:Value="false" />
          <my:Property my:Name="EnableSelection" my:Value="false" />
          <my:Property my:Name="SingleSelection" my:Value="false" />
          <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
          <my:Property my:Name="ReadOnly" my:Value="true" />
        </my:Properties>
      </my:Control>
      <my:Events>
        <my:Event my:Name="AfterEnter" my:Handler="OnEnterMembersGrouping" />
        <my:Event my:Name="BeforeLeave" my:Handler="OnLeaveMembersGrouping" />
      </my:Events>
    </my:Grouping>

    0 0

    Is there any way we can digitally sign the email sent out by the FIM Service? We are going to use FIM to send out password expiry notifications and we would like to digitally sign the emails. Thanks.

    0 0

    I have a sync rule for IAF flow from an external system which also contains a mapping from multivalued string attribute in the external system to a multivalued string attribute in the MV. Also, I have a similar export flow in the FIM MA which maps the multivalued string MV attribute to a multivalued string FIM Portal attribute.

    When I run a sync cycle, I can see that the values come in the FIM MA CS. However when I trigger an export, I get the following error:


    An error occurred in executing a Web service object modification request.

    Type: System.InvalidOperationException

    Message: Operation is not valid due to the current state of the object.

    Stack Trace:

    Inner Exception:

    Does anyone know the cause behind this? I am struggling to find the exact issue since there is no stack trace which gives the detail.

    0 0


    We have a FIM 2010 and we want to upgrade to FIM 2010 R2 SP1.

    Can we go directly to 2010 R2 SP1, or do we need to upgrade first to R2 and then to R2 SP1?

    Please provide a reference.


    0 0

    We are starting to plan a MIM 2016 development. The scenario consists of on premises AD and MIM server(s) with Azure AD Connect installed on its own server. There is the cloud and Azure AD plus Exchange Online.

    There is NO Exchange 20xx anywhere, all mailboxes now live in Exchange Online.

    We are asked to create new on-prem AD accounts via MIM from an HR feed. AADC will sync these to Azure AD. MIM is also tasked to make Exchange Online mailboxes and license them via a PowerShell script when the account is in Azure.

    All ok so far.. except that the Managers and Service Desk want Notifications to be sent BY *MIM* when a new AD account is created and again when a (licensed) mailbox is successfully created. 

    How are MIM and the myDomain\MIMService account configured to send email notifications without an on-prem Exchange?

    I am guessing/hoping that Exchange Online can act as an SMTP server... but really how is it done?

    0 0


    We need to add a person to a group representing their post.  I have two view tables, one for users and one for posts.  The user has a postid attribute and the post has an immutableid.  I'm flowing the post into the MV and using an inbound sync rule to create a security group in the FIM Service.  A workflow (FIMWAL update) fires on completion of the 'create' request.  This will run a query to find the user that has the same postid as the post group immutableid, which is then stored in the query key.  The query result is then flowed to the 'ExplicitMember' attribute of the group.  This works fine on create but not on a modify-driven activity, that is, when the user's postid changes.

    The objective is to remove the user from the post group when their postid no longer matches the immutableid of the group because the user has changed post.

    In the example above I used a manually-managed group, as we couldn't find a way to write the value expression into the Filter attribute using the workflow, thus enabling us to use a dynamic group, which would be the nirvana in this instance.

    However, is there another way of removing the user programmatically from the group when there is a change to the postid? I have the MPR configured so that it will call a workflow when this attribute is modified on the user; I'm just stuck on what to run in the workflow.  Can PowerShell be used in this example to work out what the post group is that the user was in before the postid was changed and then remove the user from that group?  Or is there a way of auto-creating a dynamic group by being able to specify the correct XML to feed to [//Target/Filter]?

