Channel: Forum Microsoft Identity Manager

Finding portal attribute references


Is there a good technique (perhaps a PowerShell script?) to find where portal attributes are referenced/in use? 

I'm trying to delete an obsolete attribute from the portal which was previously used in a few places, but I'm getting a "processing error" when I go to unbind the attribute from the user resource - presumably meaning it's in use or referenced somewhere.

I've hunted through sets, filters, permissions, workflows and cleared all values on users, etc., etc., but cannot find where this thing is referenced/in use.

Any tips or tricks would be hugely appreciated.


MIM 2016 synchronize users and groups from ad to ad


Hi,

I'm often reading this question here, but there are no answers with the expected details. In my lab I have set up the synchronisation service and portal. Now I have configured the management agents for both domains (no trust between them). Our AD1 has a structure that is to be synchronized with AD2. I'm reading a lot, but most guides are for importing from different sources to AD or from AD. Is there any guide where I can look for a 1:1 sync?

Actually, I get information from Domain A, but my portal shows no user information, while the sync service metaverse database has the correct information. So my first mistake should be in the FIM MA import.


Is it possible to change the metaverse DN of a user or group? I want to change from "CN=Max Mustermann, OU=Test1,OU=Test,DC=contosoA,DC=com" to "CN=Max Mustermann, OU=Test1,OU=Test,DC=contosoB,DC=com". Is that possible?

Taking Precautions FIM 2010 R2 Deployment


Hello All,

I am part of a team working on a big MIM project, so MIM will be touching the identities of several critical systems. I'd just appreciate some thoughts and advice from FIM\MIM pros out there on sound, time-tested FIM\MIM deployment practices\precautions I can take to reduce margins for error that could negatively impact connected systems.

Pointers to relevant blogs\articles are welcome.

Thanks


Akinzo

cd-existing-object error after enabling AD recycle bin


I am using MIM 2010 to sync my Development AD domain with Production Domain. Recently I had deleted some core MIM groups and users in Dev because of which I reverted the VMware snapshot of my DC. After that I enabled recycle bin in my DC.

Now when I execute the whole refresh process, which includes the following steps:

1. ProdMA Delta Import
2. DevMA Delta Import
3. ProdMA Delta Sync
4. DevMA Delta Sync
5. DevMA Export
6. DevMA Delta Import

I get completed-transient-objects status when I run the profiles DevMA Delta Import and DevMA Delta Sync.

In DevMA Export I get the cd-existing-object error.

Any ideas?

Unable to retrieve schema error when attempting to configure PowerShell Management Agent

When I attempt to create/configure a new PowerShell Management Agent and provide the schema script in the Connectivity Section, I receive the following error:

Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343.

I made sure that my schema file is saved in the expected path that I put in the schema script textbox (c:\scripts\schema.ps1).

I also provide the username, password, as well for the account I would like to use.

This is the code currently in my schema script:

new-object -typename psobject -prop @{
    "Anchor-id|string" = ""
    "objectclass|string" = "user"
    "accountName|string" = ""
}

I also took this code and ran it in PowerShell as the user which is going to be configured to use the PowerShell management agent, and it works successfully without permission issues.

The error I am seeing in the event logs for the FIMSynchronizationService is:


Error: The extensible extension returned an unsupported error.
The stack trace is:

"Microsoft.MetadirectoryServices.ExtensibleExtensionException: Object reference not set to an instance of an object.
at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2GetSchema.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.3.1935.0"

The warning that I receive for the PowerShell management agent source is:

Object reference not set to an instance of an object.


Is there something I am missing or something I am doing wrong to configure this?

The build I currently have for the PowerShell Management Agent is 5.5.
The build of MIM I have is 4.3.1935.0.

Password Sync between AD and Oracle DB


I am trying password sync between AD and Oracle DB; for this I have also written password extension code.

The object is present in the metaverse and I am able to see the AD and Oracle MA in the connector space. PCNS and the SPN are also configured, and I am getting the proper event from the DC to change passwords and send them to the FIM target server. On the FIM server side, in the event viewer, I am able to capture the Begin and End connection which is mentioned in the custom password extension, but the SetPassword/ChangePassword function is not called. Full import and full sync are also done as expected.

Appreciate any help on this. 

Can this be done with multi email addresses


I know that more than one account can be set up for the email; however, what I would like to happen is that all the email from the other email accounts comes to the "master" email account (the one I work from the most), without it affecting the other accounts. Example: email 1: 123@domain.net, email 2: 234@outlook.com, email 3: 345@domain.com. The other email addresses will only get their own email.

Part 2. Would the email address to be the "master" have to be an Outlook email address?

 

Lync provision using the Granfeldt PowerShell MA


Hello!

I'm trying to enable Lync services for my users using this guide:

https://blog.kloud.com.au/2016/01/28/provisioning-users-for-lync-skype-for-business-with-fim-mim-using-the-granfeldt-powershell-management-agent/

As I understand it, enablement of Lync services is processed when we run "Export" for the PS MA.

But when I start the export, nothing happens.

Can anybody say where the problem could be?

Thanks!




Unable to connect to the synchronization service


Hello everyone,

I'm using MIM and I have a problem with the synchronization service. I cannot start the synchronization service console:

Unable to connect to the synchronization service. Some possible reasons are:

1. The service is not started.

2. Your account is not a member of a required security group.

The FIM synchronization service is already started and all SQL services are started. My AD account is already in MIMSyncAdmins, MIMSyncOperators, MIMSyncJoiners and the local admin group. Last week it was working normally, but it gets this issue now. I tried restarting the server many times, but the error still happens. Can someone help me? Thank you all.

Oracle Database MA Error - MIM 2016


I am using the built-in Oracle database connector on a fresh install of MIM 2016 Sync and trying to connect with data on the Connect to Database property sheet. I get this error:

"Could not find any resource appropriate for the specified culture or the neutral culture.  Make sure "Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MMSErrorMessage.resources" was correctly embedded or linked into the assembly "PropertySheetBase" at compile time, or that all the satellite assemblies required are loadable and fully signed."

A subsequent pop-up says that a parameter cannot be null, but we are filling in all of the essential information.

 

On the same box, I have confirmed we can connect to the server using tnsping, and can log on successfully and query the table using the Oracle command line client sqlplus with the same credentials. The server is 11g and the latest Oracle client is installed.

 

Anyone know of a solution or a workaround?

 

Mike

MIM 2016:- Assign just in time based local Admin account rights to local system


Hello MIM Experts,

Is there any way to manage time-based local administrator group permissions with MIM 2016?

I have googled it and found one option:

Create a domain group for each workstation (like localadmin_MC1, localadmin_MC2, etc.) and through AD group policy add these groups to the local administrators group of each workstation. With the help of the MIM 2016 PAM feature we can create a role for each domain group and manage time-based local administrator group membership. But we have 100k workstations in our environment, and creating 100k domain groups is not best practice.

Now the question is, do we have another option available for this requirement?

BR



MIM PAM group question


Hello all,

I am setting up MIM PAM in my lab environment and I am unable to make it work in the way described.

CORP forest: one DC Windows 2012 R2

PRIV forest: one DC Windows 2016 TP5 with MIM 2016 SP1 PAM feature only

I have enabled the PAM optional feature in the PRIV forest. I followed the deployment guide several times (https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) and here is my problem.

When I run the New-PAMGroup command I get the ms-ds-shadowPrincipal created, but not the AD group itself. The PAMGroup has the same sourceAccountSID and privAccountSID. It is listed as NOT ACTIVE.

When I run Set-PAMGroup to set the group active it runs, and even with verbose no problems are reported, but the problem remains: the PAMGroup is not active.

Next, what I tried is to activate a user's role which has the privileges of the above group, which is the shadow group of the group listed as a member of Domain Admins in the CORP forest. I activated the role and tried to log on to the CORP domain, expecting to have Domain Admin privileges. Even more odd is that whoami /groups lists the CORP nested groups, but the user doesn't have Domain Admin privileges. Lastly, I also ran the ntdsutil group membership evaluation while the role is active and I do not see that the user is a member of the group. In theory this shouldn't be seen through ntdsutil, but I wanted to see what I would get.

Lastly, please do not ask me if I have followed the deployment guide, because I did, several times. So here are my questions:

1. Why don't I have the AD group created along with the ms-ds-shadowPrincipal?

2. Why is the PAMGroup listing the same SID from the CORP forest as both the source and priv account SID?

3. How does the solution utilise SID history? Unless the group I don't get should have it, which would make the most sense of all.

In the event viewer on the MIM server I have:

Time bound membership has not been enabled in the PRIV forest. - This is also something I do not know how to enable.

Thanks for any advice.

FIM portal error - Service not available


The FIM portal was working well, but after some time I tried to open it on localhost and got the error "Service not available". What can the problem be? I doubt that any changes were made to FIM.

In event viewer I get errors:

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.

And warnings:

Alternate access mappings have not been configured.  Users or services are accessing the site http://fimfim with the URL http://localhost.  This may cause incorrect links to be stored or returned to users.  If this is expected, add the URL http://localhost as an AAM response URL.  For more information, see: http://go.microsoft.com/fwlink/?LinkId=114854

MIM 2016 SP1 Dialog Windows.... what has happened????


I upgraded our MIM 2016 software to MIM 2016 SP1 (4.4.1237.0) and all the windows now look awful. OK, it's only meant for admins, but even so, it's shocking.

I guess it preserved all customizations, so I must be thankful, but:

How can I return to the look/feel of the "classic" model?

MIM 2016 upgrade to SP1 date format is switched to M/d/YYYY - why??


After the successful(?) upgrade of our MIM 2016 system to SP1 (build 4.4.1237.0), when I started checking the system I noticed that all dates are now in M/d/YYYY (US style) format. Before the upgrade they were according to the local (UK) settings, i.e. dd/mm/yyyy.

MIM was upgraded to SP1 on the same server; no server settings were changed, just the MIM software.

I checked that the time zone used by the Portal is still GMT as before the upgrade. The dates and times are "correct", just displayed "wrongly".

This seems to affect at least the RCDC user edit form and the Search Request form, possibly all MIM forms.

How can I force MIM to display dates in local format?


Changing MV attribute value after disconnection

Hello, I'm a bit new to FIM and I had a question on changing an MV attribute after it disconnects from an MA. I have users who are provisioned from AD and get attributes from various MAs. Some of these attributes are imported from an MSSQL view. So, what I would like to do is, once they're not in the view, have an MV attribute change its value to "disconnected", which will then be picked up by another MA and propagated to an LDAP. I've been trying to set up some deprovisioning rules in the MSSQL MA extension to write directly to the LDAP once it becomes disconnected, but no luck. Any help would be greatly appreciated!

Delete CS object


I have set up the Lync connector using the MIMPowerShellConnectors of Nilesh Ghodekar (https://github.com/Microsoft/MIMPowerShellConnectors/wiki/Lync-Connector).
It's FIM 2010 R2, 4.1.3733.
The solution is based on a codeless setup.

It works great to provision and setting attributes.

But I wonder if I misunderstand something in deprovisioning.

Because I need to filter which users should have Lync or not, I set it up exactly as in the guide, using a System Scoping Filter.
In the same way, I want to determine if a user should not have Lync anymore; I want the synchronization to trigger a delete of the CS object in my Lync connector and therefore do a Disable-CsUser. But instead it just leaves the object as a filtered object.

Is it possible to trigger a delete for an object in this CS codelessly, or have I misunderstood the concept?

MIM SP1 Portal look


Hi,

After upgrading to MIM SP1, the portal look and feel has changed. There are some issues with the new view. In the case where I have portal users who only see a few nav bar links, the portal leaves a huge space between the header and the rest of the page (I think the rest is centered vertically, not directly under the header as it was before). It doesn't look nice, but additionally, in such a case, when you go to some user search page there is a message (which was previously shown in the center) covering the search box.

How can this be fixed? (Some CSS or something in the SharePoint template?)

Regards

Borys


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

the image or delta doesn't have a distinguished name


I have an ECMA2 MA (export only) with a synchronization rule, which calls a web service in the PutExportEntries method. Everything works fine and the web service is called with no errors after the export.

But in the event viewer I receive the following error.

BAIL: MMS(8500): d:\bt\38553\private\source\miis\server\sync\syncstage.cpp(782): 0x80230301 (The image or delta doesn't have a distinguished name.) BAIL: MMS(8500): d:\bt\38553\private\source\miis\server\sync\syncstage.cpp(648): 0x80230301 (The image or delta doesn't have a distinguished name.) Forefront Identity Manager 4.1.3671.0

Does anybody have a clue why the error occurs?

MIM 2016 and SharePoint 2016 syncing


Hello,

I am running into an issue where I am unable to fully sync all information to SharePoint and could use some guidance. For some reason I cannot get the Manager to push into SharePoint. Other information will however push and update.

I have 3 tasks running in the Task Scheduler: a FullSync (once daily), a DeltaSync (every 30 minutes), and a PhotoProfileUpdate. When I review their history in SSM they show success 98% of the time. Occasionally I get a completed-warnings status on the SPMA DeltaImport. The details specify "exported-change-not-reimported" and reference the manager field.

I know the field is pulling from AD because when I search the Metaverse I can see managers for users and am able to click them to confirm the linking is correct. Not sure what I am missing, as users will add/delete and change information as it is updated in AD. The only thing not pushing is the Manager info.

Ideas?
