Hi all,

I have a scenario, lets say I have two Management Agent which are SQLMA and ADMA. I enabled the projection rules from SQLMA at the same time I enable projection rules from ADMA as well.

So now I have a UserA (projected from SQLMA) and UserB (projected from ADMA).

When comes to provisioning, I enable provisioning rules to create an object to another Management Agent lets say HRMA. In this case, what can I do to choose to provision UserB instead of UserA?

Does it have a way to determine which Contributing MA the object came from so that I can create a condition in provisioning code?

Thanks. 

Just wanted to ask the Community,

how would I get all accounts that have a high Retry count: value from the Connector Space?

Hi!

I need to move user account to "Disabled" OU and disable it (uac=514) when user is deleted from HR DB.

Now I have a sync rule which can make user active or inactive depends of it status field in HR DB by this sync rule (0=Active, all another values=disabled)

It is like this:

IIF(Eq(employeeStatus,"0"),512,514)-userAccountControl

and I have a location sync rule flow like this:

IIF(Eq(employeeStatus,"0"),"cn="+displayName+",OU=Active,OU=....",IIF(Eq(employeeStatus,"2"),"cn="+displayName+",OU=Active,OU=.....",IIF(Eq(employeeStatus,"3"),"cn="+displayName+",OU=Active,OU=....",IIF(Eq(employeeStatus,"1"),"cn="+displayName+",OU=Disabled,OU...","cn="+displayName+",OU=Disabled,OU=....")))) ->dn

I have found this thread:

https://social.technet.microsoft.com/Forums/en-US/0729c303-b3c2-4be4-bbbc-f81382671303/disable-a-user-from-ad-if-it-removed-from-source?forum=ilm2

There is recomendation to use such sync rule:

IIF(IsPresent(EMPSTATUS),512,514) => userAccountControl"

But I need to check value of EMPSTATUS and it can have not only one value. User can be active or at sick leave and this status not only 512.

So I need to construct more complicated expression to handle this.

I have a such questions:

1. How I can disable and move user to "Disabled" OU ?

2. What will happened if my user was deleted in HR DB by mistake and at next sync cycle it will be in active state in HR DB?

3. Is my service (or manually created in FIM Portal) accounts will not be disabled? They are not in HR DB, so they will not be connected and disabled by this rules, right?

4. How I can delete this user from all groups?

Thanks!

1

I cannot load the MIMPAM module.

First the program complains that it does not exist. When I pinpoint to it, I get the message the dotnet version is too new. Can someone explain it? My server is 'Azure 2012 R2' VM.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> Import-Module .\MIMPAM.psd1

Import-Module : The assembly 'Microsoft.IdentityManagement.WinTools.dll' was not loaded because no assembly with that name was

found. Verify the assembly name, and then try again.

At line:1 char:1

+ Import-Module .\MIMPAM.psd1

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (:) [Import-Module], DllNotFoundException

    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> gacutil -i .\Microsoft.IdentityManagement.WinTools.dll

Microsoft (R) .NET Global Assembly Cache Utility.  Version 3.5.30729.1

Copyright (c) Microsoft Corporation.  All rights reserved.

Failure adding assembly to the cache:   This assembly is built by a runtime newer than the currently loaded runtime and cannot be loa

ded.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM>

GH

Hi,

I upgraded to SP1 on MIM and the pop up windows when clicking on something like "About Forefront Identity Manager" get stuck on loading.

If I clear the browser's cache the pop up load OK--but is that something I'm going to have to tell all of my users to do? Does anyone have a more elegant solution for this issue?

Thank you!

I cannot load the MIMPAM module.

First the program complains that it does not exist. When I pinpoint to it, I get the message the dotnet version is too new. Can someone explain it? My server is 'Azure 2012 R2' VM.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> Import-Module .\MIMPAM.psd1

Import-Module : The assembly 'Microsoft.IdentityManagement.WinTools.dll' was not loaded because no assembly with that name was

found. Verify the assembly name, and then try again.

At line:1 char:1

+ Import-Module .\MIMPAM.psd1

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (:) [Import-Module], DllNotFoundException

    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> gacutil -i .\Microsoft.IdentityManagement.WinTools.dll

Microsoft (R) .NET Global Assembly Cache Utility.  Version 3.5.30729.1

Copyright (c) Microsoft Corporation.  All rights reserved.

Failure adding assembly to the cache:   This assembly is built by a runtime newer than the currently loaded runtime and cannot be loa

ded.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM>

GH

Hello!

Can anybody say is FIM or MIM can work with Office365 services (SharePoint,Exchange,Skype for Business) and provision access to them for users?

As I understand this is not "out of box" possibility, which solutions are you using?

Thanks!

1

FIM Community Information Center Article

 

Wiki Page: FIM2010 Troubleshooting: Stopped extension dll load

 

Go to the FIM Community Information Center

 

Wim Beck | IS4U FIM/MIM Expert Blog: blog.is4u.be

If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. Thank you!

I'm looking for the Dell driver \VEN_1180&DEV_0592&SUBSYS_01FC1028&REV_12\4&cc5b14e&0&0BA4

Some one know where i can get it?

I've got the most recent version of the SAP ECC6 Web Services Connector Running In my Environment running in a fresh install of MIM 2016. I downloaded the most recent version of the web services connector and the associated SAP ECC6 sample project. After a fair amount of work getting the proper BPAP's published (instructions didn't match the UI) we got the solution to sync user objects using the built-in user object. I can get user related things to run end-to-end. However,

I also need Roles to sync.  This appears to use BAPI_HELPVALUES_GET.  That BAPI is published, however using the default configuration in the download it fails every time with a Method not allowed message on the SAP side.  The XML payload matches the parameters being described in the .wsconfig file so I expect that there is something wrong with the default parameters in the web services config example.   Has anybody else ACTUALLY gotten these sample files to run correctly to import Role and Group object types?  Were there any modifications required on your end to make it work?

Dearest Microsoft Technologists!

This is your last minute call for November Gurus!

You have just over a week left to submit anything you post to TechNet Wiki, into our competition, and you could win BIG!

With the management in turmoil due to MVP Summits and RL interruptions, there has been low publicity this month for the competition.

This simply means any half decent submission to TechNet Wiki can win a medal... and a place in history!

Changes are under way in this competition, and medals will count towards REAL WORLD PRIZES in the new year...

So get in while you can, and start making a name for yourself in your favourite technologies

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker - Azure MVP

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hi,

The MIM Privileged Access Management API is not working. I'm using MIM 2016 with SP1 on Windows server 2012 R2 in Azure. Why o why?

############

Detailed Error Information:
Module    WindowsAuthenticationModule
Notification    AuthenticateRequest
Handler    ExtensionlessUrlHandler-ISAPI-4.0_64bit
Error Code    0x80070021
Config Error    This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false". 
Config File    \\?\C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API\web.config
Requested URL    http://mimservice2.pam.lan:8086/api/pamresources/
Physical Path    C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API\api\pamresources\
Logon Method    Not yet determined
Logon User    Not yet determined
 Config Source:
   31:       <authentication>
   32:         <windowsAuthentication enabled="true" useKernelMode="false"/>
   33:       </authentication>

##########

GH

I've created a simple mail notification workflow. When a "Job Title" attribute is manually changed in the FIM/MIM portal, an email is sent to HR. The new value is then exported to AD, and all is good.

When an administrator makes a change to this attribute in AD, the new value is synchronized and exported to the FIM service, however the workflow is not triggered. How can I make this work? 

Thank you

Martin

Hi,

We just migrated a FIM to MIM instance.

The initial MIM reporting jobs ran fine, but we brought over the production data and are now getting a timeout error on the incremental reporting job:

"This reporting job has been cancelled because the FIM Service instance handling the job has failed to respond within the pre-configured timeout window."

Anyone know how to find out which FIM Service instance is handling the job? And how to extend the timeout window?

Or any other ideas?

Thank you for any help!

Hi,

I'm using Mr Granfeldts excellent PS MA but I ran into a small problem.

During export the script is called multiple times depending on the number of objects and the batch-size configured in my Export run profile. The begin and end sections are called every time the script runs but I need a way to find out when the end time is called for the last time. Are there any control variables available that I can check? I could not find any documentation regarding that.

Thanks

Joakim

Hello Everyone,

I am experiencing an issue with the MIM Reporting failing on the Initial Sync. Both times I have experienced the issue has been with the MIM 2016 SP1 install media. SCSM Service manager is on a separate server with SQL and SCSM DW is on a separate server with SQL. I first complete the SCSM 2012 Service Manager and Data Warehouse installation, register the Data Warehouse and confirm the initial MPSync job finishes with all Management Packs imported/associated. Then I run the MIM 2016 SP1 Reporting installation and confirm the MIM Management Packs are all imported/associated and showing up in Reports in the SCSM console. Then I run the FIMPostInstallScriptsForDataWarehouse.ps1 script which completes successfully. When I run theStart-FIMReportingInitialSync.ps1 script and check the Reporting Job in the MIM Portal, it fails immediately and produces the below errors.

Firewall is off between the servers as well. Has anyone seen this issue before and have a solution?

Reporting Job Details: 

ObjectTypeName: Person,

AttributeName: ObjectType,

RequestIdentifier: 00000000-0000-0000-0000-000000000000,

ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4,

Value: Person,

DataType: String,

MultiValue: False,

Added: True,

SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>,

EventTime: 12/05/2016 19:38:27

Event Viewer:(Three errors connected to the issue)

Error
12/5/2016 11:38:17 AM
Microsoft.ResourceManagement.ServiceHealthSource
68 None

"The FIM Reporting ETL job failed while making a call to the System Center Service Manager Management Server SDK service.  This could be caused by a network or service interruption which is preventing communication between the FIM Service and the System Center Service Manager SDK Service, or by an internal error within System Center.

To fix this issue, ensure that there are no firewalls or network connectivity issues which may be preventing communication between these two services. Also ensure that the System Center Management and System Center Data Access services are running on the System Center Service Manager Management Server.

If you encounter this error after running your first ETL job, ensure that you have installed the FIM Reporting support scripts on your Data Warehouse machine.  You can find these scripts in the Service and Portal folder of your FIM media.

For more information about this error, view the most recent reporting job in the FIM Portal and look for any exceptions which may have occurred.
"

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

Reporting Job Manager: Reporting job halted due to error.

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

ObjectTypeName: Person, AttributeName: ObjectType, RequestIdentifier: 00000000-0000-0000-0000-000000000000, ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4, Value: Person, DataType: String,

MultiValue: False, Added: True, SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>, EventTime: 12/05/2016 19:38:27 ---> System.InvalidOperationException: Cannot find management pack with identity Microsoft.Forefront.IdentityManager.Datawarehouse.Base
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseManagementPackManager.GetManagementPack(String managementPackKey)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(Guid objectIdentifier, String classType, String managementPackIdentity)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(DataWarehouseClassMapping mapping)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseProvider.ProcessBatch(List`1 batch)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExecuteBatchOfExtractTransformLoad(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExportData(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.RefreshSchema()
   at Microsoft.ResourceManagement.Reporting.JobManager.Run()

Hi I receive the following error when trying to complete a manual join in the Sync Service.

"Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "Microsoft.directoryservices.metadirectoryserices.UI.ProperttySheetBase.MMSErrorMessages.resources was correctly embedded or linked into assembly"PropertySheetbase" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Full Error: Value cannot be null. Parameter name: value

I'll probably get flamed for asking such a stupid question, but I'm honestly stuck on this. All I can say in my defense is that I didn't know anything about Identity Manager a week ago!

OK so I've got everything installed, Sync, Portal and Service. Created MAs for MIM (FIM) and AD DS, and user information is flowing into MIM perfectly.

Now I'm trying to set the portal so users can update their own information, but the only way I can get this to work is by adding an attribute flow into the AD DS MA, and there's not a single guide I can find which says you need to do this. So I think that must be wrong.

I've created an Outbound Sync Rule, MPR and Workflow. In the Outbound Sync Rule I've added the attributes I want users to be able to update. But this doesn't work either. When I run a Full Import and Sync on the MA it still just shows Inbound Synchronization for the statistics.

I've not enabled provisioning, as I'm not really ready to start creating users with the portal just yet. Nor have I enabled "Create resource in external system" for the Outbound Rule as I'm presuming I'm only updating.

Any help very much appreciated :)

Andrew France - http://andrewsprivatecloud.wordpress.com

Hello!

I'm trying to automate Initial Password Communication with email.

I have a working process of user provision to AD, but can't do it with this instruction:

http://social.technet.microsoft.com/wiki/contents/articles/2121.fim-how-to-use-workflows-to-automate-the-calculation-and-notification-of-initial-passwords.aspx

This video have the same instruction. One difference is the order of activities in workflow, but I think that this is not a reason.

https://technet.microsoft.com/en-us/video/automate-the-calculation-and-notification-of-initial-passwords-with-fim-2010.aspx

Correctly I understand that:

1. Email is generating when user is provisioned to AD (AD MA Export run profile) ?

2. I don't need a MPR to achieve this goal?

So, what I have:

1.AD User Outbound Sync rule

2.Workflow parameters

3.Outbound Attribute Flow

4.Action Workflow with 3 activities

5.Password Generation Function

6.Adding target resource to Sync Rule

7.Email Notification

Main problem what users are created in AD in disabled state, because of they don't get passwords. When I trying to enable them I get error that users can't be enables, because password doesn't meet password policy.

Can anybody say where can be a problem?

Any help very appreciated.

Thanks!

1

Hi All,

We have developed a PowerShell script that fetches groups from FIM portal expiring in a quarter and trigger email notifications to the group owners. This script works fine when executed in PowerShell console. But when we make this script as part of Windows Task Scheduler, it does not trigger email notification. No errors logged in History tab of the task nor event viewer. We are currently trying with 10K groups which are owned by 10K different owners. The functionality is to send 1 email notification with all 10K recipients in TO list of the email notification.

When I narrow down the filter to fetch fewer groups like ~4K groups in the script and then execute the Task Scheduler it triggers the mail notification.

Any help or clue would be appreciated.

Thanks,

Veena