Channel: Forum Microsoft Identity Manager

PowerShell to Query groups having no owners in FIM portal.


Hello All,

Some groups have no owner information in the FIM portal. I am looking for a PowerShell script that will fetch all the groups having no owner information in the FIM portal. I have tried and need input on how to achieve that.

Below is the query I am trying to build:

# Load FIMAutomation module
if(@(Get-PSSnapin | ? { $_.Name -eq "FIMAutomation" } ).Count -eq 0)
{
    Add-PSSnapin FIMAutomation;
}
$ImportState = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]
$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType = "Group"
$importObject.State

Kindly advise.

Regards,
Anirban Singha (Bangalore, India)
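
One way to list ownerless groups with the FIMAutomation snap-in, as an added example that is not part of the original post. It assumes the default FIM Service endpoint on the local machine; the helper `Get-FimAttributeValue` and the output path are hypothetical names chosen for illustration.

```powershell
# Added example (not the poster's code). Requires the FIMAutomation snap-in
# and an account allowed to read Group resources in the FIM Service.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Assumption: default FIM Service endpoint; change for a remote service.
$FimUri = 'http://localhost:5725/ResourceManagementService'

# FIM XPath filter: groups whose Owner attribute references no Person.
$Filter = '/Group[not(Owner = /Person)]'

# Hypothetical helper: read one attribute from an exported resource.
function Get-FimAttributeValue {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }          # attribute not populated
    if ($attr.IsMultiValue) { return ($attr.Values -join ';') }
    return $attr.Value
}

# -OnlyBaseResources returns the matching groups without resolving references.
$groups = Export-FIMConfig -Uri $FimUri -CustomConfig $Filter -OnlyBaseResources

$report = foreach ($g in $groups) {
    New-Object PSObject -Property @{
        ObjectID         = Get-FimAttributeValue $g 'ObjectID'
        DisplayName      = Get-FimAttributeValue $g 'DisplayName'
        AccountName      = Get-FimAttributeValue $g 'AccountName'
        Type             = Get-FimAttributeValue $g 'Type'
        Scope            = Get-FimAttributeValue $g 'Scope'
        MembershipLocked = Get-FimAttributeValue $g 'MembershipLocked'
    }
}

# Security groups without an owner are the ones to review first, since
# nobody is accountable for approving their membership changes.
$report |
    Sort-Object Type, DisplayName |
    Select-Object DisplayName, AccountName, Type, Scope, MembershipLocked, ObjectID |
    Export-Csv -Path .\fim-groups-without-owner.csv -NoTypeInformation

"{0} group(s) without an owner" -f @($report).Count
```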


Creating shared mailboxes with FIM2010R2


We need to provision, sync and deprovision shared mailboxes through FIM.

I have searched extensively, and found several places mentioning that it is not supported by older versions of ILM/FIM. I also found mentions that it might be coming in the future, but the latest version of ExchangeUtils makes no mention of shared mailboxes.

I understand that we can always "just" provision using PowerShell, but PowerShell through managed code is something we try to avoid if we can.

So before we go down the bumpy PowerShell road... Is there a better/other way to provision mailboxes in FIM 2010R2 than using PowerShell?



Password Registration Portal Javascript Focus Issue with Many Questions

I'm working on an SSPR implementation with many questions asked on registration. When the questions are AJAXed in, focus is set on the first question. In IE, when the page is long enough to scroll, when the first question is focused the page gets pushed down and the header is not visible. I want to prevent the focus event from occurring on the load, but I can't find the JavaScript function that is being called in the code to alter it. Does anyone know where that code is and if it is user editable? I would also accept any workarounds to keep the pushdown from happening. Thanks!

Miiserver.exe APPCRASH on ECMA2 during Delta Import


All,

I all of a sudden seem to be getting a recurring app crash when running an ECMA2 (incidentally, during a Delta Import operation).  It was working fine last week, and the only thing that may be different is the number of records being returned to the ECMA2 (5 - 10 last week, 350 today when I run it).  Here is the error:

Faulting application name: miiserver.exe, version: 4.1.3114.0, time stamp: 0x50ad5a13

Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e

Exception code: 0x80000003

Fault offset: 0x00000000000c40bf

Faulting process id: 0x570

Faulting application start time: 0x01ce5bba32023801

Faulting application path: E:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

Report Id: 00c7a8dd-c7ae-11e2-a3d2-005056830023

I also have this:

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: miiserver.exe

P2: 4.1.3114.0

P3: 50ad5a13

P4: ntdll.dll

P5: 6.1.7601.17725

P6: 4ec4aa8e

P7: 80000003

P8: 00000000000c40bf

P9:

P10:

Attached files:

C:\Users\_FIMSyncServiceDev\AppData\Local\Temp\WER149D.tmp.appcompat.txt

C:\Users\_FIMSyncServiceDev\AppData\Local\Temp\WER154A.tmp.WERInternalMetadata.xml

C:\Users\_FIMSyncServiceDev\AppData\Local\Temp\WER156A.tmp.hdmp

C:\Users\_FIMSyncServiceDev\AppData\Local\Temp\WER3632.tmp.mdmp

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_miiserver.exe_b72b2ea9975da78208fb936402f66ef4f61953d_cab_0ca13861

Analysis symbol:

Rechecking for solution: 0

Report Id: 00c7a8dd-c7ae-11e2-a3d2-005056830023

Any ideas on what could be causing this all of a sudden?  I don't believe anything changed with my environment since it was last successfully working, again only the number of records being processed in the delta import.

FIM 2010 R2 SP1 Reporting with System Center 2012 SP1


I know that this topic has been touched on several times, but all of the issues seem to still exist. I have an existing implementation of FIM 2010 R2 SP1 (sync, portal, registration and reset). I need to stand up FIM Reporting. The backend SQL server is SQL 2012, so installing SCSM 2010 isn't even an option. I've been trying to do a command line installation to get around the old check for the SCSM 2010 hotfix and have not been able to get it to work. I've found a few posts / blogs that have example command line options, but none of them work. Even the one supplied by Microsoft on TechNet does not work. Every command line option I try seems to be trying to configure other components. Is there a way to just install FIM Reporting from the command line?

It would be nice if Microsoft would have an official stance on this.

Thanks,

Mark


Mark Creekmore - BlueVault Software http://www.bluevaultsoftware.com

Do any FIM services support the use of Managed Service Accounts?


Just checking to see if this is the case. If yes, are Group Managed Service Accounts supported (Server 2012)? Or only standalone? If not, is it a feature currently under consideration?

TIA,

James

Evaluation order in criteria-based sets?


Is there a well-defined evaluation order for evaluating criteria from one set to another?

The TechNet article for best practices for FIM 2010 has a section about modeling custom entitlements with Set Transition MPRs.  It recommends avoiding the same entitlement with different transition sets, and my question has to do with following that best practice.

I have several criteria-based sets that get various combinations of entitlements, but let me simplify to illustrate my question.  Let's say I have three sets:

  • Set A, based on criteria coming from my HR system.  Set A has a Transition Out MPR with a custom workflow activity that sets a date attribute D some days into the future.
  • Set B is a temporal set based on D.
  • Set E is the set of all users whose "Resource ID is in A" or "Resource ID is in B."  The Transition In and Out MPRs that implement the entitlement are associated with Set E.

The idea is that when the user enters A, she also enters E and gets the entitlement.  When she leaves A she enters B, remaining in E; and when she leaves B she also leaves E and loses the entitlement.  This all works if the criteria and workflows and such are evaluated in the order A, B then E, or if the criteria for A and B are re-evaluated when it checks to see if the user is in A (or B).  It could fall apart dramatically with a different order of evaluation.

I am running FIM 2010 R2.  Is FIM smart enough to order the evaluations correctly (or re-evaluate as necessary)?  I think the alternatives are:

  1. Adding the entitlement TMPRs to each of the sets like A and B, going against the recommendations.
  2. Replicating the criteria for A and B into each entitlement set.  Eventually I'll have around a half dozen sets like A or B and a dozen or more entitlement sets, and it will cause a lot of work if the criteria ever are changed.

Thanks in advance, -Les

Failed-modification-via-web-services error


Hi,

I am back with this error again. I posted earlier and thought that I had found the cause of this. Previous post is here: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/01f0a134-06ad-4423-92ae-165eba169419. I had reviewed all my Sets, WF, MPRs and SRs to ensure that there are no conflicting rules.

The failed-modification-via-web-services error only occurs on certain or a few objects; it only occurred on about 56 objects.

The error detail shown on the object in the Synchronization Service Manager is :

"Fault Reason: The endpoint could not dispatch the request.\r\n\r\nFault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#A0E8A54__5330D0773EDCE1BF'. Cannot insert duplicate key in object 'dbo.@transitionOutApplicableRuleBuffer'. The duplicate key value is (13520, 43658, 147).
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>6ffcb0b5-2357-4aaa-b044-b59c34cea4fd</CorrelationId></DispatchRequestFailures>"

All the objects failed with a similar error description. In the FIM portal the request stays in the "Validating" state.  I also confirmed that there are no validations on any attribute that could cause this.  As I have indicated above, this only happens to certain user objects.

By looking at all the requests on these objects, they all had one thing in common - On a few requests there is a remark which states:

"Requests cancelled by system because it was not recoverable after a service restart, the last requeststatus recorded prior to cancelling was, Validating"

I think what is happening, is that there are still rules in a queue or buffer somewhere which had not completed yet. The synchronization service is exporting these because no confirmation is received - resulting in the duplicate key error above.

My question is:

Is it possible to remove these failed requests without deleting the object in the FIM Portal? (really don't want to do that as that will mean that the business rules will not apply on these objects)

Thanks

Johan Marais 


JkM6228


FIM web service connector - integer value is not passed to the web service


Hi,

I'm using declarative provisioning rules and web service connector.

The data flow is as follows:

HR_webservice_MA (source) -> AnotherSystem_webservice_MA

I have designed the Full Import workflow for HR MA and Full Import, Export: Add, Modify for AnotherSystem MA.

I have an interesting issue with Modify workflow web service.

In web service I have defined a user:

using System;
using System.Runtime.Serialization;

public class SAP_AD_User
{
    [DataMember]
    public Int32 UserId { get; set; }    // anchor

    [DataMember]
    public string EmployeeNumber { get; set; }

    [DataMember]
    public string FirstName { get; set; }

    [DataMember]
    public string LastName { get; set; }

    [DataMember]
    public string FullName { get; set; }

    [DataMember]
    public string UserName { get; set; }

    [DataMember]
    public string JobTitle { get; set; }

    [DataMember]
    public string Company { get; set; }
}

In Modify workflow I call a web service method ModifyDVSUser(SAP_AD_User user):

In Foreach AnchorAttribute -> Switch<AnchorAttributeNameWrapper> -> I assign user.UserId = Convert.ToInt32(anchor.Value). And when I put out the value within the log element before calling the web service, I get the correct value. I also write out the type and it is System.Int32.

But in the web service the value is not assigned only for the UserId attribute - it is always 0 (the other string attributes are correctly assigned with the values). First I thought it may be somehow related to it being an anchor value, but when I changed the UserId type to string (in the web service and in the workflow), then the value was passed. So it is somehow related to the integer type. Should only string values be passed to the web service or am I missing something?

Thank you in advance!

FIM 2010 Search Connector Space within extensible management agent


Hello,

I am creating an IMAExtensibleFileExport management agent for FIM 2010.

Is there a way of searching the connector space to retrieve an object with a specified Guid without using WMI?

Thank you in advance,

Andreas Xenos

Get Manager firstname and lastname


Hi,

In an outbound sync rule for a text-based MA (export only), is there a (codeless) way to look up in the MV and get the first name and the last name of the manager, which is a reference DN?

FIM R2 SP1 Service Install Fail - Performance Monitor Group across trust


I am attempting to install the FIM 2010 R2 SP1 Service and the install is "ending prematurely."  This is the second instance of the service and is in a different forest than the first instance, sync engine, and databases.  There is a forest trust between the two, with ForestA trusting ForestB with selective authentication and ForestB trusting ForestA with forest wide authentication.  The databases and service accounts are in ForestA.  The Service install that is failing is in ForestB.  This setup was up and running with FIM 2010 RTM.

I've found the following references to the install process failing at the same point, but with a different error (I'm seeing "Access Denied").

http://www.fimspecialist.com/fim-r2-sp1-fim-service-and-portal-setup-wizard-ended-prematurely/

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2668b83-f54b-4e34-b8e8-84c1540f2a42

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/d9157272-a9cb-448b-96f1-dc7be372357b

The account that I'm using to run the install is in ForestA and is a local admin on the Server.  I am able to manually add the fimservice account to the local "Performance Monitor Users" group on the server.

I've created a log file using the following command:

msiexec /i "Service and Portal.msi" /L*v c:\temp\fiminstall.log

This looks to be the offending step from the install log:

Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.AddServiceToPerformanceMonitors

Adding FIMService account to 'Performance Monitor Users' group

Property name = 'ServiceAccount', value = 'ForestA\fimservice'.

DomainName='ForestA'

AccountName='fimservice'

Domain AD found

Exception thrown by custom action:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied.

   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)

   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)

   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)

   --- End of inner exception stack trace ---

   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)

   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)

   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)

   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)

CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Action ended 14:02:42: InstallExecute. Return value 3.

Any suggestions?

Thanks!

-Ryan

Looking for FIM2010R2 SP1 full install package, or can I use my R2 GA release to install with SQL2012 backend

We've created a new DEV env. at our work since I installed FIM2010R2 GA environment last June.  This new environment only has SQL2012 available for the backend.  Can I install using my same install bits and just upgrade to SP1 afterward, or do I need different bits?

started getting 'sys' undefined errors in IE browser with FIM portal but only on one machine


The main computer that I use to work on the FIM portal randomly started getting 'sys' undefined errors and the portal is 100% unusable now on this machine.  As far as I know nothing changed; I was using it one minute, then reloaded the FIM portal and it started happening.  Here is what the portal looks like when you try to navigate to pages in the portal:

I am at a total loss as to what is causing it.  The portal works just fine from other machines and I don't appear to see the issues with other webpages on this machine.

Has anyone ever seen this issue? Not sure if I need to contact Microsoft support.

Is it OK to do a full import & full synch of several GAL MAs at the same time?


We use MIIS for galsync.

Is it OK to do a full import & full synch of several GAL MAs at the same time?


Schedule request


My customer wants to have changes in the FIM Portal scheduled at a specific date (and time). Is there a possibility in the FIM 2010 R2 Portal to schedule a request? Let's take user modification as an example. The customer wants to have an input field on the user modification RCDC with something like "Modification Date" where he/she can enter a date. After submitting the request, the user modification must not be done until the date from the "Modification Date" parameter is reached.

Can I create a custom workflow activity and keep it on-hold until the date is reached (like during the approval phase in the built-in approval activity)?

Thanks in advance for any ideas.

Milos

Criteria-based Distribution Group in FIM 2010


Hello All,

When I create a Criteria-based Distribution Group in FIM 2010, it creates a Global Security Group in AD.

I had used the below custom expression in syncing the group.

CustomExpression(IIF(Eq(type,"Distribution"),IIF(Eq(scope,"Universal"),8,IIF(Eq(scope,"Global"),2,4)),IIF(Eq(scope,"Universal"),-2147483640, IIF(Eq(scope,"Global"),-2147483646,-2147483644))))

Is something wrong with the CustomExpression?

Regards,
Anirban Singha(Bangalore, India)
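
The six literals in the expression above are Active Directory `groupType` bit-flag values. The following added example (not part of the original post) ports the expression to PowerShell and decodes each result into scope and security-enabled flag, so the value that actually lands in AD can be compared against what the rule should emit. The function names are hypothetical, and the Type/Scope strings are the ones the expression itself tests for.

```powershell
# Added example (not the poster's code): AD groupType flags, signed 32-bit.
$ScopeFlags      = @{ Global = 0x2; DomainLocal = 0x4; Universal = 0x8 }
$SecurityEnabled = [int]0x80000000      # -2147483648; set = security group

# Hypothetical helper: line-for-line port of the sync-rule expression.
# Anything whose type is not "Distribution" takes the security branch.
function Get-ExpressionGroupType {
    param([string]$Type, [string]$Scope)
    if ($Type -eq 'Distribution') {
        if     ($Scope -eq 'Universal') { 8 }
        elseif ($Scope -eq 'Global')    { 2 }
        else                            { 4 }
    } else {
        if     ($Scope -eq 'Universal') { -2147483640 }
        elseif ($Scope -eq 'Global')    { -2147483646 }
        else                            { -2147483644 }
    }
}

# Hypothetical helper: decode any groupType integer into its flags.
function ConvertFrom-GroupType {
    param([int]$GroupType)
    $scope = $ScopeFlags.Keys |
        Where-Object { ($GroupType -band $ScopeFlags[$_]) -ne 0 }
    New-Object PSObject -Property @{
        GroupType       = $GroupType
        Hex             = '0x{0:X8}' -f $GroupType
        Scope           = ($scope -join ',')
        SecurityEnabled = (($GroupType -band $SecurityEnabled) -ne 0)
    }
}

# Walk every Type/Scope combination the expression distinguishes.
$rows = foreach ($type in 'Distribution', 'Security') {
    foreach ($scope in 'Universal', 'Global', 'DomainLocal') {
        $value   = Get-ExpressionGroupType -Type $type -Scope $scope
        $decoded = ConvertFrom-GroupType -GroupType $value
        New-Object PSObject -Property @{
            InputType       = $type
            InputScope      = $scope
            GroupType       = $value
            Hex             = $decoded.Hex
            DecodedScope    = $decoded.Scope
            SecurityEnabled = $decoded.SecurityEnabled
        }
    }
}

$rows | Format-Table InputType, InputScope, GroupType, Hex, DecodedScope, SecurityEnabled -AutoSize
```

Passing the `groupType` value read from the created AD object to `ConvertFrom-GroupType` shows which branch of the expression produced it.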

FIM user provisioning not quite working


Hi all

I've been asked to take a look at a new installation of FIM to give some advice before my client gets a consultant in.  There are a few problems, but it seems to me that they are quite close to having this working and we might be able to sort these few things out.

The design is:

External AD - will only hold user accounts (10000+).

FIM (4.1.3114.0) will be used as a portal to create/manage the External AD accounts.

Internal AD - only used in this context as a source of users for FIM who are allowed to manage the External AD accounts.

Problem 1: The users from the Internal AD do not get created in FIM.  They appear in the Metaverse with attributes: accountName, displayName, domain, email, firstName, lastName, objectSid and the attribute flow and sync rules are configured as shown below:

If I do a preview the status for Inbound Synchronization of all the attributes in the sync rule shows as "Applied" but the Connector Updates EAF shows the final value of (deleted) for the DetectedRulesList attribute and the Connector is shown as Deprovisioned - Automatic Deletion.

Is this something that will be straightforward to fix for a non-FIM guy like me? Any help or advice would be appreciated.

I'll come back with Problem 2 once I've had another look at it.

Thanks, Steve

Powershell custom activity


Hello,

I'm trying to use the PowerShell Activity. In my script I do a simple write to a file, but nothing happens and I have this error:

System.InvalidOperationException: Une exception de type 'Microsoft.ResourceManagement.Workflow.WorkflowExtensionException' a été levée.
   à FimExtensions.FimActivityLibrary.PowerShellActivity.Execute(ActivityExecutionContext context)
   à System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   à System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   à System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   à System.Workflow.Runtime.Scheduler.Run()

Any idea how to resolve this?

Thanks

What purpose is the SMTP suffix setting used for?


In the FIM GAL MA, there is an SMTP suffix setting.

What purpose is the SMTP suffix setting used for?
