Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0


    I have my FIM Service/FIM Portal on a separate server and the FIM Password Registration and Password Reset portal on another server. Installation is successful. I have also followed the MS docs to configure the workflows and MPRs for password reset and registration. When I log in to a test machine and open the URL, it prompts for username/password. Once authenticated, it gives me a "Next" button to continue registration. When I press Next it throws error 3008 and says it is unable to communicate with the FIM Service. Can someone please help? I am badly stuck.


    0 0

    I have a sleep command in the script that could make the script run for 30 minutes. If the PowerShell script runs for a long time, would it get stuck? The script completes sometimes, but sometimes it is just postprocessing.

    param($AcctName, $OwnerName)
    Import-Module ActiveDirectory

    # Look up the account; poll every 3 minutes until it exists in AD
    $ADUser = Get-ADUser -LDAPFilter "(sAMAccountName=$AcctName)" -SearchBase "OUpath" -Server "dcname"
    while ($ADUser -eq $null) {
        Start-Sleep -Seconds 180
        $ADUser = Get-ADUser -LDAPFilter "(sAMAccountName=$AcctName)" -SearchBase "OUpath" -Server "dcname"
    }

    # Once the account exists, wait 6 minutes, then convert the mailbox and grant access
    if ($ADUser -ne $null) {
        Start-Sleep -Seconds 360
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
        Set-Mailbox $AcctName -Type Shared
        Add-MailboxPermission -Identity $AcctName -User $OwnerName -AccessRights 'FullAccess'
    }

    0 0

    I'm attempting to provision users with the AD Domain Services MA in FIM 2010R2, and hitting an error "constraint-violation" - connected data source error = "The parameter is incorrect".  If I click "Validate object against schema..." it comes up with no errors.  Not seeing anything useful in the Event Log or the MA log.  Can anyone suggest how to debug/trace this to find out what's wrong here?  FWIW the AD MA is working for updates to existing users, just provisioning new ones that is the problem



    0 0
  • 04/08/14--18:40: ReplaceString for brackets
  • Hi, I've been trying to replace a bracket in the sync rule, i.e.


    but FIM is complaining the function ReplaceString is not correctly formatted.

    Also I notice

    If I use CustomExpression 


    FIM fails with ReplaceString is not correctly formatted.

    but if I select FIM function -> ReplaceString and enter oldstring as ) and newstring as #, FIM would happily accept.

    Any idea how I can get around this?



    0 0

    Hi Everyone,

    I am trying to provision users from the HR system to AD, but I am getting an error for a few users. A few are getting into AD fine, but a few are not getting provisioned and show "Constrain-violation error" on ADMA Export. If I click to see details on the error, it states "Required attribute "cn" is missing".

    I tried to run the FIMMA Sync manually and found that in the AD connector the 'dn' for AD is getting deleted in the export attribute flow, and FIM is trying to remove the old connector and add a new one. Also, I looked in Event Viewer and it is throwing no error at all.

    Please suggest!!!

    Thanks~ Giriraj Singh Bhamu

    0 0


    How are the questions displayed to users in these languages (Finnish, English, German, French, Spanish, Chinese (simplified), Russian), whether in the SSPR Portal or at Windows Login (Ctrl+Alt+Del)?

    Please provide any solution in step-by-step detail.


    Anil Kumar

    0 0

    Hi everybody

    I'm new to FIM and am trying to set up a synchronization between our HR system and AD, using the FIM sync service only (no portal). I have successfully set up an import of a CSV file from the HR system, and created the users and groups in AD using an extension and C# code. What I'm stuck on is adding the users to the created groups.

    A direct mapping in the FIM GUI seems not to be possible because the member variable is a reference variable, so I tried to add group membership to my user creation code (see below), but that's not working at all. I'm guessing it's because I don't have access to all objects in the agent's space, only what is currently being created.

    Any help or pointers as to where I can put the code to do this is much appreciated.

    My user creation code. What's not working is the last two lines where I try to lookup the Department Group and add the new user to it. It says the Object (DN) for the groups does not exist, even though it does (exist)

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA managementAgent;
        int connectors = 0;
        CSEntry csentry;
        ReferenceValue DN;

        managementAgent = mventry.ConnectedMAs["AD-user"];
        connectors = managementAgent.Connectors.Count;

        // Only create a connector when the metaverse object has none in the AD MA yet
        if (connectors == 0)
        {
            if (mventry.ObjectType == "person")
            {
                string ansattNr = mventry["employeeId"].Value;
                string username = "lds" + ansattNr;
                string fullname = mventry["displayName"].Value;

                // Build the DN of the new user
                DN = managementAgent.EscapeDNComponent("CN=" + fullname).Concat("OU=Managed-users,OU=Users,DC=test,DC=local");

                csentry = managementAgent.Connectors.StartNewConnector("user");

                csentry.DN = DN;
                csentry["CN"].Value = fullname;
                csentry["employeeID"].Value = ansattNr;
                csentry["SamAccountName"].Value = username;
                csentry["userPrincipalName"].Value = username + "@test.local";
            }
        }

        // Build the DN of the department group
        ReferenceValue groupDN = managementAgent.EscapeDNComponent("CN=" + mventry["department"].Value).Concat("OU=IDM-Departments,OU=Users,DC=test,DC=local");
    }


    0 0
  • 04/09/14--16:14: Why so many disconnectors?
  • Hi,

    In FIM terminology, a connector space object is known as a connector if it is linked to a metaverse object, and as a disconnector if it is not linked.

    So, under which circumstances would a FIM system develop disconnectors?

    One I can think of is if the deprovisioning rule is set to "Explicit disconnector".

    Also, all the OUs from the AD MA scope are represented as disconnectors - doesn't this impact performance when doing a Sync operation?

    What else would create a disconnector?

    thank you.

    0 0

    Hi All,

    Hope you all well,

    My Current FIM environment is:-

    1). Server A (FIM Portal 1)

    2). Server B (FIM Portal 2)

    3). Server C (Both FIM Portals pointing to FIM Service Server C)

    4). Server  D (FIM Sync Server)

    Now my question is, I am facing the error "Service not available" while accessing FIM Portal 2 or FIM Portal 1 from servers C and D. Actually, the FIM Portal URLs are not accessible consistently on all the servers. Sometimes it works, sometimes not.

    I have checked by setting the SPN for FIM Service account but in vain.

    For reference, please find the screenshot below.


    Any help would be appreciated.


    ajay kumar

    0 0


    I set up the FIM 2010 portal and sync service on a couple of servers a few months ago and now it's time to add in the SSPR server. Unfortunately I can't remember the URLs and accounts I entered in the setup wizard which specified the SSPR server and account name. Rather than re-run the setup wizard and risk cocking something up, is there an XML or config file I can use on the FIM server to check this information?


    0 0


    I'm new to FIM and use just the FIM 2010 synchronization engine with some rules extensions.

    I have 2 ActiveDirectories and want to Provision a Group(used as Distribution list) from ActiveDirectory A as a contact object in ActiveDirectory B with the SMTP address of the Group as the targetaddress of the contact.

    Can you give me a hint how to accomplish that?

    Should I use the ShouldProjectToMV() method in the rules extension from the AD Connector of Domain A and out the Group as a special mvtype? How do I join (what anchor to use) the Group to Domain B if I also sync normal contact objects as well?

    Thank you for your help!

    0 0

    I am new to FIM,

    I have an attribute named "employeeJobFamily"; it is on the user type.

    I am trying to update all users that have the value = "General" in that attribute with the value in their manager's "employeeJobFamily" attribute.

    1) I created a Set that can get all these users,

    2) trying to create a WF that can get the value for this attribute "employeeJobFamily" from the Manager.

    I need help with how I can query another person attribute and retrieve this value.

    I am open to any other idea



    0 0

    Firstly Søren Granfeldt thank you for writing and releasing this MA! I'm using it for Account Expiration dates already!! My issue is when trying to connect to Exchange Online (O365) to manage mailboxes.

    I'm using the Granfeldt PowerShell MA to access data in Office 365 but not just the dirsync (is the user licensed) but also properties on the Exchange Online.

    I can connect to Exchange Online (O365)  when running the script as the service account (FIMService). It connects using stored credentials to Exchange Online using Remote PowerShell and Importing the session with -AllowClobber. However I get an error on the Import-PSSession line saying that $Session is undefined / Null when the MA Runs it.

    I have a couple of questions.

    1) If I edit the import.ps1 script (Import Script) do I need to refresh the PowerShell MA Schema for it to pick up the changes or does it load and run this on the fly?

    2) Has anyone run an Import-PSSession with the Granfeldt PowerShell MA and gotten a script error: Script error in line 24: [Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.] - (At {REMOVED}
    +     Import-PSSession -Session $mySession -AllowClobber -WarningAction SilentlyCo ...

    The error is under the $mySession variable, it should connect just fine, I've gone so far as hard coding the password into the script.

    3) Is there any way to make the import script "Run as Admin / Elevated" ?

    Thanks in advance!!!!

    Jonathan Manley

    0 0
  • 04/10/14--19:05: Cross forest password reset
  • Hi,

    We have FIM Sync, Portal, SSPR Registration, SSPR Reset deployed in Forest A.

    Users currently exist in Forest B. There is a 2-way trust between Forest A & B.

    Forest B users can successfully Register for SSPR (by enrolling in the questions/answers) from workstations in Forest B.

    When a user in Forest B tries to Reset their password, they successfully answer the questions, but when they try to type in the new password the following error appears:

    Could someone please point us in the right direction as to why its failing?

    thank you,


    0 0

    Hi Everyone,

    While installing the FIM Service Portal I am getting an error: Service 'Forefront Identity Manager Service' (FIMService) failed to start. Verify that you have sufficient privileges to start system services.


    Please find the below Screenshots:

    Please Help!!


    Thanks~ Giriraj Singh Bhamu

    0 0

    I am setting up FIM 2010 R2 and am required to integrate Symantec VIP to be used at the SMS OTP gate instead of FIM's SMS OTP gate. Does anyone know how I can achieve this? I have never tried this before and have no clue how to go about it.

    I will greatly appreciate your help here

    0 0


    I need to understand what the DeleteAdds statistic defines.

    And when will an identity be identified for both Delete and Add?

    We tried to delete an identity from the Metaverse and from the connected database as well; a deprovision rule is defined. The identity got deleted from the Metaverse, but when the same was exported to SQL the identity was marked as DeleteAdd and it didn't get deleted from the connected DB.


    Jyothishree SP

    0 0

    I'm currently seeing some export errors on my AD MA. In my user source (a custom MA) I had 4 deletions and 6 adds in one import run. This caused 4 MV objects to be deleted and 6 MV objects to be added.

    Now it seems that my unique username function (MV extension) re-used some AD AccountNames as the MV stated that these were no longer in use.

    Now I think the problem lies in the fact that my AD MA users have their DN based upon "CN=sAMAccountName,OU=...". The ones being deleted and added have the same DN and this probably results in a delete-add.

    Should the AD MA be able to handle this or should I think of a different DN strategy?

    0 0


    I am creating Inbound Rule for data coming from a text file.

    For employee status logic is:-

    employee end date>today's date=Active

    Employee end date<today's date=Inactive

    How do I get today's date in Inbound Rule?



    0 0

    I've recently installed Forefront Identity Manager 2010 R2 and we are in the process of creating a tenant connection to Office 365 and setting up Exchange Federation.

    I have installed FIM 2010 R2 and have setup DIRSYNC, and we've noticed an account and group were automatically created in the AD Domain USERS OU.

    MSOL_xxxxxxxxxxxxxx (user)

    MSOL_AD_Sync_RichCoexistence (group) with the MSOL user as the only member.

    2 questions:

    1). What is this User/Group used for? (During the install I had to supply another AD Domain credential, which I would have thought would have been used for the SYNC process.)

    2). Can this MSOL user/group be pre-created or have the password modified in some fashion? (Our Security folks want to "set" the password on the MSOL user to a known value.)

