Hi all

I was wondering if someone had a suggestion for me how to solve this issue.

To explain: I have made an outbound SR that set pwdlast=0 to FIM AD user account. so far so god. I wan't this behaviour because I wan't to trigger/force a password sync, the next time user logon.

The issue I am seeing, is that this SR gets applied several times, over and over again. I have not enabled: Run at policy update!

So I created an WF thats removes this SR, but I am not sure how to/what to trigger it.. I want it removed just after it has expired the password/been applied.

If the SR is not supposed to be run several times, that would be great to sort out aswell.

Best regards Andre

Andre

FIM 2010 R2

We have a group in AD.We are not able to find the group in AD Connector Space.

Possibilities analysed:

1)Container is fine.

2)It is under scope.

We can find the other groups from the same OU and with exactly similar attribute values.

Can somebody let me know if there are any other possibilities for this issue.

Hi Everyone,

I am performing DL management Scenario in which i Have hybrid environment and in this when a Requestor is sending a Request to Group Owner he is receiving the Email but in thatApprove and Decline button is not present along with that when i am opening the email in that it is mentioned the following information which is present in my screenshot



this is the following error which i can see on the mail and i can perform the DL management in the through FIM portal.

I am not able to figure this out and is this an issue of Exchange?

You response will be highly appreciated.

Thanks,

Aman Khanna

I am able to launch the setup, but then when I click the "Next" button, nothing happens. I tried with elevated prompt as well, no different. Any insight?

And this is the setup log generated:

=== Logging started: 11/14/2014  14:45:56 ===
Action 14:45:56: INSTALL.
Action start 14:45:56: INSTALL.
Action 14:45:56: FindRelatedProducts. Searching for related applications
Action start 14:45:56: FindRelatedProducts.
Action ended 14:45:56: FindRelatedProducts. Return value 0.
Action 14:45:56: PrepareDlg.
Action start 14:45:56: PrepareDlg.
Info 2898. For WixUI_Font_Normal textstyle, the system created a 'Tahoma' font, in 0 character set, of 13 pixels height.
Info 2898. For WixUI_Font_Bigger textstyle, the system created a 'Tahoma' font, in 0 character set, of 19 pixels height.
Action 14:45:56: PrepareDlg. Dialog created
Action ended 14:45:56: PrepareDlg. Return value 1.
Action 14:45:56: AppSearch. Searching for installed applications
Action start 14:45:56: AppSearch.
AppSearch: Property: MS_EXTENSION_LOCATIONDIR, Signature: FindMSExtensionLocation
AppSearch: Property: MS_EXTENSION_LOCATIONDIR14, Signature: FindMSExtensionLocation14
AppSearch: Property: MS_EXTENSION_LOCATIONDIR15, Signature: FindMSExtensionLocation15
AppSearch: Property: MACHINENAME, Signature: FindMachineName2
AppSearch: Property: DOMAINNAME, Signature: FindFIMDomainName
AppSearch: Property: FIMDBNAME, Signature: FindFIMDBNAME
AppSearch: Property: FIMPORTALLOCATION, Signature: FindFIMPORTALLOCATION
AppSearch: Property: FIMSERVICEADDRESS, Signature: FindFIMSERVICEADDRESS
AppSearch: Property: NETFRAMEWORK20INSTALLROOTDIR, Signature: NetFx20InstallRootSearch
AppSearch: Property: NETFRAMEWORK35, Signature: NetFramework35
AppSearch: Property: BHOLDFIMINST_WEBPORT, Signature: BholdFimFindREM_WEBPORT
AppSearch: Property: BHOLDFIMINST_WEBSITENAME, Signature: BholdFimFindREM_WEBSITENAME
AppSearch: Property: IIS, Signature: IISInstalledVersion
AppSearch: Property: BHOLDFIMBHOLDUSER_INSTALLED, Signature: BholdFimFindBHOLDUSER_INSTALLED
AppSearch: Property: BHOLDFIMUSERDOMAIN_INSTALLED, Signature: BholdFimFindUSERDOMAIN_INSTALLED
AppSearch: Property: BHOLDFIMINSTALLEDONDOMAIN_INSTALLED, Signature: BholdFimFindINSTALLEDONDOMAIN_INSTALLED
AppSearch: Property: BHOLDFIMINSTALLED_APPLICATIONGROUP, Signature: BholdFimFindAPPLICATIONGROUP
AppSearch: Property: BHOLDFIMMACHINENAME, Signature: BholdFimFindMachineName
AppSearch: Property: BHOLDFIMDOMAINNAME, Signature: BholdFimFindCoreDomainName
AppSearch: Property: BHOLDDPORT_INSTALLED, Signature: FindBHOLDDPORT_INSTALLED
AppSearch: Property: BHOLDDOMAIN_INSTALLED, Signature: FindBHOLDDOMAIN_INSTALLED
AppSearch: Property: BHOLDMACHINENAME_INSTALLED, Signature: FindBHOLDMACHINENAME_INSTALLED
AppSearch: Property: SQLSERVERNAME_INSTALLED, Signature: FindSQLSERVERNAME_INSTALLED
AppSearch: Property: SQLDATABASE_INSTALLED, Signature: FindSQLDATABASE_INSTALLED
AppSearch: Property: SQLINTEGRATED_INSTALLED, Signature: FindSQLINTEGRATED_INSTALLED
AppSearch: Property: SQLUSER_INSTALLED, Signature: FindSQLUSER_INSTALLED
AppSearch: Property: SQLSERVERNAME, Signature: FindSQLHostName
Action ended 14:45:56: AppSearch. Return value 1.
Action 14:45:56: BholdFimcaAPPLICATIONGROUP.
Action start 14:45:56: BholdFimcaAPPLICATIONGROUP.
Action ended 14:45:56: BholdFimcaAPPLICATIONGROUP. Return value 1.
Action 14:45:56: caBHOLDMACHINENAME.
Action start 14:45:56: caBHOLDMACHINENAME.
Action ended 14:45:56: caBHOLDMACHINENAME. Return value 1.
Action 14:45:56: caBHOLDWEBPORT.
Action start 14:45:56: caBHOLDWEBPORT.
Action ended 14:45:56: caBHOLDWEBPORT. Return value 1.
Action 14:45:56: caDOMAINNAME.
Action start 14:45:56: caDOMAINNAME.
Action ended 14:45:56: caDOMAINNAME. Return value 1.
Action 14:45:56: caSQLDATABASE.
Action start 14:45:56: caSQLDATABASE.
Action ended 14:45:56: caSQLDATABASE. Return value 1.
Action 14:45:56: caSQLINTEGRATED.
Action start 14:45:56: caSQLINTEGRATED.
Action ended 14:45:56: caSQLINTEGRATED. Return value 1.
Action 14:45:56: caSQLSERVERNAME.
Action start 14:45:56: caSQLSERVERNAME.
Action ended 14:45:56: caSQLSERVERNAME. Return value 1.
Action 14:45:56: caSQLSERVERSETTINGSFOUND.
Action start 14:45:56: caSQLSERVERSETTINGSFOUND.
Action ended 14:45:56: caSQLSERVERSETTINGSFOUND. Return value 1.
Action 14:45:56: LaunchConditions. Evaluating launch conditions
Action start 14:45:56: LaunchConditions.
Action ended 14:45:56: LaunchConditions. Return value 1.
Action 14:45:56: WixUI_WelcomeDlg_Next.
Action start 14:45:56: WixUI_WelcomeDlg_Next.
Action ended 14:45:56: WixUI_WelcomeDlg_Next. Return value 1.
Action 14:45:56: ValidateProductID.
Action start 14:45:56: ValidateProductID.
Action ended 14:45:56: ValidateProductID. Return value 1.
Action 14:45:56: CostInitialize. Computing space requirements
Action start 14:45:56: CostInitialize.
Action ended 14:45:56: CostInitialize. Return value 1.
Action 14:45:56: FileCost. Computing space requirements
Action start 14:45:56: FileCost.
Action ended 14:45:56: FileCost. Return value 1.
Action 14:45:56: CostFinalize. Computing space requirements
Action start 14:45:56: CostFinalize.
Action ended 14:45:56: CostFinalize. Return value 1.
Action 14:45:56: MaintenanceWelcomeDlg.
Action start 14:45:56: MaintenanceWelcomeDlg.

 Thanks!

I have FIM installed and was initially getting an Object does not exist on server error whenever i went to Manage Profile Tepmplates or with a user accoutn tried the request a smart card link..

I enabled verbose logging and this is the error

Error loading all profile templates. Container path: CN=Profile Templates,CN=Publik Key Services,CN=Services,CN=Configuration,DC=Company,DC=Com

I validated that the container does not exist. I manually created it and now i get past the error but all lists of profiles are empty as the container is empty.

At what point should this have been created/populated?

Aaron

An amateur question: I have two domains in two different forests. I need to allow users from both domains log in to the FIM portal and create/manage  users/groups in both domains. However,  users in one domain will not be part of any groups in another forest. Do I need a Cross Forest configuration?

Thanks,
John

Hi All,

As per my requirement, I need to reconcile only one user named "xyz" into FIM from AD. For that i have defined a filter in Configure Connector filter page of AD MA. After that i am doing a FullImport of ADMA which is working fine. But When i perform a FullSynchronization on AD MA, it is throughing me a "connector-filter-rule-violation". So, Inorder to fix it, i have removed that filter from Configure Connector filter page and deleted the connector space objects of that AD MA.

But, still I am facing the same error i.e. "connector-filter-rule-violation" on doing Full Sync of AD MA.

Could any one please help me out.

Thanks

Prasanthi.

I am exporting modifications in large numbers through FIM PowerShell connector, and I have yet to understand the 3 different export script sections, mainly Begin Export Script and Export Script.

From the definition given by Microsoft, 

The begin export script is run at the beginning of an export run step. During this step, you can establish a connection to source systems and conduct any preparatory steps prior to exporting data from the connected system.

The Synchronization Service will call the Export Data script as many times as is necessary to process all of the pending exports. Depending on whether or not the connector space has more pending exports than the connector’s page size, the presence of reference attributes, or passwords, the export data script may be called multiple times and possibly multiple times for the same object.

And I followed the definition closely.

My plan is because I'm planning to export to O365, then I will do the connection once in Begin Export Script, like this:

[CmdletBinding()]param([ValidateNotNull()][System.Collections.ObjectModel.KeyedCollectionstring], [Microsoft.MetadirectoryServices.ConfigParameter]$ConfigParameters,[ValidateNotNull()][PSCredential]$PSCredential,[Microsoft.MetadirectoryServices.OpenExportConnectionRunStep]$OpenExportConnectionRunStep,[ValidateNotNull()][Microsoft.MetadirectoryServices.Schema]$Schema)Set-StrictMode-Version3Import-Module(Join-Path-Path([Microsoft.MetadirectoryServices.MAUtils]::MAFolder)-ChildPath'FIM.O365.psm1')-Verbose:$false-ErrorActionStopImport-ModuleMSOnline-Verbose:$false-ErrorActionStopConnect-MsolService-Credential$PSCredential-ErrorActionStop

However, when I tried to use the command get-msoluser in Export Script, it gave me this error: You must call the Connect-MsolService cmdlet before calling any other cmdlets. So, is something like this possible?

Secondly, I have over 20k modification to export. My Export Script at high level looks something like this:

$putExportEntriesResults=new-object -TypenameMicrosoft.MetadirectoryServices.PutExportEntriesResults

foreach($CSEntryin$CSEntries)

{

   #do stuffs here...

   $csEntryChangeResult =[Microsoft.MetadirectoryServices.CSEntryChangeResult]::Create($CSEntry.Identifier,$CSEntry.AttributeChanges,"Success")

      $putExportEntriesResults.CSEntryChangeResults.Add($csEntryChangeResult)|Out-Null

}

Write-Output$putExportEntriesResults

When I run the actual export, I actually have to wait until the whole export finishes before I see any feedback on how many updates were successful, or failed. How should my export script be modified in order for me to get updates as the export is happening?

Thank you all for your time.

Hi,

We've been using the OpenLDAP XMA to get FIM to work with Oracle Internet Directory (OID), but I've been told by one of my colleagues that that connector doesn't really do deltas with OID.  Then I just found this:

http://msdn.microsoft.com/en-us/library/dn510997(v=ws.10).aspx

(Generic LDAP Connector for FIM 2010 R2 Technical Reference)

and I was wondering if anyone has worked with this connector with OID, and knows if it is able to perform deltas with OID?

I've been testing it with OID, but it doesn't seem to pick up changes in the OID unless I do full import full synch.

Thanks,

Jim

Hello,

None of the FIM 2010 SQL Server Agent Jobs

FIM_DeleteExpiredSystemObjectsJob
FIM_MaintainGroupsJob
FIM_MaintainSetsJob
FIM_TemporalEventsJob

exist on my SQL server.  How can I restore these?

Thanks.

Hi,

As User AccountName  is a fairly common attribute that needs to be generated Unique, I want to create/generate a unique AccountName in the FIM Portal. Specifically, take a LastName and a FirstName, generate a AccountName in the format of<LastName><FirstName> and check whether it exists in the FIM Portal. If it does, FirstName first one character will be added to the end,if it is also exists in fim portal then FirstName first two character will be added to the end  and so on  checked until a unique value is discovered.if any one have any idea or any solution or code for developing this logics on this please share with me.

Regards

Anil Kumar

Guys,

I'm having an issue deploying MIM Service and Portal. 

I have downloaded the MIM CTP from the Microsoft Connect and following the MIM CTP test lab guide for PAM. 

I'm on page 25/26 trying to launch the Service and Portal msi to install. When I launch the setup as the 
administrator I get the following error.


When I enabled msiexec logs, the only error I see is shown below. Any ideas?

Any Ideas appreciate...

number oneForest

exchangeserver2013
a server withactive directory2012
a server runningFIM2010 R2sp1

numbertwoForest

a server withExchange 2010
Activedirectoryserver2008 r2

I'msetting up aglobal address list withFIMServer

configureagentswith defaultattributes

Forestusersnumberone, theyaresynchronizedto the numbertwoForest


Forestusersnumberone, theyare nottransferredto the numbertwoForest.

userssee them asdeleteand are not added, attached the error.

Forestgroupsthe numberone Forestsynchronizedto the numbertwo

myquestionis?

that usersarenot synchronizedand groupsaresynchronizedifthe forestboth.

is there anyattribute to beremoved for beingExchange2010 andAD 2008.


thatI takeiswhen they are forestandexchangedifferent version?

I am using declarative provisioning. I have two sync rules to provision users and groups respectively from the portal to AD. I have another two sync rules to import users and groups from AD to the portal. The first two sync rules got higher precedence than the later two. The attributes have equal precedence in MV. Each of the sync rule is associated with a workflow and an MPR.

Now, I am able to provisioning new users and groups from Portal to AD fine. However, when I delete them in the portal and do an delta import and delta sync on the FIM MA, the deleted users and groups are recreated in the FIM portal instead of deleting them from the AD.

What am I doing wrong? How do I deprovision the users/groups from AD?

Thanks a lot!

John!

We have Sharepoint 2010 with FIM that came with that product.  We just realized that the 'verbose' tracing was turned on and the log file

C:\Program Files\Microsoft Office Servers\14.0\Service\fimDiagnostics.svclog got really big (60GB).  I edited the config file to only record "Error" events instead of Verbose as per this article:

http://msdn.microsoft.com/en-us/library/windows/desktop/ff357801%28v=vs.100%29.aspx#BKMK_enableDiagnosticTracing

Can I just delete this file or is there some way to keep the file but clear its contents?

thanks,

Hi All,

I am using FIM Sync Manager to synchronise various attributes between our domains.  We have several logon domains and one resource domain.  The resource domain contains disabled accounts with the user's mailboxes, these are linked to the user's logon domain accounts for authentication.  I can use the common sid attribute between the 2 as a basis for my join rules in FIM and this allows me to sync other attributes back and forth.

This is all working fine, however . . . when a user moves from one part of the business to another (ie change of job role) which means they change logon domain I am having a problem.  The user has a new logon account created and the Exchange admins re-link their existing resource domain account to this new account.  In real terms this rewrites the resource domain account's msExchMasterAccountSid attribute with the objectSid attribute from the user's new logon account.  My join rule in FIM is based on these 2 attributes, however the change does not cause FIM to disconnect the accounts, even though they don't match (and there is a new match) the old logon account keeps the resource account joined.

Question is, how can I go about making FIM disconnect these accounts once the join rule that brought them together is broken.

Thanks for reading.

Steve

Hi,

So IdFix is recommended when deploying O365 and DirSync/AADSync. (http://www.microsoft.com/en-us/download/details.aspx?id=36832)

However, is there anything stopping us from running this tool before deploying FIM? It looks like it might give us some valuable data information.

Cheers.

The error from the syn manager is stopped-extension-dll-exception. Below is the error from the event log. I have verified the FIM sync service account has full access. I have even remoted in and browsed to the DLL's directory with the service account.

 System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
   at System.Threading.CompressedStack.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
   at System.Xml.XmlTextReaderImpl.OpenUrl()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(String filename)
   at Mms_ManagementAgent_CHExtension.MAExtensionObject.Initialize() in C:\TFS\Source\Workspaces\Identity Management\Main\FIM\CHExtension\CHExtension.vb:line 54

The other thing I find odd is, why does the error log have a reference back to the source code directory? 

Thanks,

Phil