
This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0
  • 11/13/14--14:40: Remove SR when it's applied
  • Hi all

    I was wondering if someone had a suggestion for me how to solve this issue.

    To explain: I have made an outbound SR that sets pwdlast=0 on the FIM AD user account. So far so good. I want this behaviour because I want to trigger/force a password sync the next time the user logs on.

    The issue I am seeing is that this SR gets applied several times, over and over again. I have not enabled: Run at policy update!

    So I created a WF that removes this SR, but I am not sure how/what to trigger it. I want it removed just after it has expired the password/been applied.

    If the SR is not supposed to be run several times, that would be great to sort out as well.

    Best regards Andre


    0 0

    FIM 2010 R2

    We have a group in AD. We are not able to find the group in the AD Connector Space.

    Possibilities analysed:

    1) Container is fine.

    2) It is under scope.

    We can find the other groups from the same OU and with exactly similar attribute values.

    Can somebody let me know if there are any other possibilities for this issue?

    0 0

    Hi Everyone,

    I am performing a DL management scenario in a hybrid environment. When a requestor sends a request to the group owner, the owner receives the email, but the Approve and Decline buttons are not present in it. Also, when I open the email, it shows the following information, which is in my screenshot:


    This is the error which I can see in the mail, and I can perform the DL management through the FIM portal.

    I am not able to figure this out. Is this an issue with Exchange?

    Your response will be highly appreciated.


    Aman Khanna

    0 0

    I am able to launch the setup, but then when I click the "Next" button, nothing happens. I tried with an elevated prompt as well, no difference. Any insight?

    And this is the setup log generated:

    === Logging started: 11/14/2014  14:45:56 ===
    Action 14:45:56: INSTALL.
    Action start 14:45:56: INSTALL.
    Action 14:45:56: FindRelatedProducts. Searching for related applications
    Action start 14:45:56: FindRelatedProducts.
    Action ended 14:45:56: FindRelatedProducts. Return value 0.
    Action 14:45:56: PrepareDlg.
    Action start 14:45:56: PrepareDlg.
    Info 2898. For WixUI_Font_Normal textstyle, the system created a 'Tahoma' font, in 0 character set, of 13 pixels height.
    Info 2898. For WixUI_Font_Bigger textstyle, the system created a 'Tahoma' font, in 0 character set, of 19 pixels height.
    Action 14:45:56: PrepareDlg. Dialog created
    Action ended 14:45:56: PrepareDlg. Return value 1.
    Action 14:45:56: AppSearch. Searching for installed applications
    Action start 14:45:56: AppSearch.
    AppSearch: Property: MS_EXTENSION_LOCATIONDIR, Signature: FindMSExtensionLocation
    AppSearch: Property: MS_EXTENSION_LOCATIONDIR14, Signature: FindMSExtensionLocation14
    AppSearch: Property: MS_EXTENSION_LOCATIONDIR15, Signature: FindMSExtensionLocation15
    AppSearch: Property: MACHINENAME, Signature: FindMachineName2
    AppSearch: Property: DOMAINNAME, Signature: FindFIMDomainName
    AppSearch: Property: FIMDBNAME, Signature: FindFIMDBNAME
    AppSearch: Property: NETFRAMEWORK20INSTALLROOTDIR, Signature: NetFx20InstallRootSearch
    AppSearch: Property: NETFRAMEWORK35, Signature: NetFramework35
    AppSearch: Property: BHOLDFIMINST_WEBPORT, Signature: BholdFimFindREM_WEBPORT
    AppSearch: Property: BHOLDFIMINST_WEBSITENAME, Signature: BholdFimFindREM_WEBSITENAME
    AppSearch: Property: IIS, Signature: IISInstalledVersion
    AppSearch: Property: BHOLDFIMMACHINENAME, Signature: BholdFimFindMachineName
    AppSearch: Property: BHOLDFIMDOMAINNAME, Signature: BholdFimFindCoreDomainName
    AppSearch: Property: SQLUSER_INSTALLED, Signature: FindSQLUSER_INSTALLED
    AppSearch: Property: SQLSERVERNAME, Signature: FindSQLHostName
    Action ended 14:45:56: AppSearch. Return value 1.
    Action 14:45:56: BholdFimcaAPPLICATIONGROUP.
    Action start 14:45:56: BholdFimcaAPPLICATIONGROUP.
    Action ended 14:45:56: BholdFimcaAPPLICATIONGROUP. Return value 1.
    Action 14:45:56: caBHOLDMACHINENAME.
    Action start 14:45:56: caBHOLDMACHINENAME.
    Action ended 14:45:56: caBHOLDMACHINENAME. Return value 1.
    Action 14:45:56: caBHOLDWEBPORT.
    Action start 14:45:56: caBHOLDWEBPORT.
    Action ended 14:45:56: caBHOLDWEBPORT. Return value 1.
    Action 14:45:56: caDOMAINNAME.
    Action start 14:45:56: caDOMAINNAME.
    Action ended 14:45:56: caDOMAINNAME. Return value 1.
    Action 14:45:56: caSQLDATABASE.
    Action start 14:45:56: caSQLDATABASE.
    Action ended 14:45:56: caSQLDATABASE. Return value 1.
    Action 14:45:56: caSQLINTEGRATED.
    Action start 14:45:56: caSQLINTEGRATED.
    Action ended 14:45:56: caSQLINTEGRATED. Return value 1.
    Action 14:45:56: caSQLSERVERNAME.
    Action start 14:45:56: caSQLSERVERNAME.
    Action ended 14:45:56: caSQLSERVERNAME. Return value 1.
    Action 14:45:56: caSQLSERVERSETTINGSFOUND.
    Action start 14:45:56: caSQLSERVERSETTINGSFOUND.
    Action ended 14:45:56: caSQLSERVERSETTINGSFOUND. Return value 1.
    Action 14:45:56: LaunchConditions. Evaluating launch conditions
    Action start 14:45:56: LaunchConditions.
    Action ended 14:45:56: LaunchConditions. Return value 1.
    Action 14:45:56: WixUI_WelcomeDlg_Next.
    Action start 14:45:56: WixUI_WelcomeDlg_Next.
    Action ended 14:45:56: WixUI_WelcomeDlg_Next. Return value 1.
    Action 14:45:56: ValidateProductID.
    Action start 14:45:56: ValidateProductID.
    Action ended 14:45:56: ValidateProductID. Return value 1.
    Action 14:45:56: CostInitialize. Computing space requirements
    Action start 14:45:56: CostInitialize.
    Action ended 14:45:56: CostInitialize. Return value 1.
    Action 14:45:56: FileCost. Computing space requirements
    Action start 14:45:56: FileCost.
    Action ended 14:45:56: FileCost. Return value 1.
    Action 14:45:56: CostFinalize. Computing space requirements
    Action start 14:45:56: CostFinalize.
    Action ended 14:45:56: CostFinalize. Return value 1.
    Action 14:45:56: MaintenanceWelcomeDlg.
    Action start 14:45:56: MaintenanceWelcomeDlg.



    0 0

    I have FIM installed and was initially getting an "Object does not exist on server" error whenever I went to Manage Profile Templates or, with a user account, tried the "request a smart card" link.

    I enabled verbose logging and this is the error

    Error loading all profile templates. Container path: CN=Profile Templates,CN=Publik Key Services,CN=Services,CN=Configuration,DC=Company,DC=Com

    I validated that the container does not exist. I manually created it and now I get past the error, but all lists of profiles are empty as the container is empty.

    At what point should this have been created/populated?



    0 0

    An amateur question: I have two domains in two different forests. I need to allow users from both domains to log in to the FIM portal and create/manage users/groups in both domains. However, users in one domain will not be part of any groups in another forest. Do I need a Cross Forest configuration?


    0 0

    Hi All,

    As per my requirement, I need to reconcile only one user named "xyz" into FIM from AD. For that I have defined a filter in the Configure Connector Filter page of the AD MA. After that I am doing a Full Import of the AD MA, which is working fine. But when I perform a Full Synchronization on the AD MA, it is throwing a "connector-filter-rule-violation". So, in order to fix it, I have removed that filter from the Configure Connector Filter page and deleted the connector space objects of that AD MA.

    But I am still facing the same error, i.e. "connector-filter-rule-violation", on doing a Full Sync of the AD MA.

    Could anyone please help me out?



    0 0


    I am exporting modifications in large numbers through FIM PowerShell connector, and I have yet to understand the 3 different export script sections, mainly Begin Export Script and Export Script.

    From the definition given by Microsoft, 

    The begin export script is run at the beginning of an export run step. During this step, you can establish a connection to source systems and conduct any preparatory steps prior to exporting data from the connected system.

    The Synchronization Service will call the Export Data script as many times as is necessary to process all of the pending exports. Depending on whether or not the connector space has more pending exports than the connector’s page size, the presence of reference attributes, or passwords, the export data script may be called multiple times and possibly multiple times for the same object.

    And I followed the definition closely.

    Because I'm planning to export to O365, my plan is to make the connection once in the Begin Export Script, like this:

    [CmdletBinding()]
    param(
        [ValidateNotNull()]
        [System.Collections.ObjectModel.KeyedCollection[string, Microsoft.MetadirectoryServices.ConfigParameter]]$ConfigParameters,
        [ValidateNotNull()]
        [PSCredential]$PSCredential,
        [Microsoft.MetadirectoryServices.OpenExportConnectionRunStep]$OpenExportConnectionRunStep,
        [ValidateNotNull()]
        [Microsoft.MetadirectoryServices.Schema]$Schema
    )

    Set-StrictMode -Version 3

    Import-Module (Join-Path -Path ([Microsoft.MetadirectoryServices.MAUtils]::MAFolder) -ChildPath 'FIM.O365.psm1') -Verbose:$false -ErrorAction Stop
    Import-Module MSOnline -Verbose:$false -ErrorAction Stop
    Connect-MsolService -Credential $PSCredential -ErrorAction Stop

    However, when I tried to use the command get-msoluser in Export Script, it gave me this error: You must call the Connect-MsolService cmdlet before calling any other cmdlets. So, is something like this possible?

    Secondly, I have over 20k modifications to export. My Export Script at a high level looks something like this:

    $putExportEntriesResults = New-Object -TypeName Microsoft.MetadirectoryServices.PutExportEntriesResults



       #do stuffs here...

       $csEntryChangeResult =[Microsoft.MetadirectoryServices.CSEntryChangeResult]::Create($CSEntry.Identifier,$CSEntry.AttributeChanges,"Success")




    When I run the actual export, I actually have to wait until the whole export finishes before I see any feedback on how many updates were successful, or failed. How should my export script be modified in order for me to get updates as the export is happening?

    Thank you all for your time.

    0 0


    We've been using the OpenLDAP XMA to get FIM to work with Oracle Internet Directory (OID), but I've been told by one of my colleagues that that connector doesn't really do deltas with OID.  Then I just found this:

    (Generic LDAP Connector for FIM 2010 R2 Technical Reference)

    and I was wondering if anyone has worked with this connector with OID, and knows if it is able to perform deltas with OID?

    I've been testing it with OID, but it doesn't seem to pick up changes in the OID unless I do full import full synch.



    0 0


    None of the FIM 2010 SQL Server Agent Jobs exist on my SQL server. How can I restore these?


    0 0


    As User AccountName is a fairly common attribute that needs to be generated unique, I want to create/generate a unique AccountName in the FIM Portal. Specifically, take a LastName and a FirstName, generate an AccountName in the format of <LastName><FirstName> and check whether it exists in the FIM Portal. If it does, the first character of FirstName will be added to the end; if that also exists in the FIM Portal, then the first two characters of FirstName will be added to the end, and so on, checking until a unique value is discovered. If anyone has any idea, solution or code for developing this logic, please share it with me.


    Anil Kumar
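
The naming rule described in the post above, as an added example that is not part of the original post or of FIM itself. The function name `New-UniqueAccountName`, the `-TestExists` predicate, the sample names, the case-insensitive comparison and the choice to throw once FirstName is used up are all assumptions of this sketch.

```powershell
Set-StrictMode -Version 3

function New-UniqueAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$LastName,
        [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$FirstName,
        # Hypothetical predicate: returns $true when the name is already taken.
        # In a deployment this would query the FIM Portal; here it is injected
        # so the logic can be exercised offline.
        [Parameter(Mandatory = $true)][scriptblock]$TestExists
    )

    $base = "$LastName$FirstName"

    # n = 0 tries the bare <LastName><FirstName>; n = 1, 2, ... appends the
    # first n characters of FirstName, as the post describes.
    for ($n = 0; $n -le $FirstName.Length; $n++) {
        $candidate = $base + $FirstName.Substring(0, $n)
        if (-not (& $TestExists $candidate)) {
            return $candidate
        }
    }

    # The post does not say what happens when every prefix is taken.
    # Failing loudly instead of reusing a name is this example's choice.
    throw "No unique AccountName found for '$LastName' / '$FirstName'."
}

# Constructed sample data standing in for the portal lookup.
# Assumption: account names collide case-insensitively, so the set uses
# OrdinalIgnoreCase and 'kumaranila' blocks 'KumarAnilA'.
$existing = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
[void]$existing.Add('KumarAnil')
[void]$existing.Add('kumaranila')

$exists = { param($name) $existing.Contains($name) }

# Tries KumarAnil, then KumarAnilA, then KumarAnilAn.
New-UniqueAccountName -LastName 'Kumar' -FirstName 'Anil' -TestExists $exists
```

The lookup and the later create are separate steps, so two concurrent requests can choose the same name; the system that creates the account still has to enforce uniqueness.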

    0 0


    I'm having an issue deploying MIM Service and Portal. 

    I have downloaded the MIM CTP from the Microsoft Connect and following the MIM CTP test lab guide for PAM. 

    I'm on page 25/26 trying to launch the Service and Portal msi to install. When I launch the setup as the administrator I get the following error.

    When I enabled msiexec logs, the only error I see is shown below. Any ideas?

    Any ideas appreciated...

    0 0

    I have a scenario where the client wants to have a list of all groups displayed when creating/updating/viewing users and wants to select multiple groups using check boxes. Based on that, the user will need to be added to the groups. How can that be done in FIM? I was thinking of having a multi-valued attribute, say "Groups", to point to the groups (just like groups point to the users using their member attribute). However, I am not sure how I would then populate the Groups attribute to display all the groups along with a check box and then update the attribute. Has anybody done that?

    0 0

    Number one forest

    a server with Active Directory 2012
    a server running FIM 2010 R2 SP1


    a server with Exchange 2010
    Active Directory server 2008 R2

    I'm setting up a global address list with FIM Server

    configure agents with default attributes

    Forest users number one, they are synchronized to the number two forest

    Forest users number one, they are not transferred to the number two forest.

    users see them as delete and are not added, attached the error.

    Forest groups the number one forest synchronized to the number two


    that users are not synchronized and groups are synchronized if the forest both.

    is there any attribute to be removed for being Exchange 2010 and AD 2008.

    that I take is when they are forest and exchange different version?


    0 0

    I am using declarative provisioning. I have two sync rules to provision users and groups respectively from the portal to AD. I have another two sync rules to import users and groups from AD to the portal. The first two sync rules have higher precedence than the latter two. The attributes have equal precedence in MV. Each of the sync rules is associated with a workflow and an MPR.

    Now, I am able to provision new users and groups from the Portal to AD fine. However, when I delete them in the portal and do a delta import and delta sync on the FIM MA, the deleted users and groups are recreated in the FIM portal instead of being deleted from AD.

    What am I doing wrong? How do I deprovision the users/groups from AD?

    Thanks a lot!


    0 0

    We have SharePoint 2010 with the FIM that came with that product. We just realized that the 'verbose' tracing was turned on and the log file C:\Program Files\Microsoft Office Servers\14.0\Service\fimDiagnostics.svclog got really big (60GB). I edited the config file to only record "Error" events instead of Verbose as per this article:

    Can I just delete this file or is there some way to keep the file but clear its contents?


    0 0

    Hi All,

    I am using FIM Sync Manager to synchronise various attributes between our domains.  We have several logon domains and one resource domain.  The resource domain contains disabled accounts with the user's mailboxes, these are linked to the user's logon domain accounts for authentication.  I can use the common sid attribute between the 2 as a basis for my join rules in FIM and this allows me to sync other attributes back and forth.

    This is all working fine, however . . . when a user moves from one part of the business to another (ie change of job role) which means they change logon domain I am having a problem.  The user has a new logon account created and the Exchange admins re-link their existing resource domain account to this new account.  In real terms this rewrites the resource domain account's msExchMasterAccountSid attribute with the objectSid attribute from the user's new logon account.  My join rule in FIM is based on these 2 attributes, however the change does not cause FIM to disconnect the accounts, even though they don't match (and there is a new match) the old logon account keeps the resource account joined.

    Question is, how can I go about making FIM disconnect these accounts once the join rule that brought them together is broken.

    Thanks for reading.


    0 0
  • 11/18/14--12:43: Can we use IdFix with FIM?
  • Hi,

    So IdFix is recommended when deploying O365 and DirSync/AADSync.

    However, is there anything stopping us from running this tool before deploying FIM? It looks like it might give us some valuable data information.


    0 0

    The error from the sync manager is stopped-extension-dll-exception. Below is the error from the event log. I have verified the FIM sync service account has full access. I have even remoted in and browsed to the DLLs' directory with the service account.

     System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions' is denied.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
       at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
       at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
       at System.Threading.CompressedStack.runTryCode(Object userData)
       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
       at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
       at System.Xml.XmlTextReaderImpl.OpenUrl()
       at System.Xml.XmlTextReaderImpl.Read()
       at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
       at System.Xml.XmlDocument.Load(XmlReader reader)
       at System.Xml.XmlDocument.Load(String filename)
       at Mms_ManagementAgent_CHExtension.MAExtensionObject.Initialize() in C:\TFS\Source\Workspaces\Identity Management\Main\FIM\CHExtension\CHExtension.vb:line 54

    The other thing I find odd is, why does the error log have a reference back to the source code directory? 


