How to rename samaccountname in a domain using MIM?
Lost Delete Button for Admins on user object
Somehow, I did something that caused the Delete and New buttons to be removed from the Admins view.
I see the buttons on other objects fine.
Thanks,
Nosh
Nosh Mernacaj, Identity Management Specialist
Restore "User Administrators" set
I found the hard way that this set is important.
I can reproduce this in another environment and I get the same result. I now know this is important.
There is very little mention of this set anywhere, but I am convinced it is hardcoded based on that objectId.
How can I restore it without doing a DB restore, which I can't do?
Thanks in advance
Nosh Mernacaj, Identity Management Specialist
Openldap delta-import removes all group members
Hi,
We are currently experiencing a strange issue with delta imports via OpenLDAP.
Issue
While using delta import to get the changes from OpenLDAP via AccessLog, certain groups are left with only one member.
To restore all members we have to do a full import.
The behavior only occurs if an existing group member is removed and added in the same (Deltalog) step.
Removing and adding in separate steps works fine.
Environment
- MIM Syncservice v4.6.34.0 (edited)
- MIM Generic LDAP Connector v1.1.1170.0
- OpenLDAP 2.4
Steps to reproduce
Example ldif file:
```
dn: reqStart=20200527050001.000001Z,cn=log
objectClass: auditModify
reqStart: 20200527050001.000001Z
reqEnd: 20200527050001.000002Z
reqType: modify
reqSession: 4593433
reqAuthzID: cn=admin,ou=admins,o=contoso,c=com
reqDN: cn=test,ou=groups,o=contoso,c=com
reqResult: 16
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
reqMod: modifiersName:= cn=admin,ou=admins,o=contoso,c=com
reqMod: modifyTimestamp:= 20200527050001Z
reqEntryUUID: 428ab767-6257-4435-81cb-852523b1b871
```
1. The group "test" contains the following users in OpenLDAP and in the Connectorspace:
   - dummy
   - user1
   - user2
2. The ldif file is imported into OpenLDAP.
3. The group "test" now contains the users:
   - In OpenLDAP:
     - dummy
     - user1
     - user2
     - user3
     - user4
   - In the Connectorspace:
     - dummy
     - user1
     - user2
4. Delta import is run; after this, "test" in the (OpenLDAP) Connectorspace only contains the user:
   - dummy

If we then do a full import, we get the correct users in "test" in the OpenLDAP Connectorspace:
- dummy
- user1
- user2
- user3
- user4
---
Has anyone encountered this strange behavior and found a solution for it or is this a bug?
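As an added example (not the connector's code and not part of the post), the following replays the accesslog record's reqMod operations in logged order over the connector-space membership, which is what a correct delta import should produce for this record. The LDIF is trimmed from the record in the post; the starting member list is constructed from step 1 of the repro.

```python
import re
# Accesslog record trimmed from the LDIF in the post (one reqMod per value, in logged order).
ACCESSLOG_LDIF = """\
reqDN: cn=test,ou=groups,o=contoso,c=com
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
"""

# Constructed: membership of cn=test as the connector space holds it before the delta import.
CS_MEMBERS_BEFORE = {
    "uid=dummy,ou=users,o=contoso,c=com",
    "uid=user1,ou=users,o=contoso,c=com",
    "uid=user2,ou=users,o=contoso,c=com",
}

# slapo-accesslog reqMod syntax is "attr:<op> value"; op is + add, - delete, = replace, # increment.
REQMOD_RE = re.compile(r"^reqMod: (?P<attr>[^:]+):(?P<op>[+\-=#]) ?(?P<value>.*)$")


def parse_reqmods(ldif):
    """Return (reqDN, [(attr, op, value), ...]) in the order slapd logged them."""
    req_dn, mods = None, []
    for line in ldif.splitlines():
        if line.startswith("reqDN: "):
            req_dn = line[len("reqDN: "):]
        elif (m := REQMOD_RE.match(line)):
            mods.append((m["attr"], m["op"], m["value"]))
    return req_dn, mods


def apply_mods(values, mods, attr="member"):
    """Replay the mods for one attribute in order: a delete then an add of the same value must keep it."""
    result, replaced = set(values), False
    for _, op, value in [m for m in mods if m[0] == attr]:
        if op == "=" and not replaced:      # first '=' wipes the old values ...
            result, replaced = set(), True  # ... then each '=' value is re-added
        if op in "+=" and value:
            result.add(value)
        elif op == "-" and value:
            result.discard(value)
        elif op == "-":                     # bare delete removes every value
            result.clear()
    return result


def replay_group_membership():
    """uids of cn=test after replaying the record over the connector-space snapshot."""
    _, mods = parse_reqmods(ACCESSLOG_LDIF)
    after = apply_mods(CS_MEMBERS_BEFORE, mods)
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in after)
```

Comparing this replayed result with what the connector space holds after the delta import (step 4 above) shows exactly which members the import dropped.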
Microsoft Identity Manager SharePoint 2019
I have set up Microsoft Identity Manager in a SharePoint 2019 environment. Not using the portal, only the sync service.
There are custom fields set up in the SharePoint UPA (wrTitle, wrkPhone, MyDept). I am trying to sync those fields back to AD, but every time I run a full sync or a delta sync, if I search for a user in the metaverse those fields are blank.
I did add those fields in the Metaverse Designer. The funny thing is I have 2 test accounts, and on the first run I did it did sync the fields back to AD, but any other accounts are coming back blank.
I am using the same account used in our previous 2013 environment with FIM which has all the necessary permissions to write changes to AD.
I did clear the connector and refresh the schema as well, and every time I import I get blank values for those 4 fields; it feels like MIM is not picking up that the values from SP don't match AD.
Any help would be appreciated if you could point me in the right direction.
Azure Password Protection with Banned Password List policy change and MIM SSPR
Hello Everyone,
My client is updating password policies and they are introducing Azure Password Protection with Banned Password List, and they have MIM SSPR. My question is how we can enforce that protection in MIM SSPR.
Thank you.
Cross-forest group membership management with MIM2016
Hello,
I'm very new to MIM and I'm trying to implement group membership management across multiple forests.
Several forums referenced this guide (however it is for FIM2010 not MIM2016): https://docs.microsoft.com/en-us/previous-versions/mim/ff720154(v=ws.10)
There are some points that I don't really understand (and I think that the guide is not completely migrated from the original site) I hope someone can explain:
- Sync MPR: https://docs.microsoft.com/en-us/previous-versions/mim/ff720154(v=ws.10)#synchronization-mpr -> it states that the MPR is triggered when an object's membership is changed and triggers the FSP provisioning workflow. Based on my testing and understanding, it will only apply to group objects and sets - so only this type of object will be added to the sync policy scope. Am I missing something?
- FSP set: https://docs.microsoft.com/en-us/previous-versions/mim/ff720154(v=ws.10)#to-create-activedirectory-people-fsps-sets -> it says that "The Resource ID should be in the FSP set that is associated with the forest for which the domain in this set provisions. " Does it mean that I should add this set to the FSP provisioning set (declared in the domain configuration object)? How will be the user FSPs added to the set?
- FSP sync rule: https://docs.microsoft.com/en-us/previous-versions/mim/ff720154(v=ws.10)#to-create-the-synchronization-rule-for-activedirectory-user-fsps -> displayname attribute is also added to the outbound attribute flow, but I think that FSP objects in AD do not have displayname attribute. Can I omit this attribute?
- What will happen if there are membership changes outside of MIM? If I understand correctly, the next MIM sync will add the user's FSP to the provisioning set which will trigger the sync MPR -> but it should fail as the FSP already exist in the target domain. Should I create an inbound sync rule to match FSPs with Person objects?
Thank you in advance for your help!
Getting error "The required field cannot be empty" after updating an RCDC
Hello,
I've updated my RCDC to control the first and last name when creating a new account in MIM. I added a regular expression that forces the first character to be a-zA-Z, but after uploading the file, I cannot add users anymore. I uploaded the original file again, but it didn't work; it's still giving the same error "The required field cannot be empty".
Is there a way to find what the exact value/field is that is causing this issue?
Thanks in advance
MIMWAL Referenced Assemblies not found
Hi all,
I'm looking at installing MIMWAL. I'm using the documentation from here:
The documentation says I need 4 assemblies from a specific version of FIM:
The following files from FIM hotfix build v4.1.3496.0 (https://support.microsoft.com/en-us/kb/2906832):
1. Microsoft.IdentityManagement.WebUI.Controls.dll
2. Microsoft.IdentityManagement.WFExtensionInterfaces.dll
3. Microsoft.ResourceManagement.dll
4. Microsoft.ResourceManagement.WorkflowContract.dll
I've come up against a 404 page not found, or that the hotfix is no longer available.
It seems that the referenced Windows SDK is unavailable as well.
Is there a fully up-to-date install guide or can someone please point me to where I can locate these files?
Any help would be greatly appreciated.
-- Tim.
Nested reference for allowed requestor in MPR doesn't work?
The goal is to have a single MPR to allow modification of one set of attributes by a list of "department managers" users in each department for users only in their department.
So I might have department 1, with users a, b, c, and department manager d, and department 2, with users e, f, and g, and department manager h. Department manager d should be able to modify firstname and lastname of users a, b, and c, but not of any other users.
I have set up a list of department resources with a multivalue reference attribute containing these "department managers". I have added a single value reference attribute to the user resource for "department reference" and have it populated with these departments resources.
I thought that I would be able to create an MPR to grant access to modify those attributes to "relative to resource" DepartmentReference/DepartmentManager (as one might do with an MPR to allow access to modify some attributes by "Manager"). But it doesn't work.
Is there some way I can do this without adding another attribute to users and having a workflow update it every time a user's departmentreference or the department managers list in department reference changes?
Receiving stopped-server errors in FIM 2010 R2
Hello all,
I randomly get a stopped-server error during my export to the FIM Service MA. When I look at Event Viewer, I receive:
System.InvalidOperationException: The export session has timed out waiting for responses.
That amount of time can be configured using the exportActivityTimeoutInSeconds attribute of the resourceSynchronizationClient element within the Forefront Identity Management Synchronization Service application configuration file. The default duration is 600 seconds. If the volume of requests is very high, then using that attribute to increase the duration would be advisable.
However, one should investigate why no responses to export requests have been received within the default amount of time. Requests created on behalf of the Forefront Identity Manager Synchronization Service should be investigated to determine whether they are taking an unexpectedly long time to process.
What would be causing this? If I run the export again, it's okay. Is it because the FIM Service database was locked because of a SQL maintenance job? Or is there a permission issue? I'm at a loss.
Just in case, we recently migrated our FIM SQL databases to a new server. Is there some configuration I may have missed to cause this?
Thank you in advance.
Device instance path of plugged in devices
Hi,
I wanted to know how an external plugged-in device is uniquely identified by Windows Device Manager. Is the Device instance path of these devices built into the device, or is it assigned by the system after insertion? If this device instance path ID is assigned to the device by Windows to uniquely identify it, will this ID change when the same device is inserted into another USB interface on the same Windows machine?
Thanks
PAM (privileged access management privilege account) settings
1. [Problem description]: The domain controller is Windows Server 2016 and is highly coupled with Exchange 2015 and Skype for Business. How should the connection and management of privileged accounts be handled?
Privileged Access Management for Active Directory Domain Services
https://docs.microsoft.com/zh-cn/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services
2. [Request]: How should the related integration accounts of the AD domain controller be managed?
AD Accounts
What does it mean when an account's LastLogonTimeStamp is 01/01/1601 00:00:000 but the PwdLastSet field has a date/time?
Maximum number of additions to a multi-value attribute in one request
How do i register a security key (for windows log-in) for my regular Microsoft accounts that are added to my Azure AD tenant?
Hi,
I would like to set up a security key for regular Microsoft accounts used on my Windows PC.
I have an AAD tenant where security keys have been enabled for all users. When creating a user in AAD, setting up the key for that user in myprofile.microsoft.com and then AAD joining my PC, I can login to my PC with the registered security key to that particular account.
However, if I invite an external user with a regular "@outlook" or "@hotmail" account to my AAD, I can't log in to myprofile.microsoft.com, since this user is not added to the "Microsoft Services" tenant and cannot access application '19db86c3-b2b9-44cc-b339-36da233a3be2' (My Access). Instead I tried setting up the security key in account.microsoft.com for Microsoft accounts.
Since my PC is AAD joined with the AAD user, the security key option is there during login, and with that I tried signing in to my "@hotmail" account on my PC with the security key I set up for that account. That seemed to initially work, until it finally said "You can't sign in with this account. Try another account".
Does anyone know how to set up security keys for regular Microsoft accounts, or how to possibly add this user as an external user to the 'Microsoft Services' tenant?
Thanks!
SignInActively.LastSignInDateTime causes stopped-extensible-extension-error
Response:
```
{
  "error": {
    "code": "BadRequest",
    "message": "Invalid Request: $select is not supported for these properties.",
    "innerError": {
      "date": "2020-07-14T10:16:34",
      "request-id": "510469ab-3db5-4c83-acf4-ef08f20c7084"
    }
  }
}
```
GH
domain isn't in our system. Make sure you typed it correctly.
SMS code for account verification does not arrive + support only accessible after account verification
I got two emails mentioning a new reply to my question and one email saying that someone sent me a private message about this post.
When I try to check the replies or read the private message, I am led to a page titled "Enter your mobile number to verify your account".
I entered my number several times but the SMS with the code never arrived. After a few tries, I get "Usage limit exceeded. Try again tomorrow.". This is a mobile phone number in Belgium.
After a few days, I gave up and tried to look for support, but every time I try to open a post on a Microsoft support forum, I am brought to the same page "Enter your mobile number to verify your account" with the same problems.
How can I proceed to solve this and access the replies to my question?
I can access my hotmail account ygramoel@hotmail.com without problems.
(By the way: how can I select font sizes in this form?)
Support for Nested group in Azure
Hi Team,
Apologies in advance if this is not the right forum. I don't find solid info about support for Azure nested groups synchronised from on-prem AD. I found that the SSPR feature supports nested groups:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
But we need to manage other features such as app access, Azure licencing and Intune enrollment. I am unable to find info on whether this is supported or not.
Thanks a lot,
Regards,
Sa
NSW DECC