Channel: Forum Microsoft Identity Manager

AD Group Management users and admins


Hi Everyone,

I am having trouble with FIM/AD group management. We currently have our environment set up so that groups are managed through FIM, but only for user accounts. If we were to FIM-manage a group that had admin users in it, the admins would be stripped out on the next sync; this is due to their admin account not existing in the FIM portal. Is my solution to get the admin accounts into the portal? If so, what is the best way to do that?

We have two ADMAs, one for users and the other for admins, each linking back to a different OU in AD. To create an admin account we check a box on a user's FIM account, provisioning logic fires, and the account is created in the admin OU. On the sync the admin account is joined to the appropriate MV object. I could set up projection logic to project into the FIM portal; however, it would have to be a different resource type than 'person'. This causes an issue with criteria-based FIM-managed groups, because you can only base criteria off of one resource type. For instance, our department shares are all managed through FIM, the criteria being "Select 'User' that match all of the following conditions". You can do "Select 'User' and 'Admin' that match all of the following conditions".

This leads me to believe that the admin accounts would need to project as 'people' within the portal. However, this is not possible, due to their regular accounts already being joined to 'person' objects, if I'm not mistaken.
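Before handing a group over to FIM, an administrator can list the direct members whose account lives in the admin OU, since those are exactly the memberships the next sync would drop when no matching portal object exists. This is an added example and not code from the original post; it assumes the ActiveDirectory PowerShell module is available, and the group names and admin OU distinguished name used in the invocation are placeholders.

```powershell
# Added example (not from the original post). Reports direct group members whose
# account sits under the admin OU, i.e. the memberships that would be removed once
# the group is FIM-managed and the admin accounts have no portal object.
Import-Module ActiveDirectory

function Get-AdminMembersAtRisk {
    param(
        # Groups you intend to put under FIM management.
        [Parameter(Mandatory)] [string[]] $GroupName,
        # Distinguished name of the admin OU, e.g. 'OU=Admins,DC=example,DC=com' (placeholder).
        [Parameter(Mandatory)] [string]   $AdminOU
    )

    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop

        # Only direct members matter here: the sync engine rewrites the group's own
        # member list, so nested memberships are not at stake. -Recursive is omitted.
        $members = Get-ADGroupMember -Identity $group

        foreach ($m in $members) {
            # A member is at risk when it is a user object whose DN ends in the admin OU.
            if ($m.objectClass -eq 'user' -and $m.distinguishedName -like "*,$AdminOU") {
                [pscustomobject]@{
                    Group    = $group.Name
                    Member   = $m.SamAccountName
                    MemberDN = $m.distinguishedName
                }
            }
        }
    }
}

# Example invocation with placeholder values; substitute your own group names and OU.
Get-AdminMembersAtRisk -GroupName 'Share-Finance', 'Share-HR' `
                       -AdminOU 'OU=Admins,DC=example,DC=com' |
    Format-Table -AutoSize
```

An empty result means the group can be moved under FIM management without losing admin memberships; any rows returned are the accounts that still need a portal object (or a manual re-add) before the next sync.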

