Is there any reason to bring the default 'Built-in Synchronization Account' and 'FIM Admin' User into the Sync Engine? I can't think of a reason to do this although I haven't seen or heard of anyone filtering them out in the FIM Service MA. The FIM Admin (installation) account gets an object SID during installation but I'm not sure if the 'Built-in Synchronization Account' needs a SID synchronised from AD.

In one of the training by OCG, they recommend not to flow in those two accounts (by marking them as disconnector) IIRC, the sync account also has the sid populated during installation. I am pretty sure that's the case, otherwise u won't be able to sync in he "sync account's sid"

I don't. I always make connector filter rules for them in the FIM MA to block them ever getting into the metaverse. IMO the FIM MA should come pre-configured like that.http://www.wapshere.com/missmiis

The risk is that you typically flow objectSID from AD into the FIM Service (so users can log in to the Portal). If you accidently flow the wrong SID into the administrator or FIM Service account, you could make it very difficult (impossible?) to log into the Portal. You can filter those accounts (as suggested above), or just not include the OUs / Containers that contain those accounts when you configure the AD MA. I prefer to filter based on OU because I don't want there to be any chance that the AD MA will touch any important system accounts by accident. Rex

Thanks for the responses all - sounds like this might be a best practice to configure the FIM Service MA to filter out these two accounts.

Carol, if you still needed to flow in the accounts into MV from AD don't you run into "objectSid" already present error? Is it correct to say that if you don't manage the accounts in FIM then filtering them out in FIMMA would work but not otherwise? Hope you come back to this posting to see this.... if not, I'll post back again. Thanks, AnuAnu

sure, but the thing is mis-configured MA overwriting the objectSid is far more common than someone go to the FIMPortal and mess with the two important accounts (i have seen numerous cases where the objectSid is messed up, but never seen one where someone "accidentally" messes up with sid in FIMPortal)