Bulk update of SG using a CSV
Hello!! I imported 2000 groups from my production AD and I need to set those groups as criteria-based groups. The problem is to convert all the groups to criteria-based and do a bulk upload of different criteria for the existing groups.

Searching in the script box, I found these two scripts:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/c124a548-7013-405a-bce3-457c4dced8f3
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/ac451c42-337a-4396-ad06-ce2a36e8001f

I already mapped all the criteria in Excel, but I don't have enough knowledge of PowerShell to merge the scripts. Can someone help me?

Thanks in advance,
Diego Shimohama
- Diego Shimohama http://www.dshimo.com.br
May 5th, 2010 6:46pm

I'm trying to export the criteria from MV to FIM, in the FILTER field, as a string in this format:

<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(EmployeeType = 'Employee') and (OfficeLocation = 'Geneva')]</Filter>

But I got the following error. I double-checked all possible MPRs:

There is an error executing a web service object modification request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: &lt;RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;&lt;RequestAdministratorDetails&gt;&lt;FailureMessage&gt;The Request contains changes that violate system constraints. Exception: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
   at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.PreProcessRequestFromAttribute(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromAttribute(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)&lt;/FailureMessage&gt;&lt;RequestFailureSource&gt;SystemConstraint&lt;/RequestFailureSource&gt;&lt;/RequestAdministratorDetails&gt;&lt;/RequestFailures&gt;
Stack Trace:
   at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(UniqueIdentifier objectId, CultureInfo locale, Put putBody)
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
Inner Exception: Policy prohibits the request from completing.

- Diego Shimohama http://www.dshimo.com.br
May 6th, 2010 5:23pm

I made some changes to the script, but I got this error:

PS C:\>>> .\BulkSGUpdate.ps1
Filter <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(EmployeeType = 'Employee') and (OfficeLocation = 'Rome')]</Filter>
Description Funciona?
Owner 7fb2b853-24f0-4498-9534-4e10589723c4
DisplayedOwner 7fb2b853-24f0-4498-9534-4e10589723c4

SourceObjectIdentifier : sgGeneva
TargetObjectIdentifier : sgGeneva
ObjectType : Group
State : Create
Changes : {DisplayedOwner}
AnchorPairs :

Confirm
Failure when making web service call.
SourceObjectID = sgGeneva
Error = Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The request message contains errors that prevent processing the request.
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()
   at Microsoft.ResourceManagement.Automation.ImportConfig.Create(String objectType, List`1 changeList)
   at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()

The script code:

#----------------------------------------------------------------------------------------------------------
set-variable -name CSV -value "groups.csv"
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice"
set-variable -name DOMAIN -value "dshimo"
set-variable -name SCOPE -value "Global"
set-variable -name TYPE -value "Security"
set-variable -name OWNER -value "Administrator"
set-variable -name PREFILTER -value "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" xmlns=`"http://schemas.xmlsoap.org/ws/2004/09/enumeration`">"
set-variable -name POSTFILTER -value "</Filter>"
#----------------------------------------------------------------------------------------------------------
function SetAttribute
{
    PARAM($object, $attributeName, $attributeValue)
    END
    {
        write-host $attributeName $attributeValue
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1
        $importChange.AttributeName = $attributeName
        $importChange.AttributeValue = $attributeValue
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        if ($object.Changes -ne $null) {$object.Changes = (,$importChange)}
        else {$object.Changes += $importChange}
    }
}
#----------------------------------------------------------------------------------------------------------
function CreateObject
{
    PARAM($objectType)
    END
    {
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $objectType
        $importObject.SourceObjectIdentifier = $objectName
        $importObject.TargetObjectIdentifier = $objectName
        $importObject
    }
}
#----------------------------------------------------------------------------------------------------------
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

# Get Owner
$ownerObject = export-fimconfig -uri $URI -onlyBaseResources -customconfig "/Person[AccountName='$OWNER']"
if($ownerObject -eq $null) {throw "Owner not found!"}
$ownerID = $ownerObject.ResourceManagementObject.ObjectIdentifier -replace "urn:uuid:",""

# Import CSV and process each line
import-csv($CSV) | foreach {
    # Check if a group with the same name already exists
    $objectName = $_.AccountName
    $exportObject = export-fimconfig -uri $URI -onlyBaseResources -customconfig "/Group[AccountName='$objectName']"
    if (${exportObject} -ne $null)
    {
        $filter = $PREFILTER + $_.Filter + $POSTFILTER

        # Create group and add attributes
        $newGroup = CreateObject -objectType "Group"
        SetAttribute -object $newGroup -attributeName "Filter" -attributeValue $filter
        SetAttribute -object $newGroup -attributeName "Description" -attributeValue $_.Description
        SetAttribute -object $newGroup -attributeName "Owner" -attributeValue $ownerID
        SetAttribute -object $newGroup -attributeName "DisplayedOwner" -attributeValue $ownerID

        # Import group into the FIM Portal
        $newGroup | Import-FIMConfig -uri $URI -verbose -debug
        write-host "`nGroup update request complete`n"
    }
    else {Write-Host "`Erro!!!"}
}
#----------------------------------------------------------------------------------------------------------
trap
{
    $exMessage = $_.Exception.Message
    if($exMessage.StartsWith("L:"))
    {write-host "`n" $exMessage.substring(2) "`n" -foregroundcolor white -backgroundcolor darkblue}
    else {write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred}
    Exit
}
#----------------------------------------------------------------------------------------------------------

Can someone explain what's wrong?

- Diego Shimohama http://www.dshimo.com.br
May 6th, 2010 6:27pm

Hi Diego,

Can you clarify your scenario? From your first post, are you trying to convert your existing static groups into dynamic groups? I'm looking at the script you've provided and it seems like you're trying to query for a person and create a group with that person as the owner.

All reference values such as Owner must have identifiers that begin with urn:uuid. Your script contains code that strips out the urn:uuid prefix. You can check on the errors by looking at the Forefront Identity Manager log in the event viewer. This should tell you why your web service call is failing.

Let me know if you need help with this.

Billy
May 6th, 2010 9:22pm

Hi Billy,

Thank you for the answer. That's exactly what I'm trying to do: convert my existing static groups into dynamic groups. I just tried to build a script using some samples from the script box. But I don't know anything about PS. I'll check my eventvwr.

Thank you.
- Diego Shimohama http://www.dshimo.com.br
May 6th, 2010 11:04pm

Diego and I spent some time coming up with a script to do this task. I'll share the script below:

if (@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0)
{
    Add-PSSnapIn FIMAutomation
}

function GenerateFilter
{
    PARAM ($xpathFilter)
    END
    {
        return "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" xmlns=`"http://schemas.xmlsoap.org/ws/2004/09/enumeration`">" + $xpathFilter + "</Filter>"
    }
}

function CreateImportChange
{
    PARAM($AttributeName, $AttributeValue, $Operation)
    END
    {
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = $Operation
        $importChange.AttributeName = $AttributeName
        $importChange.AttributeValue = $AttributeValue
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        return $importChange
    }
}

function GetAttributeValueFromResource
{
    PARAM ($exportObject, $attributeName)
    END
    {
        foreach ($attribute in $exportObject.ResourceManagementObject.ResourceManagementAttributes)
        {
            if($attribute.AttributeName.Equals($attributeName))
            {
                if ($attribute.IsMultiValue)
                {
                    return $attribute.Values
                }
                else
                {
                    return $attribute.Value
                }
            }
        }
        return $null
    }
}

$csv = Import-Csv -delimiter `t -header "GroupName","Filter" "MyFile.csv"
foreach ($entry in $csv)
{
    $myGroupName=$entry.GroupName
    $myFilter = $entry.Filter
    $group = Export-FIMConfig -customConfig "/Group[DisplayName='$myGroupName']" -onlyBaseResources
    if ($group -eq $NULL) #if group doesn't exist, continue
    {
        continue
    }
    $filter = GenerateFilter -xpathFilter $myFilter

    #construct the web service operation
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    #the object type is Group
    $importObject.ObjectType = "Group"
    #we are modifying the group we've identified above
    $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    #Put operation is enum 1
    $importObject.State = 1

    #construct the operation to Replace filter, Replace attribute operation is enum 1
    $importObject.Changes += CreateImportChange -attributeName "Filter" -attributeValue $filter -operation 1
    #construct the operation to change membership add workflow to None. Replace attribute operation is enum 1
    $importObject.Changes += CreateImportChange -attributeName "MembershipAddWorkflow" -attributeValue "None" -operation 1
    #construct the operation to change membership locked to True. Replace attribute operation is enum 1
    $importObject.Changes += CreateImportChange -attributeName "MembershipLocked" -attributeValue "True" -operation 1

    #construct the operations to remove explicit members. Remove attribute operation is enum 2
    $explicitMembers = GetAttributeValueFromResource -exportObject $group -attributeName "ExplicitMember"
    if ($explicitMembers -ne $NULL)
    {
        foreach ($explicitMember in $explicitMembers)
        {
            $importObject.Changes += CreateImportChange -attributeName "ExplicitMember" -attributeValue $explicitMember -Operation 2
        }
    }

    $importObject | Import-FIMConfig
    #$undone is not assigned anywhere in the script as posted
    $undone.Count
}
May 14th, 2010 10:18pm
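
A pre-flight check for the CSV consumed by the script above, as an added example that is not part of the thread or of FIM: it reports rows whose group name would break the `/Group[DisplayName='...']` lookup, rows that repeat a group, and rows whose criteria no longer form well-formed XML once wrapped in the Filter element. The function name `Test-GroupFilterRows` and the sample rows are constructed for illustration; it assumes PowerShell 2.0 or later and the tab-delimited GroupName/Filter layout used above.

```powershell
# Added example, not from the thread: checks CSV rows before any Import-FIMConfig call.
# Same wrapper string the scripts above put around each criteria value.
$Pre  = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
        'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
        'xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">'
$Post = '</Filter>'

function Test-GroupFilterRows {   # hypothetical helper name
    PARAM ($Rows)
    $seen = @{}
    $line = 0
    foreach ($row in $Rows) {
        $line++
        $problems = @()
        if ([string]::IsNullOrEmpty($row.GroupName)) {
            $problems += 'empty GroupName'
        } elseif ($row.GroupName.Contains("'")) {
            # the name is interpolated into /Group[DisplayName='...']
            $problems += 'apostrophe in GroupName breaks the lookup query'
        } elseif ($seen.ContainsKey($row.GroupName)) {
            $problems += "duplicate of row $($seen[$row.GroupName])"
        } else {
            $seen[$row.GroupName] = $line
        }
        if ([string]::IsNullOrEmpty($row.Filter)) {
            $problems += 'empty Filter'
        } else {
            # a raw < or & in the criteria makes the wrapped element malformed
            try { $null = [xml]($Pre + $row.Filter + $Post) }
            catch { $problems += 'Filter is not well-formed XML once wrapped' }
        }
        if ($problems.Count -gt 0) {
            New-Object PSObject -Property @{
                Row = $line; GroupName = $row.GroupName; Problems = ($problems -join '; ') }
        }
    }
}

# Constructed sample rows (tab-delimited, no header row); not data from the thread.
$sample = @(
    "sgGeneva`t/Person[(EmployeeType = 'Employee') and (OfficeLocation = 'Geneva')]",
    "sgO'Hare`t/Person[OfficeLocation = 'Chicago']",
    "sgResearch`t/Person[OfficeLocation = 'R&D']",
    "sgGeneva`t/Person[OfficeLocation = 'Geneva']"
)
$rows = $sample | ConvertFrom-Csv -Delimiter "`t" -Header 'GroupName','Filter'
Test-GroupFilterRows -Rows $rows | Format-Table Row, GroupName, Problems -AutoSize
```

Because the bulk update locks membership and removes explicit members, running a check like this against the real file first keeps a malformed row from leaving a security group half-converted.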

This topic is archived. No further replies will be accepted.
