Can I get some kind of report with all memberships and rights for a user in FIM2010?
Hello. I'm new to FIM. Right now I have a simple virtual config with two domains, and FIM2010 SyncService + Portal. I'm trying to solve this scenario: when a new user is created in ad1, FIM creates a contact in ad2. I'm not clear on the tasks for this scenario in my case. Could you write out a few steps for this task? My additional task is to get some kind of report with all memberships and rights for a user in FIM2010. Do you know something about FIM standard tools for this task, or maybe it's a hard-scripting issue? Thanks a lot for reading my perfect English :)
April 28th, 2011 7:13am

On your first question, you need to recreate the classic "GAL Sync" solution that's been around since MIIS/IIFP days, and is still supported in FIM with the "Active Directory global address list (GAL)" MA. This solution is well documented on TechNet (start with this thread) and comes with a pre-packaged VS.Net solution "GALSync.sln" in C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\SourceCode\GalSync on your FIM Sync server.

On your second point, if you take a look at the "My Security Groups" search scope you will see that the filter is defined as this:

/Group[(Type='Security' or Type='MailEnabledSecurity') and Owner='%LoginID%']

This gives all group memberships for the logged on user ... and is visible on the FIM LHS menu item "My SGs" ... but what you need is the group memberships of ANY user. To do this I would edit the default VIEW USER RCDC, creating an extra "Memberships" tab, and adding a UOCListView object wired up with the following variation on the above query:

/Group[(Type='Security' or Type='MailEnabledSecurity') and Owner='%ObjectID%']

Bob Bradley, www.unifysolutions.net (FIMBob?)
April 28th, 2011 8:32pm

Isn't "My Security Groups" the groups of which you are owner, and not the groups of which you are member? :)

/Frederik Leed
April 29th, 2011 8:41am

Of course you're right ... so you would need to adjust the xpath accordingly:

/Group[(Type='Security' or Type='MailEnabledSecurity') and (ComputedMember='%ObjectID%' or ExplicitMember='%ObjectID%')]

Bob Bradley, www.unifysolutions.net (FIMBob?)
April 29th, 2011 10:01am

Thanks for the response. Now I have an environment with Exchange 2003 in one forest and Exch 2010 + FIM 2010 in another. I need to sync the GAL only from 2003 to 2010; no changes in the 2010 forest need to be synced with the 2003 forest. I started to create a management agent with these settings:

Name: Exchange 2003 forest GAL MA
Connect to AD Forest: provide an account with Domain Admin rights and uncheck Sign and Encrypt LDAP Traffic under the options button.
Configure Directory Partitions: select a correct partition, under containers button select OU with users
Configure GAL:
1) Gal Container Configuration: Source: select same OU from step before.
2) SMTP Mail Suffix - add valid suffix
Provision Hierarchy: default settings
Object Types: default settings
Attributes: default settings
Configure Connector Filter: default settings.

Now I click next and get an error from Synchronization Service Manager: "Stay Disconnector validation error: `msExchRecipientTypeDetails` of `user` is no longer available." I can't solve this issue without your help. Thank you for reading.
May 20th, 2011 7:06am

> Of course you're right ... so you would need to adjust the xpath accordingly:
> /Group[(Type='Security' or Type='MailEnabledSecurity') and (ComputedMember='%ObjectID%' or ExplicitMember='%ObjectID%')]
> Bob Bradley, www.unifysolutions.net (FIMBob?)

AFAIK, ComputedMember includes ExplicitMember, so XPATH query will be:

/Group[ComputedMember='%ObjectID%']
May 20th, 2011 7:32am
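
The membership query from this thread can also be run outside the portal to produce a per-user report for access review. The PowerShell below is an added example, not code from any poster in the thread; it assumes the FIMAutomation snap-in that ships with FIM 2010, the default FIM Service endpoint on localhost, and placeholder values for the account name and the CSV path.

```powershell
# Added example: security-group membership report for one user via the FIM Service.
# Assumptions: FIMAutomation snap-in installed; endpoint, account and CSV path are placeholders.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$Uri         = 'http://localhost:5725/ResourceManagementService'
$AccountName = 'jdoe'
$OutFile     = '.\fim-memberships-jdoe.csv'

function Get-FimAttribute($Resource, [string]$Name) {
    # Return the value(s) of one attribute from an exported resource, or $null if absent.
    $attr = $Resource.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# The account name is spliced into an XPath literal, so refuse quotes and other unexpected characters.
if ($AccountName -notmatch '^[\w.\-]+$') { throw "Unexpected characters in account name" }

# Resolve the user to its ObjectID (the value the portal substitutes for %ObjectID%).
$person = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/Person[AccountName='$AccountName']")
if ($person.Count -ne 1) { throw "Expected exactly one Person for '$AccountName', found $($person.Count)" }
$personId = $person[0].ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''

# ComputedMember query from the thread, with the Type restriction kept so only security groups are listed.
$xpath  = "/Group[(Type='Security' or Type='MailEnabledSecurity') and ComputedMember='$personId']"
$groups = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $xpath)

$groups | ForEach-Object {
    $r = $_.ResourceManagementObject
    $explicit = @(Get-FimAttribute $r 'ExplicitMember') -replace '^urn:uuid:', ''
    New-Object PSObject -Property @{
        Group       = Get-FimAttribute $r 'DisplayName'
        AccountName = Get-FimAttribute $r 'AccountName'
        Type        = Get-FimAttribute $r 'Type'
        Scope       = Get-FimAttribute $r 'Scope'
        # Explicit = the user is listed on the group; Criteria = pulled in by the group's filter.
        Via         = $(if ($explicit -contains $personId) { 'Explicit' } else { 'Criteria' })
    }
} | Select-Object Group, AccountName, Type, Scope, Via |
    Sort-Object Group |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host "$($groups.Count) security group(s) written to $OutFile"
```

The report covers only what the FIM Service knows; groups that exist in AD but are not managed in the portal will not appear.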

This topic is archived. No further replies will be accepted.
