Hi, Assume we have about 50 existing AD Global Groups with user memberships defined. Is this scenario possible? - import the existing AD groups into FIM - modify these groups to be criteria based? - if its possible to change to criteria based, what will happen to existing group memberships? thanks

If you make the groups criteria based, it will be the criteria that solely controles the group memberships, unless you enable equal precedence. If you need both Criteria based membership and Manually controlled membership, you could create 2 FIMgroups and make them members of the access giving group. FIMCriteriaGroup & FIMManualGroup. Then in the portal, make one subject to owner approval and one criteria based. /Frederik Leed

If you make the groups criteria based, it will be the criteria that solely controles the group memberships, unless you enable equal precedence. If you need both Criteria based membership and Manually controlled membership, you could create 2 FIMgroups and make them members of the access giving group. FIMCriteriaGroup & FIMManualGroup. Then in the portal, make one subject to owner approval and one criteria based. /Frederik Leed

based on that is the following assumption correct? 1. I can import the existing AD Security Groups to AD 2. If I change these AD Groups to criteria-based - I will lose all the existing members So your recommendation is to: 1. leave the current manually managed AD groups 2. create new criteria based groups 3. put the above mentioned groups into a 3rd group. is that on the right track?

based on that is the following assumption correct? 1. I can import the existing AD Security Groups to AD 2. If I change these AD Groups to criteria-based - I will lose all the existing members So your recommendation is to: 1. leave the current manually managed AD groups 2. create new criteria based groups 3. put the above mentioned groups into a 3rd group. is that on the right track?

one more question/angle on the issue: 1. So I have 50 AD Groups. 2. How easy is it to add new users to these existing AD Groups (based on some attribute)? Can I do this WITHOUT importing the group into FIM? thanks

The AD MA can only replace the entire "member" attribute - it cannot modify. Also this must be done through the group object - it is not possible to modify a membership via the user oject (memberOf is backlinked and not writeable). You could conceivably "provision" your members to a text file or database table and have some out-of-band script that runs through adding or removing them from existing groups - but actually I think that would be a lot of work and could be hard to troubleshoot if it goes wrong. You'd be better with either fully managed groups, or fully-managed nested groups, as Frederik mentioned above.http://www.wapshere.com/missmiis

The AD MA can only replace the entire "member" attribute - it cannot modify. Also this must be done through the group object - it is not possible to modify a membership via the user oject (memberOf is backlinked and not writeable). You could conceivably "provision" your members to a text file or database table and have some out-of-band script that runs through adding or removing them from existing groups - but actually I think that would be a lot of work and could be hard to troubleshoot if it goes wrong. You'd be better with either fully managed groups, or fully-managed nested groups, as Frederik mentioned above.http://www.wapshere.com/missmiis

Carol, Thank you for the feedback. Are you familiar with MOC 50382 (FIM 2010 MS Curriculum)? In the first module they review FIM functionality. There is a distribution group called FIMInfo - which is manually managed. The lab then goes unto the Outlook Group add-in - whereby a user requests membership in this FIMInfo group. I have worked thru this lab - and it appears as if this AD Group 'member' attribute can be delta-modified...FIM seems to add/remove this 'member' attribute quite flawlessly. So if your statement: "The AD MA can only replace the entire "member" attribute - it cannot modify" is true...how do they achieve this in the MOC? thank you.

Carol, Thank you for the feedback. Are you familiar with MOC 50382 (FIM 2010 MS Curriculum)? In the first module they review FIM functionality. There is a distribution group called FIMInfo - which is manually managed. The lab then goes unto the Outlook Group add-in - whereby a user requests membership in this FIMInfo group. I have worked thru this lab - and it appears as if this AD Group 'member' attribute can be delta-modified...FIM seems to add/remove this 'member' attribute quite flawlessly. So if your statement: "The AD MA can only replace the entire "member" attribute - it cannot modify" is true...how do they achieve this in the MOC? thank you.

Your question 2 above asked if you could use FIM to add members to groups without importing the groups into FIM, and the answer to this is No.http://www.wapshere.com/missmiis

So let me see if I am getting this: - FIM cannot update already existing AD Security/Distribution Groups What options do we have then with FIM and populating/updating already existing AD Groups?

It can but it has to fully manage the group. So you have to import the group and all its members into FIM Sync, add the extra members outside FIM Sync somewhere (such as in the FIM Portal), sort out your attribute flow precedence, and then sync the group back through to AD with all its new members.http://www.wapshere.com/missmiis

So potentially could i do this route: - import the group and members into FIM - Now when a new user is created, a process could update the group membership in FIM (to replicate to AD) - if I make the precedence the same for both FIM and AD, then the current Admins can still modify the AD Group memberships from AD? While FIM will simply just update the group memberships only when new users are created?

So potentially could i do this route: - import the group and members into FIM - Now when a new user is created, a process could update the group membership in FIM (to replicate to AD) - if I make the precedence the same for both FIM and AD, then the current Admins can still modify the AD Group memberships from AD? While FIM will simply just update the group memberships only when new users are created?

To do it that way, you need to create a new group, make it member of the access giving group and import that new group to FIM and make it criteria based in there... that way FIM controles the criteria based handling of membership and the Admins can still controle the manually based handling. You could also, like i write earlyer, create another FIM managed group (and make it member of the access giving group), but make it manually managed. The FIM is able to handle the approval process as well and you can let the users request access to the group through the portal. Then you Admins can do something usefull in stead ;)/Frederik Leed

To do it that way, you need to create a new group, make it member of the access giving group and import that new group to FIM and make it criteria based in there... that way FIM controles the criteria based handling of membership and the Admins can still controle the manually based handling. You could also, like i write earlyer, create another FIM managed group (and make it member of the access giving group), but make it manually managed. The FIM is able to handle the approval process as well and you can let the users request access to the group through the portal. Then you Admins can do something usefull in stead ;)/Frederik Leed

OK, following you so far. So can I do the following: - import the existing group (and members) into FIM - happy with that - question 1: will this be setup as a Manually Managed FIM Group after the Import? - Admins can add/modify this group now via the FIM Portal, and not AD - happy with that - question 2: when a new user is created, how complicated is it to add this new account to one of these manually managed FIM groups? thanks

OK, following you so far. So can I do the following: - import the existing group (and members) into FIM - happy with that - question 1: will this be setup as a Manually Managed FIM Group after the Import? - Admins can add/modify this group now via the FIM Portal, and not AD - happy with that - question 2: when a new user is created, how complicated is it to add this new account to one of these manually managed FIM groups? thanks

- question 1: will this be setup as a Manually Managed FIM Group after the Import? <-- Yes if you don't change it. - Admins can add/modify this group now via the FIM Portal, and not AD - happy with that <-- Correct - question 2: when a new user is created, how complicated is it to add this new account to one of these manually managed FIM groups? <-- Just click and Add... if you need to do the automatically you need the criteria based nested group. /Frederik Leed

- question 1: will this be setup as a Manually Managed FIM Group after the Import? <-- Yes if you don't change it. - Admins can add/modify this group now via the FIM Portal, and not AD - happy with that <-- Correct - question 2: when a new user is created, how complicated is it to add this new account to one of these manually managed FIM groups? <-- Just click and Add... if you need to do the automatically you need the criteria based nested group. /Frederik Leed

getting clearer :-) thanks - to finalise: Question 1. So if I want FIM to automatically add a new user account to an AD group, the Group must be in FIM and be criteria-based, correct? Question 2. Can I import an existing AD group (with members) into FIM, and change it to a criteria-based group without losing its members? Question 3. What if I want an AD group that gets automatically populated when a new user is created AND the other requirement is that Admin must be able to manually modify the membership of this group too... ..is this where 2 groups would be required...they could be nested for instance? ..or in order to manually modify this group, Admins would need to do it from the FIM Portal...so Portal changes + criteria based changes together would be written to AD?

getting clearer :-) thanks - to finalise: Question 1. So if I want FIM to automatically add a new user account to an AD group, the Group must be in FIM and be criteria-based, correct? Question 2. Can I import an existing AD group (with members) into FIM, and change it to a criteria-based group without losing its members? Question 3. What if I want an AD group that gets automatically populated when a new user is created AND the other requirement is that Admin must be able to manually modify the membership of this group too... ..is this where 2 groups would be required...they could be nested for instance? ..or in order to manually modify this group, Admins would need to do it from the FIM Portal...so Portal changes + criteria based changes together would be written to AD?

Question 1. So if I want FIM to automatically add a new user account to an AD group, the Group must be in FIM and be criteria-based, correct? Yes Question 2. Can I import an existing AD group (with members) into FIM, and change it to a criteria-based group without losing its members? No, no unless the members all fall into the criteria you set ;) Question 3. What if I want an AD group that gets automatically populated when a new user is created AND the other requirement is that Admin must be able to manually modify the membership of this group too...is this where 2 groups would be required...they could be nested for instance? Correct. At least two groups here. 3 recommended. AccessGivingGroup - Not in FIM CriteriaBasedGroup - in FIM, managed by FIM ManuallyManagedGroup - in FIM, managed by Admins or/and by user request and owner approval /Frederik Leed

Question 1. So if I want FIM to automatically add a new user account to an AD group, the Group must be in FIM and be criteria-based, correct? Yes Question 2. Can I import an existing AD group (with members) into FIM, and change it to a criteria-based group without losing its members? No, no unless the members all fall into the criteria you set ;) Question 3. What if I want an AD group that gets automatically populated when a new user is created AND the other requirement is that Admin must be able to manually modify the membership of this group too...is this where 2 groups would be required...they could be nested for instance? Correct. At least two groups here. 3 recommended. AccessGivingGroup - Not in FIM CriteriaBasedGroup - in FIM, managed by FIM ManuallyManagedGroup - in FIM, managed by Admins or/and by user request and owner approval /Frederik Leed

Thank you Frederick for your patience ! I have seen the light ;) - we will use Nested Groups. Thank you.

Thank you Frederick for your patience ! I have seen the light ;) - we will use Nested Groups. Thank you.

Just an after-thought....early on, AD had the same group-membership issues - but this was resolved with Windows 2003 SP1. Why is FIM still stuck in yester-year?