Error on Export with FIMMA
I am working through the introduction to inbound sync example in my test environment. We are looking to upgrade our ILM 2007 in the near future to FIM 2010. I am using the "administrative" user I used to configure the FIM portal. I can see the user when I go to users in the IdentityManagement site on SharePoint, and it is a member of the Administrators set. This administrative user happens to be a SYSADMIN in SQL in this test environment.

I get the following error when I run export for each item in the sync:

There is an error executing a web service object modification request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"></RequestFailures>
Stack Trace:
at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(Message request)
at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(UniqueIdentifier objectId, CultureInfo locale, Put putBody)
at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
Inner Exception: Policy prohibits the request from completing.

This is the corresponding error in the event log:

Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 462, Message: Permission denied.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader()
at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
March 12th, 2010 1:12am

I've gotten similar errors after performing custom schema extensions in the portal. Try performing a Full Import from the FIM MA after refreshing the schema.
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
March 12th, 2010 2:15am

You might want to make sure all of the required MPRs are enabled. The PowerShell script located at the address below might be useful to determine if your configuration is correct:
http://social.technet.microsoft.com/Forums/en/ilm2/thread/559143af-3171-46db-90c7-4bbd92889cf2
Mark
March 12th, 2010 2:33am

Script blows up when I run it:
Error: Cannot convert value "<export-flow-set cd-object-type="DetectedRuleEntry" mv-object-type="detectedRuleEntry"><export-flow cd-attribute="SynchronizationRuleID" id="{A3E4DC5A-983A-45B7-A886-A0AAEAD1610B}" suppress-deletions="true"><direct-mapping><src-attribute>synchronizationRuleID</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="DisplayName" id="{F852DF41-F958-414F-A782-DDA13E4289A2}" suppress-deletions="true"><direct-mapping><src-attribute>displayName</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="Connector" id="{5D29C5A0-07A3-46C5-9C19-69897AF641D0}" suppress-deletions="true"><direct-mapping><src-attribute>connector</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="ResourceParent" id="{E08283D1-4467-4C2E-8ABB-953EE7BB001F}" suppress-deletions="true"><direct-mapping><src-attribute>resourceParent</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="dn" id="{781981F2-59AC-4AE6-86E3-9F8A67EAF05C}"><sync-rule-mapping mapping-type="expression" sync-rule-id="{8EC99DF8-5095-47BF-AEDE-C7DC5F024A50}" sync-rule-mapping-id="{8EC99DF8-5095-47BF-AEDE-C7DC5F024A50}" initial-flow-only="true"><sync-rule-value><export-flow><dest>dn</dest><src><attr /></src><fn id="Guid" /></export-flow></sync-rule-value></sync-rule-mapping></export-flow><export-flow cd-attribute="MVObjectID" id="{384E70A6-AB32-4BA8-B991-1EBC93B13BD9}" suppress-deletions="true"><direct-mapping><src-attribute intrinsic="true">object-id</src-attribute></direct-mapping></export-flow></export-flow-set><export-flow-set cd-object-type="ExpectedRuleEntry" mv-object-type="expectedRuleEntry"><export-flow cd-attribute="StatusError" id="{8A09195D-C075-4E89-B404-A684DB2D7780}" suppress-deletions="true"><direct-mapping><src-attribute>statusError</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="SynchronizationRuleStatus" id="{C21E9355-5CAD-46BE-8735-CED2D448681F}" 
suppress-deletions="true"><direct-mapping><src-attribute>status</src-attribute></direct-mapping></export-flow></export-flow-set><export-flow-set cd-object-type="Person" mv-object-type="person"><export-flow cd-attribute="dn" id="{27C40B80-DE10-4FD6-B856-26E2AA9058C1}"><sync-rule-mapping mapping-type="expression" sync-rule-id="{F48BDD2C-C93C-4853-8712-648EB54B9A2F}" sync-rule-mapping-id="{F48BDD2C-C93C-4853-8712-648EB54B9A2F}" initial-flow-only="true"><sync-rule-value><export-flow><dest>dn</dest><src><attr /></src><fn id="Guid" /></export-flow></sync-rule-value></sync-rule-mapping></export-flow><export-flow cd-attribute="MVObjectID" id="{94D5650B-BA39-4B77-88FC-EC98E941B396}" suppress-deletions="true"><direct-mapping><src-attribute intrinsic="true">object-id</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="DisplayName" id="{9BF18D59-58F2-4FF0-813D-E25AFEF5D1AC}" suppress-deletions="true"><direct-mapping><src-attribute>displayName</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="EmployeeID" id="{C71280FD-E722-485D-AC3A-7E76CA323FA4}" suppress-deletions="true"><direct-mapping><src-attribute>employeeID</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="FirstName" id="{00096409-A83C-43E2-A9FA-087BB92D1F17}" suppress-deletions="true"><direct-mapping><src-attribute>firstName</src-attribute></direct-mapping></export-flow><export-flow cd-attribute="LastName" id="{99932F99-48E9-4339-BCE6-4EE633B52528}" suppress-deletions="true"><direct-mapping><src-attribute>lastName</src-attribute></direct-mapping></export-flow></export-flow-set>" to type "System.Xml.XmlDocument". Error: "There are multiple root elements. Line 1, position 1545." System.Management.Automation.PSInvalidCastException
March 12th, 2010 2:59am
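
The "There are multiple root elements" error quoted in the post above is what the [xml] cast reports when the text holds several sibling top-level elements, here one <export-flow-set> per object type. An added PowerShell example, not part of the thread or of the script under discussion, that wraps such a fragment in a synthetic root before parsing; the function name, the wrapper element name and the shortened sample fragment are constructed for illustration.

```powershell
# Constructed sample: two sibling <export-flow-set> elements, shortened from the
# shape of the fragment in the error message. The id values are placeholders.
$fragment = @'
<export-flow-set cd-object-type="ExpectedRuleEntry" mv-object-type="expectedRuleEntry">
  <export-flow cd-attribute="StatusError" id="{00000000-0000-0000-0000-000000000001}">
    <direct-mapping><src-attribute>statusError</src-attribute></direct-mapping>
  </export-flow>
</export-flow-set>
<export-flow-set cd-object-type="Person" mv-object-type="person">
  <export-flow cd-attribute="dn" id="{00000000-0000-0000-0000-000000000002}">
    <sync-rule-mapping mapping-type="expression" initial-flow-only="true" />
  </export-flow>
  <export-flow cd-attribute="DisplayName" id="{00000000-0000-0000-0000-000000000003}">
    <direct-mapping><src-attribute>displayName</src-attribute></direct-mapping>
  </export-flow>
</export-flow-set>
'@

# Hypothetical helper: parse text that may contain more than one top-level element.
function ConvertTo-XmlFromFragment {
    param([Parameter(Mandatory = $true)][string]$Fragment)
    try {
        return [xml]$Fragment          # succeeds only with exactly one root element
    }
    catch {
        # Wrap the siblings in a synthetic root. LoadXml still throws if the
        # fragment is malformed for any other reason, so real errors surface.
        $doc = New-Object System.Xml.XmlDocument
        $doc.LoadXml("<fragment-root>$Fragment</fragment-root>")
        return $doc
    }
}

$doc = ConvertTo-XmlFromFragment -Fragment $fragment

# List each export flow with its object type and mapping kind.
foreach ($set in $doc.SelectNodes('//export-flow-set')) {
    foreach ($flow in $set.SelectNodes('export-flow')) {
        $src = $flow.SelectSingleNode('direct-mapping/src-attribute')
        $source = if ($null -ne $src) { $src.InnerText } else { '(sync rule mapping)' }
        '{0,-18} {1,-12} <- {2}' -f $set.GetAttribute('cd-object-type'),
            $flow.GetAttribute('cd-attribute'), $source
    }
}
```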

There is an MPR not enabled yet, which is indicated by the "PermissionDeniedException: ManagementPolicyRule".
This script will tell you what's missing: Using PowerShell to check your MPR configuration for synchronization
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
March 12th, 2010 3:00am

I added my user to the synchronization engine set so the MPRs would apply to it. I do not understand what the "built-in synchronization account" is or how to make it work, but with my admin user in the sync group it worked fine.
I was not able to get the PowerShell script to run, but from reading the code I found out the change I needed to make.
Thank you for your help.
March 12th, 2010 3:08am

I'm getting the same error when I run the script. Is there something I need to enable?
April 2nd, 2010 9:32am

This topic is archived. No further replies will be accepted.
