FIM Admin Account ObjectSID is deleted by FIMMA Sync Rule - ADMA is not doing its job.
Hi! I'm trying to populate the FIM DB with AD accounts. ObjectSID is configured to flow from AD to the FIM DB. My problem is: any time I run a FIMMA Export, it deletes the SID of my FIM Admin account. After this I lose my FIM admin access, and the only solution is to install everything again from scratch. It is supposed that ADMA should populate the SID, but when it finally does, the FIM Admin account only gets "normal user privileges". And again, re-install is the only solution. Any recommendation on how to avoid this painful situation?
Alejandro
November 28th, 2010 10:32pm

One way is to filter out the administrator account from both the AD and FIM MAs. Next is to deny the Sync Service the rights to modify the administrator account (which should already have the right objectSid at install time anyhow). Agreed - nasty loophole to avoid ... everyone makes this mistake once ...
Bob Bradley, www.unifysolutions.net (FIMBob?)
November 29th, 2010 2:08am

If you're coming into the situation of lost objectSIDs and cannot access the FIM Portal anymore, there might be two workarounds to get back access: Use PowerShell to fix objectSID misconfigurations. Look here. Use the FIM MA to repopulate the objectSID from Active Directory. In the latter case you may temporarily reconfigure the FIM & Active Directory MA so that attribute flow can happen from Active Directory to the FIM DB (including joining of objects if they are disconnected). Keep in mind that both workarounds may have some prerequisites, e.g. the FIM MA can access and update the FIM DB.
"It is supposed that ADMA should populate the SID, but when it finally does, the FIM Admin account only gets 'normal user privileges'."
Something else should be going wrong here. I did the "re-deployment" of the Admin's objectSID with the FIM MA successfully and had full Admin privileges afterwards.
/Matthias
November 29th, 2010 3:19am
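The first workaround above (fixing the objectSID with PowerShell) can look like the following. This is an added example, not a script from this thread or from Microsoft; it assumes the FIMAutomation PowerShell snap-in on the FIM Service host, an account that can still write to the FIM Service, and placeholder domain/account names.

```powershell
# Added example (not from this thread): re-set ObjectSID on the FIM Portal
# Person object of the FIM admin account, using the FIMAutomation snap-in.
# Domain and account names are placeholders; run as an account that may
# still write to the FIM Service (e.g. the FIM Service service account).
$domain      = "CONTOSO"    # placeholder
$accountName = "fimadmin"   # placeholder: AccountName of the FIM admin Person

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# 1. Resolve the account's SID from Active Directory and encode it the way
#    the FIM Service stores binary attributes (base64).
$nt  = New-Object System.Security.Principal.NTAccount($domain, $accountName)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$sidBase64 = [Convert]::ToBase64String($sidBytes)

# 2. Find the Person object in the FIM Service by AccountName.
$person = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$accountName']"
if ($person -eq $null) { throw "No Person with AccountName '$accountName' in the FIM Service." }
$objectId = $person.ResourceManagementObject.ObjectIdentifier

# Show what is currently stored so you can confirm the SID really was cleared.
$current = $person.ResourceManagementObject.ResourceManagementAttributes |
    Where-Object { $_.AttributeName -eq "ObjectSID" }
Write-Host ("Current ObjectSID: " + $(if ($current) { $current.Value } else { "<empty>" }))

# 3. Build a Put request that replaces ObjectSID and submit it.
$ns = "Microsoft.ResourceManagement.Automation.ObjectModel"
$importObject = New-Object "$ns.ImportObject"
$importObject.ObjectType             = "Person"
$importObject.TargetObjectIdentifier = $objectId
$importObject.SourceObjectIdentifier = $objectId
$importObject.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

$change = New-Object "$ns.ImportChange"
$change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
$change.AttributeName  = "ObjectSID"
$change.AttributeValue = $sidBase64
$change.FullyResolved  = $true
$change.Locale         = "Invariant"
$importObject.Changes  = @($change)

$importObject | Import-FIMConfig
Write-Host "ObjectSID for '$accountName' set to $sid"
```

After the import, re-run the Export-FIMConfig query and confirm the ObjectSID value matches the base64 of the AD SID before signing in to the Portal; if the admin's Person object is disconnected in the FIM MA, this write does nothing about the sync rule that cleared it, so the filtering advice in the other replies still applies.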

"One way is to filter out the administrator account from both the AD and FIM MAs. Next is to deny the Sync Service the rights to modify the administrator account (which should already have the right objectSid at install time anyhow)."
Correct and even stronger, this is the recommended best practice. In addition to that, you should also create a backup account (disabled in AD DS) and synchronize the required attributes manually. See "A method to set the required attributes for the FIM Portal access" for more details.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 29th, 2010 11:37am

Thanks guys!!! I'm configuring the filters now. Markus: one question about the backup account: does ADMA import disabled accounts??
Alejandro
November 29th, 2010 12:25pm

The short answer is yes, the MA imports disabled accounts.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 29th, 2010 12:45pm