FIM CM - Restrict User Search Results
When a FIM CM Manager searches for a user in the CM Portal, all users, including Administrative Accounts and Service Accounts, are returned in the search results. Is it possible to limit the search results to 'real' users? Surely we only want to return users that are a member of a Subscribers security group anyway?

Cheers,
Tom Houston
November 3rd, 2011 1:27pm

On Thu, 3 Nov 2011 17:21:22 +0000, Thomas Houston wrote:

> When a FIM CM Manager searches for a user in the CM Portal, all users including Service Accounts are returned in the search results. Is it possible to limit the search results to 'real' users? Surely we only want to return users that are a member of a Subscribers security group anyway?

A couple of things here:

1. Aside from the new managed service accounts, there's nothing to differentiate a "service account" from a "regular" user account.
2. It is possible, and sometimes required, to issue certificates to a "service account", which is why, when you add the Certificates snap-in to an MMC console, one of your choices is Service Account.
3. Regarding your statement about only wanting to return users who belong to a Subscribers security group, what about accounts to which certificates have been issued in the past, but will no longer be issued certificates moving forward? For example, you've issued encryption certificates and a user has been terminated. You may still want to manage his encryption certificates (recover on behalf of), yet you've disabled the account and removed it from the "Subscribers" group. Or you're using a security model where you're setting the extended CM permissions at the domain or OU level and not using a Subscribers group?

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hackers have kernel knowledge.
November 3rd, 2011 2:58pm

Thanks for the feedback, Paul. One of our customers has a specific requirement not to return all user account objects in a search. In FIM 2010 we can use Search Scopes to achieve this. Taking into consideration your three points, do you know whether this is possible in FIM CM? Even if it's by specifying a search base, e.g. OU=User Accounts,DC=fabrikam,DC=local.

Cheers,
Tom Houston
November 3rd, 2011 4:55pm

On Thu, 3 Nov 2011 20:49:21 +0000, Thomas Houston wrote:

> Thanks for the feedback Paul. One of our customers has a specific requirement not to return all user account objects in a search. In FIM 2010 we can use Search Scopes to achieve this. Taking into consideration your three points, do you know whether this is possible in FIM CM?

As far as I know, no, you can't scope a search in FIM CM to just a specific set of users.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Debug: The act of placing shoe leather against a small creeping creature.
November 3rd, 2011 7:41pm

The search operation against AD is performed from the FIM CM Portal using the clmAuthAgent account. This account is nested in the Pre-Windows 2000 Compatible Access group. If you can remove the group from certain OUs in your environment, you should be able to filter the search results. However, be aware of compatibility issues with other applications when modifying an OU's default ACLs.

An alternative could be to remove clmAuthAgent from the Pre-Windows 2000 Compatible Access group and give clmAuthAgent explicit List permissions on the OUs you want to enumerate. But I never tested such a configuration.

/Matthias
November 4th, 2011 9:29am
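The ACL approach Matthias outlines (restrict what clmAuthAgent can enumerate rather than what the portal asks for) can be audited and applied from PowerShell. The following is an added example written for this page, not code from the thread or from FIM CM; it assumes the ActiveDirectory module is installed, that the search account is FABRIKAM\clmAuthAgent, and that the OU to expose is the OU=User Accounts,DC=fabrikam,DC=local named in the thread. Function names and the $WhatIf switch are this example's own.

```powershell
# Added example (not part of the original thread): audit and adjust the AD
# permissions that decide which OUs the FIM CM search account can enumerate.
# Assumptions: ActiveDirectory module present; account and OU names below are
# placeholders taken from the thread, not values the page confirms.
Import-Module ActiveDirectory

$SearchAccount = 'FABRIKAM\clmAuthAgent'
$TargetOu      = 'OU=User Accounts,DC=fabrikam,DC=local'
$PreW2K        = 'BUILTIN\Pre-Windows 2000 Compatible Access'
$ListChildren  = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

# 1. Report every OU where Pre-Windows 2000 Compatible Access is allowed
#    List Contents, and whether that ACE is inherited or set explicitly.
#    This is the "before" picture: any OU listed here is searchable by
#    clmAuthAgent through its group membership.
function Get-PreW2KListAccess {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        $acl.Access |
            Where-Object {
                $_.IdentityReference -eq $PreW2K -and
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights.HasFlag($ListChildren)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

# 2. Matthias's first option: stop inheriting the Pre-Windows 2000 ACEs on an
#    OU you do NOT want searchable. Inherited ACEs cannot be deleted directly,
#    so inheritance is blocked (copying the current ACEs as explicit ones) and
#    the copied Pre-Windows 2000 entries are then removed. Other applications
#    that rely on that group lose access to the OU too; run with -WhatIf first.
function Block-PreW2KOnOu {
    param([string]$OuDn, [switch]$WhatIf)
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)   # block inheritance, keep copies
    $toRemove = $acl.Access | Where-Object { $_.IdentityReference -eq $PreW2K }
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    if ($WhatIf) { Write-Host "Would remove $($toRemove.Count) ACE(s) for $PreW2K on $OuDn"; return }
    Set-Acl -Path $path -AclObject $acl
}

# 3. Matthias's second option: grant the search account an explicit List
#    Contents ACE on the OU it should be able to enumerate (inherited by
#    child objects). Assumption, not stated on the page: the portal also
#    reads attributes of the users it lists, so Read Property may be needed
#    as well; that is left out here so the example only does what the post says.
function Grant-ListContents {
    param([string]$Identity, [string]$OuDn, [switch]$WhatIf)
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $ListChildren,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    if ($WhatIf) { Write-Host "Would grant ListChildren to $Identity on $OuDn"; return }
    Set-Acl -Path $path -AclObject $acl
}

# 4. Verify from the search account's point of view: bind as clmAuthAgent and
#    search the whole domain. Only users in OUs it can list should come back.
function Test-SearchAsAccount {
    param([string]$Identity, [System.Security.SecureString]$Password, [string]$SearchBase)
    $cred = New-Object System.Management.Automation.PSCredential($Identity, $Password)
    Get-ADUser -Filter * -SearchBase $SearchBase -Credential $cred |
        Select-Object -ExpandProperty DistinguishedName
}

# Usage (dry runs first):
#   Get-PreW2KListAccess | Format-Table
#   Block-PreW2KOnOu -OuDn 'OU=Service Accounts,DC=fabrikam,DC=local' -WhatIf
#   Grant-ListContents -Identity $SearchAccount -OuDn $TargetOu -WhatIf
#   Test-SearchAsAccount -Identity $SearchAccount -Password (Read-Host -AsSecureString) `
#       -SearchBase 'DC=fabrikam,DC=local'
```

Compare the output of Test-SearchAsAccount before and after the ACL change with the list of users the portal returns; if the portal still shows accounts that the LDAP search as clmAuthAgent no longer returns, the portal is not searching with that account in your deployment and the ACL approach will not help. The caveat in the post stands: Pre-Windows 2000 Compatible Access is granted at the domain root precisely so that older applications can enumerate users, so check which other services bind through that group before blocking inheritance on an OU.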

