FIM CM - Restrict User Search Results
When a FIM CM Manager searches for a user in the CM Portal, all users including Administrative Accounts &
Service Accounts are returned in the search results. Is it possible to limit the search results to 'real' users?
Surely we only want to return users that are a member of a Subscribers security group anyway?
Cheers
Tom Houston
November 3rd, 2011 1:27pm
On Thu, 3 Nov 2011 17:21:22 +0000, Thomas Houston wrote:
When a FIM CM Manager searches for a user in the CM Portal, all users including Service Accounts are returned in the search results. Is it possible to limit the search results to 'real' users? Surely we only want to return users that are a member of a Subscribers
security group anyway?
A couple of things here:
1. Aside from the new managed service accounts there's nothing to
differentiate a "service account" from a "regular" user account.
2. It is possible, and sometimes required, to issue certificates to a
"service account" which is why, when you add the Certificates snap-in to an
MMC console, one of your choices is Service Account.
3. Regarding your statement about only wanting to return users who belong
to a Subscribers security group, what about accounts to which certificates
have been issued in the past, but will no longer be issued certificates
moving forwards? For example you've issued encryption certificates and a
user has been terminated. You still may want to manage his encryption
certificates (recover on behalf of) yet you've disabled the account and
removed it from the "Subscribers" group. Or you're using a security model
where you're setting the extended CM permissions at the domain or OU level
and not using a Subscribers group?
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hackers have kernel knowledge.
November 3rd, 2011 2:58pm
Thanks for the feedback Paul. One of our customers has a specific requirement not to return
all user account objects in a search. In FIM 2010 we can use Search Scopes to achieve this.
Taking into consideration your three points, do you know whether this is possible in FIM CM?
Even if it's by specifying a search base, e.g. OU=User Accounts,DC=fabrikam,DC=local.
Cheers
Tom Houston
November 3rd, 2011 4:55pm
On Thu, 3 Nov 2011 20:49:21 +0000, Thomas Houston wrote:
Thanks for the feedback Paul. One of our customers has a specific requirement not to return
all user account objects in a search. In FIM 2010 we can use Search Scopes to achieve this.
Taking into consideration your three points, do you know whether this is possible in FIM CM?
As far as I know, no, you can't scope a search in FIM CM to just a specific
set of users.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Debug: The act of placing shoe leather against a small creeping creature.
November 3rd, 2011 7:41pm
The search operation against AD is performed from the FIM CM Portal using the clmAuthAgent account. This account is nested in the Pre-Windows 2000 Compatible Access group. If you can remove the group from certain OUs in your environment, you should be able
to filter the search results. However, be aware of compatibility issues with other applications when modifying an OU's default ACLs.
An alternative could be to remove the clmAuthAgent from the Pre-Windows 2000 Compatible Access group and give clmAuthAgent explicit List permissions on the OUs you want to enumerate. But I never tested such a configuration.
/Matthias
November 4th, 2011 9:29am
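Matthias's second option, written out as an added PowerShell example (mine, not code from the thread or from FIM CM). It uses the ActiveDirectory RSAT module to report whether the agent account is a direct member of Pre-Windows 2000 Compatible Access, and, only when $Apply is set to $true, grants that account an explicit list ACE on a single OU so it can enumerate just that subtree. The account name clmAuthAgent and the OU DN OU=User Accounts,DC=fabrikam,DC=local come from the thread; the variable names and the report-only default are my assumptions, and like the configuration Matthias describes it is untested against a real FIM CM deployment.

```powershell
# Added example, not from the thread: audit and (optionally) tighten the AD read
# access of the FIM CM agent account. Assumes the ActiveDirectory module and rights
# to modify the target OU's ACL. Names below are assumptions, except where noted.
Import-Module ActiveDirectory

$agentSam = 'clmAuthAgent'                              # account name from the thread
$targetOu = 'OU=User Accounts,DC=fabrikam,DC=local'     # OU DN from the thread (example DN)
$Apply    = $false                                      # $false = report only, $true = change the ACL

# Pre-Windows 2000 Compatible Access has a well-known SID, so look it up by SID
# rather than by (localisable) name.
$preWin2k = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
$agent    = Get-ADUser  -Identity $agentSam

# 1. Is the agent a DIRECT member of the group? If the group also contains
#    Authenticated Users (a common default), every account is effectively a member
#    and removing the agent alone changes nothing; the script flags that case.
$directMember = $preWin2k.member -contains $agent.DistinguishedName
$authUsersSid = 'S-1-5-11'
$containsAuthUsers = @($preWin2k.member | ForEach-Object {
    (Get-ADObject -Identity $_ -Properties objectSid).objectSid.Value
}) -contains $authUsersSid

Write-Host "$agentSam direct member of Pre-Windows 2000 Compatible Access: $directMember"
Write-Host "Group contains Authenticated Users (agent covered regardless): $containsAuthUsers"

# 2. Build an explicit, inheritable allow ACE on the target OU only: list the
#    container's children, see the objects, and read their attributes. No write rights.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ListObject   -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $agent.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$aclPath = "AD:\$targetOu"
$acl = Get-Acl -Path $aclPath

if ($Apply) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $aclPath -AclObject $acl
    Write-Host "Explicit list ACE for $agentSam added on $targetOu"
} else {
    Write-Host "Report-only run; set `$Apply = `$true to add the ACE on $targetOu"
}

# 3. Show the ACEs that name the agent on that OU, so the result can be verified.
$agentNt = $agent.SID.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $agentNt } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize
```

Two caveats a practitioner would want before relying on this: ListObject only has an effect when the forest's dsHeuristics List Object mode is enabled, so on most forests the agent's visibility is governed by ListChildren on the container; and an explicit allow on one OU does not by itself hide other OUs if the agent still gets read access through Authenticated Users or another broad group, which is why step 1 reports that membership first.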