FIM CM AD Permissions : Managers group on Users group
Hello everyone,I'm using FIM CM with AD CS on a Windows Server 2008 R2. The AD DC is also a Windows Server 2008 R2.The third step in the FIM CM AD configuration (http://technet.microsoft.com/en-us/library/ee959229%28WS.10%29.aspx) concerns : "A user or group that is assigned a management role in the FIM CM environment must have permissions assigned on the users or groups that they will manage in the environment."I have two AD global security groups "Managers" and "Users". When I assign the permissions (Read + all the FIM CM extended rights) to the group "Managers" on a specifc user (member of "Users"), all my FIM CM workflows work perfectly. But, if I assign exactly the same rights to the group "Managers" on the "Users" group : a manager member of "Managers" cannot even find a user through the FIM CM Portal.(I don't have this problem if my manager is a Domain Admin)Did I miss something in my set up ? Any help will be useful :) and please ask if you need any other precision ...Thanks,Kevin K
February 5th, 2010 9:04pm

I haven't verified this yet; however, it is possible that the verification script in the Introduction to the Management Agent for Certificate and Smart Card Management also works for FIM.Cheers,MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Free Windows Admin Tool Kit Click here and download it now
February 5th, 2010 9:34pm

There are differences in the evaluation of READ permissions and the extended FIM CM permissions. We can (and do) evaluate FIM CM permissions against groups and apply the permissions to the members of those groups."READ" permission is not treated that way by AD, however. You can do one of two things to get around this.1. Grant read individually for managers on each user (probably via inherited ACE)2. Use the S4Users flag in web.config to tell FIM CM to use Service4User to evaluate builtin permissions (usually "authenticated users" have read on all objects).Add the following to the bottom of your web.config<appSettings> <add key="Microsoft.Clm.Security.Authorization.UseS4Flag" value="true" /> </appSettings> AhmadAW
February 5th, 2010 11:30pm

Thanks a lot for your very fast reply ! 1. I've already tried the following : in the advanced security settings (right click on my Users AD group), I select "Apply to : This object and all descendant objects" for the Read permission of the Managers AD group => But it didn't work. Is this what you mean by inherited ACE ? Is this the right configuration of it ? (I tried this setting also for all the FIM CM extended rights ...) 2. I checked my web.config file (under C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web), this is its last part <appSettings> <add key="Microsoft.Clm.Security.Authorization.UseS4Flag" value="true" /> </appSettings> </configuration> (end of file) Is this the default configuration ? Why this isn't working ? In my context : I would prefer to use the case 2. Please help ! :) Thanks ! Kevin K
Free Windows Admin Tool Kit Click here and download it now
February 6th, 2010 5:16am

Little precision about the case 1 : setting Read inherited permissions on the OU containing my "Users" group solves the problem. But in my AD architecture I have several groups and I don't want my "Managers" group to be able to read all my groups in this OU. So either : 1. How do I set inherited Read permission on an AD security group (inherited to the members of this group) 2. Or how can I correctly use the S4Users flag (I would prefer this case) Thanks a lot in advance ! Cheers :) Kevin K
February 6th, 2010 4:33pm

Hi, I have the same issue, and this one makes me crazy :( How did you solve that issue? Thanks a lot
Free Windows Admin Tool Kit Click here and download it now
July 13th, 2010 2:06pm

I'm seeing the same issues, this all worked in CLM so my question is what has changed.
July 20th, 2010 3:40pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics