FIM Group Management
Hi,

We still have some questions around FIM and AD Group Management:

Q1: Why can FIM not delta update an existing AD Group? AD had the same problem in its early days, and Windows 2003 SP1 resolved this issue - why is FIM so many years behind?

Q2: Can we not use a FIM-invoked script and use the DSMOD Group command to delta update existing AD Groups? Or use a PowerShell command like something from here: http://www.wapshere.com/missmiis/powershell-activity ?

Q3: From a previous post: "The AD Management Agent can only replace the entire Group "member" attribute - it cannot modify". So my next question is this: if the FIM Group is criteria based, does it also replace the 'entire group member attribute' on every sync? I mean we have a group with 15,000 objects in it... so if we add user number 15,001, will it need to replicate the entire member attribute, which now contains 15,001 objects, again?

Thank you
February 10th, 2011 4:25am

... from a previous post "The AD Management Agent can only replace the entire Group "member" attribute - it cannot modify"

Can you please provide a link to this post? This is news to me, and I would be surprised to find this is truly the case. I know this limitation applies with AVP files (your 15001 example), but not LDIF or XAML I wouldn't have thought, and I believe the AD MA is implemented in XAML (???). Right or wrong, this is a significant claim to make, and one that needs substantiating. My gut feel is that based on evidence I think I've seen with the FIM sync server and the group member attribute, this isn't the case.

Bob Bradley, www.unifysolutions.net (FIMBob?)
February 10th, 2011 9:11am

Q3 from a previous post "The AD Management Agent can only replace the entire Group "member" attribute - it cannot modify" - you didn't get the idea. FIM can't have a group with half of its members flowing from the AD DS MA and another half from the FIM MA. All members must exist in the source MA. That's all. What Carol meant with 'can only replace the entire group membership' is that all members must be on the FIM portal. You can't have a group with 1 member on the portal and 10 members in AD. As for the export run - the AD DS MA will only do differences. It will not replace all 15000 members. However, a SQL MA with users/groups and membership in a separate table _will_ delete all members of the group in the table first and add all members later. But I might be wrong. It was so with ILM.
February 10th, 2011 10:14am

Using Equal Precedence on the member attribute, you could have 1 member in the Portal and 10 in AD, BUT all members would have to be in the MetaVerse or they will be removed from the AD group. If a member is disconnected in the MV, then it will be removed from the group. This is why Equal Precedence was put into the Sync Service in FIM: so that you could do multi-master for migrations, etc.

Eric
February 10th, 2011 1:28pm

Eric, I agree with you, but talking about equal precedence will not solve the original request for converting an AD security group into a dynamic one on the FIM portal and keeping all its members. As far as I remember such a conversion should reset group membership and recalculate it from scratch. Fortunately, the scenario you described makes it possible for me to have contacts and public folders be members of a group, as they do exist in the SQL MA connector space while the FIM MA doesn't know anything about them. I have equal precedence turned on for the member attribute for the SQL MA and FIM MA - once one MA (SQL) generates an update to the members list, it will be exported to the AD DS MA and to the FIM MA. But, once again, for the beginning it's easier not to think about equal precedence.
February 10th, 2011 2:12pm



OK, so the initial discussion where I quoted from was http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/77399768-326a-4f8b-b6eb-3f4615462468 - perhaps there was a misunderstanding on my part. Let me rephrase my question/scenario:

- there are 20 groups in AD, each group has 1,000 users in it already.
- we are about to introduce FIM to sync data from HR to AD/Exchange
- HR Oracle will create new users; and these new users need to become members of some of those 20 AD groups mentioned above (without affecting the current membership of these groups)

Question: how can this be achieved with FIM?
February 11th, 2011 12:02am

The easiest solution is to have a dynamic group nested in your existing group (as was already proposed in another thread). This will add new users into this dynamic group while leaving the original group untouched.
February 11th, 2011 2:18am

Evgeniy - will review that idea. However, is there no way that FIM can invoke something like DSMOD or Powershell to add users to existing groups?
February 11th, 2011 2:32am

It can. Create a custom WF activity to start PowerShell scripts or modify objects in AD directly. But it makes no sense to do group membership this way.
February 11th, 2011 8:31am

OK, thanks will investigate the options.
February 11th, 2011 8:40am

OK, thanks, will investigate the options. Evgeniy - why do you say it makes no sense though?
February 11th, 2011 8:42am



Because the idea of FIM is to manage objects according to your configured policies. To verify whether everything is OK, your system needs to take a look at the desired state and compare it with the current state. This includes the management of the membership of a group. Taking individual operations for single group members out of the group management process prevents your FIM from determining whether your current group membership aligns with your policy definition. In this case, you can also just directly modify the group membership in AD DS with a script - FIM wouldn't add any value to this, which is why it makes no sense.

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
February 18th, 2011 1:59am
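The following is an added example, not code from this thread, from FIM, or from AD DS. It models the reconciliation Markus describes (hold the desired membership from policy, read the current membership, export only the difference), the delta-versus-full-replace question from the original post (the 15,001st member), Evgeniy's nested dynamic group suggestion, and what happens when a member is added by a script outside the engine. The "directory" is an in-memory dict standing in for AD DS; all group and user names are constructed for the example.

```python
# Added example: membership reconciliation as a desired-state vs. current-state
# comparison. Not FIM code; the directory below is a dict standing in for AD DS
# and every group/user name is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Delta:
    """Member values that must change to move a group from current to desired."""
    add: frozenset
    remove: frozenset

    def is_empty(self) -> bool:
        return not self.add and not self.remove

    def size(self) -> int:
        return len(self.add) + len(self.remove)


def reconcile(desired: set, current: set) -> Delta:
    """Compare the policy's desired membership with what the directory holds."""
    return Delta(add=frozenset(desired - current),
                 remove=frozenset(current - desired))


def export_delta(directory: dict, group: str, delta: Delta) -> int:
    """Write only the changed member values; returns how many were written."""
    members = directory.setdefault(group, set())
    members -= delta.remove
    members |= delta.add
    return delta.size()


def export_replace(directory: dict, group: str, desired: set) -> int:
    """The behaviour the original post worries about: rewrite the whole attribute."""
    directory[group] = set(desired)
    return len(desired)


def build_directory(n_members: int) -> dict:
    """Constructed AD DS stand-in: one group already holding n_members users."""
    return {"CN=Sales,OU=Groups": {f"user{i:05d}" for i in range(n_members)}}


def demo_new_hire(n_existing: int = 15000) -> dict:
    """Add one HR-sourced user to a large existing group, delta vs. replace."""
    group = "CN=Sales,OU=Groups"
    new_user = f"user{n_existing:05d}"            # first name not yet in the group
    desired = set(build_directory(n_existing)[group]) | {new_user}

    delta_dir = build_directory(n_existing)
    delta_writes = export_delta(delta_dir, group, reconcile(desired, delta_dir[group]))

    replace_dir = build_directory(n_existing)
    replace_writes = export_replace(replace_dir, group, desired)

    return {"delta_writes": delta_writes,              # 1 value written
            "replace_writes": replace_writes,          # n_existing + 1 values written
            "same_result": delta_dir[group] == replace_dir[group],
            "converged": reconcile(desired, delta_dir[group]).is_empty()}


def demo_out_of_band_change() -> Delta:
    """A member added by a direct script (dsmod, PowerShell) is invisible to
    policy, so the next reconciliation reports it as drift to be removed."""
    group = "CN=Sales,OU=Groups"
    directory = build_directory(3)
    desired = set(directory[group])            # policy: exactly these three users
    directory[group].add("contractor01")       # someone bypassed the engine
    return reconcile(desired, directory[group])


def demo_nested_group(new_hires: set) -> dict:
    """Nested dynamic group: the existing group gains one nested member and is
    otherwise left alone; HR-sourced users are reconciled into the nested group."""
    static_group = "CN=Sales,OU=Groups"
    dynamic_group = "CN=Sales-Dynamic,OU=Groups"
    directory = build_directory(1000)
    original_members = set(directory[static_group])

    static_delta = reconcile(original_members | {dynamic_group}, directory[static_group])
    export_delta(directory, static_group, static_delta)

    dyn_delta = reconcile(set(new_hires), directory.get(dynamic_group, set()))
    export_delta(directory, dynamic_group, dyn_delta)

    return {"static_changes": static_delta.size(),   # exactly one: the nested group
            "original_untouched": original_members <= directory[static_group],
            "dynamic_members": sorted(directory[dynamic_group])}
```

The point of the three demos: a delta export converges on the same end state as a full replace while writing a single value instead of 15,001; membership changed outside the engine shows up as drift and is undone on the next pass, which is why scripting individual adds alongside policy-managed groups defeats the purpose; and the nested-group approach lets policy own only the new members while the pre-existing static membership is never rewritten.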

