How to add members of a particular group into a set
Hi all, a warm welcome to my pool of doubts! I need to create a set of users whose members should be members of a particular group in AD. Say, for example, I have a group in AD called XYZ. I want to create a "good boys" set in the FIM portal whose members are the members of XYZ only. My requirement is like this because I have an external system into which I need to export users of that particular group only.
Bundu
July 1st, 2011 11:55am

Do you have that group in FIM? What system is authoritative on group members? If you have it and it contains all the members you want, then you can use XPath like: /Person[ObjectID = /Group[ObjectID = 'ObjectID of the good boys group']/ComputedMember]
July 1st, 2011 12:02pm

Yes, I have the group in FIM and FIM is authoritative on group members. Can you throw some more light on it? I created a set; under criteria-based members, what should be selected as "resource"... user? group? Or do you want me to do something else?
Bundu
July 1st, 2011 12:22pm

You should select your set's Advanced View -> Extended Attributes -> And then edit the Filter property.
July 1st, 2011 12:25pm

Thanks Robert. I am getting an access denied error. I have checked "Administrator control set resources"; under target resource selected attributes, "filter" is selected. No other MPR is disabled. Any suggestions?
Bundu
July 1st, 2011 12:42pm

Check also: Administration -> Filter Permissions -> Administrator Filter Permission
July 1st, 2011 12:52pm

Sets can't reference group membership - thus this isn't possible out of the box. Reference http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx - "Unsupported Filter Definitions"
My Book - Active Directory, 4th Edition. My Blog - www.briandesmond.com
July 2nd, 2011 3:47am

Tried the same. No luck :( Any other suggestion? Still getting access denied. I even created a new MPR for "administrators can modify filter attribute of sets". Still no luck.
Bundu
July 4th, 2011 8:03am

Thanks Brian. If it's not possible then why am I getting an access denied error? It must be related to some MPR, am I correct? It should be an unexpected error or so. Please let me know if you have seen someone try Robert's suggestion.
Bundu
July 4th, 2011 8:06am

Access Denied is a sort of generic catch-all error. Don't be misled into thinking there's an MPR blocking you. There isn't. The RMService is blocking this. You're not permitted to dereference the members of a group in the criteria of a set. It's not supported (see Brian's URL). The general opinion of the PG (from what I understand; I'm not a member of the PG and don't have insider information) is that groups are managed objects and sets are configuration objects, thus sets can't be built from managed objects.

That being said, currently you can work around this limitation by not expressing an object type in your XPath, e.g. /*[ObjectID = /Group[ObjectID = 'Target']/ComputedMember]. This isn't supported and the "hole" could be plugged at any time, therefore the only real and appropriate answer I can give is that you must utilise an action WF (custom activity) that will "synchronise" changes to the group into the set. For manually-managed membership this is achievable and not too complex. For criteria-based membership this is much more of an issue.
July 4th, 2011 10:52am

Thanks Paul. I got this from MSDN http://msdn.microsoft.com/en-us/library/ff393652.aspx

Example: Identifying Users Who Have Conflicting Roles or Permissions
The following XPath filter identifies users who are members of both the "Interns" group and the "Full Time Employees" group. You can use this XPath filter to determine whether there are users in sets or groups that produce conflicting roles or permissions.

/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember]

The previous code example uses the DisplayName attribute to identify the groups of interest. However, a better practice would be to use a unique identifier to identify the groups, such as their ObjectID attribute.

If the above is not achievable then I have to follow the custom workflow approach.
Bundu
July 4th, 2011 11:03am

Brian, thanks for clearing that up. I actually tried this in Microsoft's Business Ready Security Demo Environment and it worked there. Still, if this is unsupported, it might work, but it should not be used.
July 4th, 2011 11:07am

So finally it's a custom WF. Thanks all for the support and patience.
Bundu
July 4th, 2011 11:59am

The above XPath is valid FIM XPath. However, not all valid FIM XPath can be used in the criteria filter for groups and sets. Indeed, you're actually quite limited. With regards to dereferencing the values of other objects, the only permitted filters are as follows:

For a SET: you may only dereference the COMPUTEDMEMBER and EXPLICITMEMBER (not sure why you'd bother with the latter) of a SET when the predicate to identify that set is the OBJECTID, e.g. /Person[ObjectID = /Set[ObjectID = 'd49426e3-913f-4881-af08-b1cb5256980f']/ComputedMember].

For a GROUP: the same as a Set, but you may also dereference the COMPUTEDMEMBER and EXPLICITMEMBER of another Group.

Note the workaround I mentioned earlier of: /Person[ObjectID = /*[ObjectID = 'd49426e3-913f-4881-af08-b1cb5256980f']/ComputedMember] - if that even still works.

In a SearchScope, for example, the following is perfectly valid: /Person[ObjectID = /Group[AccountName = 'SG_SQL_SERVER_ADMINS']/ComputedMember]/Manager. That would yield the Managers of anyone in the SQL SERVER ADMINS group.
July 4th, 2011 3:42pm

You could write a PowerShell script to populate FIM sets based on AD groups. You can have AD group and FIM set mappings in a CSV file, and PowerShell can enumerate AD group membership and populate the set(s). We can have this script outside of the FIM process and run it at specific frequencies. With this script, we can use existing AD groups for MPR authorizations, as the sets are being synchronized with AD groups through scheduled PowerShell scripts.
August 4th, 2011 12:08pm
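An added example, not posted by anyone in this thread, of the scheduled-script approach suggested above combined with Paul's observation that the group-dereferencing XPath is valid in a search even though the RMService rejects it in a Set filter. Because Bundu stated that FIM is authoritative for group membership, the script reads the group's ComputedMember from FIM rather than from AD and pushes the difference into the Set's ExplicitMember. Assumptions not stated in the thread: the FIMAutomation snap-in is available (FIM Service host), the running account's MPRs permit modifying ExplicitMember on Set resources, the mapping is keyed by ObjectID (as the MSDN note recommends), and the sample GUIDs are constructed placeholders.

```powershell
# Added example: one-way sync of a FIM Set's ExplicitMember from a FIM Group's
# ComputedMember, using only FIMAutomation cmdlets. Assumed, not from the thread:
# snap-in present, account allowed by MPR to modify Set ExplicitMember.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Constructed sample mapping (placeholder GUIDs). In practice load it with
# Import-Csv from a file holding GroupObjectID,SetObjectID pairs.
$mappings = @(
    New-Object PSObject -Property @{
        GroupObjectID = '00000000-0000-0000-0000-000000000001'
        SetObjectID   = '00000000-0000-0000-0000-000000000002'
    }
)

function Get-FimAttributeValues($exportObject, $attributeName) {
    # Returns the attribute's values as bare GUID strings (urn:uuid: prefix removed).
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $attributeName }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { $raw = $attr.Values } else { $raw = @($attr.Value) }
    return @($raw | ForEach-Object { $_ -replace '^urn:uuid:', '' })
}

function New-FimImportChange($operation, $attributeName, $value) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = $operation
    $change.AttributeName  = $attributeName
    $change.AttributeValue = $value          # assumed: bare GUID accepted for references
    $change.FullyResolved  = 1
    $change.Locale         = 'Invariant'
    return $change
}

function Sync-FimSetFromGroup($groupObjectID, $setObjectID) {
    # Group membership read via the XPath that is valid in a search but not in a Set filter.
    $memberFilter = "/Person[ObjectID = /Group[ObjectID = '$groupObjectID']/ComputedMember]"
    $members = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $memberFilter |
                 ForEach-Object { $_.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', '' })

    $set = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set[ObjectID = '$setObjectID']"
    if (-not $set) { throw "Set $setObjectID not found" }
    $current = Get-FimAttributeValues $set 'ExplicitMember'

    # Compute the delta so each run issues only the adds/removes actually needed.
    $toAdd    = @($members | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $members -notcontains $_ })
    if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
        Write-Host "Set $setObjectID already in sync ($($members.Count) members)"
        return
    }

    $add = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $del = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
    $changes = @()
    foreach ($id in $toAdd)    { $changes += New-FimImportChange $add 'ExplicitMember' $id }
    foreach ($id in $toRemove) { $changes += New-FimImportChange $del 'ExplicitMember' $id }

    # A Put on the existing Set; this goes through the FIM request pipeline and MPRs.
    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'Set'
    $import.TargetObjectIdentifier = $set.ResourceManagementObject.ObjectIdentifier
    $import.SourceObjectIdentifier = $set.ResourceManagementObject.ObjectIdentifier
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = $changes
    $import | Import-FIMConfig
    Write-Host "Set $setObjectID updated: +$($toAdd.Count) / -$($toRemove.Count)"
}

foreach ($m in $mappings) { Sync-FimSetFromGroup $m.GroupObjectID $m.SetObjectID }
```

Run it as a scheduled task; the Set lags the group by at most the schedule interval, and the external export sees only what the Set contains at export time. Because Import-FIMConfig submits ordinary requests, the same "Access Denied" seen earlier in this thread will appear if the scheduled account is not granted ExplicitMember modification on Set resources by an MPR, so test the account against one mapping before scheduling it. Use -Uri on Export-FIMConfig and Import-FIMConfig if the script runs off the FIM Service host.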

Paul... is there anything out there, or do you currently have an example of the custom workflow for synchronizing the group membership to a set like you have talked about?
August 4th, 2011 6:06pm
