How to add the members of a particular group into a set
Hi all,
A warm welcome to my pool of doubts!
I need to create a set of users whose members should be members of a particular group in AD.
Say, for example, I have a group in AD called XYZ. I want to create a "good boys" set in the FIM portal whose members are the members of XYZ only.
My requirement is like this because I have an external system into which I need to export users of that particular group only.
Bundu
July 1st, 2011 11:55am
Do you have that group in FIM? What system is authoritative on group members?
If you have it and it contains all the members you want, then you can use XPATH like:
/Person[ObjectID = /Group[ObjectID = 'ObjectID of the good boys group']/ComputedMember]
July 1st, 2011 12:02pm
Yes, I have the group in FIM and FIM is authoritative on group members.
Can you throw some more light on it?
I created a set; under criteria-based members, what should be selected as "resource"? User? Group?
Or do you want me to do something else?
Bundu
July 1st, 2011 12:22pm
You should select your set's Advanced View -> Extended Attributes -> And then edit the Filter property.
July 1st, 2011 12:25pm
Thanks Robert.
I am getting an access denied error.
I have checked "Administrator control set resources"; under target resource selected attributes, "filter" is selected.
No other MPR is disabled.
Any suggestions?
Bundu
July 1st, 2011 12:42pm
Check also:
Administration -> Filter Permissions -> Administrator Filter Permission
July 1st, 2011 12:52pm
Sets can't reference group membership - thus this isn't possible out of the box.
Reference: http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx - "Unsupported Filter Definitions"
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 2nd, 2011 3:47am
Tried the same. No luck :(
Any other suggestion? Still getting access denied.
I even created a new MPR for "administrators can modify filter attribute of sets". Still no luck.
Bundu
July 4th, 2011 8:03am
Thanks Brian.
If it's not possible then why am I getting an access denied error? It must be related to some MPR, am I correct? It should be an unexpected error or so.
Please let me know if you have seen someone try Robert's suggestion?
Bundu
July 4th, 2011 8:06am
Access Denied is a sort of generic catch all error. Don't be misled into thinking there's an MPR blocking you. There isn't. The RMService is blocking this.
You're not permitted to dereference the members of a group in the criteria of a set. It's not supported (see Brian's URL). The general opinion of the PG (from what I understand, I'm not a member of the PG and don't have insider information) is that groups are managed objects and sets are configuration objects, thus sets can't be built from managed objects.
That being said, currently you can work around this limitation by not expressing an object type in your XPath, e.g. /*[ObjectID = /Group[ObjectID = 'Target']/ComputedMember]. This isn't supported and the "hole" could be plugged at any time, therefore the only real and appropriate answer I can give is that you must utilise an action WF (custom activity) that will "synchronise" changes to the group into the set. For manually-managed membership this is achievable and not too complex. For criteria-based membership this is much more of an issue.
July 4th, 2011 10:52am
Thanks Paul.
I got this from MSDN: http://msdn.microsoft.com/en-us/library/ff393652.aspx
Example: Identifying Users Who Have Conflicting Roles or Permissions
The following XPath filter identifies users who are members of both the "Interns" group and the "Full Time Employees" group. You can use this XPath filter to determine whether there are users in sets or groups that produce conflicting roles or permissions.
/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember]
The previous code example uses the DisplayName attribute to identify the groups of interest. However, a better practice would be to use a unique identifier to identify the groups, such as their ObjectID attribute.
If the above is not achievable then I have to follow the custom workflow approach.
Bundu
July 4th, 2011 11:03am
Brian, thanks for clearing that up. I actually tried this in Microsoft's Business Ready Security Demo Environment and it worked there. Still, if this is unsupported, it might work, but it should not be used.
July 4th, 2011 11:07am
So finally it's a custom WF.
Thanks all for the support and patience.
Bundu
July 4th, 2011 11:59am
The above XPath is valid FIM XPath. However, not all valid FIM XPath can be used in the criteria filter for groups and sets. Indeed, you're actually quite limited. With regard to dereferencing the values of other objects, the only permitted filters are as follows:
For a SET
You may only dereference the COMPUTEDMEMBER and EXPLICITMEMBER (not sure why you'd bother with the latter) of a SET when the predicate to identify that set is the OBJECTID, e.g. /Person[ObjectID = /Set[ObjectID = 'd49426e3-913f-4881-af08-b1cb5256980f']/ComputedMember].
For a GROUP
The same as a Set but you may also dereference the COMPUTEDMEMBER and EXPLICITMEMBER of another Group.
Note the workaround I mentioned earlier of:
/Person[ObjectID = /*[ObjectID = 'd49426e3-913f-4881-af08-b1cb5256980f']/ComputedMember]
If that even still works.
In a SearchScope for example, the following is perfectly valid:
/Person[ObjectID = /Group[AccountName = 'SG_SQL_SERVER_ADMINS']/ComputedMember]/Manager
That would yield the Managers of anyone in the SQL SERVER ADMINS group.
July 4th, 2011 3:42pm
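The rules Paul lists above (only Set, or for groups also Group, may be dereferenced; only ComputedMember/ExplicitMember; the referenced object selected by ObjectID) can be turned into a check you run over your own set and group filters before someone relies on the untyped "/*" hole. The following is an added example, not code from the thread or from Microsoft; the rules it encodes are taken from Paul's post as stated, the GUIDs are placeholders, and the sample filters are constructed.

```powershell
# Added example (not from the thread): checks a Set or Group criteria filter
# against the dereference rules stated in the post above. Assumption: those
# rules are complete as stated there; this is not Microsoft documentation.
function Test-FimCriteriaFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $Filter,
        [Parameter(Mandatory = $true)] [ValidateSet('Set', 'Group')] [string] $ResourceType
    )
    $guid = "[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    # Every dereference of another object has the shape: = /Type[predicate]/Attribute
    $deref = "=\s*/(?<type>\*|\w+)\[(?<pred>[^\[\]]*)\]/(?<attr>\w+)"
    $findings = @()
    foreach ($m in [regex]::Matches($Filter, $deref)) {
        $type = $m.Groups['type'].Value
        $pred = $m.Groups['pred'].Value.Trim()
        $attr = $m.Groups['attr'].Value
        if ($type -eq '*') {
            $findings += "untyped '/*' dereference (the unsupported workaround)"
        } elseif ($type -eq 'Group' -and $ResourceType -eq 'Set') {
            $findings += "a Set may not dereference /Group"
        } elseif (@('Set', 'Group') -notcontains $type) {
            $findings += "dereferencing /$type is not permitted"
        }
        if ($attr -notmatch '^(ComputedMember|ExplicitMember)$') {
            $findings += "only ComputedMember/ExplicitMember may be dereferenced, not $attr"
        }
        if ($pred -notmatch "^ObjectID\s*=\s*'$guid'`$") {
            $findings += "the referenced object must be selected by ObjectID GUID, not [$pred]"
        }
    }
    New-Object PSObject -Property @{
        Filter    = $Filter
        Supported = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Constructed sample filters (placeholder GUIDs). The last one mirrors the
# MSDN "Interns" example quoted earlier in the thread.
$samples = @(
    @{ Type = 'Set';   Filter = "/Person[ObjectID = /Set[ObjectID = '11111111-1111-1111-1111-111111111111']/ComputedMember]" },
    @{ Type = 'Set';   Filter = "/Person[ObjectID = /Group[ObjectID = '22222222-2222-2222-2222-222222222222']/ComputedMember]" },
    @{ Type = 'Group'; Filter = "/Person[ObjectID = /Group[ObjectID = '22222222-2222-2222-2222-222222222222']/ComputedMember]" },
    @{ Type = 'Set';   Filter = "/Person[ObjectID = /*[ObjectID = '22222222-2222-2222-2222-222222222222']/ComputedMember]" },
    @{ Type = 'Set';   Filter = "/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember]" }
)
$samples |
    ForEach-Object { Test-FimCriteriaFilter -Filter $_.Filter -ResourceType $_.Type } |
    Format-Table Supported, Findings, Filter -AutoSize
```

Only the first and third samples come back as supported; the second is flagged because a set is dereferencing a group, the fourth because of the untyped "/*" workaround, and the fifth on both the group reference and the DisplayName predicate. To check a live portal, feed the function the text of each set's Filter attribute as returned by Export-FIMConfig (the attribute holds an XML wrapper around the XPath, so extract the element text first); anything flagged there is a set whose membership, and therefore whose MPR grants, will silently change if the workaround stops working.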
You could write a PowerShell script to populate FIM sets based on AD groups. You can have the AD group and FIM set mappings in a CSV file, and PowerShell can enumerate AD group membership and populate the set(s). We can have this script outside the FIM process and run it at specific frequencies. With this script, we can use existing AD groups for MPR authorizations, since the sets are kept synchronized with AD groups through scheduled PowerShell scripts.
August 4th, 2011 12:08pm
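A concrete form of the scheduled-script approach just described, and of the "synchronise the group into the set" idea Paul raised earlier. This is an added example, not the poster's script nor anything shipped with FIM. It assumes the FIMAutomation snap-in and the ActiveDirectory module are installed on the host, that the account running it is permitted to modify ExplicitMember on the target sets, and that the CSV has the columns ADGroup,FimSet; the path and names are placeholders. It computes the difference between the AD group and the set's current ExplicitMember so that removals are applied as well as additions.

```powershell
# Added example, not from the thread. Keeps a FIM Set's ExplicitMember in step
# with an AD group. Assumptions: FIMAutomation snap-in + ActiveDirectory module
# present; the CSV columns are ADGroup,FimSet; all paths/names are placeholders.
Add-PSSnapin FIMAutomation -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$MappingCsv = 'C:\FIM\GroupToSet.csv'   # placeholder; one row per AD group -> FIM set

function ConvertTo-FimGuid {
    # Export-FIMConfig reports identifiers as urn:uuid:<guid>; the import side wants the bare GUID.
    param([string] $Urn)
    return $Urn -replace '^urn:uuid:', ''
}

function Get-FimObjectIds {
    # Bare GUIDs of every resource matched by an XPath filter (empty array if none).
    param([string] $XPath)
    $objs = @(Export-FIMConfig -CustomConfig $XPath -OnlyBaseResources)
    return @($objs | ForEach-Object { ConvertTo-FimGuid $_.ResourceManagementObject.ObjectIdentifier })
}

function Get-FimSetExplicitMembers {
    # Current ExplicitMember GUIDs of one set.
    param([string] $SetId)
    $set  = Export-FIMConfig -CustomConfig "/Set[ObjectID='$SetId']" -OnlyBaseResources
    $attr = $set.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'ExplicitMember' }
    if ($null -eq $attr) { return @() }
    return @($attr.Values | ForEach-Object { ConvertTo-FimGuid $_ })
}

function New-FimMemberChange {
    # One Add/Delete of a Person GUID on the ExplicitMember attribute.
    param([string] $Operation, [string] $PersonId)
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = $Operation      # 'Add' or 'Delete'
    $c.AttributeName  = 'ExplicitMember'
    $c.AttributeValue = $PersonId
    $c.FullyResolved  = $true
    $c.Locale         = 'Invariant'
    return $c
}

foreach ($map in Import-Csv -Path $MappingCsv) {
    $setIds = Get-FimObjectIds "/Set[DisplayName='$($map.FimSet)']"
    if ($setIds.Count -ne 1) { Write-Warning "Set '$($map.FimSet)' missing or not unique; skipped"; continue }
    $setId = $setIds[0]

    # Desired membership: AD users (nested groups flattened) mapped to FIM Person by AccountName.
    $desired = @()
    $users = Get-ADGroupMember -Identity $map.ADGroup -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($u in $users) {
        $ids = Get-FimObjectIds "/Person[AccountName='$($u.SamAccountName)']"
        if ($ids.Count -eq 1) { $desired += $ids[0] }
        else { Write-Warning "No unique FIM Person for $($u.SamAccountName)" }
    }

    # Diff against what the set holds now. Removals matter as much as additions:
    # a stale ExplicitMember keeps whatever MPR rights the set grants.
    $current  = Get-FimSetExplicitMembers $setId
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })
    if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) { continue }

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'Set'
    $import.TargetObjectIdentifier = $setId
    $import.SourceObjectIdentifier = $setId
    $import.State                  = 'Put'
    foreach ($id in $toAdd)    { $import.Changes += New-FimMemberChange 'Add'    $id }
    foreach ($id in $toRemove) { $import.Changes += New-FimMemberChange 'Delete' $id }
    Write-Host ("{0}: +{1} / -{2}" -f $map.FimSet, $toAdd.Count, $toRemove.Count)
    $import | Import-FIMConfig
}
```

Run it from a scheduled task under a dedicated account whose MPR grant is limited to ExplicitMember on the mapped sets, not a portal administrator, and keep the CSV under change control, since each row effectively decides who receives the rights those sets confer. Group or account names containing an apostrophe would break the XPath strings as written; escape or reject them if your directory has any.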
Paul, is there anything out there, or do you currently have an example of the custom workflow for synchronizing group membership to a set like you talked about?
August 4th, 2011 6:06pm