The Request contains changes that violate system constraints?
Hi, I am trying to provision groups into FIM from SQL. I have successfully provisioned users, but the groups are giving me a permissions error I'll post below. I have run the script to check if the sync account is properly configured and that was successful. I ran the sync to test the MPRs and it returned that there were "Missing attributes of Synchronization" in the Synchronization account controls group resources it synchronizes. However, I looked at the MPR and those attributes are specified in the "Target Resources". I even changed it to "All Attributes" and the script returned the same results. The MPR is enabled. Nothing is reported in the "Search Requests". Is there another place I am supposed to look granting permissions to manage the attributes? Many thanks for any help. I'm stumped. Sami

There is an error executing a web service object creation request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><RequestAdministratorDetails><FailureMessage>The Request contains changes that violate system constraints. Exception: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown. Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.PreProcessRequestFromAttribute(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromAttribute(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><RequestFailureSource>SystemConstraint</RequestFailureSource></RequestAdministratorDetails></RequestFailures>
Stack Trace:
at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
Inner Exception: Policy prohibits the request from completing.
July 31st, 2010 10:11pm

Using PowerShell to check your MPR configuration for synchronization. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
August 1st, 2010 12:17am

Hi Sami, The error is likely because the request being submitted to create the group is attempting to set an attribute that is not permitted by the FIM service, or set a value that is not permitted. You are creating this group through sync, correct? Can you check the metaverse and see what the properties of the group there are, before it is exported unsuccessfully to the FIM service DB? Thanks, Nima
August 1st, 2010 12:56am

Hi Nima, Correct--I am creating it through sync. In the metaverse, here's what I see for one of the groups. Do any of these look incorrect?

AccountName: 0041
DisplayName: 0041
Domain: mydomain
Filter: <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[OfficeLocation = ''0041'']</Filter>
MembershipAddWorkflow: None
MembershipLocked: true
Scope: Universal
Type: Security
MVObjectID: {2B4D73A8-E615-4050-A489-2E1020A6121A}

Thank you again for any help. I appreciate it. Sami
August 1st, 2010 3:51pm

Hi Markus, I used that tool and it reports the following:

"Missing attributes of Synchronization: Synchronization account controls groups resources it synchronizes:
MVObjectID AccountName Displayname Filter MembershipAddWorkflow MembershipLocked Type Domain Scope ObjectSID"

However, when I look at the Sync Rule in the portal, the following are in the "Action Parameter":

AccountName ComputedMember Description DetectedRulesList DisplayedOwner DisplayName Domain DomainConfiguration Email ExpectedRulesList ExpirationTime ExplicitMember Filter MailNickname MembershipAddWorkflow MembershipLocked MVObjectID ObjectSID Owner Scope SIDHistory Temporal Type

The sync rule is enabled. I even tried setting it to "All Attributes" instead of "Specific Attributes" and got the same message. Am I missing a step somewhere to correct this? I appreciate any help. Thank you, Sami
August 1st, 2010 4:23pm

Something I just noticed. When I run the script to verify the MPR configuration, it reports all of the MPRs listed in the script as missing. However, they are in the portal and I can create users in FIM and AD--just not groups. It's making me wonder if something could be corrupted somewhere? Any ideas or help is greatly appreciated. Many thanks, Sami
August 2nd, 2010 9:39pm

Thanks to Glenn Zuckerman for helping me with this. It turns out I had an error in the memberFilter attribute, which actually threw the "failed-creation-via-web-services" error with an "object reference not set to an instance of an object" error.
August 3rd, 2010 12:19am
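
An added example, not part of the thread: the fault detail quoted in the first post is XML, and the two fields that locate the failure are `RequestFailureSource` and the first stack frame inside `FailureMessage`. The function name `Get-FimRequestFailure` is hypothetical, and the sample is a shortened, constructed copy of the fault from the first post.

```powershell
# Constructed sample: the fault detail from the first post, shortened to two stack frames.
$faultDetail = @'
<RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">
  <RequestAdministratorDetails>
    <FailureMessage>The Request contains changes that violate system constraints. Exception: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown. Stack Trace: at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request) at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)</FailureMessage>
    <RequestFailureSource>SystemConstraint</RequestFailureSource>
  </RequestAdministratorDetails>
</RequestFailures>
'@

# Hypothetical helper name; uses only System.Xml and .NET regex.
function Get-FimRequestFailure {
    param([Parameter(Mandatory = $true)][string]$FaultXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never fetch external entities while parsing fault text
    $doc.LoadXml($FaultXml)

    # The fault elements live in the ResourceManagement namespace shown in the post.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('rm', 'http://schemas.microsoft.com/2006/11/ResourceManagement')

    foreach ($detail in $doc.SelectNodes('//rm:RequestAdministratorDetails', $ns)) {
        $msgNode = $detail.SelectSingleNode('rm:FailureMessage', $ns)
        $srcNode = $detail.SelectSingleNode('rm:RequestFailureSource', $ns)
        $message = if ($msgNode) { $msgNode.InnerText } else { '' }

        # Frames look like "at Namespace.Type.Method(args)"; the trace may be one long line.
        $frames = @([regex]::Matches($message, '\bat\s+(Microsoft\.[\w.`]+)\(') |
            ForEach-Object { $_.Groups[1].Value })

        New-Object PSObject -Property @{
            Source   = if ($srcNode) { $srcNode.InnerText } else { $null }
            Summary  = ($message -split '\s+Exception:')[0].Trim()
            TopFrame = if ($frames.Count -gt 0) { $frames[0] } else { $null }
            Frames   = $frames.Count
        }
    }
}

Get-FimRequestFailure -FaultXml $faultDetail | Format-List Source, Summary, TopFrame, Frames
```

For the fault in this thread, the source is `SystemConstraint` and the top frame is in `FilteredResourceActionProcessor`.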

This topic is archived. No further replies will be accepted.
