What is the optimum way to configure FIM Portal administration for existing AD users?
What is the optimum method for assigning selected pre-existing AD users with Admin capabilities within FIM Portal? Is it possible to honor the following constraints?
1. The Admin account is not required to be managed by FIM.
2. The Admin account is in an OU that is not 'seen' by FIM, as the AD MA account does not have delegated permission on the OU.
3. Once an AD Security Group has been configured with appropriate Portal and FIM privileges, can the delegation for individual users be managed purely through the Group membership without using the portal?
Thanks, AB
April 14th, 2010 8:12am

Not sure if I understand your question correctly. It sounds like you want to assign FIM admin rights to accounts that are not synchronized - is this correct? If so, the best practice recommendation is to not manage FIM admin accounts by using the FIM synchronization service. You should also have at least one backup account (an account that is disabled in AD). We already had a scenario where a customer managed to delete the FIM admin account... "Not to be managed by FIM" translates here to "not managed by using the FIM synchronization service"; however, the account must exist in the FIM service database. Also, keep in mind that a user's SID must be populated in the FIM service database to enable a user to access the FIM portal. See "Enabling FIM Portal Access for a Regular AD User Account" for more details on this. To populate the related accounts in FIM, you can use a PowerShell script. Just using the security group membership in AD to grant FIM admin rights to an account is not possible, since you still have to populate at least the SID attribute.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 14th, 2010 12:18pm
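The step Markus describes, populating a Person object with the SID of an existing AD account that the AD MA never sees, as an added PowerShell example that is not part of the thread or of any Microsoft script. It assumes the FIMAutomation snap-in on the FIM Service server, a caller allowed to create Person objects, and constructed sample values for the domain and account name.

```powershell
# Create a FIM Service Person for a pre-existing AD user so it can sign in to
# the FIM Portal, without the account being managed by the sync service.
# Assumes the FIMAutomation snap-in; domain/account values are constructed.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$domain      = "CONTOSO"          # constructed sample value
$accountName = "fimbackupadmin"   # constructed sample value
$displayName = "FIM Backup Admin"

# Resolve the SID directly from AD; no management agent is involved.
$ntAccount = New-Object System.Security.Principal.NTAccount($domain, $accountName)
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes  = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
# Binary attributes such as ObjectSID are handed to Import-FIMConfig as base64.
$sidBase64 = [System.Convert]::ToBase64String($sidBytes)

function New-FimAttributeChange {
    param([string]$Name, [string]$Value)
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = 1            # 1 = Add
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = 1
    $c.Locale         = "Invariant"
    return $c
}

# Idempotency check: do not create a duplicate Person for the same account.
$existing = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$accountName']"
if ($existing) {
    Write-Host "Person '$accountName' already exists in the FIM service database."
    return
}

$obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$obj.ObjectType             = "Person"
$obj.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
$obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
$obj.State                  = 0      # 0 = Create
$obj.Changes = @(
    (New-FimAttributeChange "AccountName" $accountName),
    (New-FimAttributeChange "Domain"      $domain),
    (New-FimAttributeChange "DisplayName" $displayName),
    (New-FimAttributeChange "ObjectSID"   $sidBase64)
)
$obj | Import-FIMConfig
```

As the reply notes, AD group membership alone does not confer portal rights; once the Person exists, its membership in the Administrators set is still granted through FIM, and the disabled backup admin account should be created the same way.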

Thanks Markus, your answer adequately covers my question. If there is a doc on the FIM security delegation model or operational security patterns, I'd appreciate the link.
Cheers, AB
April 14th, 2010 5:22pm

Cool! There is no document like this available yet. It would be helpful if you could open a Suggestion Box item with a bullet list that covers what you want to read about. Like always, the more details you provide, the higher the chances that the document covers what you are looking for :-) Also, this would be a great opportunity for others to add items they want to see covered...
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 14th, 2010 6:28pm
