For an AD MA, I have attribute flow rules only for account and objectSID - these values flow correctly and can be seen in CS and in MV. But MIIS_CSObject also has domain, fqdn and UPN - how/where does it get these from? It doesn't seem to get them from the CS (unless there are hidden attributes and hidden flow rules?)

It is correct, neither of these attributes are stored in the connector space. The related method sends a query (I belief in form of a DSCrackNames API call) to the DC the ADMA would use to exchange data. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thanks Marcus Do you know if that runs under the context of the AD MA account? Trying to work out why this method/query would be failing but all other AD MA import and sync is working....

CS Objects that come from the AD MA or the GAL MA can have special attributes that are retrieved at the time the CS Object is constructed to pass back through WMI. These attributes are the fully qualified domain name, the domain name, the account name, and the user principal name. This is done in the context of the caller making the WMI call, which is probably why you are seeing the failure. Ensure the user account has the rights to query this information from AD using DsCrackNames(), or remove those elements from the list of properties you are requesting in your SELECT statement and WHERE clause.

Thanks Bruce FYI the error was not permissions but the fact that the WMI call does not correctly handle a username which exceeds 16 characters. All other FIM functions apart from the Password Reset WMI call handle this correctly, but the PW reset call does not, and does not produce a specific error message. Workaround is to use account name shorter than 16 characters for the AD MA account.