XPATH filter help for a Set finding Criteria based groups with ExplicitMembers

I actually have two problems that I'm trying to solve here. The issue I'm trying to solve is related to criteria-based groups that allow manually managed members to be imported from AD. Say I have a criteria-based group for all contractors. If someone adds a member to this group in AD, this newly added member is imported as an ExplicitMember. If you go to the details of this group there is an error that the dynamic group has static members and you can't make changes unless you clear out those ExplicitMembers.

One approach we tried to fix this was to limit access to admins so they cannot modify membership of criteria groups. This is possible since we put criteria groups in a single OU. Our Server team didn't want to go this route. Next I set up an alert within FIM to notify me when a member was added to a criteria-based group. However, the fix is still to manually go into the group and remove those members.

So, I thought why not create a set that would contain criteria based groups (MembershipLocked = True) that have Manually Managed Members (ExplicitMember = /Person) so that I can create a policy to remove ExplicitMember.  I came up with the following XPATH filter /Group[(MembershipLocked = True) and (ExplicitMember = /Person)] yet I cannot get this to work in a set.  If I create a search scope with this filter it works perfectly.

Why won't this XPATH filter work in a Set?

As always, thanks in advance for your help.

Kirk

June 25th, 2012 6:01pm

You cannot reference Group membership in a Set.

Check http://blog.msresource.net/2011/10/06/set-and-group-criteria-filters/ for some insight.

June 25th, 2012 6:42pm

Old thread I know, but the answer is useful.

You can do the cleanup using PowerShell instead:

    $DefaultUri = "http://localhost:5725"

    # Load the FIMAutomation snap-in if it is not already loaded
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

    # Run an XPath filter against the FIM Service and return the matching resources
    function QueryResource
    {
        PARAM($Filter, $Uri = $DefaultUri)
        END
        {
            $resources = Export-FIMConfig -CustomConfig $Filter -Uri $Uri -OnlyBaseResources
            $resources
        }
    }

    # Criteria-based groups (MembershipLocked) that have manually managed members
    $groups = QueryResource -Filter "/Group[(MembershipLocked = True) and (ExplicitMember = /Person)]"

    foreach ($g in $groups){
        $name = ($g.resourcemanagementobject.resourcemanagementattributes | where {$_.attributename -eq "DisplayName"}).value
        $a1="$name"
        # Persons that are members of this group, looked up by the group's DisplayName
        $Group1 = Export-FIMConfig -customConfig "/Person[ObjectID = /Group[DisplayName = '$a1']/ComputedMember]" -Uri $DefaultUri -OnlyBaseResources
        foreach($i in $Group1)
        {
            # DO STUFF TO EACH GROUP MEMBER
        }
    }


April 29th, 2015 3:31am
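
One way to fill in the cleanup step the thread is after, as an added example that is not part of any poster's code: it finds criteria-based groups that carry ExplicitMember values and, only when run with -Apply, submits a delete for each value. The script parameters and the helper name Get-FimAttributeValues are hypothetical, and it assumes the FIMAutomation snap-in, a FIM Service at the URI used in the thread, and that exported reference values can be passed back unchanged as the AttributeValue of a change.

```powershell
# Added example: dry run by default, changes are sent only with -Apply.
param(
    [string]$Uri = "http://localhost:5725",   # FIM Service endpoint (as in the thread)
    [switch]$Apply
)
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}

# Hypothetical helper: all values of one attribute of an exported object.
function Get-FimAttributeValues($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Same filter as in the question: locked (criteria) groups with explicit members.
$filter = "/Group[(MembershipLocked = True) and (ExplicitMember = /Person)]"
$groups = Export-FIMConfig -CustomConfig $filter -Uri $Uri -OnlyBaseResources

foreach ($g in $groups) {
    $groupId = $g.ResourceManagementObject.ObjectIdentifier
    $name    = @(Get-FimAttributeValues $g "DisplayName") -join ""
    $members = @(Get-FimAttributeValues $g "ExplicitMember")
    Write-Output ("{0}: {1} explicit member(s)" -f $name, $members.Count)
    if (-not $Apply -or $members.Count -eq 0) { continue }

    # One Delete change per explicit member value.
    $changes = foreach ($m in $members) {
        $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $c.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $c.AttributeName  = "ExplicitMember"
        $c.AttributeValue = $m
        $c.FullyResolved  = $true
        $c.Locale         = "Invariant"
        $c
    }
    # Put the changes against the existing group object.
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType             = "Group"
    $io.TargetObjectIdentifier = $groupId
    $io.SourceObjectIdentifier = $groupId
    $io.State   = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $io.Changes = @($changes)
    $io | Import-FIMConfig -Uri $Uri
}
```

Run it once without -Apply and review the per-group counts before letting it write to the FIM Service.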

This topic is archived. No further replies will be accepted.
