Hi there. I am looking for your guidance regarding 2 issues, the first, can we limit the no. of users and groups a user can create, for example I want to limit users to create only 2 DLs or Security groups, help desks can create 20 users for example. the other, inregional environment, Can we limit the scope of the search for a user and where he can creates users, to elaborate more, I have 1 domain with so many regional admins, I want admin of US to create users in the US OU and can See only users in the US OU, admin of asia can create users in asia and can search and modify users in asia. I want that to be dynamic in the UI so are there a way to script the sets and the MPRS so when a new region is added it is done automatically, I can imagine that each admin can see a specific set and has MPRS applies to grant him the permission, how ever I want the UI to reflect that as well, is it possible. ThanksRegards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com

Thinking off the top of my head here - haven't tried this at all, and I'm not sure whether you'd need to write custom workflows... For problem 1 you add a custom attribute to the Person object which is the number of users they have created. You add a step to the workflow which runs on user creation and which increments the count on the Requestor. Then you create a set of helpdesk people with a user creation count of less than 20, and you use this set in your MPR which gives the rights to create users. On the second problem, I think you may end up having to write a custom workflow here. I saw a demo on one of the earlier RC versions where the guy automatically created groups by attaching a workflow to the Department attribute. It went something like this: when the Department is changed check to see if it's a new department that we don't know about already, and if so, create the department group. Likewise I think you'd need something like that which checked the region and, if it was a new one, created the other required objects. I can't help you any more here though, hopefully someone else can. http://www.wapshere.com/missmiis

Hi Carol, Thank a lot for your reply, for problem 1 that is waht I have thought also, but I wasn't sure to use a CWF or use AD quote, I will give both a shot and see which one will fit more, I will check when the FIM creates an objects how it stambs the owner of this object, if it stambs it with the user creates the object then AD quote will be much faster and effective way. for problem 2, can we create a set and MPRS from the CWF, mmm tricky but this is a good start that my developers will start working from it, but i am not sure if this is possible or not:(. Thanks a lot for spending the time replying in my post. MahmoudRegards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com

Hi Again, Can we use powershell to create sets and MPRs or the FIM 2010 webclient, are there any good resources about that?Regards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com

Hi Again, Can we use powershell to create sets and MPRs or the FIM 2010 webclient, are there any good resources about that? Regards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com I'm sure you can. I had some good success creating groups through powershell, and really all you're doing is changing the object types and attributes that you're populating. Have a look in the Script Box for inspiration (and do post you own scripts if you come up with something cool!)http://www.wapshere.com/missmiis

Can we use powershell to create sets and MPRs or the FIM 2010 webclient, are there any good resources about that? The FIM ScriptBox. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation