Make a member of the group

Hi,

I am successfully provisioning users in AD via FIM; however, I need to add users to a specific group. By default all newly provisioned users are members of Domain Users, and now I want to add them to another group, say "FIMGROUP".

Your help will be appreciated.

Regards

September 9th, 2015 7:21pm

You need to create the group in FIM as a dynamic group and under criteria provide the rule. See here for details: https://technet.microsoft.com/en-us/library/Ee534903(v=WS.10).aspx
September 9th, 2015 9:34pm

Thanks Nosh. Sorry if I am not correct; however, I already have groups created in AD, and I want that whenever a new user is provisioned in AD via FIM, it will also become a member of the group in AD.
September 9th, 2015 10:18pm

Correct. That is exactly what you are doing if you follow the link I sent. In order for a user to be added to a group in AD via FIM, you need to implement group management in FIM and then synchronize it with AD. If you have a group in AD, create one in FIM with the same name and follow the previous link I sent you.
September 9th, 2015 10:29pm

I am only synchronising the users, not groups, so does that mean I need to sync groups as well? If yes, then is there any other way to do that, as I really don't want to sync groups? Please also advise whether, if I create a group with the same name, it won't conflict with the existing one.
September 9th, 2015 10:50pm

Hello,

One thing you should decide before implementing group management is:

1. Do you want to put the user in that group once on provisioning, but have the group later managed manually in AD or elsewhere?

or

2. Do you want to let FIM manage the group the whole time, with no manual management of that group?

In the first option you need to create your own custom activity or use a generic one like PowerShell to put users in that group once on provisioning.

If the second option is what you want, implement group management with dynamic groups in FIM.
There will be no conflict, as you can join the AD group with the group in FIM.
After that FIM will manage the group membership of users in that group.

/Peter

September 10th, 2015 2:50am

You can run PowerShell or write code in the AD MA to add the user to the group.
September 10th, 2015 7:24am

I have the same need. I am synchronizing specific containers from my "primary" AD to many remote forests where these user accounts will be created, then need to be added to the remote forest "Domain Admins" group.

I am using an outbound synchronization rule to provision the user accounts and sync passwords. I am competent with PowerShell but have not found in any documentation how I can add a script to post-process the provisioned user account and pass it to Add-AdGroupMember "Domain Admins" -Members $User

Thanks, Stu

September 10th, 2015 11:45am

I am not sure why anyone would not want to use an out-of-the-box function in FIM, called group management, since you are already paying CALs for it.

But if you don't want to, you can simply write a PowerShell script and call it from the AD MA import flow.

September 10th, 2015 12:26pm

Our scenario is not typical. We are a Managed Service Provider and will be using FIM to push individual system engineering accounts into over 60 forests. We don't want to pull any information from our customer environments into FIM. Later we may convert to the new Privileged Account model with Windows Server 2016 and FIM.

Where can I learn how to call PowerShell from the AD MA import flow?

Stu

September 10th, 2015 12:44pm

Sometimes there is a need to put users in a group only once on the initial flow, and after that manage that group membership manually.

Besides FIM group management, I also implemented such a scenario.

But you should keep some things in mind:

This initial add of the user to the AD group should only be done if the user is "really" created in AD, not just provisioned.

I ended up starting a workflow with a PowerShell activity whenever objectSID is modified, which normally occurs only once, when the object is created.

(OK, it can also happen on migrations, but then you have other problems too with your IDM system ;-) )

A better way might be to use Expected State Detection (DREs):

https://technet.microsoft.com/en-us/library/ff608269%28WS.10%29.aspx

But the first one works for me.

/Peter

September 10th, 2015 12:48pm
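The "add once on provisioning" step Peter describes, written out as an added example (this is not code from the thread, from Peter, or from FIM itself). It is meant to run from a workflow PowerShell activity: it adds the new account to a group only after the account really exists in AD (objectSid populated), and it can be re-run without side effects. Assumptions: the RSAT ActiveDirectory module is installed on the host running the activity; the parameter names are hypothetical; "FIMGROUP" is the group named in the first post.

```powershell
<#
  Added example, not code from the thread or from FIM. Implements the
  "put the user in the group once, then leave the group alone" option:
  the add happens only when the AD object is really created (objectSid set)
  and is skipped when the account is already a member.
  Assumptions: RSAT ActiveDirectory module present; parameter names are
  hypothetical; FIMGROUP is the group from the first post.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$GroupName = 'FIMGROUP',
    [string]$Server,                                       # DC or domain of the target forest
    [string]$LogPath = "$env:ProgramData\FIM\group-add.log"
)

Import-Module ActiveDirectory -ErrorAction Stop
$adArgs = @{}
if ($Server) { $adArgs['Server'] = $Server }

function Write-Log {
    param([string]$Message)
    $null = New-Item -ItemType Directory -Force -Path (Split-Path $LogPath)
    $line = '{0:u} {1} {2}' -f (Get-Date), $SamAccountName, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# 1. Look the account up by identity rather than with a string-built -Filter,
#    so a sAMAccountName containing quotes cannot alter the LDAP query.
try {
    $user = Get-ADUser -Identity $SamAccountName -Properties objectSid @adArgs
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Log 'SKIP: not found in AD yet (provisioned in FIM but not exported?)'
    return 'NotFound'
}

# 2. Peter's condition: a populated objectSid means the object was really created.
if (-not $user.objectSid) {
    Write-Log 'SKIP: objectSid empty, object not fully created'
    return 'NoSid'
}

# 3. Idempotent: membership is checked before the add, so re-running the
#    workflow (or a second objectSid change during a migration) does nothing.
$group = Get-ADGroup -Identity $GroupName -Properties member @adArgs
if ($group.member -contains $user.DistinguishedName) {
    Write-Log "OK: already a member of $GroupName"
    return 'AlreadyMember'
}

# 4. Honour -WhatIf so the activity can be dry-run before it touches a group.
if ($PSCmdlet.ShouldProcess($GroupName, "add $($user.DistinguishedName)")) {
    Add-ADGroupMember -Identity $group -Members $user @adArgs
    Write-Log "ADDED to $GroupName"
}
return 'Added'
```

Saved as a script, it can be dry-run with `-WhatIf` (for example `.\Add-ProvisionedUserToGroup.ps1 -SamAccountName jdoe -GroupName FIMGROUP -Server dc01.example.com -WhatIf`, where the script name, account and server are placeholders) and returns one of NotFound, NoSid, AlreadyMember or Added so the calling workflow can decide whether to retry. Every decision is appended to the log file, which gives an audit trail of who was added to which group and when.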

Peter,

I'm a newbie to FIM and the documentation certainly makes it a challenge. Where can I find more about the approach you mention: "I ended up in starting a Workflow with a PowerShell activity whenever objectSID is modified, which normally occurs only once when object is created."

I have created the initial workflows (Add AD User & Remove AD User) for the sync, but have not seen how I would call PowerShell from one. I assume from "Activities" somehow.

-Stu

September 10th, 2015 1:01pm

I don't understand this. If users are not in FIM, you cannot manage them. Period.

Where can I learn how to call PowerShell from the AD MA import flow?

1. First you need to learn about management agents: Basic FIM Classical Provisioning and Synchronization.

Because you are doing this in a classical rules extension, it is the same as ILM: https://technet.microsoft.com/en-us/magazine/2009.07.ilm.aspx

To use code, you need an advanced flow rule. You need it to be inbound, to make sure the user exists before trying to add it to a group.

2. You need to know how to call PowerShell in C#. Here is a good example from Carol: http://www.wapshere.com/missmiis/provisioning-bpos-powershell-commands-as-cs-objects

September 10th, 2015 1:04pm

I'm doing declarative provisioning, not classic. I have rules, workflows and sets.

-Stu

September 10th, 2015 1:09pm

That means you have users in FIM, don't you? You can still do classical for the group portion.
September 10th, 2015 1:32pm

The only way to accomplish this task is to require a real Windows developer?

Looks like a big product weakness to me.

-Stu

September 10th, 2015 1:43pm

Not really, it is very little development.

In any case, how is it a product weakness when you have an out-of-the-box module? Because you don't want to use it?

September 10th, 2015 1:45pm

We're trying to keep this solution as simple as possible while ensuring the security of our customers. We don't want to accumulate customer PII in our systems.

If I do some type of sync filter inbound on only the "Domain Admins" group from each forest, will I be able to add/remove the user objects FIM owns and not remove the local account members in the Domain Admins group that FIM is unaware of?

September 10th, 2015 1:55pm

You sure can.

As Peter mentioned, there are 2 ways to add a user.

1. Add once, and never look at it again. If all you care about is adding the user once, you do this in the provisioning rule. FIM does not care who is there and who is not. Simply add this user as well.

2. Synchronize always. This is in the synchronization rule, where it constantly maintains the relationship between FIM and AD.

Of course there are other ways as well.

September 10th, 2015 1:59pm
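As an added example (not code from the thread, from Nosh, or from FIM), the following PowerShell step shows the "synchronize always" variant done in a way that answers Stu's question about local accounts: it reconciles a group against the list of accounts FIM owns, but it only ever adds or removes members that carry a FIM-ownership tag, and it leaves every other member, including foreign security principals from other forests, untouched. Assumptions, all chosen for the example: FIM-owned accounts are marked with extensionAttribute1 = 'FIM-managed'; the RSAT ActiveDirectory module is present; the members that need resolving live in the domain reached via -Server; "FIMGROUP" is the group from the first post (Stu would pass 'Domain Admins').

```powershell
<#
  Added example, not code from the thread or from FIM. Scoped reconciliation:
  adds missing FIM-owned accounts, removes FIM-owned accounts that are no longer
  desired, and never touches members FIM does not own.
  Assumptions (hypothetical): ownership tag extensionAttribute1 = 'FIM-managed';
  RSAT ActiveDirectory module present; FIMGROUP is the group from the first post.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string[]]$DesiredMembers,     # sAMAccountNames FIM wants present
    [string]$GroupName         = 'FIMGROUP',
    [string]$OwnerTagAttribute = 'extensionAttribute1',
    [string]$OwnerTagValue     = 'FIM-managed',
    [string]$Server
)

Import-Module ActiveDirectory -ErrorAction Stop
$adArgs = @{}
if ($Server) { $adArgs['Server'] = $Server }

function Test-Owned($obj) {
    # Only user objects carrying the ownership tag are ours to add or remove.
    $obj.objectClass -eq 'user' -and $obj.$OwnerTagAttribute -eq $OwnerTagValue
}

$group = Get-ADGroup -Identity $GroupName -Properties member @adArgs

# Resolve each current member DN once. Anything that cannot be resolved here
# (e.g. a foreignSecurityPrincipal from another forest) is kept as an opaque,
# unowned entry so it can never be selected for removal.
$current = @()
foreach ($dn in @($group.member)) {
    try {
        $current += Get-ADObject -Identity $dn -Properties objectClass, $OwnerTagAttribute @adArgs
    } catch {
        $current += [pscustomobject]@{ DistinguishedName = $dn; objectClass = 'unresolved' }
    }
}
$owned   = @($current | Where-Object {  Test-Owned $_ })
$foreign = @($current | Where-Object { -not (Test-Owned $_) })

# Resolve the desired set; refuse to claim an account that lacks the tag, since
# claiming it would make it removable by this script on a later run.
$desired = @()
foreach ($sam in $DesiredMembers) {
    try   { $desired += Get-ADUser -Identity $sam -Properties $OwnerTagAttribute @adArgs }
    catch { Write-Warning "Desired member '$sam' not found in AD; skipped" }
}
$desired = @($desired | Where-Object { $_.$OwnerTagAttribute -eq $OwnerTagValue })

$currentDns = @($current | ForEach-Object DistinguishedName)
$desiredDns = @($desired | ForEach-Object DistinguishedName)
$toAdd    = @($desired | Where-Object { $_.DistinguishedName -notin $currentDns })
$toRemove = @($owned   | Where-Object { $_.DistinguishedName -notin $desiredDns })

foreach ($u in $toAdd) {
    if ($PSCmdlet.ShouldProcess($GroupName, "add $($u.DistinguishedName)")) {
        Add-ADGroupMember -Identity $group -Members $u.DistinguishedName @adArgs
    }
}
foreach ($u in $toRemove) {
    if ($PSCmdlet.ShouldProcess($GroupName, "remove $($u.DistinguishedName)")) {
        Remove-ADGroupMember -Identity $group -Members $u.DistinguishedName -Confirm:$false @adArgs
    }
}
Write-Verbose ('{0} added, {1} removed, {2} non-FIM members left untouched' -f
    $toAdd.Count, $toRemove.Count, $foreign.Count)
```

Run it with `-WhatIf -Verbose` first: the ShouldProcess calls print every intended add and remove, and the final line shows how many members were deliberately left alone. The ownership tag is what makes this safe for a privileged group such as Domain Admins: an account that was added by hand in the customer forest never carries the tag, so the script cannot remove it, and a desired account without the tag is not claimed either.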

Thanks. I will try the approach of syncing inbound the Domain Admins group and adding the new user to it.
September 10th, 2015 2:04pm

Nosh,

I have created 2 synchronization rules, inbound/outbound, for the "Domain Admins" group. I can see the Domain Admins group in the connector and the MV.

How do I put users into the Domain Admins group when my user is provisioned?

-Stu

September 10th, 2015 3:45pm

Make sure there is a relationship criterion sAMAccountName -> sAMAccountName.

Create the group in the FIM portal called "Domain Admins" as criteria-based, if you want users added automatically, or as manual if you want to add them manually. Here is a guide: https://technet.microsoft.com/en-us/library/Ee534903(v=WS.10).aspx

In this setup, though, you are managing all users in FIM, so if a user is not in FIM, it will be removed.

September 10th, 2015 4:39pm

Guys,

Peter and I have explained this multiple times in this thread. Group management is basic FIM stuff. You really need to do some reading. The forum is not there to provide FIM training. The fact that you still don't get it is because you don't have the fundamentals of this product.

September 10th, 2015 7:46pm

Hello,

I have done it through FIM group management; however, I do not agree with Nosh, as I got the error "SYNC-RULE-FLOW-PROVISIONING-FAILED" if the group already exists in AD. When I go to the details of the error I find "already exists in management agent "ADMA"".

Well, it's cool if you create the group in FIM and set the criteria.

JB

September 11th, 2015 2:55am

JB - because you have not specified a proper relationship criterion to ensure the groups are joined in the metaverse. You can always join this group manually in the MV, since it is one group only, a one-time deal.

I would suggest that you all not take the FIM salespeople's comments at face value when they say "FIM is easy". It is not.

September 11th, 2015 10:49am

This topic is archived. No further replies will be accepted.
