Group Flow from FIM to AD

Hello,

Since the information normally flows from AD to FIM, I want to change the flow for Group Management so that the flow is from FIM to AD. So FIM would be in charge of adding and removing users from certain groups. When I did the switch, some users that had their Primary Group set in AD had that group removed by FIM from the "Member of" list for that user after the switch, and FIM assigned Domain Users (513) as their Primary Group. I had to go back and fix their Primary Groups. Is there a way to prevent that from happening?

Or is there a Synchronization Rule I can write with a "Custom Expression" for Inbound/Outbound?

Thanks

May 21st, 2015 11:08am

In order for FIM to manage groups in AD, you need:

All users and groups in scope need to be present in FIM. If users were removed, that is most likely because they are not in FIM, or are not members of those groups in FIM.

May 21st, 2015 11:11am

The users were in FIM. For example, user A was a member of Group X in both FIM and AD, but in FIM user A had "Domain Users" assigned as their primary group; then I changed their Primary Group to Group X, and this was before the switch. So after the switch, FIM removed Group X from user A's list of groups they are a member of, and then re-assigned "Domain Users" as their Primary Group.

What FIM did was: before the switch, whichever user did not have "Domain Users" as their primary group and had a different group set as their primary group, after the switch, FIM removed that "different" group from that user's list and re-assigned "Domain Users" as their Primary Group in FIM. But in AD the user has the same primary group.

May 21st, 2015 11:22am

I am sorry, but I don't understand your problem. First off, what does Primary Group mean? Change primary group where?

Is the membership in FIM manual, or criteria based? If you look in FIM, is the right user in the right groups?

I believe you ought to hire a professional on this, as I am awfully sorry to say that you are missing the basics of FIM. 

May 21st, 2015 11:27am

It is mandatory that groups and all their members (users and groups) are in FIM to be able to manage them; otherwise FIM will remove them from the members list.
May 23rd, 2015 1:16am

Venkatesh,

How is that different from my response?!

May 23rd, 2015 8:19am

All users are in FIM. My problem is, I want to be able to control Group Membership of Security Groups in FIM and not AD. I currently add users into groups on the AD side, but I want to control it through FIM, and have the information flow over to AD.


June 1st, 2015 11:52am

You are saying the same thing, but don't understand the dynamics.

First off, this statement of yours is not correct: "Since the information normally flows from AD to FIM".

1. You have all users and groups in FIM and AD and they are joined in the FIM Metaverse.

     - AD MA imports users and groups to the FIM Metaverse and then to the FIM Portal

2. Somehow (manually or dynamically) you add/remove users to groups in FIM (manage groups in FIM)

3. You export the membership to AD (manage groups in AD)

     - AD MA exports users and groups to AD.

Now that the semantics are clear, what is the issue? Which step is not working?

June 1st, 2015 11:59am

OK so the first image is AD, and this user's primary group is circled in blue. Now once the membership is being exported to AD from FIM, FIM removed that group from this user's list (second image). So FIM removed the user from that group on the FIM side, but the user is still there on the AD side. Why is that?

  • Edited by amreenai 13 hours 15 minutes ago: removed images for privacy concern
June 1st, 2015 12:28pm

1. FIM does not care about primary or anything else. It simply adds or removes members. Primary is an AD function.

2. Is user in FIM?

3. Is AD user joined to FIM?

4. Is the group in FIM manual or dynamic? If dynamic, what is the criteria of that group in FIM?

HOU-Network Admins is not present in FIM, and FIM does not know about it.

June 1st, 2015 12:37pm

1. For the user removed from the group in AD, it seems to me that the environment is set up such that FIM has authority and you are adding the user in AD directly. FIM will override it.

2. For HOU-Network Admins, this is a group managed in AD and it is not exported to FIM.

June 1st, 2015 12:42pm

Yes, the AD user is in both FIM and AD. And the AD user is joined to FIM, so whatever information was on this user in AD is flowing to FIM. And now the flow is changed so FIM controls everything.

The HOU-Network Admins group is in FIM, however it is set to manual.

I just don't understand how this user is a member of every other group they are listed for, but not that particular group which is assigned as their Primary Group.

FIM does recognize that HOU-Network Admins is this user's Primary Group. In FIM and AD I have the attribute "Primary Group ID"; as you can see in the attached image, when you go to "Extended Attributes" on the user in FIM, the ID listed is actually the Primary Group ID for HOU-Network Admins. It just doesn't recognize it in the "Group Membership" tab.

  • Edited by amreenai 13 hours 14 minutes ago
June 1st, 2015 12:47pm

It seems to me that you were handed this environment but,

1. You don't understand the basics of FIM, and it is hard to explain to you.

2. You don't understand how it was set up and what the requirements were. It seems to me that a lot of customizations were configured in this environment.

Whatever you are showing me, as primary group ID, means nothing and will not enforce anything. 

If you say that HOU-Network Admins is manual, it means just that. You have to manually add the user to it in FIM and then you will see it in AD, provided the rest is implemented properly.

You need to understand group management in FIM.  Here you have user1 and groupA and groupB.  User1 is member of GroupA in FIM, so it is also in AD.  User1 is not member of GroupB in FIM, therefore it is not in AD.

June 1st, 2015 1:08pm

I understand, I truly appreciate your feedback, but I hope to work around this situation somehow!
June 1st, 2015 1:23pm



I'm sorry but I have yet to see the issue. I explained to you why things are the way they are. Now if you wish to change that, tell me what you need and I can try to explain how to accomplish that. But you have to know what you want and, with all due respect, you need to learn the basics.
June 1st, 2015 8:30pm

I do understand the basics. I don't think you're understanding my problem. I want to control Group Management by: information coming from FIM, going to the Metaverse, then to AD. I don't want AD to control group management. In AD there are Primary Groups assigned to the users; some people have Domain Users, some have other groups. I want FIM to be able to recognize those Primary Groups. AD is not removing any user from groups, only FIM is. My problem is I want FIM to recognize Primary Groups as membership of a group. If User A's primary group is Domain Admins, then if you look up Domain Admins under FIM, User A will not be there. In a way FIM ignores the primary group attribute. So for the previous example, if FIM takes control of the group membership it will try to tell AD, "these are the group members and they do not include User A." This in turn generates an error because AD tries to remove User A from Domain Admins.
June 2nd, 2015 9:32am

The attribute for primary group in AD is primaryGroupID.

In your case you need to add an export of primaryGroupID from FIM Portal --> MV and MV --> AD MA.

This is a user attribute, so add it on the user object. Find the name of the system attribute for primary group in the Portal (since this is a custom attribute and I don't know what you have named it) and map it to the Metaverse (also a custom attribute, most likely) and then to AD --> primaryGroupID.

But be aware: this will not ensure the user is a member of the group. Be sure to cover that part first.

June 2nd, 2015 10:08am

I have the attribute primaryGroupID in both AD and FIM; currently the flow is: ADMA primaryGroupID -> MV -> FIMMA. Both FIM and AD have the attribute primaryGroupID. It is applied to the user. Before allowing FIM to manage Group Membership, I want all the AD users and the groups they belong to to sync over to FIM; I don't want to manually go and add everyone in FIM that belongs to certain groups in AD. I want everything and everyone to sync over automatically. FIM does that for a couple of groups but not all, especially for those users that don't have Domain Users as their primary group. I think the way Microsoft designed this product is very complicated, and Microsoft itself doesn't provide help or consulting for this product since it's so new.
June 2nd, 2015 11:29am

1. The product is not new. It has been around since 2003 as MIIS, then ILM 2007, and FIM 2010 for the last 5 years. FIM added the built-in group management.

2. Now, the attributes you show me are coming from AD to FIM; you want those arrows reversed, so FIM has the authority.

3. For the groups not managed in FIM, you need to define the business requirements for them and translate them into criteria. You make the groups dynamic (based on the criteria) and then FIM manages all groups.

4. Remember, FIM does what it was asked to do. You need to tell it to do otherwise if current methods are not working for you.

June 2nd, 2015 11:35am

If I reverse the arrows, FIM has authority over assigning the Primary Group. Now the problem with that is, the person that does the assigning of groups will need to know the primaryGroupID, i.e. 1234 for Group A or 5678 for Group B. The person assigning the primary groups in FIM wouldn't know the primaryGroupID off the top of their head. So it is best for AD to assign Primary Groups, since the name will be there. But I haven't tried reversing the arrows for primaryGroupID; I will try that and see if it does anything close to what I want it to do.
June 2nd, 2015 11:45am
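Two points in the thread pull in the same direction: Nosh's note that exporting primaryGroupID does not by itself make the user a member of the group, and the objection just above that a bare RID such as 1234 means nothing to the person assigning groups. The script below is an added example for this thread, not code from the original posts and not part of FIM. It inventories the users whose primary group is anything other than Domain Users (RID 513), resolves each RID to a group name by appending it to the domain SID, and reports whether the user also appears in that group's member attribute. AD records primary-group membership only through the user's primaryGroupID and normally not in the group's member attribute, so a membership import that reads member will not see it; running this report before reversing the flow shows which memberships would otherwise disappear. It assumes the ActiveDirectory RSAT module and read access to the domain, and it changes nothing.

```powershell
# Added example, not from the thread or from FIM: report users whose primary
# group is not Domain Users (RID 513) and whether that group's "member"
# attribute also lists them. Assumes the ActiveDirectory module (RSAT) and
# read access to the domain; nothing is modified.
Import-Module ActiveDirectory

# Every domain-local RID becomes a full SID by appending it to the domain SID.
$domainSid = (Get-ADDomain).DomainSID.Value

# Users whose primary group RID is anything other than 513 (Domain Users).
$users = Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID, memberOf

$report = foreach ($user in $users) {
    $groupSid = "{0}-{1}" -f $domainSid, $user.primaryGroupID

    try {
        # Resolve the RID to a readable group name; the SID is a valid Identity.
        $group = Get-ADGroup -Identity $groupSid -Properties member -ErrorAction Stop
    } catch {
        # A RID with no matching group means a stale or foreign primaryGroupID.
        Write-Warning ("{0}: no group found for primaryGroupID {1}" -f $user.SamAccountName, $user.primaryGroupID)
        continue
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PrimaryGroupRID = $user.primaryGroupID
        PrimaryGroup    = $group.SamAccountName
        # Primary-group membership is normally absent from "member", which is
        # exactly what a sync that reads "member" cannot see.
        ListedInMember  = [bool]($group.member -contains $user.DistinguishedName)
        OtherGroupCount = @($user.memberOf).Count
    }
}

$report | Sort-Object PrimaryGroup, User | Format-Table -AutoSize

# Keep a copy for review before changing any attribute flow.
$report | Export-Csv -Path .\primary-group-report.csv -NoTypeInformation
```

Run it on a domain-joined workstation with RSAT installed. Rows where ListedInMember is False are the users the thread is about: their primary group is real in AD but invisible to anything that derives membership from the group's member attribute, so those memberships need to exist in FIM (manually or by criteria, as Nosh describes) before FIM is given authority over the group.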

That is your business decision, but I thought that was what you wanted.

Now this is more than I usually offer free of charge. If you need a FIM Consultant to help you with this, let me know.

Best,
Nosh

June 2nd, 2015 11:47am

