Make a member of the group
Hi,
I am successfully provisioning users in AD via FIM; however, I need to add the user to a specific group. By default all newly provisioned users are members of Domain Users, and now I want to add them to another group, say "FIMGROUP".
Your help will be appreciated.
Regards
September 9th, 2015 7:19pm
You need to create the group in FIM as dynamic group and under criteria provide the rule. See here for details. https://technet.microsoft.com/en-us/library/Ee534903(v=WS.10).aspx
September 9th, 2015 9:32pm
Thanks Nosh. Sorry if I am not correct; however, I already have groups created in AD and I want that whenever a new user is provisioned in AD via FIM, it will also become a member of the group in AD.
September 9th, 2015 10:16pm
Correct. That is exactly what you are doing if you follow the link I sent. In order for a user to be added to a group in AD via FIM, you need to implement the group management in FIM and then synchronize it with AD. If you have a group in AD, create one in FIM with the same name and follow the previous link I sent you.
September 9th, 2015 10:27pm
I am only synchronising the users, not groups, so does it mean that I need to sync groups as well? If yes, then is there any other way to do that, as I really don't want to sync groups. Please also advise whether, if I create a group with the same name, it won't conflict with the existing one.
September 9th, 2015 10:49pm
Hello,
One thing you should decide before implementing group management is:
1. Do you want to put the user in that group once on provisioning, with the group later managed manually in AD or elsewhere?
or
2. Do you want to let FIM manage the group the whole time, with no manual management of that group?
In the first option you need to create your own custom activity or use a generic one like PowerShell to put users in that group once on provisioning.
When the second option is what you want, implement group management with dynamic groups in FIM.
There will be no conflict, as you can join the AD group with the group in FIM.
After that FIM will manage the group membership of users in that group.
/Peter
September 10th, 2015 2:48am
You can run PowerShell or write code in the AD MA to add the user to a group.
September 10th, 2015 7:23am
I have the same need. I am synchronizing specific containers from my "primary" AD to many remote forests where these user accounts will be created, and they then need to be added to the remote forest's "Domain Admins" group.
I am using an outbound synchronization rule to provision the user accounts and sync passwords. I am competent with PowerShell but have not found in any documentation how I can add a script to post-process the provisioned user account and pass it to Add-AdGroupMember "Domain Admins" -Members $User
Thanks, Stu
September 10th, 2015 11:44am
I am not sure why anyone would not want to use an out-of-the-box function in FIM, called group management, since you are already paying CALs for it.
But if you don't want to, you can simply write a PowerShell script and call it from the AD MA import flow.
September 10th, 2015 12:25pm
Our scenario is not typical. We are a Managed Service Provider and will be using FIM to push individual System Engineering accounts into over 60 forests. We don't want to pull any information from our customer environments into FIM. Later we may convert to the new Privileged Account model with Windows Server 2016 and FIM.
Where can I learn how to call PowerShell from the AD MA import flow?
Stu
September 10th, 2015 12:43pm
Sometimes there is a need for putting users in a group only once on initial flow, and after that managing that group membership manually.
Besides FIM group management, I also implemented such a scenario.
But you should keep some things in mind:
This initial add of the user to the AD group should only be done if the user is "really" created in AD, not just provisioned.
I ended up starting a workflow with a PowerShell activity whenever objectSID is modified, which normally occurs only once, when the object is created.
(OK, it can also happen on migrations, but then you have other problems too with your IDM system ;-) )
A better way may be to use Expected State Detection (DREs):
https://technet.microsoft.com/en-us/library/ff608269%28WS.10%29.aspx
But the first one works for me.
/Peter
September 10th, 2015 12:48pm
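An added example of the one-time add Peter describes, written for this thread and not taken from Peter's post or from FIM itself: a PowerShell script that a workflow PowerShell activity could run when objectSID appears. It only acts once the object is resolvable in AD by that SID, and is safe to re-run. The parameter names, the log path and how the SID is passed in are assumptions; FIMGROUP is the group from the original question.

```powershell
# Added example (not Peter's or FIM's own code): one-time "add on provisioning" step
# that refuses to act unless the user object really exists in AD, and is safe to re-run.
param(
    [Parameter(Mandatory)] [string] $ObjectSid,       # assumed: handed in by the PowerShell activity
    [string] $GroupName = 'FIMGROUP',                 # group name from the original question
    [string] $LogPath   = 'C:\FIM\Logs\GroupAdd.log'  # constructed log path
)
Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string] $Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

# 1. An objectSID exists only once the account is really created in AD, not merely
#    provisioned in the connector space, so resolve the user by SID rather than by name.
$user = Get-ADUser -Identity $ObjectSid -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Log "SKIP: no AD object with SID $ObjectSid yet (not created in AD)"
    return
}

$group = Get-ADGroup -Identity $GroupName -Properties Member -ErrorAction Stop

# 2. Idempotent: a re-fired workflow (migration, re-sync) must neither error nor duplicate.
if ($group.Member -contains $user.DistinguishedName) {
    Write-Log "SKIP: $($user.SamAccountName) already a member of $GroupName"
    return
}

# 3. The one-time add only; membership is managed manually afterwards (Peter's option 1).
Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
Write-Log "ADD: $($user.SamAccountName) -> $GroupName (objectSID $ObjectSid)"
```

The log line gives you an audit trail of every membership change the workflow made, which matters when the target is a privileged group.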
Peter,
I'm a newbie to FIM and the documentation certainly makes it a challenge. Where can I find more about the approach you mention: "I ended up in starting a Workflow with a PowerShell activity whenever objectSID is modified, which normally occurs only once when object is created."
I have created the initial workflows (Add AD User & Remove AD User) for the sync, but have not seen how I would call PowerShell from one. I assume from "Activities" somehow.
-Stu
September 10th, 2015 1:00pm
I don't understand this. If users are not in FIM, you cannot manage them. Period.
Where can I learn how to call PowerShell from the AD MA import flow?
1. First you need to learn about Management Agents. Basic FIM Classical Provisioning and Synchronization
Because you are doing this in Classical Rules Extension, it is the same as ILM
https://technet.microsoft.com/en-us/magazine/2009.07.ilm.aspx
To use code, you need an advanced flow rule. You need it to be inbound, to make sure the user exists before trying to add it to a group.
2. You need to know how to call PowerShell in C#. Here is a good example from Carol.
http://www.wapshere.com/missmiis/provisioning-bpos-powershell-commands-as-cs-objects
September 10th, 2015 1:03pm
I'm doing Declarative Provisioning, not classic. I have Rules, workflows and sets.
-Stu
September 10th, 2015 1:08pm
That means you have users in FIM, don't you? You can still do classical for the group portion.
September 10th, 2015 1:31pm
The only way to accomplish this task is to require a real Windows developer?
Looks like a big product weakness to me.
-Stu
September 10th, 2015 1:42pm
Not really, it is very little development.
In any case, how is it a product weakness when you have an out-of-the-box module? Because you don't want to use it?
September 10th, 2015 1:44pm
We're trying to keep this solution as simple as possible while ensuring the security of our customers. We don't accumulate customer PII in our systems.
If I do some type of inbound sync filter on only the "Domain Admins" group from each forest, will I be able to add/remove the user objects FIM owns and not remove the local account members in the Domain Admins group that FIM is unaware of?
September 10th, 2015 1:54pm
You sure can.
As Peter mentioned, there are 2 ways to add a user.
1. Add once, and never look at it again. If all you care about is adding the user once, you do this in the provisioning rule. FIM does not care who is there and who is not. Simply add this user as well.
2. Synchronize always. This is in the synchronization rule, where it constantly maintains the relationship between FIM and AD.
Of course there are other ways as well.
September 10th, 2015 1:59pm
Thanks. I will try the approach of syncing inbound the Domain Admins group and adding the new User to it.
September 10th, 2015 2:03pm
Nosh,
I have created 2 synchronization rules for Inbound \ Outbound for the "Domain Admins" group. I can see the Domain Admins group in the connector and the MV.
How do I add users to the Domain Admins group when my user is provisioned?
-Stu
September 10th, 2015 3:44pm
Make sure there is a relationship criteria sAMAccountName -> sAMAccountName
Create the group in the FIM portal called "Domain Admins" as criteria-based if you want users added automatically, or as manual if you want to add them manually. Here is a guide:
https://technet.microsoft.com/en-us/library/Ee534903(v=WS.10).aspx
In this setup, though, you are managing all users in FIM, so if a user is not in FIM, it will be removed.
September 10th, 2015 4:38pm
Guys,
Peter and I have explained this multiple times in this thread. Group management is basic FIM stuff. You really need to do some reading. The forum is not here to provide FIM training. The fact that you still don't get it is because you don't have the fundamentals of this product.
September 10th, 2015 7:45pm
Hello,
I have done it through FIM group management; however, I don't agree with Nosh, as I got the error "SYNC-RULE-FLOW-PROVISIONING-FAILED" if the group already exists in AD. When I go to the detail of the error I find "already exists in management agent "ADMA"".
Well, it's cool if you create the group in FIM and set the criteria.
JB
September 11th, 2015 2:54am
JB - Because you have not specified a proper relationship criteria to ensure the groups are joined in the Metaverse. You can always join this group manually in the MV, since it is one group only, a one-time deal.
I would suggest you all not take the FIM salespeople's comments at face value when they say "FIM is easy". It is not.
September 11th, 2015 10:49am