Thursday, April 24, 2014

PowerShell MA and the FIM Service

I was working on a FIM2010 R2 project where the customer wanted to manage a bunch of DFS groups in the FIM Service / Portal.

However, all the groups (1,600+) would continue to start their life in Active Directory, created by some existing scripts. Therefore we wanted to bring all groups from Active Directory into the FIM Service just once, and from then on manage all attributes, including membership filters, from the FIM Service.

Due to precedence, we could not use the FIM MA to create the groups in the FIM Service, so we had to come up with another solution. Again, my PowerShell MA came to the rescue.

Here is how we did it -

  1. We created another standard Active Directory MA scoped to the few OUs that contained the groups in question. We set that MA to only import and project a new metaverse type (dfsGroup) and import a few attributes, such as sAMAccountName, displayName, description and such.
  2. We then created a PowerShell MA (PSMA) for use with the FIM Service. For this we used my PowerShell MA.
  3. We wrote provisioning code to provision all dfsGroup metaverse objects to the FIMService PSMA.
  4. We wrote fairly simple scripts to read / write the new dfsGroups to the FIM Service as normal FIM Service Group objects.
    1. The creation was merely to create a simple security group in the FIM Service. We utilized Craig Martin's great PowerShell modules for this.
Now we just set the schedules and watched the Synchronization Engine bring in the groups from AD, project them to the metaverse and have them be provisioned to our FIMService PS MA - where the export script elegantly created them in the FIM Service.
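To make step 4 concrete, here is an added example of what such a PSMA export script can look like; it is not the script from the download bundle. It assumes the object shape my PowerShell MA pipes into an export script (`[DN]`, `[Identifier]`, `ObjectModificationType`, `objectClass` plus the flowed attribute names), that Craig Martin's FimPowerShellModule provides `New-FimImportObject` and `Get-FimObjectID`, and that the FIMAutomation snap-in provides `Export-FIMConfig`. The `memberFilter` attribute, the owner account name and the domain name are placeholders you would replace with your own.

```powershell
# Added example (not the original project's script): PSMA export script that
# creates FIM Service security groups for dfsGroup objects provisioned to the MA.
# Assumptions: pipeline object properties follow the PowerShell MA contract
# ([DN], [Identifier], ObjectModificationType, objectClass + attributes);
# FimPowerShellModule (Craig Martin) and the FIMAutomation snap-in are installed.
param(
    [string]$Username,      # credentials handed over by the MA (optional)
    [string]$Password,
    [string]$ExportType     # 'Full' or 'Delta', set by the MA run profile
)

begin {
    Import-Module FimPowerShellModule -ErrorAction Stop
    if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) {
        Add-PSSnapin FIMAutomation
    }

    $fimUri   = 'http://localhost:5725'   # assumption: FIM Service on this box
    $domain   = 'CONTOSO'                 # placeholder NetBIOS domain of the groups
    $ownerAcc = 'svc-dfsgroups'           # placeholder account that owns the groups

    # Resolve the owner once; every group needs Owner/DisplayedOwner.
    $ownerId = Get-FimObjectID -ObjectType Person -AttributeName AccountName `
                               -AttributeValue $ownerAcc -Uri $fimUri

    # sAMAccountName may not contain these characters in AD; anything else is
    # rejected before it is embedded in an XPath lookup (no string injection).
    $badChars = '["/\\\[\]:;|=,+*?<>'']'

    function New-FimFilterXml([string]$xpath) {
        # Wrap an XPath expression in the Filter element FIM expects for
        # criteria-based groups.
        return '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
               'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
               'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
               'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
               $xpath + '</Filter>'
    }
}

process {
    $obj = $_

    # Only the initial creation is handled here; afterwards the standard FIM MA
    # owns the group (as described in the post). Other modifications are ignored.
    if ($obj.ObjectModificationType -ne 'Add') { return }

    $account = [string]$obj.sAMAccountName
    if ([string]::IsNullOrEmpty($account) -or $account -match $badChars) {
        Write-Warning "Skipping $($obj.'[DN]'): unusable sAMAccountName '$account'"
        return
    }

    # Idempotence: a re-run full export must not create a duplicate group.
    $existing = Export-FIMConfig -Uri $fimUri -OnlyBaseResources `
                                 -CustomConfig ("/Group[AccountName='{0}']" -f $account)
    if ($existing) {
        Write-Verbose "Group $account already exists in the FIM Service; skipping"
        return
    }

    # Assumption: the MA schema carries a 'memberFilter' attribute holding the
    # XPath for the criteria-based membership (e.g. /Person[Department='Sales']).
    $xpath = [string]$obj.memberFilter
    if ([string]::IsNullOrEmpty($xpath) -or -not $xpath.StartsWith('/Person')) {
        Write-Warning "Skipping $account: no usable membership filter"
        return
    }

    $changes = @{
        AccountName           = $account
        DisplayName           = [string]$obj.displayName
        Description           = [string]$obj.description
        Domain                = $domain
        Type                  = 'Security'
        Scope                 = 'Global'
        Owner                 = $ownerId
        DisplayedOwner        = $ownerId
        MembershipLocked      = $true     # members come only from the filter
        MembershipAddWorkflow = 'None'
        Filter                = New-FimFilterXml $xpath
    }

    New-FimImportObject -ObjectType Group -State Create -Changes $changes `
                        -Uri $fimUri -ApplyNow
    Write-Verbose "Created FIM Service group $account"
}
```

The script deliberately refuses to act on anything but an `Add`, checks the FIM Service for an existing group before creating one, and validates the account name and the filter before either is embedded in XPath, so a re-run export or an oddly named AD group cannot produce duplicates or malformed queries.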

On the next import from the standard FIM MA, the new groups would be projected to the metaverse as normal group objects, and the groups imported in the normal AD MA could now join - and boom, membership was now maintained using the filters applied when creating the groups using our FIMService PowerShell MA.

Sound interesting? Get the PowerShell MA here and the scripts here - oh, and don't forget to get the latest version of Craig's FIM PowerShell module (although I included the version we used in the download bundle). You may have to change a few lines in the PSMA scripts for logging and such, but beyond that they should be pretty much functional out-of-the-box.

As always, I'm interested to know if you find this useful.

Wednesday, April 23, 2014

Thoughts: FIM is now MIM

Today, Microsoft announced the new name for FIM2010 or Forefront Identity Manager vNext. Future versions of FIM2010 R2 will be known under the Microsoft brand, and so the next release will be known as Microsoft Identity Manager.

I cannot help giving this announcement some thought.

A published roadmap like this is reassuring for customers running FIM2010 today - and also for customers considering utilizing FIM2010 for their identity management needs. Their technology choice now proves sound, as Microsoft is continuing to invest in the product.

Also, the major investment areas mentioned in the article above give me confidence that Microsoft is going to take the product to a new level, where it makes sense to really put this tool into play in your infrastructure.

With the current version, I've already built some great solutions that really supported organizations' needs. If I read correctly between the lines, I have no doubt that I will be able to leverage all the new features in the next version with existing FIM2010 installations - and make these even better. And I'll have a lot of new stuff to help build great identity management solutions.

I'm really looking forward to more information on timelines for preview programs and the release schedule, which is to be published later this year.

Let's stay tuned...

Tuesday, March 18, 2014

New version of PowerShell Management Agent

I'm pleased to announce that I've released a new version of my PowerShell MA.

This new version now supports two sets of credentials (both optional): one set of credentials is passed to all the scripts (no change from earlier versions), while the other set of credentials is used as the security context under which all scripts are run. This presents you with some nice options for mixing and matching credentials to build scripts that run under the correct credentials.

Go and check out the new version here and download it here.

Also worth mentioning is that Microsoft released their version of a PowerShell Management Agent this week, so now you have the option to choose which one better suits your needs. You can check out Microsoft's PowerShell MA here.

I use my PowerShell MA a lot for all my engagements and I know a lot of installations are running my PowerShell MA, so I'm dedicated to keeping it alive. As always, I'm very open to suggestions for improving my PowerShell MA - and if you want to make a donation to help me help others, I would appreciate that very much.

I'm looking forward to hearing reactions and feedback from your experience with both versions.

Thank you.

Tuesday, March 11, 2014

The PowerShell MA generates another donation

It has been a while since I blogged due to a lot of FIM 2010 engagements and a lot going on in my personal life, such as selling my house, buying a new house and moving cross country. But I'm back.

As you may know, every year around Christmas, I like to make a donation to an organisation that helps people less fortunate. The amount donated varies from year to year, because it depends on the donations made to my software projects.

In 2013, I moved most of my software projects to CodePlex, and therefore these projects have not generated donations. However, my PowerShell Management Agent for FIM2010 is still hosted here on my blog and it is still hugely popular. In 2013, it generated approximately USD $250 in donations (perhaps you are one of the kind donors?) and I opted to double that amount in my company, Goverco.

This resulted in a donation of USD $500 to Dansk Folkehjælp, and that check, I hope, made Christmas just a little more enjoyable for some people less fortunate.

It is always a pleasure to help and I'm very grateful for any donations made through my blog. Every penny goes directly to helping others and I usually double the amount donated. My software is free, but I'd very much appreciate a donation, big or small (every penny counts), if you download and use my software.

Thank you.

Wednesday, December 18, 2013

Updated the FIM2010 R2 Codeless Provisioning Framework

Lately, I found myself using my old codeless provisioning framework more and more to simplify the different FIM2010 R2 installations that I'm involved in.

The reason always seems to be that I can create some very simple rules that react to basic data generated either in a data source or through simple workflows in the FIM Service. This keeps my FIM setup fairly simple and without a lot of Synchronization Rules (SRs). I typically only have a few approval workflows but a lot of data-manipulating workflows, which allows me to present very clean data to the Synchronization Engine and make use of my own codeless provisioning framework. Lately, a few of my customers have also taken a liking to this framework and find it very simple when adding additional MAs to their setup; they are now using it as a more flexible alternative to Scoped Synchronization Rules.

Anyways, enough ramblings - this blog entry was mostly to inform you that I released a new version of the FIM2010 R2 Codeless Provisioning Framework on CodePlex. I also updated the documentation to match the current release. One of the features that I really missed in the older version was the ability to do conditional renames, i.e. when a user's status changed to 'left' I wanted to move the user to a different OU without caring about provisioning. This is now possible with this release, as you can have one or more 'rename' rules that are conditional.

Check out the new release on CodePlex and let me know what you think.

Happy Holidays.