Thursday, December 22, 2011

Tuesday, December 20, 2011

Loading pictures to Active Directory via FIM

I've recently noticed a few discussions (one thread is in the FIM 2010 forum) on how to get pictures loaded into FIM and maybe into Active Directory (AD); for a recent customer project I did a VERY quick Extensible Management Agent (ECMA) with an extension to load pictures from a file share and into to FIM.

I want to strees that this ECMA has not been extensively tested for production and is missing some error handling and good logging. But it is currently running a burn-in at customer site and seems to be working properly, so if it will help you go in the right direction - well, then it is all yours for inspiration.

The current version basically loads JPG files from a file share specified as a Config Parameter and turns the pictures into a Base64 string. The Extension then actually converts the string back to a byte array which can be directly exported to Active Directory thumbnailPhoto.

Remember that the general recommendation is to store pictures in Active Directory at a size of 96x96 pixels and a size of less than 10Kb; however, I have heard from Microsoft that the attribute thumbnailPhoto actually supports up to 100Kb size pictures, so you'd would have to check with the different applications for size and dimensions expectations, i.e. Outlook enjoys a 96x96 picture but other application may have other preferences and SharePoint generates three different size, 144x144, 96x96 and 32x32 pixels for use in different situations.

Get the compiled version and source code for both the XMA and the Extension here.


Tuesday, December 6, 2011


I, sometimes, miss the old MASequencer from the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0.

Recently, I missed it so much that I decided to rewrite it for use with FIM. It is actually able to load and work using the old MASequencer XML files (nice!?). It is currently in released for free as a limited version which is already running a some of my customers as well.

There is a commercial full-version of this available that has more features, including clearing of old run histories and customizable log filenames and more. Write me an email if you want more information on the commercial version which also comes with support and free feature requests.

You can find the manual and download here.

Friday, October 28, 2011

SharePoint Services 3.0 stops working after patch

A few of my customers have experienced problems with SharePoint Services 3.0 failing to connect to database after applying SharePoint security update in KB2493987 and KB2553018. Failing to load SharePoint results of course in loss of the ability to use the FIM 2010 portal.

Following this good guide helped them get back on their wings and they are soring happily again.

Thanks for the great guide.

Thursday, October 27, 2011

Hotfix rollup package (build 4.0.3594.2) for FIM 2010

Even though it has been out for a little week now, I thought I'd mention it - just in case you missed it. There are some very interesting fixes in this rollup hotfix, that you would want to take advantage of.

Read all about it and get it here.

Tuesday, October 4, 2011

Now a FIM 2010 MVP

I received a fantastic mail on a boring Saturday. Excerpts from mail read: "Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others."

I’m truly very humbled, honored and very happy to be awarded the 2011 MVP Award and proud to be part of this exclusive group of people. Thank you very much.

I'll do my best to keep contributing to my best effort.

Tuesday, September 27, 2011

Home Directory Management Agent

UPDATE: This MA is written in the now deprecated XMA framework. If you're using it, you may have to replace it with an update in the near future. Let me know if you're using it and if there is enough demand, I'll have a look into building a newer version in ECMA2.

I'm very pleased to announce that my (Home) Directory Management Agent has been released in initial version.

The Directory Management Agent is extensible management agent used to physically manage user’s home directories or other (create / move / remove) by calling customizable scripts for each operation and it will update home directory information on the Active Directory user object accordingly when scripts have executed succesfully. You'll be able to write the scripts in the scripting language of your desire (I prefer PowerShell).

This version is currently in final production testing at a few of my customers. You can find the downloadable here.

Please read through the documentation enclosed in the kit for guidance on how to install and configure. Also, there are sample scripts included. I would very much like to get some feedback if you test this out in your environment - and please help spread the word to those "in need".

Happy hunting... oh, and scripting...

Please let me know if you use it and what your experience is; any news, good or bad are very welcome.

The released version is as-is, however, you can contact me for details on support options if this is required for your setup.

Monday, September 26, 2011

FIM 2010 SQL Agents Jobs

Recently I've run into a few FIM 2010 installations where unfortunately there was paid no attention to the SQL Agent jobs that are created when FIM 2010 is installed.

Microsoft has put out a few good pointers with regards to these and it is well-worth while to read through these. You can find them here

The parts about temporal sets and group are very interesting and leads me my biggest wish for future versions on FIM. We do need customizable triggers that can be defined in the portal. These are needed for different tasks and it would be very nice to be able to move these away from SQL Stored Procedures and into the FIM Service instead. Especially, so that you don't have to convience your (or your customers) SQL DBA to have and maintain different schedules for these speciel FIM jobs.

Just some food for thought.

Monday, September 5, 2011

Formatting phone numbers

I just love regular expressions.

I'm currently doing a FIM 2010 project where I'm required to format phone numbers; stumbled on this great post by Steve Levithan on capturing and formatting phone numbers of various origin.

Thanks, Steve, for helping me on the way...

Wednesday, August 31, 2011

Annoying little feature got me...

As I was building some new customer FIM 2010 workflows for a customer, I ran into that little annoying feature called Blocked File Protection Control.

I had created my initial Workflow Activity Library for FIM and references the FIM binaries to get access to the FIM activities. As I build my project I received a compiler error saying "Compilation failed. Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information."; this had me for several hours.

It turned out that since I had copied the FIM binaries from the FIM server to the Windows 7 developer computer, the OS had detected these files as potential "harmful" (FIM 2010 harmful :-) ?) and blocked these files. The error message that I got from the compiler was very helpful, so it actually took me a few hours to realize what was going on. After unblocking the DLL's I was able to compile.

If you run into this problem, check if the DLL's are blocked; in Explorer, goto Properties on the file and check the general tab for the text "This file came from another computer and might be blocked to help protect this computer".

Monday, August 22, 2011

I love LINQ (even being a FIM guy)

Doing a FIM 2010 project for a customer, I had to crunch an LDIF file and convert some of the data in that file to a valid attribute-value pair file for use FIM 2010. I considered a lot of possibilities but ended up utilizing LINQ a lot throughout the code.

As an example I had to extract the parent department for a distinguished name coming from an X500 directory LDIF file. The distinguished name would be something like this -

cn=Willis Bruce, ou=TSX, ou=TS, ou=T, ou=MOX, l=Denmark, c=DK, o=customername, o=customer holding, cn=Main company

The parent department name is the second ou= element (in this case ou=TS) and to extract that I ended up using - what I think - is simple LINQ statement in a method on my user class -

        public void GetParentDepartment()
            string temp = this.dn.Split(',').Where(key => key.StartsWith("ou=")).Skip(1).FirstOrDefault();
            this.parentDepartment = (temp != null) ? temp.Replace("ou=", "").ToUpper() : null;

Hope this will help someelse crunching data. I know that I will definitely try to use LINQ whereever possible as its is pretty nice and very elegant for many tasks.

Monday, August 15, 2011

Refreshing the FIM portal

Carol Wapshere did a nice post on refreshing the FIM portal when you make changes to RCDC and such. I've taken this to heart and put together a small Powershell script to do the job.

You can use the script like this -

"AppPool name" | .\Recycle-IisAppPool.ps1

i.e. "Sharepoint - 80" | .\Recycle-IisAppPool.ps1

You could even send several AppPool names through the pipeline, i.e.

"SomeAppPool", "Another AppPool", "Sharepoint - 80" | .\Recycle-IisAppPool.ps1

Ooh, and the script; here it is (remember to save it with a .ps1 extension)

 $_ | % { Invoke-WMIMethod -Name Recycle -Namespace "root\MicrosoftIISv2" -Path "IIsApplicationPool.Name='W3SVC/AppPools/$_'" }

Thursday, August 11, 2011

The death of hierarchical IdM systems?

Here is an interesting article with non-technical (directly anyway) stuff; looking at how you traditionally approach Identity Management in organizations, there may just be a point in the statement that hierarchical systems for identities might work for an organization but cannot be translated to "The Cloud".

Think about it - I know I will...

Wednesday, August 10, 2011

Kerberos and FIM working together

Configuring Kerberos with FIM 2010 can be kind of tricky; however, a good guide and description (better than the installation guide or a good supplement) by Thomas Vuylsteke can be found here.

Tuesday, August 9, 2011

Granting the Replicating Directory Changes Permission

At a lot of my customers I run into the job of granting and documenting having granted the access right "Replicating Directory Changes" for the Active Directory Management Agent service account.

The necessary permissions are documented nicely by Microsoft in; however, I like scripting because it's repeatable and you're sure that its gets done the right way each time - and also, you can delegate the task of granting the permission to someone else, i.e. the customers directory administrator.

I know that most of this stuff is old news, but I just wanted to share the script that I use at my customers to grant the permission; hopefully this can be useful to others as well.

The syntax for running the script (from a PowerShell prompt as an account holding he appropriate permissions) is something like this if you wanted to grant the permission to the user called SVC-FIM-ADMA -
.\Grant-ReplicatingDirectoryChanges.ps1 -Account SVC-FIM-ADMA

Usually, though, I tend to recommend my customers to create a new domain security group and grant the permission to that group instead. And then just add the MA account that needs the permission to that group. Seems like a more sustainable approach, allowing you to delegating the permissions to another account without having to run the script again. If you want to use this approach, the script will work as well - just give the group name as a parameter instead of a username.
Enjoy and here’s the script (remember to save it as a .ps1 file)

# Grants necessary permissions for AD MA Service Account for
# FIM 2010 or ILM 2007 according to directions in
# article
# Please note that this script has only been tested on Windows Server 2008 R2
param (
# get domain environment information
$RootDse = [ADSI] "
$DefaultNamingContext = $RootDse.defaultNamingContext
$Domain = [ADSI] "
$DomainNetBIOSName = $Domain.Name.ToString().ToUpper()
$DomainFQDN = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# translate to SID (I like this due to it's uniqueness characterictics
$UserPrincipal = New-Object Security.Principal.NTAccount("$DomainNetBIOSName", "$Account")
$SID = $UserPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
DSACLS "$DefaultNamingContext" /G "$($SID):CA;Replicating Directory Changes";

Friday, August 5, 2011

Got a Twitter account

Join me on Twitter as well for smaller and quicker updates. You can catch me at @mrgranfeldt.

Hope to see you there.

Thursday, June 23, 2011

Powershell Management Agent for FIM 2010 released to public

UPDATED: September 11, 2012 - Old version has been replaced by the ECMA2 version. That can be found here

I've decided to release my Powershell Management Agent to the general public. You'll find all the binaries and documentation (see update).

For more information on the project, see my previous blog.

This project has been created in my sparetime, and I do not except to get paided for this kind of work; however if you find this Management Agent valuable and you use it commercially, please donate appropriate amount (suggested amount if used commercially is $250) to encourage further development and bugfixes.

Happy scripting and please let me know good and bad findings with this Management Agent.

Wednesday, June 8, 2011

FIM 2010 R2

If you're interested in FIM 2010 R2, Brjann Brekkan and Mark Wahl did a great overview presentation on it at TechEd in May 2011.

You can find it here.

Tuesday, May 31, 2011


Inceptio has teamed with Microsoft to offer a unique concept called 'FIM-in-a-Box. With the launch of Forefront Identity Manager 2010 last year, Microsoft became a serious suitor on the Identity Management market.

The concept of FIM-in-a-Box provides your business with the opportunity to get started with an Identity Management solution based on Microsoft Forefront Identity Manager 2010; you'll get a well-defined fundamental setup of the product at a very low fixed price and the setup is delivered within a fixed timeframe.

The solution provides you with automatic creation of users and groups and the possibility for Self Service Password Reset to all the users in your organization - an option that often proves to justify a purchase of the solution.

 Drop me a line at for more details and prices.

Thursday, May 12, 2011

Want to be on the "forefront"?

The product group released a RSS feed to alert you when new hotfixes has been released for Forefront Identity Manager 2010.

You can find the feed here - Forefront Identity Manager 2010 (FIM 2010) Hotfixes

This already went into my feed list.

Tuesday, April 12, 2011

The Granfeldt PowerShell Management Agent

UPDATE: September 11, 2012 - Find new version here

I'm pleased to announce that my PowerShell Management Agent has been released and is available upon request.

The Granfeldt PowerShell Management Agent is a diverse Management Agent (MA) that can be used for many different purposes. Basically, any task that can be done in PowerShell can be triggered through this MA, making it very flexible and a regular hybrid MA.

The MA is built using the Extensible Management Agent (ExMA) framework provided as part of the Forefront Identity Manager 2010 (FIM 2010) product. Upon request, a version can be made available Microsoft Identity Lifecycle Manager 2007 (ILM 2007).

The Management runs as an export-only Management Agent that allows for a PowerShell script to be run for each object that is provisioned to the Connector Space (CS) of the Management Agent. The name of the PowerShell script to be run must follow each object when it is provisioned in the attribute named ScriptFullPath. The script will run on add, modify and delete of objects in the CS.

By using traditional provisioning code or Synchronization Rules in FIM, you can provision new instances of objects for which to run scripts.

The following shows an example of a CS object being passed to the script –

Id: 464286ED-5F81-4A82-8172-EA1549AC0901
ScriptFullPath: C:\Scripts\Manage-HomeDirs.ps1
uid: User1
displayName: Test User1

When this object is exported to the script, the actual PowerShell script command line will be –

C:\Scripts\Manage-HomeDirs.ps1 –DN 464286ED-5F81-4A82-8172-EA1549AC0901 –Id 464286ED-5F81-4A82-8172-EA1549AC0901 –ObjectClass person –ModificationType Add –ChangedAttributes uid, displayName, homeFolderRoot –uid User1 –displayName “Test User1” –homeFolderRoot \\fs001\HomeFolder

If you'd like to receive a version of the code for testing purposes, please drop me an mail on; please let me know if you are using ILM 2007 or FIM 2010, so that I can get the correct version to you.

The MA is also available for purchase; please contact me for price and details.

Monday, February 28, 2011

Debug information in Management Agents and Workflows

When I write custom workflows or XMA's for ILM 2007 and FIM 2010, I like to include a lot of logging to enable customers to debug if something happens - and of course for debugging when I'm testing the code.

I usually use System.Diagnostics.Debug.WriteLine to write to the attached debugger, i.e. Mark Russinovich's DbgView or similar. The nice thing about System.Diagnostics.Debug.WriteLine is that the code will be ignored once you compile a Release build. However, recently a customer of mine would like to have this debug information stay in and be processed even in the Release build.

So how do you go about this without rewriting the logging code entirely?

Tadada, System.Diagnostics.Trace.WriteLine to the rescue. Using Trace.WriteLine instead of Debug.WriteLine make sure that the code is processed no matter the build type.

Friday, February 4, 2011

Lookup value in FIM 2010

This workflow is now part of the FIM 2010 Granfeldt Workflow Activity Library

UPDATE: Just updated this to support other target attribute types than strings. Get the latest version. Also, you can use my PowerShell script instead of GACUTIL to put assemblies in the cache.

I'm pleased to announce that my custom workflow for looking value in the FIM portal has now been tested and released for public use.

I find this workflow interesting because you often have to populate values on users based on some other attribute. This workflow has many interesting features, i.e. you could lookup a OU for the user based on the department and have the list of OU's be maintained in the FIM Portal it self - or as the example shows below, you could have a list of "pretty names" for your cost centers and populate the CostCenter attribute based on a CostCenterId flowed from i.e. the HR system.

Parameters are -

XPathFilter: The Lookup filter for getting the value, i.e. /Person[starts-with(AccountName, 'D')]; if your query returns more than one result, the value from the first result will be used
Attribute Name: The name of the attribute that you want to get the value from (for now only single-value attributes is supported (and tested); go ahead and try with multi values if you dare...
Destination: This is where you want to put the found/extracted value (workflow has been tested with target attributes of string and numbers).

You should note that the look up is done as the Built-in Synchronization Account (so make sure that that guy can read the objects in question (in the XPath filter) and the update of the target attribute is done as the requester, so again make sure that the correct permissions are present there. Future version may include options to specify context.

To add the workflow to the portal, you'll need this information about the Activity information configuration

Display name: Lookup Attribute Value
Activity Name: Inceptio.FIM.Activities.LookupAttributeValueActivity
Description: Using XPath query looks up value in FIM
Assembly Name: Inceptio.FIM.Activities, Version=, Culture=neutral, PublicKeyToken=fbba0d5fa1bd8867
Authentication, Action, Authorization: <anyone>
Type Name: Inceptio.FIM.Activities.WebUIs.LookupAttributeValueActivitySettingsPart

So how do I get the software? There are two .DLL's to put in your GAC and they can be downloaded here. Please let me know, if you have any problems with the workflow or any feature request.

Wednesday, February 2, 2011

FIM 2010 Rollup Hotfix package (build 4.0.3573.2).

The Forefront Identity Manager team has released a new rollup hotfix package (build 4.0.3573.2). The Knowledge Base article ( describes the changes.
Long awaited is the fix for the casing problem, which is included and most interesting is the asynchronous export option for the FIM MA to enable performance boost.

Looking forward to testing this rollup hotfix.

Also remember to check up these hotfixes, if you haven't done so already -

Monday, January 10, 2011

New hotfix from Microsoft (should also fix casing problem)

Last night a hotfix rollup package (build 4.0.3561.2)  for FIM 2010 was released. You'll need to go through PSS for now to get it, however, it should available in about a month from now to the general public.

This hotfix rollup package includes all the previous hotfixes that are described in the following Microsoft Knowledge Base (KB) article: 2272389  ( ) A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 2010

The great news is that this hotfix should include a fix for the casing problem, that I've blogged about earlier.

Find more information on the hotfix here.

Update: Sorry, if I've mislead anyone; word has it that the update will be published under this KB when it is released to public. But you should be able to get it now, if you contact Microsoft PSS.

Update: This rollup package does not include the fix for the casing problem. I've just tested this.
However, if you contact Microsoft PSS, you can get the fix from them. I waiting for my "fix" right now and will update as soon as I get to test it.

Tuesday, January 4, 2011

Casing problem in FIM

For a while (since RTM) there has been a casing issue in the FIM Portal, where changes only related to casing didn't get committed correctly. For more information about the problems, see this thread.

Now, word has it that a hotfix is in testing and will be released by the end of January 2011. Hopefully this time frame is correct - and looking forward to getting the fix.