Monday, December 31, 2012

FIM MRE is now on CodePlex

I've decided to release my FIM Metaverse Rule Extension (http://blog.goverco.com/p/fim-provisioning-framework-fim-mre.html) on CodePlex.

Basically, this framework allows FIM administrators to do declarative provisioning without using Synchronization Rules. I often find this useful if you need to synchronize information on objects that don't go into the FIM Service/FIM Portal.

I'll be happy to hear more about your experience with this project and hope that you'll support it moving forward.

You can find the CodePlex site here.

Friday, December 21, 2012

Predica FIM Explorer

The guys over at Predica have made a nice tool for diving into the FIM Service and satisfying all your XPath cravings.

It looks like a tool that is nice to have in your repository.

Check it out here (http://blog.predica.pl/fimexplorer/) - oh, and merry Christmas...

Tuesday, December 18, 2012

Dump your Active Directory schema

Now and then I need to dump the current Active Directory schema or just do a little research in the schema.

Being a PowerShell junkie, I won't go to ADSIEDIT even though that might seem easier at first. I'd much rather have the entire list of attributes as objects for filtering and sorting. So, PowerShell to the rescue.

(New-Object adsisearcher ([adsi] "LDAP://CN=Schema,CN=Configuration,DC=fabrikam,DC=com", "(objectclass=attributeSchema)")).FindAll()

Give it a go the next time you're near a domain controller and have just enough permissions.
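Since the point of the one-liner is to get the attributes as objects for filtering and sorting, here is an added example (not from the original post) that runs the same schema search but turns each attributeSchema entry into an object, flags the confidential ones (bit 0x80 of searchFlags) and exports the lot to CSV. The forest root fabrikam.com is assumed, as in the one-liner above.

```powershell
# Added example, not code from the original post. Assumes the forest root DC=fabrikam,DC=com.
$schemaPath = "LDAP://CN=Schema,CN=Configuration,DC=fabrikam,DC=com"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]$schemaPath
$searcher.Filter     = "(objectClass=attributeSchema)"
$searcher.PageSize   = 1000   # the schema holds well over 1000 attributes; page the results
$searcher.PropertiesToLoad.AddRange([string[]]@(
    "lDAPDisplayName", "attributeSyntax", "isSingleValued", "searchFlags", "systemOnly"))

# Returns the first value of a property, or $null when the entry does not carry it
function Get-FirstValue($properties, [string]$name) {
    if ($properties.Contains($name) -and $properties[$name].Count -gt 0) { $properties[$name][0] } else { $null }
}

$attributes = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $flags = [int](Get-FirstValue $p "searchflags")   # $null becomes 0
    [pscustomobject]@{
        Name         = [string](Get-FirstValue $p "ldapdisplayname")
        Syntax       = [string](Get-FirstValue $p "attributesyntax")
        SingleValued = [bool](Get-FirstValue $p "issinglevalued")
        SystemOnly   = [bool](Get-FirstValue $p "systemonly")
        SearchFlags  = $flags
        # bit 7 (0x80) of searchFlags marks the attribute as confidential:
        # only principals with CONTROL_ACCESS on it can read its values
        Confidential = ($flags -band 0x80) -ne 0
    }
}

# Sorted dump for later research, plus a quick list of confidential attributes
$attributes | Sort-Object Name | Export-Csv -Path .\ad-schema-attributes.csv -NoTypeInformation
$attributes | Where-Object { $_.Confidential } | Select-Object Name, SearchFlags | Sort-Object Name
```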

Tuesday, November 27, 2012

Hoping for your help...

Christmas is approaching and this year I'm trying out something new...

All donations received at this blog will go uncut to the H.C. Andersen Children's Hospital in my hometown of Odense, Denmark. They do a really wonderful job with the children there and I'd like to support that work.

Therefore, if you're using either the MARunScheduler or the PowerShell Management Agent, please donate anything you can - even very small donations (a few dollars) will help the cause - and I'll make sure to include your name in the letter that will accompany the check for the hospital - no matter the amount.

Hoping for your support before Christmas / December 21st, 2012 - and thanks to all of you who have already donated.

Thank you so much...

Thursday, November 15, 2012

PowerShell Management Agent 4 released

I'm very happy to announce that version 4 of the Granfeldt PowerShell Management Agent is available for download.

This new version has support for deltas and can scale very nicely.

This Management Agent has proved to be a regular Swiss army knife for getting FIM to talk to systems that have no Management Agent. There have been reports from around the globe of people using this Management Agent for managing anything from Office 365 users, Lync users and Exchange mailboxes to DHCP scopes.

I'm very happy to see the 500+ downloads of the previous version here in 2012 and trust that this new version will also reach that number.

Support?
The popularity of this Management Agent also means that I do get a lot of support questions and kind requests for help in constructing the PowerShell scripts for use with this MA. I cannot accommodate everyone, so please do not be surprised if I don't answer your mail with support questions.

As a lot of people around the world are using this MA, I recommend that you direct your questions to the general FIM 2010 forum where a lot of skilled FIM guys and girls are ready to help. I'm also monitoring that forum and will try to answer questions from time to time.


Get the MA and help a good cause/charity in 2012
I'm currently trying to gather a small amount of donations for a good cause/charity here in 2012. So if you're using the PowerShell MA and download the new version, then please do consider making an appropriate donation. By the end of the year, I'll donate the amount collected to a children's hospital here in my hometown, Odense, Denmark - with appropriate credit to donors.

Finally, I want to thank Kent Nordström and Jason Taylor for their assistance in rooting out any obvious bugs for this release.

So now, go read all about it and get it here. And please help spread the word on Twitter and other appropriate media.

Wednesday, November 7, 2012

Hotfix rollup package (build 4.1.2548.0) available

A few days back Microsoft released another rollup hotfix for FIM 2010 R2. It includes some important fixes and in particular it should fix the error introduced in 4.1.2515.2, where the Microsoft.MetadirectoryServicesEx.dll assembly was changed but its version number wasn't.

Read more about it here (http://support.microsoft.com/?id=2750671)

Are you actually using Kerberos in your FIM setup?

When installing FIM 2010 R1/R2 it is recommended to use Kerberos throughout the installation; in fact some parts of FIM just won't work without it. But how do you actually verify that you're accessing and getting validated on your websites using Kerberos and not 'just' NTLM?

I want to point you in the direction of a nifty little tool that I always use to verify that I'm using Kerberos on, let's say, the FIM 2010 R2 Password Reset and Registration Portals.

Have a look at it on Michel Barneveld's blog for his Kerberos Authentication Tester and go check those websites/services of yours.

Monday, November 5, 2012

MARunScheduler 1.3.2.1 released

I've just released a new version of the MARunScheduler. This product is normally free and will be free again at the start of 2013.

However, for the rest of 2012 this new version can only be purchased. All revenue generated from purchases of the MARunScheduler will be donated to charities.

Hopefully, I'll be able to announce that the MARunScheduler has helped a charity by the end of the year.

You can read more about MARunScheduler here (http://blog.goverco.com/p/marunscheduler.html)

Please help spread the word...

Tuesday, October 23, 2012

Travelling a bit

I'm looking forward to a little bit of travelling these next days. I'm heading off to Reading, UK to visit Oxford Computer Group and attend their European Identity and Access Summit 2012 (http://www.oxfordcomputergroup.com/iasuk/iasuk-home).

It will be good to meet up with some peers and hopefully taste a wee bit of English beer.

Maybe I'll see you there?

Monday, October 15, 2012

Plans for the Home Directory Management Agent?

From download statistics (more than 150 downloads currently), I gather that my Home Directory Management Agent (MA) is very popular and I am very happy about that fact.

However, last week Microsoft announced that the XMA framework is deprecated.

The Home Directory MA is written in this now deprecated XMA framework. Unfortunately very few people write to me about their usage of the MA, so I'm unable to contact them directly about this fact. If you're using it, you will eventually have to replace it with an updated version, probably sometime in the near future.

Leave a comment on this blog entry to let me know, if you're using it - and if there is enough demand out there, I will definitely have a look into building a newer version in ECMA2.

Hope to hear from you.

Sunday, October 14, 2012

PS MA 4.0 testers

Release of the new version 4.0 of my PowerShell Management Agent (MA) is near. I would like to do some final testing and I'm looking for anyone who would like to try it out and give some feedback (and help eliminate any bugs) before I release it.

If you're interested, then leave a comment on this page or send me an email on soren@granfeldt.dk - and I'll get a pre-release version of the MA to you for testing purposes.

Thursday, October 11, 2012

XMA/ECMA1 is deprecated


Microsoft just announced on MSDN/TechNet (http://msdn.microsoft.com/en-us/library/ms698807(v=vs.100).aspx) that the FIM 2010 Connected Data Source Extensions, or XMA/ECMA1, is marked as a deprecated feature. This effectively means that any Extensible Management Agent built on this old framework will in the near future no longer be supported and would have to be replaced by a version built on the 'new' ECMA2 framework (http://msdn.microsoft.com/en-us/library/windows/desktop/hh859557(v=vs.100).aspx).

So if you have built a Management Agent on the old framework, you should rewrite it for ECMA2, and if it is one supplied to you by a vendor then you should contact the vendor to see whether or not a newer, supported version is available. And if your vendor does not have a version ready, you may need to push them for one.

So, in my opinion, you should actually start this work right now, as it could take a while to plan, test/build and introduce a new MA (maybe with missing or different features) into your FIM production environment to replace the deprecated XMAs. There is absolutely no need to wait, so take action today.

So far there are no indications of whether the possibility to run XMA/ECMA1 MAs will be removed completely from the product, so we'll have to see what Microsoft decides on in that regard.

Hey, I'm using your Home Directory MA - what should I do?
If you happen to be running my Home Directory Management Agent, you'll notice that it is written in the now deprecated XMA framework. If enough people report that they would like to see an ECMA2 version, I will definitely consider this. Otherwise, I recommend using my PowerShell MA as a replacement (more on this later).

So again, if you're running XMA's today, take action to get an ECMA2 version in production as soon as possible.

Wednesday, October 3, 2012

FIM2010 Lotus Domino Connector

If you're connecting to Lotus Domino with FIM 2010, you may want to take a look at the hotfix rollup (build 5.0.520.0) that is available for the Forefront Identity Manager 2010 Lotus Domino Connector.

I haven't had a chance to try it yet, but an important fix seems to be the ability to set the _MMS_CertDaysToExpire property to a value larger than 99 days. But go check it out for yourself.

Tuesday, October 2, 2012

KB2688078 gives ECMA's headaches

Let me make this clear from the start. This 'fix' is NOT supported by Microsoft.

I've seen a few people in the forum have this problem and have also run into this issue at a few of my customers. People are having trouble running ECMA2 Management Agents after applying this hotfix for FIM 2010 RTM. One of the threads dealing with this problem can be found here. There are numerous very good suggestions on how to fix this problem and all of them should be checked for sure as they may be the cause as well.

The first time I ran into this problem was late at night and there was no time to do extensive troubleshooting. However, today I ran into the same problem and, with good help from the customer representative, we found a remedy and a possible cause for the problem. Now, I'm pretty sure that this is NOT supported by Microsoft, but if you're in a tight spot and pressed for time (we needed to get a production system up and running) - well, then this may just help you.

The problem seems to appear because the file Microsoft.MetadirectoryServicesEx.dll is NOT updated when applying this patch (it sits under Bin\Assemblies). The reason for the lack of updating is probably that the new version has exactly the same version number as the existing file (if you're on patch level 4.0.3606.2). And then - even though it is a newer file - Windows Installer/MSI won't update it, because it has the same version number and MSI then assumes that it doesn't need updating.

The previous file has version number 4.0.1.0 and is dated Jan 28, 2012, whereas the new file also has version 4.0.1.0 but is dated Aug 3, 2012 - and they are different. As far as I know MSI will only use version numbers and not time stamps (like in the old days) when comparing (but do correct me if I'm wrong) and thus it will not update the file.



Effective result: no update takes place, leaving version differences between Microsoft.MetadirectoryServicesEx.dll and Microsoft.MetadirectoryServices.dll. And your XMA/ECMAs break due to this mismatch.

(Screenshots in the original post: file properties showing the 4.0.3606.2 version and the 4.0.3617.2 version.)


Now for the remedy. And I state again that this is NOT supported by Microsoft, but it helped me get back up and running with the production environment - and we're moving to FIM 2010 R2 shortly, so we're gonna just let the existing system sit for now and not fiddle around with it anymore.
  1. We stopped the FIM Synchronization Service
  2. We "unzipped" the file FIMSyncService_x64_KB2688078.msp and extracted the Microsoft.MetadirectoryServicesEx.dll file from one of the CAB files
  3. We copied the extracted file to the 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies' folder
And luckily, after restarting the FIM Synchronization Service, we were able to get our ECMAs running again.
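Before copying anything by hand, it is worth seeing the mismatch the post describes with your own eyes, and recording what was there before you touched it. This added check (not part of the original post) lists file version, assembly version, timestamp and SHA-256 hash for the two assemblies, and for an extracted copy if you pass one; the installation path is the default one quoted above.

```powershell
# Added check, not code from the original post. Assumes the default FIM 2010 installation path.
$assemblyDir = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies'

function Get-AssemblyFileInfo {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found: $file"; continue }
        $item = Get-Item -LiteralPath $file
        # hash the file without relying on Get-FileHash (PowerShell 4.0+), which an older FIM box may lack
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($item.FullName)
        try { $hash = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
        [pscustomobject]@{
            Name            = $item.Name
            FileVersion     = $item.VersionInfo.FileVersion                      # what MSI compares
            AssemblyVersion = [System.Reflection.AssemblyName]::GetAssemblyName($item.FullName).Version.ToString()
            LastWriteTime   = $item.LastWriteTime                                 # what MSI ignores
            Size            = $item.Length
            SHA256          = $hash
            Directory       = $item.DirectoryName
        }
    }
}

$installed = Get-AssemblyFileInfo -Path @(
    (Join-Path $assemblyDir 'Microsoft.MetadirectoryServices.dll'),
    (Join-Path $assemblyDir 'Microsoft.MetadirectoryServicesEx.dll'))
$installed | Format-Table Name, FileVersion, AssemblyVersion, LastWriteTime, Size -AutoSize

# The symptom from the post: the two assemblies no longer carry the same file version
$versions = $installed | Select-Object -ExpandProperty FileVersion -Unique
if (@($versions).Count -gt 1) {
    Write-Warning 'Microsoft.MetadirectoryServices.dll and Microsoft.MetadirectoryServicesEx.dll differ in file version - the mismatch described above.'
}

# Optional: compare against the copy extracted from the .msp (path is a placeholder you supply)
$extracted = 'C:\Temp\KB2688078\Microsoft.MetadirectoryServicesEx.dll'
if (Test-Path -LiteralPath $extracted) {
    $pair = Get-AssemblyFileInfo -Path (Join-Path $assemblyDir 'Microsoft.MetadirectoryServicesEx.dll'), $extracted
    $pair | Format-Table Name, FileVersion, LastWriteTime, Size, SHA256 -AutoSize
    if ($pair[0].SHA256 -eq $pair[1].SHA256) { 'Installed file is already identical to the extracted one.' }
}
```

Keep the output; if the copy is ever questioned, it shows exactly which file was replaced and what it was replaced with.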

Hope this helps anyone in a tight spot...

Monday, October 1, 2012

A FIM 2010 MVP again..!

Wow, I'm truly honored...

I just received the long awaited mail with the great subject 'Congratulations 2012 Microsoft MVP!'

An excerpt from the mail states: 'Dear Soren Granfeldt, Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Forefront Identity Manager technical communities during the past year.'

This is the second year in a row, and trust me - I'll do my best to continue to honor the award.

Thank you, Microsoft ... and those that supported me for this award.

Sunday, September 30, 2012

Easily save FIM Synchronization Service configuration

I like to save the configuration of the FIM Synchronization Service from time to time; whether it is before patching, to move the configuration to a test/production environment or for any other reason.

For that purpose, I've created a script that will help get the configuration exported quickly and easily. I do love PowerShell, so the script is of course written in PowerShell and makes use of some out-of-the-box CLI tools like svrexport.exe and maexport.exe (the paths for these utilities are hardcoded in the script, so you may want to change them if your installation doesn't use the default installation path for FIM Synchronization Service).

You can download the script here

The script does not export the encryption key, so remember to do that as needed.

Monday, September 24, 2012

Codeless provisioning with FIM?

So you want to do codeless provisioning with FIM? No problem, you just go ahead and use the built-in features of Synchronization Rules. However, if you don't want to use Synchronization Rules for whatever reason, you may want to take a look at FIM Metaverse Rules Extension (FIM.MRE).

It's basically a framework that I've been evolving over time (since MIIS/ILM) and have now decided to release for public use with FIM. Basically, it allows you to do provisioning in the FIM Synchronization Service without using Synchronization Rules (SRs). You could, of course, combine this framework with SRs and build a great synchronization solution with the two playing together side-by-side.

There is an initial version 1.0 of FIM.MRE out with documentation (you can find it here http://blog.goverco.com/p/fim-provisioning-framework-fim-mre.html). Documentation and code will evolve as I expand it for my upcoming FIM projects and I'll try to release in regular cycles. It is already being used at some of my customers and more will probably adopt it in the near future.



So, give it a go and let me know what you think. And please feel free to leave suggestions and comments on the page to encourage further development.

Sunday, September 23, 2012

Small update for MARunScheduler

It clearly does make a difference if you, like Jorge, support and comment.

He left a few suggestions for future versions of the MARunScheduler on the official page and that triggered me into adding one of his suggestions.

So now there is a small update to the MARunScheduler. The update (version 1.2.0.0) includes options to specify which weekdays a thread or an item should be active. Also, a little bug on Clear Run History was fixed.

And please, consider following Jorge's example and share your thoughts on the product. You can see more on how to support this product on the official page and get your copy of the latest version of MARunScheduler.

Sunday, September 16, 2012

The 'Microsoft Forefront Identity Manager 2010 R2 Handbook'


I was given the chance to read through the "Microsoft Forefront Identity Manager 2010 R2 Handbook" only when it was fresh out of the press.

And after many years of doing ILM/FIM projects, I must say that this book is a great reference for system administrators seeking a deep and highly technical knowledge of Forefront Identity Manager 2010 R2 and all its many facets.

Forefront Identity Manager 2010 R2 (or FIM) is a very big product. To truly master it, you have to have a solid amount of experience with infrastructure (not only Microsoft) and also understand the processes around the life cycle of users, groups and other objects in complex infrastructures and organizations.

When doing FIM implementations it is nice to "have something to hold on to" - a reference and maybe a starting point. And this book is just that. The title of the book, "Microsoft Forefront Identity Manager R2 Handbook", is spot on. Kent has written a book that you truly can use for the many different aspects of a FIM implementation - ranging from the installation process itself all the way to administering and maintaining the system in production. And it's a book that you can come back to for thoughts on "how to".

Reading through the book, you really get the feeling that it is thought through and based on many years of real life experience, and the troubleshooting section of the book proves just that. The book is comprehensive and covers all the features of the product, including Certificate Management, which you don't see covered in writing very often. This book does a really good job of showing good, practical examples of how to actually configure FIM with different systems, e.g. Exchange and Lync, and gives you an idea of how to crunch "strange" input data, something that you are very likely to run into in real FIM deployments.

All this is done in a way that you potentially (with a few modification, of course) could apply in a production environment.

The book feels well-structured and has a good flow. But you can also use it as a "goto"-guide for the different aspects of FIM. It is a must-have for those wanting to engage with FIM.

Don't get it only for the technical stuff but also for the vast real life knowledge that Kent has surely put into it.

This book can really support those that want "to get FIM".

Enjoy it!

FYI: You can get the book here.

Wednesday, September 12, 2012

Nifty little logging function for .NET code

This is not directly related to FIM 2010, but thought I'd share it anyway.

Whenever I write some code (workflows, Management Agents or such), I like to add a little logging. Usually I make sure that it can be switched on and off through a registry key.

In the log, it's nice if you can see just where in the code processing is taking place. Instead of hard coding function names, I use the little function below to get me a string of the current function names.


        // Needs "using System.Diagnostics;" at the top of the file for StackTrace.
        // Returns the chain of calling method names, outermost first, e.g. "Outer->Inner".
        public static string GetEntryPointName()
        {
            StackTrace trace = new StackTrace();
            string str = null;
            // Walk from the outermost frame of interest down to frame 2. Frame 0 is this
            // method and frame 1 its caller, so both are left out; FrameCount - 2 leaves out
            // the outermost frame (the thread/runtime entry point).
            for (int index = trace.FrameCount - 2; index >= 2; index--)
            {
                if (str != null)
                {
                    str += "->";
                }
                str += trace.GetFrame(index).GetMethod().Name;
            }
            return str;
        }

You'll need to include System.Diagnostics to use the StackTrace class. Note that in optimized (Release) builds the JIT compiler may inline small methods, so a frame can occasionally be missing from the chain.

Throughout my code, I now just put something similar to this -

Log(string.Format("{0}: {1}", GetEntryPointName(), logMessage));

The output in the logging is similar to this (this is a snippet from a log file for my PowerShell Management Agent) -


InvokeBeginImportWorker->OpenImportConnection->Log InvokeBeginImportWorker->OpenImportConnection: Enter
InvokeBeginImportWorker->OpenImportConnection Getting schema
InvokeBeginImportWorker->OpenImportConnection Type: user
InvokeBeginImportWorker->OpenImportConnection Anchor attribute: objectGuid
InvokeBeginImportWorker->OpenImportConnection Attribute: objectSid
InvokeBeginImportWorker->OpenImportConnection Attribute: homeDirectory
InvokeBeginImportWorker->OpenImportConnection Attribute: sAMAccountName
InvokeBeginImportWorker->OpenImportConnection Attribute: sn
InvokeBeginImportWorker->OpenImportConnection Attribute: givenName
InvokeBeginImportWorker->OpenImportConnection Attribute: objectGuid
InvokeBeginImportWorker->OpenImportConnection Attribute: displayName
InvokeBeginImportWorker->OpenImportConnection Got schema
InvokeBeginImportWorker->OpenImportConnection->InitializeConfigParameters->Log InvokeBeginImportWorker->OpenImportConnection->InitializeConfigParameters: Enter


Now, go log your pants off...

Thursday, September 6, 2012

New version of MARunScheduler

Along with the online version of the manual for MARunScheduler, I've also released a new version of the product.

This version includes new options for more granular scheduling. You can find the download in the last part of the manual, which can be found here.

Monday, September 3, 2012

Password Registration URL in FIM Portal

Recently, I've had a customer ask the question and I've also seen a few similar questions in the FIM 2010 forum.

How do I change the URL for the 'Register for password reset' link in the portal?


If you look at the default link in the FIM portal, it just says 'javascript:PwdRegister()', so changing it through the administrative settings in the portal doesn't seem to do the trick - although I have seen some clever javascript typed into the "Home Page Resources" under the "Administration" menu, where the default setting for "Register for password reset" was changed to javascript:void(window.open('http://servername:port/default.aspx'));

Though this might work, I'm not sure if this is actually supported; so I dug a little deeper to figure out exactly where the default 'javascript:PwdRegister()' gets its URL from.

It seems that it actually reads from the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal, where it reads the value 'RegistrationPortalUrl'. The proper way to change this would certainly be to go through the Setup program for FIM, but if you need to change this without going through the setup again, you could change this value in the registry. And you won't have to fiddle around with javascripting.

Please note that you need to do an IIS Reset after changing the value.

Thursday, August 30, 2012

The perfect username


In almost any FIM project, the discussion on username generation and format comes up. This is a discussion which of course has a lot of technical issues but also a lot of political issues. Often times, a process or algorithm for generating usernames is already in place and when we implement FIM, we need to stick to this.

I know that it’s a huge task to change usernames in big organizations and probably this won’t be a part of a FIM project; however, when the decision to implement a product like FIM has been made, I think it’s only fair to bring up the subject of usernames and maybe spend a little time reevaluating the current algorithm for generating username – and evaluate whether or not, it is still the right one for the organization?

Sometimes though, I’ve even been asked to come up with a suggestion or a new standard as part of the FIM project. This has actually happened throughout my latest projects and that made me think about my former colleague, Per Østergaard. He compiled some good points and thoughts on the subject – and he and I have had some good discussions on this on different occasions.

So, I thought, I’d share the thoughts and a suggestion for “the perfect username”.

Thoughts on the “problem”
Visiting lots of companies, I’ve seen a lot of different ways of naming users. Conventions for usernames could be things like –
  • Initials
  • Initials + “.” + Department
  • Department + Initials
  • First name + first character of last name
  • Numeric employee id
  • 3 letters (originating from user name) + 3 digits

All the above conventions have their specific advantages and disadvantages. Now, from a pure Windows perspective, it doesn’t really matter, since a user can simply be renamed as long as the name is unique. But Windows is not the only system in the world (or in most infrastructures) and this fact presents some challenges, e.g. –
  • You cannot rename a user in SAP. You have to delete the old user, losing auditing information, and create a new one
  • Other systems require a unique id forever
  • Renaming a user is a complex process, where home directory paths, profile directories, email addresses, mailboxes, Lotus Notes id files and such might or should be renamed as well
  • Some systems are limited in the number of characters you can use
  • Some systems are limited in the character set you can use.

The problem with renames can be solved by simply saying ‘no’ to such demands, but if your current username is based on a person’s name, there are likely to be some demands anyway that cannot be ignored, or perhaps legal matters will prevent the ‘no’: gender reassignment, divorces with bad consequences, conversion to another belief, witness protection programs and such.
Using pure digits as usernames, i.e. an employee number, could also prove problematic. It’s not easy to manage; it is hard to remember for occasional users, a number can easily be mistyped and employees might feel just like a number.

The ground rules for “the perfect username”
So, thinking about it, the ideal username convention should meet these demands –
  • Must not relate to the person’s name
  • Must not be a pure number
  • Parts of the id must be easy to remember
  • Must prevent unfortunate character sequences
  • Must never be subject to change
  • Must ‘never’ be reused (at least for several years depending on legal demands/policies)
  • Must be less than eight (8) characters
  • Must have sufficient value spread. The risk of a user picking/typing the wrong name can be minimized by randomizing some part of the name. If users are named U0001, U0002 etc., a mistake is much easier to make than if you are using U1782, U8232.
  • Naturally, the convention must have far more values than current users to avoid reuse.
  • Only the digits 0-9 and the letters A-Z are used, but the letters ‘I’ and ‘O’ are not used, avoiding confusion with the digits 1 and 0. The combinations below don’t exclude the letters ‘I’ and ‘O’, though.
None of the current standards I’ve met so far honors these demands.

Here’s the “perfect” username algorithm
The following suggested standard is probably not going to be widely accepted. So, you should regard this as a good starting point for a discussion and feel free to use it when the discussion on usernames emerges (and it will now and again).

The basic idea is to use a person’s birthday. The year is excluded to avoid problems with people not wanting to reveal their age. Using the birthday makes remembering that part of the username simple (for most people). We always use the 2-digit month representation (01 for January etc.) and also a 2-digit day representation (09 for the 9th). Two letters must never follow each other, to avoid problematic combinations.

These “rules” present some base combinations depending on the size of the organization –
  • Combination 1 – for smaller organizations
    • Random letter + month + day
    • Total combinations will be 8,784 (366 dates)
    • Maximum of 24 combinations per date
    • For good spread, expect only 10 users per date
    • Will give 3,660 potential usernames
    • A user will only have to remember one letter to remember their username
    • Examples: R1002, T1225
  • Combination 2 – for medium organizations
    • Random letter + month + day + random letter
    • Total combinations will be 210,816 (366 dates)
    • Maximum of 576 combinations per date
    • For good spread, expect only 200 users per date
    • Will give 73,200 potential usernames
    • A user will only have to remember two letters to remember their username
    • Examples: R1002T, T1225X
  • Combination 3 – large organizations
    • Random letter + month + random letter + day + random letter
    • Total combinations will be 5,059,584 (366 dates)
    • Maximum of 13,824 combinations per date
    • For good spread, expect only 4,000 users per date
    • Will give 1,464,000 potential usernames
    • A user will only have to remember three letters to remember their username
    • Examples: R10Q02T, T12A25X
So, in effect, a user will have a username that is partly random, partly well-known. It never needs to change or be reused – and it’s relatively short. The chance of mistyping a single character in R1002T and ‘hitting’ the wrong username is reduced a fair amount compared to an algorithm based on sequential IDs or initials.
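To make the three combinations concrete, here is an added PowerShell implementation (mine, not part of the original post or Per’s notes) that builds a username from a birthday, draws the letters from the 24-letter alphabet without I and O using a cryptographic random source, keeps letters from ever sitting next to each other, and rejects names that are already issued. The set of issued names and the birthday used at the end are constructed sample data.

```powershell
# Added example, not code from the original post. A-Z without I and O: 24 letters.
$Alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'

function New-RandomLetter {
    param([System.Security.Cryptography.RNGCryptoServiceProvider]$Rng)
    # Rejection sampling: 240 = 10 * 24, so bytes below 240 map evenly onto the 24 letters
    $buf = New-Object byte[] 1
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge 240)
    $Alphabet[$buf[0] % 24]
}

function New-BirthdayUsername {
    param(
        [Parameter(Mandatory = $true)][datetime]$Birthday,
        [ValidateSet(1, 2, 3)][int]$Combination = 2,
        # names already handed out; a name is only returned if it is not in this set
        [System.Collections.Generic.HashSet[string]]$Issued = (New-Object 'System.Collections.Generic.HashSet[string]'),
        [int]$MaxAttempts = 100
    )
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $month = $Birthday.ToString('MM')   # 01 for January, as the post requires
    $day   = $Birthday.ToString('dd')   # 09 for the 9th; the year is deliberately left out

    for ($attempt = 0; $attempt -lt $MaxAttempts; $attempt++) {
        # In every combination a letter is always separated from the next by digits,
        # so two letters never follow each other.
        $name = switch ($Combination) {
            1 { '{0}{1}{2}'       -f (New-RandomLetter $rng), $month, $day }                           # R1002
            2 { '{0}{1}{2}{3}'    -f (New-RandomLetter $rng), $month, $day, (New-RandomLetter $rng) }  # R1002T
            3 { '{0}{1}{2}{3}{4}' -f (New-RandomLetter $rng), $month, (New-RandomLetter $rng), $day, (New-RandomLetter $rng) }  # R10Q02T
        }
        # HashSet.Add returns $false when the name is already issued; a never-reused name
        # means the set must keep retired names too, for as long as policy requires
        if ($Issued.Add($name)) { return $name }
    }
    throw "No free username for $month$day after $MaxAttempts attempts: this date is saturated for combination $Combination (24/576/13824 per date)."
}

# Constructed sample: one name already in use, then a new user born on 2 October
$issued = New-Object 'System.Collections.Generic.HashSet[string]'
$issued.Add('R1002T') | Out-Null
New-BirthdayUsername -Birthday ([datetime]'1975-10-02') -Combination 2 -Issued $issued
```

In a FIM deployment the issued-name set would be the metaverse (or a dedicated table) rather than an in-memory HashSet, and the same never-reuse rule applies there.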

What do you think? Will it work? Thoughts, ideas and suggestions are most welcome. And let me know if you've implemented the suggestion above or a variation of it.

(some of the text above is directly copied from a former colleague of mine, Per Østergaard’s “thoughts” and writing. I took the liberty of adjusting a little bit for this blog)


Tuesday, August 28, 2012

A hotfix rollup package (build 4.1.2515.0) is available for Forefront Identity Manager 2010 R2

A hotfix rollup package (build 4.1.2515.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2.

I've yet to test it and gather experience on updating. You can find more information here - http://support.microsoft.com/?id=2734159 

Monday, August 27, 2012

Only the bare minimum, please..!

Once again, I find myself in a discussion of setting up the FIM Active Directory service accounts to only have the minimum permissions needed for the job.

I won this time (again) - and I'm now finding myself creating PowerShell scripts to make sure that the service account used for the FIM Active Directory MA only has exactly the permissions needed for it to be able to do its work.

I'm using DSACLS and PowerShell for the script/job. If you're not too familiar with either of the above, you can find very good inspiration in this blog by Paul Williams.

And remember "To script or NOT to script, that is a stupid question"; now go and restrict your service accounts in FIM..!

Monday, August 13, 2012

Is the Best Practice Analyzer for Forefront Identity Manager 2010 R2 enough? No.

You know it's been a good vacation when you miss out on some of the good news. I missed the fact the Best Practice Analyzer for Forefront Identity Manager 2010 R2 was released.

A lot of Microsoft's products have these kinds of tools these days and a lot of installations will benefit from it. However, having a tool like this does not mean that you can just lean back and trust the mechanics - you still have to apply common sense and take into account special environmental and infrastructure specifics.

So, if you had a good vacation like me and missed out too - then take a good look at it and check out whether it could do your installation good. Read more about it here.

Monday, July 2, 2012

Managing Office 365 users through FIM 2010

A customer of mine needed a Management Agent for handling their Office 365 users through FIM 2010 R2.

I decided to use my PowerShell Management Agent for the task. This seemed like the straightforward solution since managing users in the Office 365 setup is basically just a bunch of PowerShell cmdlets. You can get the Office 365 cmdlets here.

The solution very simply just operates on one boolean attribute (IsLicensed) and provisions / deprovisions based on this flag. I've used the FIM Portal to model the business rules through Set's and MPR's to set this flag on the users that should and shouldn't have an Office 365 account.
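To make the flag-driven logic concrete, here is an added example (not the downloadable scripts from this post) of reconciling Office 365 licensing from an IsLicensed boolean with the MSOnline cmdlets. The SKU id, usage location and the shape of the input objects are assumptions, the two input objects are constructed sample data, and Connect-MsolService is assumed to have been run already.

```powershell
# Added example, not the blog's own scripts. Reconciles Office 365 licensing from a
# boolean IsLicensed flag. SKU, usage location and input shape are assumptions;
# Connect-MsolService must already have been run in this session.
param(
    [string]$AccountSkuId  = 'fabrikam:ENTERPRISEPACK',
    [string]$UsageLocation = 'DK'
)

# Constructed sample input. In a real run each object comes from the MA export.
$desired = @(
    New-Object PSObject -Property @{ UserPrincipalName = 'alice@fabrikam.com'; DisplayName = 'Alice Andersen'; IsLicensed = $true  }
    New-Object PSObject -Property @{ UserPrincipalName = 'bob@fabrikam.com';   DisplayName = 'Bob Berg';       IsLicensed = $false }
)

foreach ($entry in $desired) {
    $upn  = $entry.UserPrincipalName
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    $hasLicense = [bool]($user -and ($user.Licenses | Where-Object { $_.AccountSkuId -eq $AccountSkuId }))

    if ($entry.IsLicensed) {
        if (-not $user) {
            # Provision: create and license in one call. New-MsolUser returns the generated
            # password in its output, so discard the object rather than letting it reach a log.
            $null = New-MsolUser -UserPrincipalName $upn -DisplayName $entry.DisplayName `
                        -UsageLocation $UsageLocation -LicenseAssignment $AccountSkuId -ForceChangePassword $true
            "Created and licensed $upn"
        }
        elseif (-not $hasLicense) {
            # A license cannot be assigned without a usage location.
            if (-not $user.UsageLocation) { Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation }
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId
            "Licensed $upn"
        }
        # else: already in the desired state; do nothing, so the script is safe to re-run.
    }
    elseif ($hasLicense) {
        # Deprovision: remove the license but keep the account, so flipping the flag back
        # does not create a second account, and so the mailbox follows the tenant's retention.
        Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $AccountSkuId
        "Unlicensed $upn"
    }
}
```

The point of checking the current state before every call is idempotence: an export run that is retried after a partial failure must not re-create or double-license anyone, and a deprovision driven by a boolean should be reversible without data loss, which is why the example removes the license instead of deleting the user.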

I have removed customer specific code from the scripts, but have decided to share the scripts with the community. Hopefully, you can use these combined with my PowerShell Management that is also available. For more information on how to use the scripts with the PowerShell Management Agent, please refer to the documentation for the Management Agent.

Any feedback is appreciated and please share findings, tips and tricks through comments on this blog entry, so that other may benefit from these as well.

You can get the scripts in the download section for the PowerShell MA and they are pretty much ready to use out-of-the-box, but please review and test them properly before putting into production.

See you in the cloud..!

Sunday, June 10, 2012

ECMA 2 PowerShell Management Agent 1.0 released

I'm pleased to announce that my PowerShell Management Agent (MA) has been released. This version is a completely rewritten Management Agent and is now built on the ECMA 2.0 framework that is included in FIM 2010 Update Rollup 2 and, of course, in FIM 2010 R2.

The PowerShell Management Agent is very flexible, allowing you to define your own schema (using a PowerShell script) and to run scripts for Full Imports and Exports. The download includes complete documentation, so I won't write more in this blog entry.

You can get the bits here.

Please note that I'm not able to offer free support for this, however, you can sign up for official support for this Management Agent if you do so wish. Please contact me for more details on a support agreement.

Friday, May 11, 2012

PowerShell Management Agent updated

A small bug was discovered in the PowerShell Management Agent (MA). The bug concerned type casting of attribute types other than strings. If you only flow string attribute values to the MA, you won't have noticed this issue.

However, the issue has been fixed and you should consider updating to the newest version.

You can read more about the PowerShell Management Agent here

Monday, April 30, 2012

Updated workflow for looking up values in FIM

Today, I again used my 'old' lookup workflow. But I had to make a minor adjustment (or improvement, as it may be) to make it support target attributes other than strings.

If you didn't know about the little helper workflow, have a look at my old post, which has a good explanation of it (and where you can download the bits as well).

I'm pretty sure that you'll find it a helpful tool.

Friday, April 20, 2012

Use Powershell to put your assemblies in the GAC

To use your own custom-built workflows in FIM 2010, you need to put the hosting assemblies in the Global Assembly Cache (GAC) on the server hosting the FIM Service.

Normally, you'd download the .NET Framework SDK and get hold of the Global Assembly Cache Tool (Gacutil.exe), which you certainly can use for the job of putting a DLL in the GAC. However, often the SDK is not installed on the FIM Server, and you may not even want to install it there.

PowerShell to the rescue. Since Gacutil.exe just drives the .NET Framework's own assembly cache API to get the job done, why not call the same functions from PowerShell and save the huge download and install? Note that, whichever tool you use, installing into the GAC requires local administrator rights and a strong-named assembly.

Just get this short script, which you can use instead of Gacutil.exe to put one or more assemblies in the cache without needing the .NET Framework SDK.

To learn how to use the script, just read the embedded help, which also contains examples. Type this command in a PowerShell prompt -

Get-Help .\Add-AssemblyToGlobalAssemblyCache.ps1 -Detailed
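Added here as an illustration of the technique (this is not the Add-AssemblyToGlobalAssemblyCache.ps1 from the download): the System.EnterpriseServices.Internal.Publish class exposes the same GAC install entry point, and a few checks around it stop you from installing something you didn't mean to. The paths are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not the blog's script. Installs strong-named assemblies into the GAC
# through the .NET Framework's own API and verifies the result. Paths are assumptions.
param([Parameter(Mandatory = $true)][string[]]$Path)

Add-Type -AssemblyName System.EnterpriseServices
$publisher = New-Object System.EnterpriseServices.Internal.Publish

foreach ($file in $Path) {
    $full = (Resolve-Path $file).ProviderPath
    $name = [System.Reflection.AssemblyName]::GetAssemblyName($full)

    # Only strong-named assemblies can live in the GAC; refuse anything without a public key token
    # instead of letting GacInstall fail quietly.
    $token = $name.GetPublicKeyToken()
    if (-not $token -or $token.Length -eq 0) {
        throw "$full is not strong-named and cannot be installed in the GAC"
    }

    # A strong name proves integrity, not origin. Warn when the file carries no valid
    # Authenticode signature, so a tampered drop from a share is at least noticed.
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$full has no valid Authenticode signature (status: $($sig.Status))"
    }

    $publisher.GacInstall($full)

    # GacInstall reports many failures only to the event log, so prove the assembly
    # now resolves from the GAC rather than trusting the call.
    $loaded = [System.Reflection.Assembly]::Load($name.FullName)
    if (-not $loaded.GlobalAssemblyCache) {
        throw "GacInstall did not install $($name.FullName); check the Application event log"
    }
    "Installed $($name.FullName) -> $($loaded.Location)"
}
```

The Location printed at the end shows which physical GAC the assembly landed in. That matters because the GAC you install into belongs to the CLR the PowerShell process is running on ($PSVersionTable.CLRVersion), and the FIM Service has to find the assembly in the GAC of the CLR it runs on.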

Happy scripting...

Tuesday, March 6, 2012

Be careful about FIM Update Rollup 2

Microsoft has discovered an issue with turning on the hidden "tabular functions" feature that is intended to improve query performance. This is the statement from the product team (from the forum) -

"FIM 2010 Update Rollup 2 (build 4.0.3606.2) contains a feature that is intended to improve Query performance in the case of certain complex queries. This “tabular functions” feature is turned off by default. The product team wanted to get experience among a controlled group of customers before announcing the feature for general use. However, we inadvertently included information about this feature in the original KB for Update Rollup 2 and have since removed it. However, we understand that information about how to turn on the feature is circulating among the FIM community. Once the feature is turned on it cannot be turned off.
The product team has discovered an issue in this feature that could return incorrect query results when the query includes at least two statements and the same attribute is referenced in the statements. For example:

/Person[(AccountName='A' and JobTitle='Developer') or (AccountName='B' and JobTitle='Accountant')]

Since it is likely that typical installations will use this query pattern we strongly advise customers NOT to turn on the Set Partition feature. We will update the community as we understand the issue more completely and have developed a recommendation for addressing it."

As you can see, it is strongly recommended NOT to turn on the Set Partition feature - and it cannot be disabled once activated.

You can and should follow the thread in the FIM Forum (including the excerpt) here.

Thursday, February 16, 2012

adminCount is a killer


Once again, I bumped into the problem described here (http://enterpriseadminanon.blogspot.com/2009/05/that-admincount-adminsdholder-and.html) when scheduling export runs for the Active Directory Management Agent.

I decided once and for all to create a PowerShell one-liner to help me with this problem of missing inherited permissions, adminCount and protected groups (read more about it in the blog article referenced above). The right solution would of course be to create separate administrative accounts for the users that have this problem, but often I'm unable to implement this organizational change as part of the project because it incurs extra tasks, such as new delegations in Active Directory and the like.

So often the remedy is to reset adminCount (through ADSI) and re-enable inherited permissions using DSACLS for the users in question. Here is the PowerShell command to do just that -

([ADSISearcher] "adminCount=*").FindAll() | foreach {$User = [ADSI] $_.Path; $User.adminCount.Clear(); $User.SetInfo(); dsacls $User.distinguishedName /p:n}

At one customer, I've put this in the Run Profiles (or MARunScheduler pre-processing job) scheduled task to make sure that the necessary permissions are present before the export from FIM runs against Active Directory.
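One thing to be aware of with the one-liner above is that adminCount=* matches every object SDProp has ever touched, including the accounts and groups that are still genuinely protected; their adminCount gets cleared and inheritance re-enabled until SDProp puts it back on its next pass (within an hour by default). The added script below (not the blog's one-liner) narrows the reset to user objects that still carry adminCount=1 but are no longer members, directly or through nesting, of any protected group, and runs as a dry run unless -Apply is given. The protected groups are resolved by well-known SID so localized group names don't matter; the domain is taken from RootDSE.

```powershell
# Added example, not the blog's one-liner. Clears orphaned adminCount and re-enables
# inheritance only on users no longer in a protected group. Dry run by default.
param([switch]$Apply)

$domainDN  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier(
                 ([ADSI]"LDAP://$domainDN").objectSid.Value, 0)).Value

# Groups AdminSDHolder protects: builtin (S-1-5-32-*) and domain-relative (RID) ones.
# Enterprise Admins (519) and Schema Admins (518) only exist in the forest root domain;
# in a child domain those two lookups simply return nothing.
$protectedSids = @('S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550','S-1-5-32-551','S-1-5-32-552') +
                 @(512,516,518,519,521 | ForEach-Object { "$domainSid-$_" })

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that are special inside an LDAP filter value (RFC 4515).
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

$protectedDNs = foreach ($sid in $protectedSids) {
    $hit = ([ADSISearcher]"(objectSid=$sid)").FindOne()
    if ($hit) { $hit.Properties['distinguishedname'][0] }
}

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership on the DC,
# so a user who is in a group that is in Domain Admins is still treated as protected.
# Membership via primaryGroupID is not in memberOf; the Administrator (RID 500) and krbtgt
# accounts are excluded explicitly for the same reason.
$notMember = ($protectedDNs | ForEach-Object {
    "(!(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $_)))" }) -join ''
$filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)" +
          "(!(objectSid=$domainSid-500))(!(sAMAccountName=krbtgt))$notMember)"

$searcher = [ADSISearcher]$filter
$searcher.PageSize = 500
foreach ($result in $searcher.FindAll()) {
    $user = [ADSI]$result.Path
    $dn   = [string]$user.distinguishedName
    if (-not $Apply) { "Would reset: $dn"; continue }

    $user.adminCount.Clear()   # remove the attribute entirely, as the one-liner does
    $user.SetInfo()
    & dsacls.exe $dn /p:n | Out-Null   # /p:n = do not protect from inheritance
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed for $dn (exit $LASTEXITCODE)" } else { "Reset: $dn" }
}
```

Run it without -Apply first and read the list; if a real administrator shows up there, that person is still an admin through a path the script cannot see (primary group, or a group outside the list), and the fix is a separate admin account, not a reset.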

Hope this solves some frustration for some FIM admins out there.

Tuesday, January 17, 2012

PowerShell Management Agent 2.0

I'm pleased to announce that version 2.0 of my (apparently popular) PowerShell Management Agent is released.

The old version only supported exports, but this new version also supports imports (Full Imports only), giving you the option to do a lot of data source interaction in pure PowerShell. You can read much more about the inner workings of the Management Agent in the documentation included in the download.

You can find the binaries and documentation here.

If you have feature requests or find bugs, please let me know.

The released version is as-is, however, you can contact me for details on support options if this is required for your setup.

Tuesday, January 3, 2012

Report of pending exports

A customer of mine recently requested a report of pending exports before they wanted to put FIM into actual production.

Now, it's pretty easy to just generate a log. On your Run Profile step, under Set Log File Options, just select 'Create a log file and stop run. Do not export to data source (test only)', as shown below.


However, the output log file is in XML format. In my opinion you can't present this to a customer, but it's a great format for further processing using PowerShell or similar. I chose to create a simple XSLT for formatting the output.


This is not the HTML report to rule them all, but it's a start and you can edit and change the HTML as you like.

For a simple transformation, use a web browser. Just edit the FIM export file using Notepad and put this line in as the second line to make the XML file refer to the XSLT file. Remember to change the filename in the href attribute if you have renamed the XSLT file.

<?xml-stylesheet type="text/xsl" href="ExportLog.xslt"?>

(The processing instruction is xml-stylesheet with a hyphen; IE also accepts the old xml:stylesheet spelling, but other browsers do not.)

A little note: if you're using IE9, it will not render XSLT by default, but you can use the F12 Developer Tools in IE9 to switch to IE9 Compatibility View or maybe even to IE8 mode - and then maybe, as I did for my customer, print to XPS to give to the customer.
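If you'd rather not depend on which browser mode happens to render XSLT, the transform can be run offline with the .NET XSLT engine straight from PowerShell. This is an added example, not the XSLT or scripts from this post; the file names are assumptions, and it works with whatever ExportLog.xslt you have, because the HTML layout still comes entirely from the stylesheet.

```powershell
# Added example, not the blog's XSLT. Applies a stylesheet to a FIM export log with
# XslCompiledTransform instead of a browser. File names are assumptions.
param(
    [string]$ExportLog  = '.\ExportLog.xml',
    [string]$Stylesheet = '.\ExportLog.xslt',
    [string]$Report     = '.\ExportLog.html'
)

$logPath    = (Resolve-Path $ExportLog).ProviderPath
$xsltPath   = (Resolve-Path $Stylesheet).ProviderPath
$reportPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Report)

# Neither a sync engine log nor a hand-written stylesheet has any business declaring a DTD
# or fetching external entities, so refuse both (ProhibitDtd is the .NET 3.5 name; the
# .NET 4 equivalent is DtdProcessing = Prohibit).
$readerSettings = New-Object System.Xml.XmlReaderSettings
$readerSettings.ProhibitDtd = $true
$readerSettings.XmlResolver = $null

# XsltSettings.Default disables document() and embedded script in the stylesheet, and a
# $null stylesheet resolver blocks xsl:import / xsl:include from pulling in other files.
$xslt = New-Object System.Xml.Xsl.XslCompiledTransform
$xsltReader = [System.Xml.XmlReader]::Create($xsltPath, $readerSettings)
try { $xslt.Load($xsltReader, [System.Xml.Xsl.XsltSettings]::Default, $null) } finally { $xsltReader.Close() }

# Let the stylesheet's own <xsl:output> settings (html, indent, encoding) drive the writer.
$logReader = [System.Xml.XmlReader]::Create($logPath, $readerSettings)
$writer    = [System.Xml.XmlWriter]::Create($reportPath, $xslt.OutputSettings)
try {
    $xslt.Transform($logReader, $writer)
}
finally {
    $writer.Close()
    $logReader.Close()
}

"Report written to $reportPath"
```

Besides removing the browser dependency, this leaves the export log untouched (no processing instruction to edit in) and produces a plain HTML file you can hand over or print to XPS from any machine.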