Thursday, February 16, 2012

adminCount is a killer

Once again, I bumped into the problem described here ( when scheduling export runs for the Active Directory Management Agent.

I decided once and for all to create a one-liner PowerShell command to help me with this problem with missing inherited permissions, adminCount and protected groups (read more about it in blog article referenced above). The right solution would of course be to create administrative account for the user that have this problem, but often times I'm unable to implement this organizational change as part of the project because it occurs extra task, such as new delegations in Active Directory and such.

So often the remedy is to reset the adminCount (through ADSI) and re-enable the inherited permissions using DSACLS for the objects (users) in question. So here is the PowerShell command to do just that -

([ADSISearcher] "adminCount=*").FindAll() | foreach {$User = [ADSI] $_.Path; $User.adminCount.Clear(); $User.SetInfo(); dsacls $User.distinguishedName /p:n}

At one customer, I've put this in the Run Profiles (or MARunScheduler pre-processing job) scheduled task to make sure that necessary permission are present before export from FIM is run against the Active Directory.

Hope this solves some frustration for some FIM admins out there.