Wednesday, December 18, 2013

Updated the FIM2010 R2 Codeless Provisioning Framework

Lately, I found myself using my old codeless provisioning framework more and more to simplify the different FIM2010 R2 installations that I'm involved in.

The reason always seems to be that I can create some very simple rules that react to basic data generated either in the data source or through simple workflows in the FIM Service. This keeps my FIM setup fairly simple and without a lot of Synchronization Rules (SRs). I typically only have a few approval workflows but a lot of data-manipulating workflows, which allows me to present very clean data to the Synchronization Engine and make use of my own codeless provisioning framework. Lately, a few of my customers have also taken a liking to this framework, find it very simple when adding additional MAs to their setup, and are now using it as a more flexible alternative to Scoped Synchronization Rules.

Anyways, enough rambling - this blog entry was mostly to inform you that I released a new version of the FIM2010 R2 Codeless Provisioning Framework on CodePlex. I also updated the documentation to match the current release. One of the new features that I really missed in the older version was the ability to do conditional renames, e.g. when a user's status changed to 'left' I wanted to move the user to a different OU without caring about provisioning. This is now possible with this release, as you can have one or more conditional 'rename' rules.

Check out the new release on CodePlex and let me know what you think.

Happy Holidays.

Tuesday, November 19, 2013

MARunScheduler is now on CodePlex

I'm happy to announce that the MARunScheduler can now be found on CodePlex.

The MARunScheduler is a plug-in replacement for Microsoft's old MASequencer, which is used to automate the order in which management agent run profiles are run. MARunScheduler takes its input from an XML file that describes the management agents to be sequenced.

You can read more about the project and get it at


Wednesday, November 13, 2013

Can you trace the BHOLD Access Management Connector

Today I found myself playing with the BHOLD Access Management Connector for FIM 2010 R2. My earlier implementations have been without this connector so I haven't had much time to work with it.

I did, however, have some trouble getting my exports to go to BHOLD. I had followed the guide and done my provisioning properly (using my provisioning framework). Even so, I kept getting 'cd-error' errors on my exports. There was no information about the error to be found anywhere, so I decided to put on my gloves and accept the challenge.

I eventually found the problem by adding a new diagnostics listener for the BHOLD connector to miiserver.exe.config to be able to gather diagnostics from this Management Agent. I couldn't find any information on how to do this anywhere (probably just me), but after some serious peeking and poking around, I managed to construct a new source that worked -

<source name="Microsoft.AccessManagement.BHOLDConnector" switchValue="Verbose">
  <listeners>
    <remove name="Default" />
    <add name="BHOLDAMCEventLogListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\temp\BHOLD.log" />
  </listeners>
</source>

After adding this to the <sources> section under <system.diagnostics> and restarting the FIMSynchronizationService, I started getting traces in the BHOLD.LOG file in my C:\Temp folder.
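Editing miiserver.exe.config by hand is easy to get wrong (a malformed file stops the service from starting), so here is an added PowerShell script, not part of the original post, that inserts the trace source above into the config file after taking a backup, and does nothing if the source is already there. The default config path, the log location and the source name are assumptions taken from the post and a default FIM 2010 R2 installation; adjust them to your environment.

```powershell
# Added example (not from the original post): add the BHOLD trace source to
# miiserver.exe.config idempotently, after backing the file up first.
# ConfigPath, LogPath and SourceName are assumptions - adjust to your installation.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config',
    [string]$LogPath    = 'C:\Temp\BHOLD.log',
    [string]$SourceName = 'Microsoft.AccessManagement.BHOLDConnector'
)

# Always keep a copy of the service configuration before touching it
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup

[xml]$config = Get-Content -Path $ConfigPath -Raw

# Make sure <system.diagnostics><sources> exists under <configuration>
$diag = $config.configuration.'system.diagnostics'
if (-not $diag) {
    $diag = $config.configuration.AppendChild($config.CreateElement('system.diagnostics'))
}
$sources = $diag.SelectSingleNode('sources')
if (-not $sources) {
    $sources = $diag.AppendChild($config.CreateElement('sources'))
}

# Idempotent: leave the file alone if the source is already configured
if ($sources.SelectSingleNode("source[@name='$SourceName']")) {
    Write-Host "Trace source '$SourceName' already present; no change made."
    return
}

# Build <source name=... switchValue="Verbose"><listeners>...</listeners></source>
$source = $config.CreateElement('source')
$source.SetAttribute('name', $SourceName)
$source.SetAttribute('switchValue', 'Verbose')

$listeners = $source.AppendChild($config.CreateElement('listeners'))
$remove = $listeners.AppendChild($config.CreateElement('remove'))
$remove.SetAttribute('name', 'Default')
$add = $listeners.AppendChild($config.CreateElement('add'))
$add.SetAttribute('name', 'BHOLDAMCEventLogListener')
$add.SetAttribute('type', 'System.Diagnostics.TextWriterTraceListener')
$add.SetAttribute('initializeData', $LogPath)

[void]$sources.AppendChild($source)
$config.Save($ConfigPath)

Write-Host "Added trace source '$SourceName' to $ConfigPath (backup: $backup)."
Write-Host "Restart the FIM Synchronization Service for the change to take effect."
```

Run it elevated, since the Bin folder is normally writable only by administrators. A verbose trace of a connector can contain identity data and SQL statements, so keep the log file on a folder with restricted NTFS permissions and remove the source again (or drop the switchValue) once the troubleshooting is done.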

This trace log put me on the right track, as it showed a SQL exception for a user INSERT statement. It turned out that I didn't have an export flow to the bholdDescription attribute for the users I was pushing to BHOLD, and bholdDescription is apparently mandatory for users (I can't find any documentation to support this, though).

Behold, success! Once an export flow for displayName ==> bholdDescription was added, all my user adds went through smoothly.

Thursday, October 17, 2013

That was quick - new hotfix for FIM2010 R2

It didn't take long for a new FIM 2010 hotfix to appear. Microsoft just released a hotfix rollup package (build 4.1.3479.0) that fixes a few issues. You should check out the release notes to see if you're affected and need these fixes.

I'll leave the decision and reading up to you.

Tuesday, October 8, 2013

A hotfix rollup package (build 4.1.3469.0) is available for Forefront Identity Manager 2010 R2

Today, Microsoft released a new hotfix package for FIM 2010 R2. You can read all about it in KB2877254 (build 4.1.3469.0).

The thing to notice about this update is that most of the fixes are for the Synchronization Engine and the ECMA2 Connector Framework.

This leads me to conclude that Microsoft is betting on this framework to be the platform for connectors in FIM. I love the fact that the community and FIM customers really get a good chance to integrate tightly with the FIM Synchronization Engine and build solutions that exactly match their infrastructure and address their business needs for identity management.

Keep it up, Microsoft...

Monday, October 7, 2013

Quick tip on using the Lookup Value activity

In a current project, I'm using FIM 2010 to manage local administrator permissions (see more in this post).

I always turn to my trusted workflow library to speed up deployment, and this time I'm making heavy use of the Lookup Value activity. Below you can see a screenshot of a real-life workflow that makes use of this activity and is running in the FIM installation.

This workflow runs whenever the username (coming in as text from a CMDB) on a computer object is changed. It then does a lookup to find the ObjectID of the user whose account name matches the primary username specified on the computer object. Finally, it updates the attribute ComputerPrimaryUser (a reference attribute) with the reference ID of the user - effectively linking the computer to the user.

Subsequently, this reference attribute is synced all the way through to Active Directory and ends up in the member attribute of an Active Directory group that is used to give the user local administrator access on that specific computer. Also, I've changed the RCDC for user editing and viewing to list all linked computers.

Hopefully after finishing up this project, I'll update the CodePlex library with a few more generic workflows.

Tuesday, October 1, 2013

FIM MVP again

I guess that I must be doing something right.

Driving home from a FIM customer today, my phone suddenly pinged me with a new incoming mail with the title 'Congratulations 2013 Microsoft MVP!', and the body text started off like this -

'Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Forefront Identity Manager technical communities during the past year.'

This is my third year in a row as a Forefront Identity Manager 2010 MVP awardee and, needless to say, I'm very proud. I'll give my best once again this coming year to honor this award and look forward to continuing to support the community around the great product, FIM 2010, that I really enjoy working with every day.

Oh, but next year ... please, Microsoft, don't send me this mail when I'm driving - or you could lose a dedicated MVP :-)

Thank you.

Monday, September 30, 2013

Use FIM and Group Policies to manage Local Administrator permissions

A customer of mine had a requirement to create a domain group for each computer account in their domain. The purpose was very nice. They wanted a domain group to add to the local Administrators group of each workstation, so that their users could request membership of this group for a period of time, e.g. for installing software that required extra permissions or for managing a laptop that was taken on the road.

It was quite straightforward to import all computer accounts into FIM and use my codeless provisioning framework to create a rule that provisions a group to the AD MA for each computer account. Using the codeless framework, there was no need to have all computer accounts go to the FIM Service. We provisioned every computer group using the naming convention <computername>-LocalAdmin, afterwards brought the new groups into FIM using another MA, and configured appropriate approval workflows to allow users to request membership of the groups.

The provisioning rule created looked like this (you can read more about the provisioning rules here) -

      <Name>Provision local admin group to ad</Name>
      <TargetManagementAgentName>ad admin</TargetManagementAgentName>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description>Only if contact has samaccountname</Description>
        <ConditionBase xsi:type="ConditionConnectedTo">
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>CN=#mv:sAMAccountname#-Administrators,OU=LocalAdminGroups,OU=Managed Groups,DC=contoso,DC=com</Constant>
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
        <AttributeFlowBase xsi:type="AttributeFlowConstant">

Now, the question remained: how do we effectively get these new computer groups added to the local Administrators group of each computer, both existing and new? Oh no, it wasn't using PowerShell this time, although I was tempted.

I had a chat with a good colleague of mine from Inceptio, Risto Petersen. Risto is an Active Directory wizard and he had just the recipe: to add a machine-specific group to the local Administrators group of every server and/or workstation, you can deploy a Group Policy (GPO) using Computer Configuration Preferences. The steps are -
  1. Create a naming standard for your groups including the computername in the group name. In this example I will use <computername>-LocalAdmin, so that for the computer PC1 the group is PC1-LocalAdmin
  2. Create the necessary groups, one for each computer object. Use scripting or FIM or some other tool. Remember to keep groups in sync with computer objects; i.e. when a computer is deleted the group should also be deleted.
  3. Create a GPO and link it to where your computer objects live in AD
  4. Edit this new GPO
  5. Go to “Computer Configuration”
  6. Go to “Preferences”
  7. Go to “Control Panel Settings”
  8. Go to “Local Users and Groups”
  9. Create a new “Local Group” object for the “Builtin Administrators” group
  10. Set the action to “Update”
  11. In the Members section add “%COMPUTERNAME%-LocalAdmin” or what your naming standard dictates
  12. You might also want to add another general group like “ALL-COMPUTERS-LocalAdmin” to easily delegate rights to all computers
After the next GPO update, your computers will have populated their local Administrators groups with their computer-specific groups. You can then delegate access to individual computers by adding users to these groups.
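Step 2 above says to create one group per computer and to keep the groups in sync with the computer objects. The post did that with the codeless provisioning framework; as an added example (not from the original post, and not the framework's own code) here is the scripted alternative in PowerShell. It creates any missing <computername>-LocalAdmin group and flags groups whose computer no longer exists. The OU distinguished names and the group scope are assumptions for a lab domain.

```powershell
# Added example (not from the original post): reconcile <computername>-LocalAdmin
# groups against the computer accounts in AD. OU paths are assumptions.
Import-Module ActiveDirectory

$ComputerSearchBase = 'OU=Workstations,DC=contoso,DC=com'                    # where the computer objects live
$GroupOU            = 'OU=LocalAdminGroups,OU=Managed Groups,DC=contoso,DC=com'
$Suffix             = '-LocalAdmin'                                            # naming standard from the post
$RemoveOrphans      = $false   # set to $true to delete groups whose computer is gone

$computers = Get-ADComputer -Filter * -SearchBase $ComputerSearchBase
$groups    = Get-ADGroup -Filter "Name -like '*$Suffix'" -SearchBase $GroupOU

# Hashtable keys are case-insensitive, which matches how AD treats names
$wanted = @{}
foreach ($c in $computers) { $wanted["$($c.Name)$Suffix"] = $c }
$existing = @{}
foreach ($g in $groups) { $existing[$g.Name] = $g }

# Create the groups that are missing. Domain local scope is sufficient here because
# the group is only ever a member of the local Administrators group on one computer.
foreach ($name in $wanted.Keys) {
    if (-not $existing.ContainsKey($name)) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU -Description "Local Administrators on $($wanted[$name].Name)"
        Write-Host "Created $name"
    }
}

# Groups without a matching computer. An orphaned group still grants local admin
# if a computer with that name is ever joined again, so do not leave these behind.
foreach ($name in $existing.Keys) {
    if (-not $wanted.ContainsKey($name)) {
        if ($RemoveOrphans) {
            Remove-ADGroup -Identity $existing[$name] -Confirm:$false
            Write-Host "Removed orphaned group $name"
        } else {
            Write-Warning "Orphaned group (no matching computer): $name"
        }
    }
}
```

Run it with an account that can create and delete groups in the target OU only, and run it in report mode ($RemoveOrphans = $false) first. Because the GPO adds "%COMPUTERNAME%-LocalAdmin" by name, the reconciliation has to happen on both sides: a computer that is renamed needs a new group, and a group left over after a computer is removed is a standing grant waiting for the name to come back.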

A great thank you goes to Risto for this trick - and combining this setup with FIM's self-service features, you have a relatively simple solution to allow your users access to local administrator permissions.

Tuesday, September 17, 2013

Use PowerShell to get AD schema information

Sometimes when I engage in FIM 2010 or Active Directory projects, I get the question: "Okay, then which attributes do we actually have in our Active Directory?". It is a fair question, and knowing the site's actual Active Directory schema at a given point in time can often be useful.

Instead of going to the Active Directory Schema snap-in and manually browsing through the schema, I've created a small PowerShell script that enables you to dump the schema for a user (or other object class) into CSV files (or into the PowerShell pipeline) for further processing.

You may find this information about your Active Directory useful or just fun, so here's the script -

# Get the schema of the forest that this computer belongs to
$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()

# Dump the mandatory ("must contain") and optional ("may contain") attributes of the user class to CSV
$schema.FindClass("user").MandatoryProperties | Select-Object Name, CommonName, Description, Syntax | Export-Csv user-mandatory-attributes.csv -Delimiter ';' -NoTypeInformation
$schema.FindClass("user").OptionalProperties | Select-Object Name, CommonName, Description, Syntax | Export-Csv user-optional-attributes.csv -Delimiter ';' -NoTypeInformation

There is also a short version of the script if you don't want any fancy selecting and exporting, but just want the attribute information in your pipeline -


Feel free to modify it to your specific needs and of course make sure that you run it as a user that has permission to dive into the Active Directory schema.
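As an added example (not from the original post), here is the same idea generalised into a function: the object class becomes a parameter, an unknown class produces a clear error instead of an exception dump, and mandatory and optional attributes come out on the pipeline as one stream tagged with their origin, together with two properties the original script does not show (whether the attribute is single-valued and whether it replicates to the global catalog). Only the function name and the property names of the output objects are my own; the .NET schema API is the same one the post uses.

```powershell
# Added example (not from the original post): dump the attributes of any object
# class from the current forest's schema. Get-ADClassAttribute is a name chosen here.
function Get-ADClassAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ClassName
    )

    # Same entry point as the post's script: the schema of the forest this computer belongs to
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()

    try {
        $class = $schema.FindClass($ClassName)
    } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
        throw "Object class '$ClassName' does not exist in the schema $($schema.Name)"
    }

    # Emit mandatory ("must contain") and optional ("may contain") attributes as one stream
    foreach ($kind in 'Mandatory', 'Optional') {
        $props = if ($kind -eq 'Mandatory') { $class.MandatoryProperties } else { $class.OptionalProperties }
        foreach ($p in $props) {
            [pscustomobject]@{
                Class             = $class.Name
                Kind              = $kind
                Name              = $p.Name
                CommonName        = $p.CommonName
                Syntax            = $p.Syntax
                IsSingleValued    = $p.IsSingleValued
                IsInGlobalCatalog = $p.IsInGlobalCatalog   # replicated to every GC in the forest
                Description       = $p.Description
            }
        }
    }
}

# Usage: work with the objects in the pipeline, or write one CSV per class
Get-ADClassAttribute -ClassName user | Sort-Object Kind, Name | Format-Table Kind, Name, Syntax, IsSingleValued, IsInGlobalCatalog
Get-ADClassAttribute -ClassName computer | Export-Csv computer-attributes.csv -Delimiter ';' -NoTypeInformation
```

The IsInGlobalCatalog column is worth a look during an FIM design: an attribute that is in the partial attribute set is readable from any global catalog in the forest, so it should not be used to carry data that is only meant for one domain.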


Thursday, August 22, 2013

PowerShell 5.0 Management Agent released

I'm very pleased to announce that version 5.0 of my PowerShell Management Agent is released and available for download.

This new version includes these key improvements -

  • Additional control values on your import and export return objects
  • Ability to return anchors constructed by the data source, e.g. from Office 365 and SQL Server
  • Option to use paged imports, which gives you even more control in your scripts and better support for stopping runs.
  • Bug fixes and increased robustness.
I'm not going to spend a whole lot of time on these new features but instead refer you to the updated online manual, which also has links to downloads. Also, this version was the one used at my presentation and live demo at the FIM Team User Group meeting. You can view it here on YouTube.

I'd like to hear from you - good or bad news - and I'm of course always open to feature requests. So please do let me know what you think about this MA, and I also very much appreciate a "Like" on my blog's page on Facebook.

Happy PowerShell'in...

Thursday, July 18, 2013

My talk on the PowerShell Management Agent

Yesterday, I did a short talk and demonstration of my PowerShell Management Agent for FIM 2010 R2. From the comments made during the presentation and in the question round, there seemed to be a lot of interest in the MA.

As I mentioned during the demonstration, I have a new version coming out very soon which will have all the new features that were discussed at the meeting. Should you be interested in a pre-release version, then let me know and I'll get you a download link for the pre-release version (subject to change, of course).

If you missed the presentation at the FIM Team user group meeting yesterday, you can view it here on YouTube.

Also, there was some interest in the PowerShell scripts used for the demo; if you would like to study these more closely, you can download them here. There were a few questions on the provisioning used for the demo setup, and for those interested in this, take a look at the Codeless Provisioning Framework that I'm maintaining on CodePlex and which was used for the demo setup.

Again, thanks for all the nice words and comments about the presentation and the PowerShell Management Agent. And also, thanks to the FIM Team for this speaking opportunity.

Friday, June 14, 2013

FIM Team User Group

Just wanted to pitch for a great initiative by Carol Wapshere and Bob Bradley, who are members of the FIM Team and fellow FIM MVPs.

They've set up an online user group for FIM folks, and if you're reading this blog then I'm sure that the online user group is for you as well. The first meeting was yesterday and I think it went well. You can watch the presentation from the first meeting on YouTube - oh, and don't forget to join the user group so you don't miss out on the next meetings.

And if you're using my PowerShell MA, then keep an eye out, because they twisted my arm and forced me to do a demonstration / presentation of the capabilities of this popular MA in one of the upcoming meetings.

Drop by this page to see how to join the group, so you don't miss out...

Wednesday, June 12, 2013

Where have you been?

You may have noticed that I've been kinda 'offline' on my blog lately. This is due to a very heavy workload from several concurrent FIM 2010 projects that I'm heading.

Hopefully, by the end of these projects, I'll be able to be a little more active on my blog here - and also be able to post a few more goodies.

During these FIM 2010 projects, I've cooked up several PowerShell scripts for use with FIM, e.g. scripts for managing SharePoint 2010 User Profiles.

I'm also preparing and finalizing a new release of my PowerShell Management Agent for FIM - and I'm very happy to see that the current version has reached 500+ downloads from countries all over the world. Hopefully the new version will reach the same numbers.

So, keep a look out for a little more activity here on my blog over the summer.

Thanks for following me and stay with me on Twitter (@MrGranfeldt) for quick updates and give my Facebook page a thumbs up as well.

Sunday, March 17, 2013

PowerShell MA 4.5 released

I'm very pleased to announce that a new version of my PowerShell Management Agent is released and available for download.

This new version includes these key improvements -
  • Option to send much simpler objects to your export script
  • Option to return error messages to Synchronization Service Manager on both imports and exports
  • Support for PCNS and a password management script
I'm not going to spend a lot of time on these new features, other than to refer you to the online manual, which also has the download link.

As always, I'd very much like to hear from you - good or bad news - and I'm of course always open to feature requests. So please do let me know what you think about this MA, and I also very much appreciate a "Like" on my blog's page on Facebook.

Happy PowerShell'in...

Monday, February 25, 2013

Update your MARunScheduler

This may just be one of the shortest blog entries that I ever did. But if you are a heavy user of my MARunScheduler, I just wanted to let you know that there is a new version out. You can get the new MARunScheduler here -

Also, if you're on Facebook, I'd be happy to get your "thumbs up" there, so go and get more informal updates and news through Facebook on

Tuesday, February 19, 2013

Hotfix for FIM 2010 R2

A short while ago, Microsoft released a small hotfix for FIM 2010 R2. You can read more on this hotfix in KB2814853.

Also, notice that this hotfix has a known issue that can "break" your ECMA / XMA Management Agents, but also has a description for fixing this if you run into that issue.

New version of the PowerShell Management Agent

It has been around since April 2011 and popularity is still growing.

The number of downloads of version 4 of my PowerShell Management Agent for FIM 2010 has just passed 300. And with that number of downloads from more than 20 different countries, this MA seems more popular than ever. It's being used extensively for all different purposes and is extremely popular for handling Office 365 users/licenses. So the need for this flexible type of MA is very clear.

Also, I get tons of support requests from all over the world asking me for help on writing PowerShell scripts for the MA or even for general help on using and configuring FIM. I usually refer most of these to the FIM 2010 forums where I'm happy to see that different people are very happy to help and give good advice and support for using the MA.

I want to keep expanding on the functionality of this powerful Management Agent as needs arise and as FIM and the ECMA2 framework evolve. Now, I've already had some great feature requests, but I do want more.

I want your five cents

I'm currently working on the next version which will be out this spring. It will have the following enhancements -
  1. Support for password change/sets (thereby supporting password synchronization / PCNS)
  2. Support for custom error messages returned to the Sync Engine
  3. Flexibility on the type of object passed to the Export script (allowing for simpler export objects in the export script)
  4. Generally, utilizing the new features of the ECMA2 framework that were introduced with Service Pack 1 for FIM 2010 R2
  5. A few other hidden gems to be revealed later...
If you are using the PowerShell Management Agent today in your own or your customers' FIM installations, I would very much like to get your ideas and feature requests for this next version.

I'm open to your ideas and requests, so drop me an email or, better yet, share your ideas as comments here on this blog post, and I'll be sure to pick them up.

Thank you very much for your support.

Tuesday, February 12, 2013

How to return custom error messages in ECMA2 SP1

While updating my Management Agents (or connectors) and building a new one for a customer, I wanted to take advantage of the new possibility in the Service Pack 1 version of the ECMA2 framework where you can return a custom error name and error detail to the Synchronization Service Manager. It took me some time to get my head around this, but I finally got it working.

Before Service Pack 1, you could also use CSEntryChangeResult to return an error on your import and export actions. In your PutExportEntries interface code, you would put something like this to return an export error -

CSEntryChangeResult cschangeresult = CSEntryChangeResult.Create(csentryChange.Identifier, null, MAExportError.ExportErrorSyntaxViolation);

The line above would show up as an export error with the error code 'syntax-violation' in the Synchronization Service Manager. You can find the additional MAExportError options here (

With Service Pack 1, however, you are now able to return a custom error name and detail, which is awesome because you can give more information to the administrator. The caveat is that you do need to set MAExportError to either ExportErrorCustomContinueRun or ExportErrorCustomStopRun for your custom error information to be returned. These two enumeration options are new for Service Pack 1, and I was struggling for a few hours before I noticed them.

So after changing my MAExportError enumeration value to ExportErrorCustomContinueRun, my custom error message was returned to the Synchronization Service Manager. My line now looks like this -

CSEntryChangeResult cschangeresult = CSEntryChangeResult.Create(csentryChange.Identifier, null, MAExportError.ExportErrorCustomContinueRun, "script-error", scriptResult);

Notice that I keep my error name to the general, well-known syntax of <warning/error>-<message> (the second-to-last parameter). I just like this as a best practice, but it is not a requirement; you can write any text you like.

Happy coding.

Wednesday, January 30, 2013

Updated the workflow activity library

I'm pleased to announce that I've just updated the FIM 2010 Granfeldt Workflow Activity Library on CodePlex.

Besides the Lookup Value activity and the awesome Code Run / C# activity (that really could replace the Function Evaluator), this release contains three new workflows -
  1. Create Object
  2. Delete Object
  3. Copy Values
These are three simple but effective workflows that are useful for any FIM 2010 installation. The documentation has been completed and you can find more information on the activities here.

I have a few more ideas for some generic workflows and will try to find time to add these to the collection within the nearest future. Also, for this release I really need to thank Kristian Thim who chipped in with a few lines of clever code and juggled my mind to think a little different for some of the activities.

Anyway, you can get to the CodePlex project here.

So download the latest release and let me know if you like it and find it useful.

Monday, January 21, 2013

Handing over the check

This Saturday I brought my family to the H. C. Andersen Children's Hospital to hand over the check of $2.000 USD. The amount was all collected from donations made through my blog in the fall of 2012.

The H. C. Andersen Children's Hospital here in my hometown, Odense, is named after the famous Danish poet and author Hans Christian Andersen. It is the only real 'hospital' for children here in Denmark, as other hospitals only have children's wards, and children come to this hospital from all parts of Denmark for treatment.

My daughter and I outside the children's hospital
The check was handed over at the sculpture called "Magic Mountain" (Tryllebjerget in Danish)
Meeting with the staff at this hospital was a very nice experience and it really confirmed me in my choice of beneficiary. The staff is very dedicated and they are really doing a fantastic job providing an environment that helps the kids feel as if they are not in a typical hospital.

They were very happy to receive the check for $2.000 (DKK 11.380,-) and I'm confident that they will put the money to good use.

Again, I would very much like to thank everyone that made a donation when downloading either MARunScheduler or the very popular PowerShell Management Agent. Thank you very much, you really helped make a difference for a lot of children.

Friday, January 18, 2013

First beta release of FIM 2010 workflow library is out

My latest CodePlex project has its first beta release with two FIM 2010 R2 custom workflows, namely the Code Run activity and the Lookup Value activity. I plan to add more of these generic workflows to the project when time allows it.

The last custom workflow you'll ever need?
Do yourself a favor and have a look at the Code Run activity that is in there. That activity is one that I'm particularly proud of. It allows you to write almost any C# code directly in the workflow and, based on parameters passed, your code can run and calculate a return value of any type. The activity can also update a target object with the value returned from the code.

I think this activity is extremely powerful if you put your creativity to work - and I bet that you're going to use the built-in Function Evaluator a lot less when you get your head around this Code Run activity. And it may even replace a lot of the other custom workflows that you have or need. But don't take my word for it - give it a go...

As always, I'm very eager to learn whether you find these workflows valuable and if you have any ideas for improvements or features - so please do let me know.

You can download a version at


Tuesday, January 15, 2013

What's new in FIM 2010 R2 Service Pack 1?

Last week, Service Pack 1 for FIM 2010 R2 was released somewhat silently. Everyone was looking for "What's new, then?".

Well, the cat is out of the bag. You can have a look here to see what's new in Service Pack 1 for Forefront Identity Manager 2010 R2.

Besides the interesting new feature of 'Deferred Evaluation of Criteria-based Groups', this does look like mainly a version support/performance upgrade. However, I, for one, am happy to see the new features of the ECMA2 framework, and I'll have to look into including some of them in a new version of my popular PowerShell Management Agent.

Also, here is a list with a few links to official announcements regarding Service Pack 1 for FIM 2010 R2 -
Enjoy your reading...

FIM 2010 Granfeldt Workflow Activity Library

UPDATE: The Lookup Value activity is now part of the project

I'm very pleased to announce that I've released the first version of my ongoing FIM 2010 Workflow Activity Library on CodePlex.

For now, the solution only contains one workflow - a Code Activity workflow that allows you to write C# code that is executed when the workflow is instantiated (for more information, see documentation on CodePlex).

Within the next few months, plans are to add my other generic workflows to this solution, namely Lookup Value and Propercasing and a few other hidden 'gems'.

You can find the initial version here ( and please help me extend the documentation - and be sure to let me know of any bugs.

Deprecated features and planning for the future

The good FIM guys in Seattle just released a very much needed list of deprecated features for the FIM 2010 Synchronization Service.

This is a MUST read/study list. All deprecated features of the FIM Synchronization Service that are still available in FIM 2010 R2 are discussed and make no mistake - these features are scheduled to be removed in a future release of FIM. You should not use deprecated features in new applications.

So no doubt, there are definitely some actions for you to take on your current FIM 2010 installation, or if you're planning to deploy newer versions of FIM in the near future. Make sure that the roadmap for your installation aligns with the facts in this document from Microsoft.

I'll keep a close watch on this list and I really hope that Microsoft keeps it current moving forward, as these decisions affect a lot of installations around the world.

Oh, and you can find the list here.

Sunday, January 13, 2013

FIM 2010 R2 Service Pack 1 / BHOLD released

The news is already out there, but I thought I'd just write a quick note on it as well.

On MSDN, you can download Service Pack 1 for FIM 2010 R2 and BHOLD. Note that there are two versions available - one for new installs and one for upgrades to existing installations.

I've yet to play around with this new Service Pack - and with support for the newer Windows Server 2012 and SQL Server 2012, it looks as if I've got my work cut out testing, and I also need to upgrade my PowerShell kit that automates FIM 2010 R2 / SharePoint 2010 installations to support the new version.

As far as I know, there is no official KB article or document telling us exactly what is new in this release. So I guess everyone is looking forward to that, and I will definitely want to read it before I upgrade any production environments.

As I dive into this new service pack, I'll be sure to share my findings - so stay tuned.

UPDATE. Jorge has a little more information to share on this here (

Friday, January 4, 2013

$2.000 donation to children's hospital

In the autumn of 2012, I decided that all donations made to my FIM projects - the PowerShell MA, MARunScheduler and FIM MRE - should go to charity. There haven't been very many donations, but fortunately there have been some very generous ones, resulting in a total of $1.786,00 in donations.

I've decided to round up the amount to $2.000 to be able to give a nice round sum of money to the H. C. Andersen Children's Hospital here in my hometown of Odense, Denmark. In the near future, I'll make an appointment with the hospital to present them with the check.

Thank you once again to those that have supported my cause. Thank you - and happy New Year.