Wednesday, November 26, 2014

FIM Rollup hotfix 4.1.3613

Very short post, just to let you guys know that there is a new hotfix for FIM 2010 R2 SP1. 

It includes updates for sync, service, portal, BHOLD and CM. The KB article can be found here. The version numbers are FIM 4.1.3613.0 and, for BHOLD, 5.0.2836.0.

As always, make sure to backup your systems before applying and test before putting into production.

Tuesday, November 4, 2014

Securing your Active Directory data before FIM exports

When implementing FIM 2010 at customers, I like to do my own simple backup of the Active Directory objects that FIM is about to touch or change. Of course, you should have your normal Active Directory backup in place as well, but having my own copy of the attribute values allows me to restore or "roll back" selected attributes if needed.

Also, I have a few customers that use these scripts on a scheduled basis to just keep track of changes in Active Directory or even backup before another implementor is allowed to add or change data in their directory.

I have two scripts - a backup script and a restore script.

Backing up

The backup script basically reads the objects that I want to backup from Active Directory and saves these objects in XML files - one file for each object, typically users and groups. The script takes two parameters, the LDAP filter and the backup directory where you want to save the XML files. So to backup all users with accountname starting with A, use the script like this -

.\backup-object.ps1 -filter '(&(objectclass=user)(samaccountname=a*))' -backupdir 'c:\adbackup'


If at some time you want to restore any attributes on any of the backed-up Active Directory objects, you can use the restore script. The restore script takes two parameters as well: a list of the attributes that you want to restore and the path to the backup directory containing the XML files that you previously backed up.

The restore script expects you to feed it the usernames of the users to restore through the pipeline. So to restore the 'givenName' and 'sn' attributes on Bill Gates and Steve Ballmer, use the restore script like this -

"billg", "steveb" | .\restore-object.ps1 -attributes 'givenName', 'sn' -backupdir 'c:\adbackup'

If you want the scripts, you can get them here.
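As an added illustration (not the author's scripts, which are linked above), here is a minimal backup/restore pair built on the ActiveDirectory module that follows the same design: one XML file per object, an LDAP filter for the backup, and usernames fed through the pipeline for the restore. The function names, parameter names and the per-object file naming are my assumptions, and the restore covers string-valued attributes such as givenName and sn.

```powershell
# Added example, not the original backup-object.ps1 / restore-object.ps1.
# Assumes the RSAT ActiveDirectory module and rights to read/write the objects.
Import-Module ActiveDirectory

function Backup-ADObjectToXml {
    param(
        [Parameter(Mandatory)][string]$Filter,     # e.g. '(&(objectClass=user)(sAMAccountName=a*))'
        [Parameter(Mandatory)][string]$BackupDir   # e.g. 'c:\adbackup'
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    # Read every attribute so any of them can be rolled back later
    Get-ADObject -LDAPFilter $Filter -Properties * | ForEach-Object {
        # One XML file per object, named by sAMAccountName (GUID as fallback)
        $name = if ($_.sAMAccountName) { $_.sAMAccountName } else { [string]$_.ObjectGUID }
        $_ | Export-Clixml -Path (Join-Path $BackupDir "$name.xml")
    }
}

function Restore-ADObjectAttributes {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Attributes,   # e.g. 'givenName', 'sn'
        [Parameter(Mandatory)][string]$BackupDir
    )
    process {
        $file = Join-Path $BackupDir "$SamAccountName.xml"
        if (-not (Test-Path $file)) { Write-Warning "No backup found for $SamAccountName"; return }
        $saved = Import-Clixml -Path $file
        $replace = @{}; $clear = @()
        foreach ($a in $Attributes) {
            $v = @($saved.$a | ForEach-Object { "$_" })
            # An attribute that was empty at backup time is cleared, otherwise replaced
            if ($v.Count -eq 0) { $clear += $a } else { $replace[$a] = $v }
        }
        # Locate the object by GUID so a rename or move since the backup does not matter
        $target = Get-ADObject -Identity ([string]$saved.ObjectGUID)
        if ($replace.Count -gt 0) { Set-ADObject -Identity $target -Replace $replace }
        if ($clear.Count   -gt 0) { Set-ADObject -Identity $target -Clear   $clear }
    }
}

# Usage mirroring the commands above:
# Backup-ADObjectToXml -Filter '(&(objectClass=user)(sAMAccountName=a*))' -BackupDir 'c:\adbackup'
# "billg", "steveb" | Restore-ADObjectAttributes -Attributes 'givenName', 'sn' -BackupDir 'c:\adbackup'
```

Run the restore with -WhatIf appended to the Set-ADObject calls first to review which attributes would be written back before touching the directory.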

Wednesday, October 1, 2014

4th time MVP'ed

Sitting today watching my daughter taking a swimming lesson, my phone suddenly pinged me with a new incoming mail with the title 'Congratulations 2014 Microsoft MVP!', and the body text started off like this -

'Congratulations! We are pleased to present you with the 2014 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Forefront Identity Manager technical communities during the past year.'

This is my fourth year in a row as a Forefront Identity Manager 2010 MVP awardee. Four times in a row makes me very proud. Trust that I'll give my best once again this coming year to honor this award and look forward to continue to support the community around the great product, FIM 2010 (and hopefully MIM soon), that I really enjoy working with every day.

Thank you so much to all who believe in me.

Saturday, August 30, 2014

Workflow Library presentation at The FIM Team User Group

On August 20th, I did a presentation of my Workflow Library for FIM 2010 R2.

The session was an introduction and a walkthrough of the activities included in the open source kit - with a lot of demonstrations. The session was recorded, and if you missed it, you can watch it here.

And if you would like to download a copy of the library, go to CodePlex. As mentioned during the presentation, I'll be adding a few more activities to the library in the near future.


Thursday, April 24, 2014

PowerShell MA and the FIM Service

I was working on a FIM2010 R2 project where the customer wanted to manage a bunch of DFS groups in the FIM Service / Portal.

However, all the groups (1.600+) would continue to start their life in Active Directory based on some scripts. Therefore we wanted to bring all groups from Active Directory into the FIM Service just once and from there on manage all attributes, including membership filters, from the FIM Service.

Due to precedence, we could not use the FIM MA to create the groups in the FIM Service, so we had to come up with another solution. Again, my PowerShell MA came to the rescue.

Here is how we did it -

  1. We created another standard Active Directory MA scoped to the few OU's that contained the groups in question. We set that MA to only import and project a new metaverse type (dfsGroup) and import a few attributes, such as sAMAccountName, displayName, description and such.
  2. We then created a PowerShell MA (PSMA) for use with the FIM Service. For this we used my PowerShell MA.
  3. We wrote provisioning code to provision all dfsGroup metaverse objects to the FIMService PSMA.
  4. We wrote fairly simple scripts to read / write the new dfsGroups to the FIM Service as normal FIM Service Group objects.
    1. The creation was merely to create a simple security group in the FIM Service. We utilized Craig Martin's great PowerShell modules for this.
Now we just set the schedules and watched the Synchronization Engine bring in the groups from AD, project them to the metaverse and have them be provisioned to our FIMService PS MA - where the export script elegantly created them in the FIM Service.

On the next import from the standard FIM MA, the new groups would be projected to the metaverse as normal group objects, and the groups imported in the normal AD MA could now join - and boom, membership was now maintained using the filters applied when creating the groups through our FIMService PowerShell MA.

Sounds interesting? Get the PowerShell MA here and the scripts here - oh, and don't forget to get the latest version of Craig's FIM PowerShell module (although I included the version we used in the download bundle). You may have to change a few lines in the PSMA scripts for logging and such, but beyond that they should be pretty much functional out-of-the-box.

As always, I'm interested to know if you find this useful.

Wednesday, April 23, 2014

Thoughts: FIM is now MIM

Today, Microsoft announced the new name for FIM2010 or Forefront Identity Manager vNext. Future versions of FIM2010 R2 will be known under the Microsoft brand, and so the next release will be known as Microsoft Identity Manager.

I cannot help giving this announcement some thought.

A published roadmap like this is reassuring for customers running FIM2010 today - and also for customers considering utilizing FIM2010 for their identity management needs. Their technology choice now proves sound, as Microsoft is continuing its investments in the product.

Also, the major investment areas mentioned in the article above give me confidence that Microsoft is going to take the product to a new level where it makes sense to really put this tool into play in your infrastructure.

With the current version, I've already built some great solutions that really supported organizations' needs. If I read correctly between the lines, I have no doubt that I will be able to leverage all the new features in the next version with existing FIM2010 installations - and make these even better. And I'll have a lot of new stuff to help build great identity management solutions.

I'm really looking forward to more information on timelines for preview programs and the release schedule, which is to be released later this year.

Let's stay tuned...

Tuesday, March 18, 2014

New version of PowerShell Management Agent

I'm pleased to announce that I've released a new version of my PowerShell MA.

This new version now supports two sets of credentials (both optional): one set of credentials is passed to all the scripts (no change from earlier versions), while the other set is used as the security context under which all scripts are run. This presents you with some nice options for mixing and matching credentials to build scripts that run under the correct credentials.

Go and check out the new version here and download it here.

Also worth mentioning is that Microsoft released their version of a PowerShell Management Agent this week, so now you have the option to choose which one better suits your needs. You can check out Microsoft's PowerShell MA here.

I use my PowerShell MA a lot for all my engagements and I know a lot of installations are running my PowerShell MA, so I'm dedicated to keeping it alive. As always, I'm very open to suggestions for improving my PowerShell MA - and if you want to make a donation to help me help others, I would appreciate that very much.

I'm looking forward to hearing reactions and feedback from your experience with both versions.

Thank you.

Tuesday, March 11, 2014

The PowerShell MA generates another donation

It has been a while since I blogged due to a lot of FIM 2010 engagements and a lot going on in my personal life, such as selling my house, buying a new house and moving cross country. But I'm back.

As you may know, every year around Christmas, I like to make a donation to an organisation that helps people less fortunate. The amount donated varies from year to year, because it depends on the donations made to my software projects.

In 2013, I moved most of my software projects to CodePlex and therefore these projects have not generated donations. However, my PowerShell Management Agent for FIM2010 is still hosted here on my blog and it is still hugely popular. In 2013, it generated approximately USD $250 in donation (perhaps, you are one of the kind donators?) and I opted to double that amount in my company, Goverco.

This resulted in a donation of USD $500 to Dansk Folkehjælp, and that check, I hope, made Christmas just a little more enjoyable for some people less fortunate.

It is always a pleasure to help, and I'm very grateful for any donations made through my blog. Every penny goes directly to helping others, and I usually double the amount donated. My software is free, but I'd very much appreciate a donation, big or small (every penny counts), if you download and use my software.

Thank you.