THIS PAGE IS OBSOLETE - PLEASE VISIT https://github.com/sorengranfeldt/psma for latest version
The Granfeldt PowerShell Management Agent (MA) is a diverse MA for Forefront Identity Manager 2010 (FIM) R2. It can be used for many different purposes. Basically, any task that can be done in PowerShell can be triggered through this MA, making it very flexible and a regular hybrid.
It supports:
- Full and delta import
- Export and Full Export
- Password Management (PCNS)
Ideas for usage
Home Directories - a typical purpose of this MA is the creation and managing of home directories and/or profile drives for users.
SQL Delta import - by using a timestamp column in a clever way, you can do delta imports from SQL server tables with this MA. Sample scripts for a small SQL user database with some sample property calculations can be found in the download section.
OpenLDAP - this MA has been used to replace the old OpenLDAP XMA.
Office 365 - this MA is also frequently used for managing users in Office 365 and you can find a link for sample scripts for doing this in the download section.
Dynamics AX 2012 - this MA has been used for managing users and roles in Dynamics AX 2012.
Human Resource (HR) data - this MA has been used to read oddly formatted files coming from various HR systems and clean up the data. Using PowerShell to read the file, and perhaps enrich or filter it, allows you to pass cleaner data to FIM.
TCP/IP (DHCP leases) - this MA has been used for importing DHCP lease information from DHCP servers in order to create computer accounts for use with WPA authentication.
Password Management - this MA supports password management (PCNS) and will allow for a script to be run for password changes using Password Change Notification Services.
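The SQL delta import idea above comes down to a high-water mark over the timestamp column. The sketch below is an added example, not one of the sample scripts from the download section: the `Get-DeltaRows` function, the row shape, the returned keys and the watermark file are hypothetical, and the rows are constructed in memory so it runs without a SQL Server.

```powershell
# Added example: high-water-mark delta selection over a timestamp column.
# All names are hypothetical; the returned hashtable keys are illustrative only.
function Get-DeltaRows {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,          # Id, Name, IsDeleted, LastModified
        [Parameter(Mandatory)] [string]   $WatermarkPath  # file holding the last timestamp read
    )
    # No watermark file means this is the first run, which behaves as a full import.
    $watermark = [datetime]::MinValue
    if (Test-Path -LiteralPath $WatermarkPath) {
        $text = (Get-Content -LiteralPath $WatermarkPath -Raw).Trim()
        $watermark = [datetime]::Parse($text, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::RoundtripKind)
    }
    # Against a real table this is: WHERE LastModified > @watermark ORDER BY LastModified
    $changed = @($Rows | Where-Object { $_.LastModified -gt $watermark } |
        Sort-Object LastModified)

    $result = foreach ($row in $changed) {
        @{
            Id         = $row.Id
            Name       = $row.Name
            # A timestamp only sees rows that still exist, so deletes need a soft-delete flag.
            ChangeType = if ($row.IsDeleted) { 'Delete' } else { 'Update' }
        }
    }
    # Advance the watermark to the newest row actually read, never to the current time:
    # a row committed between the query and a clock read would otherwise be skipped for good.
    if ($changed.Count -gt 0) {
        $changed[-1].LastModified.ToString('o') | Set-Content -LiteralPath $WatermarkPath
    }
    return ,@($result)
}

# Constructed sample rows standing in for the SQL table.
$t0 = [datetime]'2014-01-01T08:00:00'
$rows = @(
    [pscustomobject]@{ Id = 1; Name = 'alice'; IsDeleted = $false; LastModified = $t0 }
    [pscustomobject]@{ Id = 2; Name = 'bob';   IsDeleted = $false; LastModified = $t0.AddHours(1) }
)
$wm = Join-Path ([IO.Path]::GetTempPath()) 'delta-demo-watermark.txt'
Remove-Item -LiteralPath $wm -ErrorAction SilentlyContinue

$full = Get-DeltaRows -Rows $rows -WatermarkPath $wm      # first run: every row
$rows[1].IsDeleted = $true                                # bob is soft-deleted later
$rows[1].LastModified = $t0.AddHours(2)
$delta = Get-DeltaRows -Rows $rows -WatermarkPath $wm     # second run: only bob, as a delete
"full=$($full.Count) delta=$($delta.Count) type=$($delta[0].ChangeType)"
```

If several rows can share one timestamp value, compare with `-ge` and de-duplicate by key so that a row written at the watermark instant is not missed.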
27 comments:
Nice work, Søren!
Thank you very much. This MA is very popular with more than 250+ downloads as we speak...
Søren, this management agent works very nicely. One question: I only want to execute the script when 'adding' a new CS object. When doing a full deprovisioning I see the CS object marked as delete, and it eventually gets deleted. However, the object is still in the CS, no longer a connector, and the type is changed to placeholder, but it is still there.
How to entirely delete the object without, because when provisioning again it fails because the anchor being used is the same. I was hoping this is taken care of in ECMA2 without building a confirming 'delete' import.
Thank you, Paul.
In the current version, you do need to do a confirming 'delete' import to have the placeholder go away as the MA is configured with normal object confirming setting. I'll consider making this optional in next versions.
Hi Søren,
OK, that explains the reason. It would help if you can configure the behavior in a next version, so you can easily configure a one-time-only PS command (for whatever reason that is, of course :)) without any hassle writing information back to a CSV file to confirm this delete.
Nicely done. Very thankful.
Hi,
Has anyone created a sample script for OpenLDAP (import and export)?
I need to provision users and groups.
Thanks
Hi, Alex
Kent Nordstrom did some sample scripts for OpenLDAP and this MA - check out http://blog.konab.com/2013/02/replacing-openldap-ma-with-ps-ma/
Thank you..
I am not familiar with PowerShell syntax.
I tried to personalize the import script but get a "stopped-extensible-extension-error" in FIM Synchronization Service without details.
How can I set a debug mode?
Hi, Alex
I'm sorry, but I don't offer free support. I suggest that you take your questions to the FIM 2010 Forum, which I visit from time-to-time but others can help as well.
http://social.technet.microsoft.com/Forums/en-US/ilm2/threads
Hi Soren,
You mention "modifying the schema discovery file" before configuring the MA - can you explain this a little more, I'm prompted for a schema script and do not know how to proceed.
Thanks
Mark,
I don't offer free support. Please take your questions to the FIM 2010 forum. http://social.technet.microsoft.com/Forums/en-US/ilm2/threads
Have you ever attempted to utilize a constructed anchor for this PS MA?
Phil,
Could you give a sample of what you're trying to do? The MA does not support a datasource created anchor in the current version. If enough demand, it may go into next version which is due just after summer.
Great post. Thanks a lot for your kind sharing.
Larry3766
That's what I'm looking for!
Thanks Soren.
Nice work!
After months of research it seems that we have a winner ;-)
However, can you confirm that the current version supports multivalue attributes?
I mean it seems like a multivalue attribute's attribute changes couldn't find their way to PS?
Thanks, Janne.
It does indeed support multivalues; I use this all the time.
Excellent!
In export, we get all attribute values right (no matter if it's multivalue or not) in PS, but couldn't find ModificationType or similar in those attributes?
I would really appreciate it if you could share the name of that method.
Dear, Janne
Please take any support question to the FIM 2010 forum (http://social.technet.microsoft.com/Forums/en-US/home?category=identitymanagement&filter=unanswered&sort=lastpostdesc)
There is no free support from this blog.
Thank you.
Great stuff. And I ask myself, what are the pros and cons of running PowerShell scripts in an MA instead of running the same scripts from a PowerShell Activity in the portal/service?
Guy,
Ongoing discussion; if you want state-based and confirmed actions, go with MA's - else you could be okay with workflows
Hello, during testing I discovered I can let the import or export script read and report the password used during the MA setup in clear text. This password is in my case for the user running the AD MA. I'm sure a lot of security officers will fall on that. If they only knew...
Great Work Soren.
I posted a question in the FIM 2010 forum; I would appreciate any help.
http://social.technet.microsoft.com/Forums/en-US/3bf23eb9-fc1f-4f56-85aa-0c730c019a6c/missinganchorvalue-error-using-powershell-ma-soren-granfeldt?forum=ilm2
Thanks in advance
Thanks Søren! I had trouble getting the MA to configure and realised you have to supply a value for the password script, even if you're not doing password synchronisation. Perhaps this should be optional?
Hi,
How can I do delta import for a Lync MA? The import is using get-aduser or get-csaduser as base for the objects population.
Please post any questions to the FIM2010 forum (https://social.technet.microsoft.com/Forums/en-US/home?forum=ilm2)