PowerShell Management Agent

THIS PAGE IS OBSOLETE - PLEASE VISIT https://github.com/sorengranfeldt/psma for latest version

The Granfeldt PowerShell Management Agent (MA) is a diverse MA for Forefront Identity Manager 2010 (FIM) R2. It can be used for many different purposes. Basically, any task that can be done in PowerShell can be triggered through this MA, making it very flexible and a regular hybrid.
It supports:
  • Full and delta import
  • Export and Full Export
  • Password Management (PCNS)

Ideas for usage

Home Directories - a typical purpose of this MA is creating and managing home directories and/or profile drives for users.

Lync - this MA has been used for managing Lync-specific details for users. By importing Lync modules and running the appropriate cmdlets, you can use this MA for Lync enabling/disabling.

SQL Delta import - by using a timestamp column in a clever way, you can do delta imports from SQL server tables with this MA. Sample scripts for a small SQL user database with some sample property calculations can be found in the download section.

OpenLDAP - this MA has been used to replace the old OpenLDAP XMA.

Office 365 - this MA is also frequently used for managing users in Office 365 and you can find a link for sample scripts for doing this in the download section.

Dynamics AX 2012 - this MA has been used for managing users and roles in Dynamics AX 2012.

Human Resource (HR) data - this MA has been used to read oddly formatted files and clean up data coming from various HR systems. Using PowerShell to read the file, and perhaps enrich or filter it, allows you to pass cleaner data to FIM.

TCP/IP (DHCP leases) - this MA has been used for importing DHCP lease information from DHCP servers in order to create computer accounts for use with WPA authentication.

Password Management - this MA supports password management (PCNS) and will allow for a script to be run for password changes using Password Change Notification Services.
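The timestamp-column approach mentioned under SQL Delta import can be sketched as a watermark comparison. This is an added example, not one of the MA's sample scripts; the column names (`RowVer`, `IsDeleted`), the hashtable keys and the state file are assumptions, and how objects are handed back to the MA is not shown on this page.

```powershell
# Added example, not from the MA's sample scripts. Column and key names are assumptions.
# In a real query the SQL Server timestamp (rowversion) column is binary(8);
# CAST(RowVer AS bigint) in the SELECT makes it comparable as a number.
function Get-DeltaRows {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows,
        [Parameter(Mandatory)] [uint64] $Watermark   # highest RowVer read by the previous run
    )
    # Strictly greater than the watermark, so rows already read are not returned again.
    $changed = @($Rows | Where-Object { $_.RowVer -gt $Watermark } | Sort-Object RowVer)

    $objects = @(foreach ($row in $changed) {
        # A timestamp column cannot show hard deletes; a soft-delete flag is assumed.
        $changeType = if ($row.IsDeleted) { 'Delete' } else { 'Replace' }
        @{ AccountName = $row.AccountName; DisplayName = $row.DisplayName; ChangeType = $changeType }
    })

    # Advance only to the highest value actually read, never to "now".
    $next = if ($changed.Count -gt 0) { [uint64]$changed[-1].RowVer } else { $Watermark }
    [pscustomobject]@{ Objects = $objects; NextWatermark = $next }
}

# Constructed sample rows standing in for the query result.
$rows = @(
    [pscustomobject]@{ AccountName = 'alice'; DisplayName = 'Alice A'; IsDeleted = $false; RowVer = [uint64]2001 }
    [pscustomobject]@{ AccountName = 'bob';   DisplayName = 'Bob B';   IsDeleted = $true;  RowVer = [uint64]2007 }
    [pscustomobject]@{ AccountName = 'carol'; DisplayName = 'Carol C'; IsDeleted = $false; RowVer = [uint64]2004 }
)

# Hypothetical state file holding the watermark between runs.
$stateFile = Join-Path ([IO.Path]::GetTempPath()) 'delta-watermark.txt'
$last = if (Test-Path $stateFile) { [uint64](Get-Content $stateFile -TotalCount 1) } else { [uint64]0 }

$delta = Get-DeltaRows -Rows $rows -Watermark $last
$delta.Objects | ForEach-Object { '{0,-8} {1}' -f $_.ChangeType, $_.AccountName }

# Persist the new watermark only after the objects were handed over successfully,
# so a failed run is repeated rather than silently skipped.
Set-Content -Path $stateFile -Value $delta.NextWatermark
```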

Video introduction to the MA

You can get a technical introduction to the MA through the presentation from the July 2013 FIM Team meeting.

More information

This is a free product, but with more than 500 installations of it worldwide, I cannot offer free support. Please post support questions in the FIM2010 forum where I answer questions from time to time and where users of this MA can help.


Per Østergaard said...

Nice work, Søren!

Søren Granfeldt said...

Thank you very much. This MA is very popular with more than 250+ downloads as we speak...

Unknown said...

Søren, this management agent works very nice, 1 question, I only want to execute the script when 'adding' a new CS object. When doing a full deprovisioning I see the CS object marked as delete, and eventually gets deleted. However, the object is still in the CS, no longer a connector and the type is changed to placeholder, but it is still there.

How to entirely delete the object without, because when provisioning again it fails because the anchor being used is the same, I was hoping this is taken care of in ECMA2 without building a confirming 'delete' import.

Søren Granfeldt said...

Thank you, Paul.

In the current version, you do need to do a confirming 'delete' import to have the placeholder go away as the MA is configured with normal object confirming setting. I'll consider making this optional in next versions.

Unknown said...

Hi Søren,

Ok that explains the reason, it would help if you can configure the behavior in a next version, so you can easily configure a one time only PS command (for whatever reason that is of course :)) without any hassle writing information back to a csv file to confirm this delete.

Unknown said...

Nicely done. Very thankful.

Unknown said...

Does anyone create sample script to OpenLDAP (import and export)?
I need to provision users and groups.

Søren Granfeldt said...

Hi, Alex

Kent Nordstrom did some sample scripts for OpenLDAP and this MA - check out http://blog.konab.com/2013/02/replacing-openldap-ma-with-ps-ma/

Unknown said...

Thank you.
I am not familiar with PowerShell syntax.
I try to personalize the import script but get a "stopped-extensible-extension-error" in FIM synchronization service without details.
How can I set a debug mode?

Søren Granfeldt said...

Hi, Alex

I'm sorry, but I don't offer free support. I suggest that you take your questions to the FIM 2010 Forum, which I visit from time-to-time but others can help as well.


Unknown said...

Hi Soren,

You mention "modifying the schema discovery file" before configuring the MA - can you explain this a little more, I'm prompted for a schema script and do not know how to proceed.


Søren Granfeldt said...

I don't offer free support. Please take your questions to the FIM 2010 forum. http://social.technet.microsoft.com/Forums/en-US/ilm2/threads

Phil B. said...

Have you ever attempted to utilize a constructed anchor for this PS MA?

Søren Granfeldt said...

Could you give a sample of what you're trying to do? The MA does not support a datasource-created anchor in the current version. If enough demand, it may go into next version which is due just after summer.

soma.articles said...

Great post. Thanks a lot for your kind sharing.


Yavuz Demir said...

That's what I'm looking for!

Thanks Soren.

Anonymous said...

Nice work!
After months of research it seems that we have a winner ;-)
However, can you confirm that current version supports multivalue attributes?

I mean it seems like multivalue attribute's attribute changes couldn't find their way to PS?

Søren Granfeldt said...

Thanks, Janne.

It does indeed support multivalues; I use this all the time.

Anonymous said...

In export, we get all attribute values right (no matter if it's multivalue or not) in PS, but couldn't find ModificationType or similar in those attributes?
I would really appreciate if you could share the name of that method?

Søren Granfeldt said...

Dear, Janne

Please take any support question to the FIM 2010 forum (http://social.technet.microsoft.com/Forums/en-US/home?category=identitymanagement&filter=unanswered&sort=lastpostdesc)

There is no free support from this blog.

Thank you.

Unknown said...

Great stuff. And I ask myself, what are the pros and cons of running PowerShell scripts in MA instead of running the same scripts from a PowerShell Activity in the portal/service?

Søren Granfeldt said...

Ongoing discussion; if you want state-based and confirmed actions, go with MAs - else you could be okay with workflows.

Unknown said...

Hello, during testing I discovered I can let the import or export script read and report the password used during the MA setup in clear text. This password is in my case for the user running the AD MA. I'm sure a lot of security officers will fall on that. If they only knew...

Unknown said...

Great Work Soren.

I posted a question in the FIM 2010 forum, I would appreciate any help.


in advance

Jay Van Der Zant said...

Thanks Søren! I had trouble getting the MA to configure and realised you have to supply a value for the password script, even if you're not doing password synchronisation. Perhaps this should be optional?

Unknown said...

How can I do delta import for a Lync MA? The import is using get-aduser or get-csaduser as base for the objects population.

Søren Granfeldt said...

Please post any questions to the FIM2010 forum (https://social.technet.microsoft.com/Forums/en-US/home?forum=ilm2)