Configuring the PowerShell Management Agent


The Management Agent (MA) is built on the Extensible Connectivity 2.0 Management Agent Framework (ECMA 2.0) provided as part of the Forefront Identity Manager 2010/R2.

It is an import/export MA: an import script is run to collect objects, and an export script is run for each Connector Space (CS) object of the MA. The names of the PowerShell scripts are defined in the global parameter section of the MA configuration (see below).

The MA is state-based, meaning that you should run imports to confirm exports.
It uses three different PowerShell scripts (besides a schema script). All scripts must be located in a directory on the FIM Synchronization Service server and should be placed in paths without spaces.

Security context and credentials

The MA supports two sets of credentials (both optional). One set is passed to all the scripts (no change from earlier versions); the other set is used as the security context under which all scripts are run. This presents you with some useful options for mixing and matching credentials so that scripts work under the correct credentials.

All scripts are executed in the security context of the FIM Synchronization Service account if you do not specify impersonation credentials. Otherwise, scripts are run in the context of the user specified under the Impersonation credentials. The account that runs the scripts must be entitled to read the script file location and to execute PowerShell scripts.

It is also recommended to specify a full path to each of the scripts. If you don't specify a path, C:\%SystemRoot%\System32 will be assumed (not desirable).
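As an added pre-flight check (not part of the MA or its sample scripts), the function below validates the script paths you intend to enter in the MA's global parameters against the requirements above: a full (rooted) path, no spaces, the file exists, and the account the scripts will run under (the Sync Service account, or the impersonation account if set) has Read access. The account name and the file paths are placeholders.

```powershell
# Constructed check: validates MA script paths before they are configured.
function Test-PSMAScriptPath {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$RunAsAccount   # placeholder, e.g. 'DOMAIN\svc-fimsync'
    )
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($p in $Path) {
        $problems = @()
        if (-not [System.IO.Path]::IsPathRooted($p)) {
            $problems += 'not a full path (System32 would be assumed)'
        }
        if ($p -match '\s') { $problems += 'path contains whitespace' }
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            $problems += 'file not found'
        } else {
            # Look for an explicit Allow ACE that grants at least Read to the run-as account.
            # Access inherited via group membership is not resolved here; treat a miss as a prompt to check.
            $acl = Get-Acl -LiteralPath $p
            $canRead = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $RunAsAccount -and
                (($_.FileSystemRights -band $read) -eq $read)
            }
            if (-not $canRead) { $problems += "no explicit Read ACE for $RunAsAccount (check group membership)" }
        }
        [pscustomobject]@{ Path = $p; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
    }
}

# The host must also allow script execution for the account that runs the MA scripts.
Get-ExecutionPolicy -List

# Placeholder paths for the schema, import and export scripts.
Test-PSMAScriptPath -RunAsAccount 'DOMAIN\svc-fimsync' -Path @(
    'C:\PSMA\Schema.ps1', 'C:\PSMA\Import.ps1', 'C:\PSMA\Export.ps1'
) | Format-Table -AutoSize
```

Run it as an administrator on the FIM Synchronization Service server; any row with Ok set to False names the requirement the path fails.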

You should have a fair amount of experience with PowerShell to write solid scripts that will work with this MA. In the download section, you'll find sample scripts to help you on your way.


Provisioning to the MA can be done through traditional provisioning code or through Synchronization Rules. It is up to the user of the MA to specify the anchor attribute value. The MA also supports data-source-constructed anchors. You can find more on specifying anchor values in the import and schema documentation.

Initial attribute flow

There are no requirements for initial flow attributes other than populating the DN or anchor attribute (specified in the schema). However, you should of course consider requirements for initial values for the system that you are managing through the scripts.

Normal attribute flow

You can flow any available attribute from the metaverse to the connector space (even multi-valued attributes) and they are all discoverable through the objects passed in the pipeline to the export script.
