I have implemented PAM 2016 in our test & development environment. My PRIV forest is a 2016 domain Level, and my "CORP" forest is a 2012 domain level. The "CORP" forest has Win 2016 based domain controllers (but as stated, is at a 2012 domain level).

According to KB3155495 I should be able to add the "PRIV" base security group in the CORP domain to the Domain Admins group. This is not happening. The forest trust still disables nesting external security groups in "special groups" (i.e.: Domain admins, etc...).

The "trustAttributes" on the TRUST indicates 0x448, which should be TAPT, TATE, PIM-TRUST. Reading the description on these attributes in 6.1.6.7.9 trustAttributes, seems to say that Sid Filtering is used, but even if I enable SID filtering on the Trust, it's a no go. In fact with SID filtering enabled the shadow group obtains even less group membership.

Is there any other setting that needs to be made to accomplish having PAM place shadow groups in the CORP domain admin group?

I seem to be unable to utilize servicemanager.exe from the PAM runas and obtain the "pass through" permissions.

Example- I Activate my PRIV access. The PAM role activated has "local admin" privileges to a set of servers. On my PAW server I start servermanager.exe from a powershell window that was opened via runas using the PRIV credentials, Server Manager starts fine. I attempt to use the Event Viewer from the Server Manager tools, and connect to a server that I should have local admin rights I get read access failures.

Contrast- If I start MMC from the same powershell (via runas PRIV credentials), I'm able to add the Event viewer snap-in and successfully connect to the server in question.

Hello!

I'm looking how I can track changes history in MIM. We decided to send email notifications andout what was changed.

Yes, I know about SCSM, but looking for more simple solution.

So, which notifications are needed:

1.Change in HR DB attribute from 1 to 0 -> generate email to user or user's manager about this change. I think that I can use set and workflow for this, but can't buid a logics fot it.

2. Change in users name/surname  -> generate email to user or user's manager about this change. How it can be done?

3. Information letter to administrator about changes, what happened in AD to user account (change of all attributes, like displayName, first name and so on).

Thanks!

1

Hello,

has anyone tried to modify the Request RCDC to display the changes of the aggregated msidmCompositeType values ?

I've tried some things, but currently I am not an expert in xslt.

I think of some extra tab using the uocHtmlSummary control with an xslt to display the following columns:
(like the original RequestDetails with one extra columns)

TargetObject , ChangedAttribute , Operation , Type , Value

Is that possible, as this would be nice to have when checking what was changes in this batch operations ?

Regards
Peter

Peter Stapf - Doeres AG - My blog:JustIDM.wordpress.com

Hi,

 We want to deploy MIM 2016 into an existing AD environment just for SSPR to begin with. I'm thinking of a simple AD MA and FIM MA with sync rules configured in the classic style. 

 Further down the line, we need to deploy starters, movers and leavers. I can't see this being an issue, but thought I'd ask if I only use SSPR to begin with, is there anything that I need to be aware of? In other words, if I roll out SSPR, will implementing a full functioning account provisioning and deprovisioning scenario cause an issue?

Thanks

Hi

Any one who now where i can find who approved a PAM request.

i can find the request but not the approval.

Anders

Time for a fresh start!

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.

Thanks,

If my reply is helpful please mark as Answer or vote asHelpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Hello,

I want to customize RCDC to set the length of an attribute in the range of 6-30. I could set the MaxLength as following:

<my:Control my:Name="Alias" my:TypeName="UocTextBox" my:Caption="{Binding Source=schema, Path=MailNickname.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=MailNickname}">
        <my:Properties>
          <my:Property my:Name="Required" my:Value="true"/>
          <my:Property my:Name="HintPath" my:Value="Hint"/>
          <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=MailNickname, Mode=TwoWay}"/>
          <my:Property my:Name="MaxLength" my:Value="30"/>
          <my:Property my:Name="RegularExpression" my:Value="{Binding Source=schema, Path=MailNickname.StringRegex}"/>
        </my:Properties>
      </my:Control>

How do I set the minimum length and show error when less than 6 characters are entered?

Hello Everyone,

I am experiencing an issue with the MIM Reporting failing on the Initial Sync. Both times I have experienced the issue has been with the MIM 2016 SP1 install media. SCSM Service manager is on a separate server with SQL and SCSM DW is on a separate server with SQL. I first complete the SCSM 2012 Service Manager and Data Warehouse installation, register the Data Warehouse and confirm the initial MPSync job finishes with all Management Packs imported/associated. Then I run the MIM 2016 SP1 Reporting installation and confirm the MIM Management Packs are all imported/associated and showing up in Reports in the SCSM console. Then I run the FIMPostInstallScriptsForDataWarehouse.ps1 script which completes successfully. When I run theStart-FIMReportingInitialSync.ps1 script and check the Reporting Job in the MIM Portal, it fails immediately and produces the below errors.

Firewall is off between the servers as well. Has anyone seen this issue before and have a solution?

Reporting Job Details: 

ObjectTypeName: Person,

AttributeName: ObjectType,

RequestIdentifier: 00000000-0000-0000-0000-000000000000,

ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4,

Value: Person,

DataType: String,

MultiValue: False,

Added: True,

SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>,

EventTime: 12/05/2016 19:38:27

Event Viewer:(Three errors connected to the issue)

Error
12/5/2016 11:38:17 AM
Microsoft.ResourceManagement.ServiceHealthSource
68 None

"The FIM Reporting ETL job failed while making a call to the System Center Service Manager Management Server SDK service.  This could be caused by a network or service interruption which is preventing communication between the FIM Service and the System Center Service Manager SDK Service, or by an internal error within System Center.

To fix this issue, ensure that there are no firewalls or network connectivity issues which may be preventing communication between these two services. Also ensure that the System Center Management and System Center Data Access services are running on the System Center Service Manager Management Server.

If you encounter this error after running your first ETL job, ensure that you have installed the FIM Reporting support scripts on your Data Warehouse machine.  You can find these scripts in the Service and Portal folder of your FIM media.

For more information about this error, view the most recent reporting job in the FIM Portal and look for any exceptions which may have occurred.
"

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

Reporting Job Manager: Reporting job halted due to error.

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

ObjectTypeName: Person, AttributeName: ObjectType, RequestIdentifier: 00000000-0000-0000-0000-000000000000, ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4, Value: Person, DataType: String,

MultiValue: False, Added: True, SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>, EventTime: 12/05/2016 19:38:27 ---> System.InvalidOperationException: Cannot find management pack with identity Microsoft.Forefront.IdentityManager.Datawarehouse.Base
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseManagementPackManager.GetManagementPack(String managementPackKey)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(Guid objectIdentifier, String classType, String managementPackIdentity)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(DataWarehouseClassMapping mapping)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseProvider.ProcessBatch(List`1 batch)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExecuteBatchOfExtractTransformLoad(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExportData(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.RefreshSchema()
   at Microsoft.ResourceManagement.Reporting.JobManager.Run()

Hello,

I'm trialling the use of Exchange Online for MIM SP1's 'FIM Service' to send/receive email to a mailbox located in Exchange Online.  A few questions as there doesn't appear to be any documentation on this yet.

1. Can you use a Exchange Online Shared Mailbox instead of an individual mailbox to avoid an Office 365 license?

2. If it's an 'individual' mailbox (ie. attached to an AD user account) and not a shared mailbox, does this incur an O365 license charge from Microsoft?

3. If it's an individual mailbox, does this mailbox have to be 'attached' to the MIM Service ('FIM Service') service account?  Or can it be any AD user sync'd to O365 with a mailbox?

4. Is the only way to change the password to this O365 account is to do a 'change' installation on the MIM Portal and Service MSI installation?

Thanks

Michael

Kloud Solutions

I'm looking to implement the MIM 2016 Synchronization Service to Sync GAL's.  I pre-created the accounts listed in the official setup documentation as well as groups, but is there any info out there that details what each of these do?

Along those lines, I'm going to be using a remote SQL server, but my Database Team wants to know what account needs permissions to create the database.  My guess would be the SQLServer account I created, but I'm installing with my Domain Admin account on the actual server.  Any insight would be greatly appreciated.

Hi,

 We're about to deploy MIM 2016. My DBA wants a single SQL cluster to host the MIM sync, MIM service and SharePoint DB all within the same instance using different DB names. I'm not a big fan of this as I suspect the sync and service account permissions will get more privileges than needed, in addition I suspect there'll be issues with SQL agent jobs needing to renamed and other issues.

Has anyone installed all the MIM DBs into a single instance and is it supported?

In addition, we're looking at using the MIM SSPR plugin, if I use a DNS alias, is there any configuration in the client addin which communicates directly with the SQL DBs? I believe not as the client (I think) talks directly to the MIM service.

Thanks in advance

I have a couple of Microsoft Powershell MAs in a customers FIM solution using a SQL source. I needed to add an extra data attribute to the SQL data which I did in the SQL script and then added the attribute to the schema script area of the MA

$SchemaType | Add-FIMSchemaAttribute -Name 'NewAttribute1' -DataType 'Int' -SupportedOperation -ImportOnly

After saving the change I did a Refresh Schema on the MA and then check the Select Attributes (Show All) but no new attribute is shown

Any suggestions as to why

I know not traditional that using on-premise active directory (Local AD) for public services, but I don't have alternative that has AD's features. For example many software that integrated with AD.

I want know active directory is good choice for using as authentication/authorization/account solution in a website? (For public services)

Note: I don't give permission to public users that they can access directly to AD. It is possible use the ADFS between AD and public users.

Hi everyone, 

I have a MIM 2016 SP1 environment,

<gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="46acecb9-2169-466f-98bf-9522b330b556" id="c43d898f-e6bc-4a90-946d-1da7d33bb8d2">i</gs> am able to login only when <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="46acecb9-2169-466f-98bf-9522b330b556" id="cd249052-e688-4594-998f-b0c233ddcc5c">i</gs> hit the<gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="46acecb9-2169-466f-98bf-9522b330b556" id="c6dc59fa-3bc4-4c83-a0bf-52b22a68ba06">fqdn</gs>  of the MIM portal machine

<gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="df631503-c6b3-426b-8ad5-e6eabf455ba8" id="aae998a7-8222-4646-a1fc-a391c3e341e8">if</gs> <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="df631503-c6b3-426b-8ad5-e6eabf455ba8" id="340cd99e-a991-4672-a414-2d2d5449e5ee">i</gs> try to login with another <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="df631503-c6b3-426b-8ad5-e6eabf455ba8" id="9176a0d3-c36b-4ba5-a9f0-0447633b5512"><gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="df631503-c6b3-426b-8ad5-e6eabf455ba8" id="8c06c3eb-fb68-419d-9f46-6a304e557594">dns</gs></gs>  name it pops for authentication in <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="df631503-c6b3-426b-8ad5-e6eabf455ba8" id="b546d853-8663-4303-a568-9ba774c034b6">loop</gs>

How do I tackle the problem? 

#2 

<gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="60cf695f-3c70-4e7d-8acb-05334954472b" id="f8270842-d08d-428e-bac4-bd89d7ffd23e">how</gs> do <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="60cf695f-3c70-4e7d-8acb-05334954472b" id="fa01e0bd-2c57-48a0-9da9-cb87a661a1d4">i</gs> configure the "my security group membership" 

<gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="3d9e6478-96a4-407d-b32c-1b2c315fda7f" id="37817733-d7ac-4d86-9ecc-713690d9efce">its</gs> empty if <gs class="GINGER_SOFTWARE_mark" ginger_software_uiphraseguid="3d9e6478-96a4-407d-b32c-1b2c315fda7f" id="8174e6a3-113c-474e-b4a1-c7b1d8f38081">i</gs> click on it.

Thanks

Igor

Hi,

In our development environment, password resets have stopped working.

The log file says that the "Password Reset Activity could not find Mv record for user."

Searching based on that error, I checked all the WMI configurations and ran WBEMTEST wit the FIM Service account.

The query returns no results with I search with this:

"SELECT * FROM MIIS_CSObject WHERE (Domain='Dev' and Account='JonesD')"

But I get three results when I search with this:

"SELECT * FROM MIIS_CSObject WHERE mvguid='{1DA04649-18AA-BD1B-005056A30072}'"

The account his the account name and domain populated in the metaverse.

If anyone has any guidance on this, I'd appreciate any help.

Many thanks,

Sami

EDIT: I should mention that I also checked for the following:

- the ADMA account name is not more than 16 characters

- I've refreshed the schema on the ADMA

- when I do a query with the mvguid, the ADMA connector has the domain and account attributes

I have run into a very strange issue that I am uncertain how to fix.

I have one 2008 R2 server running SQL 2008 R2/FIM Service/FIM Sync Service.  One 2008 R2 server running the pwdreg/pwdreset portals.

I have 19 MAs, one for the FIMMA and one for each domain in the forest for the static 'domain' attribute.  Everything works as expected.  The users are imported into the MV and then into FIM from the ADMAs.  All users can register with the registration portal.  Only two domains are immediately able to use the reset portal.  All of the other users in the other 16 domains receive an error for which the event logs states 'Password Reset Activity could not find Mv record for user'.  I have verified the users with this issue are in the MV, all attributes flowed correctly. 

Here comes the strange part.  Once I log into the FIM portal as that user, they are then able to reset their password.  We have thousands of users with new student accounts added almost daily.  It is not possible to each morning log in using their default passwords into the portal just so they can then register/reset their own passwords later.  Again, this does not happen for two of the domains.  All delegated permissions are the same across the board as noted by the successful pwd reset after the account has logged into the FIM portal. 

What could possibly be causing this?