Channel: Forum Microsoft Identity Manager
Viewing all 6944 articles

Password Sync to target domain fails after a couple of hours

Hi All,

We're running into issues attempting to sync passwords between two domains that appear to be related to a Kerberos timeout following a FIM 2010 to MIM 2016 upgrade.

We manage the domain in which MIM 2016 is configured (CORP) and have an MA configured for the domain (EXT) we're pushing passwords to, and everything works perfectly well for a couple of hours, then it begins to fail. Originally the issue was reported as being intermittent, but after some investigation I've found the following:

After providing credentials for the service account (selecting "Connect to Active Directory Forest", or selecting "Containers" from within "Configure Directory Partitions"), password sync begins to work immediately.
Testing password resets through the day works without issue.
Testing the following morning fails to reset the password on the target domain.
Providing credentials again resolves the issue immediately.

Each time I provide the credentials in the MIM console the following 2 events are logged on the server (CORP):

Security-Kerberos
Error code: 0x20 KRB_AP_ERR_TKT_EXPIRED
Extended Error: "0xc0000133 KLIN(0)"
Server Realm: EXT.FQDN

Security-Kerberos
A Kerberos error message was received on logon session CORP.FQDN\SVC_FIMSync
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Server Realm: EXT.FQDN

I'm aware the first error indicates a potential issue with time sync between the two domains, but we've had a look at this and results show a difference of +/- 00.000xxxx, so I don't believe this is the cause.

Has anyone ever come across a similar issue? 

Any help is appreciated.
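An added check for the symptoms described in the post above; this is not code from the original post. It pulls the Security-Kerberos events from the System log on the MIM sync server, keeps only those that name the EXT realm with one of the two quoted error codes, and measures the clock offset to an EXT domain controller with w32tm. The DC name, the realm string and the 24-hour window are placeholder assumptions.

```powershell
# Added check, not code from the original post: list the Security-Kerberos
# errors for the target realm and measure clock offset to one of its DCs.
# Assumptions: run on the MIM sync server; $TargetDc is a placeholder for an
# EXT domain controller; the realm string is the one quoted in the events.
param(
    [string] $TargetDc    = 'dc01.ext.fqdn',
    [string] $ServerRealm = 'EXT.FQDN',
    [int]    $Hours       = 24
)

# The Kerberos client logs these events to the System log under this provider.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$codes = @{
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'       # ticket presented after its end time
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'     # normal first-leg KDC response, benign on its own
}

$hits = foreach ($e in $events) {
    $msg = [string]$e.Message
    if ($msg -notmatch [regex]::Escape($ServerRealm)) { continue }
    # First two-digit code in the text; the longer extended error (0xc0000133) is skipped by \b.
    $code = [regex]::Match($msg, '0x[0-9A-Fa-f]{2}\b').Value.ToLower()
    if ($codes.ContainsKey($code)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Code    = $code
            Meaning = $codes[$code]
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# Offset to the other forest as measured from this host. w32tm prints one line per
# sample; the offset is the trailing "+00.0012345s" field. Kerberos tolerates 5 minutes
# of skew by default, so a sub-second result rules out skew as the cause.
$samples = w32tm /stripchart /computer:$TargetDc /samples:5 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if ($offsets) {
    $m = $offsets | Measure-Object -Minimum -Maximum
    '{0}: offset min {1}s max {2}s over {3} samples' -f $TargetDc, $m.Minimum, $m.Maximum, $m.Count
} else {
    "No samples from $TargetDc (check NTP reachability on UDP 123)"
}
```

The 0x19 entries are expected whenever a fresh TGT is requested and are not a fault by themselves; the 0x20 entries timed against the working/failing window are the ones to correlate with the credential re-entry.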

Maximum number of additions to a multi-value attribute in one request

Just curious, is there a maximum number of adds to a multivalue attribute in a single request in the MIM Portal? Like for the Add Member for a Security Group, how many users can I add to that box in one request? Is there a max or is unlimited?

Oracle MA throwing an error with Schema mismatch for specific tables.


I have configured the OOB Oracle MA to connect to a database. The MA is working fine for other tables except for one, where it fails with a "Connection Schema out of date" error when importing/exporting.

I have tried doing schema refresh. Didn't work.

I also tried creating a new MA altogether. Didn't work.

Has anyone faced this issue?


Thanks and Regards, Siva Kumar Balaguru

MIM 2016 SP2 4.6.258.0 and deadlock issues on portal export


I am aware that there is a hotfix 4.5.286.0 that fixes deadlock issues. However, I am already on 4.6.258.0. As a matter of fact, this is a fresh install of MIM 2016 SP2 4.6.34.0 and hotfix 4.6.258.0.

The deadlock error is as follows:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 1205, Level 13, State 51, Procedure fim.CalculateRequestSetTransitionsStatementEvaluation, Line 153, Message: Transaction (Process ID 95) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

As of right now, I have not added any Sets, Workflows or MPRs, other than a few MPRs that grant permissions. What I do have in the portal is more than 50,000 users and more than 3,000 criteria-based security groups.

I have also tweaked miiserver.exe.config and Microsoft.ResourceManagement.Service.exe.config.

<resourceSynchronizationClient asynchronous="true" aggregate="true" aggregationThreshold="8" delayUpdateAcknowledgements="true" exportRequestsInProcessMaximum="4"/>

<resourceManagementService externalHostName="mimtest.domain.org" maxSimultaneousSynchronizationRequests="2"/>

However, deadlock errors happen unless I disable asynchronous. SQL Server is version 14.0.3335.7, which is the latest available update for SQL Server 2017.

Please, does anybody have any idea why this is happening and how I can solve the problem?

"PWReset activity could not connect to the directory"


I ran into an issue changing passwords via SSPR. Everything else works fine.

The error in the web portal says:

"Error while attempting to reset password"

In Event Viewer on the server side, a bunch of errors show up:

Failure to connect to FIM Service
The web portal failed to connect to the FIM Service.

Ensure that (1) the FIM Service is running, (2) the FIM Service server address is correct in the web.config file on the web portal, and (3) that network connectivity is available between the web portal and the FIM Service over the designated port.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.ResetPassword(SecureString newPassword, ChallengeContext& gateChallengeResponse)

and also

PWReset Activity could not connect to the directory.

The only hint I got from searching is to check if:

Run this rules extension in a separate process is not checked --> YES

Enable password management is checked --> YES

My environment:

  • Microsoft Forefront Identity Manager 2010 R2
  • FIM Service and FIM portal run in the same server
  • Database is external server
  • All permissions have been granted; I even added all the MIM/FIM related accounts at domain admin level
  • Everything else running fine except the password reset portal

Not sure what caused it; it used to work in the past and no change has been made except Windows updates applied to the server OS (Windows Server 2012 R2).

Please advise...need this to work again

Automating Web login in domain/non-domain mixed environment


Hello There,

I have a technical issue and want to get your advice.

We have an IIS ASP.NET service (home developed) running on a domain-joined (Active Directory) PC.

And there is another web service (commercial program) running in the same machine.

Both web services are running under Default Web Site.

Version is 2019 Win Server Standard (1809 OS build 17763.107) + IIS (10.0.17763.1).

 

The ASP.net pages have an iframe box linking to one of the web pages from commercial program.

Users are coming from standalone or different domain computers.

For the full functionality, a two-step login process is required. The commercial web program operates based on domain users, whereas the first login (ASP.NET) is not bound to the domain. So users have to key in two different user/password pairs.

We want to automate the 2nd login process. Having the user/password information from the 1st login, we can map it to a predefined domain user and send the information before the 2nd login window comes up. Is it possible?

I googled to find some relevant information such as ISAPI, LDAP, request and cookies, POST, PhantomJS .. But I am not sure about how one of these can be utilized to achieve my goal.

Any comment on this issue would be appreciated.

Thank you in advance.

FIMMA Export Failing for ADD Users to MIM


Hi All,

I am getting a strange issue where users created in AD are failing to be created in the MIM Portal.

a- The user is created in AD and successfully gets into the ADMA connector space.

b- The user  also gets created with all the attributes in Metaverse.

c- On FIMMA export it fails with the following exception.
All MPRs are enabled, mandatory attributes have values, and read/write permissions on all attributes have been given.

On doing a commit preview for the following record I get the following errors.

The object type gets deleted automatically, which should be "Person" as is the case for existing users. It's not adding the value "Person" implicitly, and this is done automatically.

It deleted the FIMMA connector space automatically in the 3rd snapshot. The snapshots show the sequence of the commit preview for one of the records.

From The FIMMA export error for the record. Generic error

proxyAddresses with MIM and Azure AD Connect


Hello all,

I've been mulling over a solution for controlling secondary SMTP addresses for users that go through a name change in MIM. On a name change, I rebuild the proxyAddresses attribute, shuffling the former Primary SMTP address to the secondary, and setting the new Primary.

I'd like to accomplish two things:

  • Track users in a temporal set who have been given a secondary SMTP address, and remove it after X days to prevent mail delivery collisions (I am avoiding conflicts by checking proxyAddresses in my LDAP query where I build the unique values)
  • "Flow once" the proxyAddresses value out to AD, but not control the attribute moving forward - rather, let Azure AD Connect build the rest of the values based on the values flowed by MIM.

I'd love to hear what people think a graceful solution to this would be!
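An added example, not code from the original post, of the proxyAddresses rebuild the post describes: the old "SMTP:" primary is demoted to a "smtp:" secondary, the new primary is set, every other value (X500:, SIP:, existing secondaries) is kept, and duplicates are dropped case-insensitively. A second function expires a demoted secondary once it is older than a grace period, which is the logic a cleanup job or a MIM temporal set would apply. The sample addresses, the extensionAttribute used as a date stamp and the Set-ADUser write are assumptions for illustration.

```powershell
# Added example, not code from the original post. Pure functions first, then a
# constructed sample run. Assumed: extensionAttribute1 is free to hold the
# demotion date; the AD write is gated behind $ApplyToAd so the sample runs offline.

function Set-PrimarySmtp {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyAddresses,
        [Parameter(Mandatory)] [string]   $NewPrimary      # bare address, e.g. jane.doe@contoso.com
    )
    $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $result = [System.Collections.Generic.List[string]]::new()

    # Upper-case "SMTP:" marks the primary address; it goes first.
    [void]$seen.Add($NewPrimary)
    $result.Add("SMTP:$NewPrimary")

    foreach ($v in $ProxyAddresses) {
        if ($v -cmatch '^SMTP:(.+)$') {            # old primary (case-sensitive match)
            $addr = $Matches[1]                    # will be demoted
        } elseif ($v -match '^smtp:(.+)$') {       # any existing secondary
            $addr = $Matches[1]
        } else {                                   # X500:, SIP:, x400: pass through untouched
            if ($seen.Add($v)) { $result.Add($v) }
            continue
        }
        # Demote/keep as secondary; the set prevents listing the new primary twice.
        if ($seen.Add($addr)) { $result.Add("smtp:$addr") }
    }
    return ,$result.ToArray()
}

function Remove-ExpiredSecondary {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyAddresses,
        [Parameter(Mandatory)] [string]   $Secondary,    # bare address that was demoted
        [Parameter(Mandatory)] [datetime] $DemotedOn,
        [int] $GraceDays = 90
    )
    if ((Get-Date) -lt $DemotedOn.AddDays($GraceDays)) { return ,$ProxyAddresses }   # still in grace period
    # Drop only the lower-case secondary form; never touch the SMTP: primary.
    return ,@($ProxyAddresses | Where-Object {
        -not ($_ -cmatch '^smtp:' -and $_.Substring(5) -eq $Secondary)
    })
}

# Constructed sample: Jane Smith becomes Jane Doe.
$current = @(
    'SMTP:jane.smith@contoso.com',
    'smtp:jsmith@contoso.com',
    'SIP:jane.smith@contoso.com',
    'X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=1234abcd'
)
$new = Set-PrimarySmtp -ProxyAddresses $current -NewPrimary 'jane.doe@contoso.com'
$new

# Flow once: write the rebuilt list and stamp the demotion date so the cleanup
# (or a MIM temporal set keyed on the same date) can expire the old address.
$ApplyToAd = $false
if ($ApplyToAd) {
    Set-ADUser -Identity 'jdoe' -Replace @{
        proxyAddresses      = $new
        extensionAttribute1 = (Get-Date).ToString('o')
    }
}

# Later, from the cleanup job, 120 days after the demotion with a 90-day grace period:
$after = Remove-ExpiredSecondary -ProxyAddresses $new -Secondary 'jane.smith@contoso.com' `
                                 -DemotedOn (Get-Date).AddDays(-120) -GraceDays 90
$after
```

The cleanup deliberately matches only the lower-case "smtp:" form, so a value that has since been promoted back to "SMTP:" is never removed; the same guard is the one to keep if the removal is done by a MIM workflow instead.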


Unable to configure Password Write back in Azure AD Connect server


Team,

We followed the article below to configure password writeback in our environment, and it is failing with the errors below.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Error from Azure AD logs:

Failed to configure password write-back (True) for connector

Server detected an invalid configuration (Error HRESULT E_FAIL has been returned from a call to a COM component.). AAD Password reset configuration may be in an invalid state. Try removing the configuration.

Additional Info:

Using a cloud account; it has Global admin permission and has the required prerequisite license.

Any help would be appreciated.


Srinivasa K

Unable to create task schedule policy on 2016 server. MMC crashing again and again

Unable to create a task schedule policy on a 2016 server. MMC is crashing again and again.

Completing-Referential-updates 0% on Active Directory MA for 2 days...


Hi,

I have a FIM installation that seems stuck on "Completing-Referential-updates 0%" on the Active Directory MA for 2 days.

I tried restarting the FIM Service and rebooting the FIMSynchronizationService MSSQL DB. I tried rebuilding all indexes of all tables in the FIMSynchronizationService DB before restarting FIM, but it has been stuck again for 2 hours.

On the FIM server, CPU is at 25% for the FIM service (miiserver) with 4 GB of RAM. The server has 16 GB of RAM with 8 GB free...

The only attributes with references I have are group memberships. And I have a very large group: 10K users (of 100K users total). And I have another big group that has 10K groups as members. These two big groups are managed by FIM.

But I don't know if these two groups are the problem.

How could I investigate where FIM is wasting time?

What can I do to get out of this situation?

I had to stop the other synchronization tasks; otherwise they overlapped and failed on locks.

Any Ideas ?
Thanks in advance 

MIM Criteria-based Distribution and Security Group Export

Hi... What is the fastest way to export all criteria-based distribution and security groups and their criteria details from the MIM portal? I know that I can just export the groups from AD (since they are synced) via PowerShell, but what I need is the criteria of each group in MIM. Is that possible? Thanks in advance!
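An added example, not code from the original post, of pulling criteria-based groups and their membership filters out of the MIM Service with the FIMAutomation snap-in that ships with MIM. It assumes that criteria-based groups are the ones whose MembershipLocked attribute is true and that the XPath criteria is stored in the group's Filter attribute; the service URI and the CSV path are placeholders.

```powershell
# Added example, not code from the original post. Exports criteria-based groups
# and their membership filter from the MIM Service to CSV.
# Assumptions: run where the FIMAutomation snap-in is installed (the MIM Service
# server, or a box with the MIM PowerShell snap-in); criteria-based groups are
# identified by MembershipLocked = true and carry their XPath in Filter.
param(
    [string] $Uri    = 'http://localhost:5725',
    [string] $OutCsv = '.\criteria-groups.csv'
)
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Only groups whose membership is computed; covers both Security and Distribution types.
$xpath  = "/Group[MembershipLocked='true']"
$groups = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $xpath

function Get-Attr {
    param($ExportObject, [string] $Name)
    $a = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if (-not $a) { return $null }
    if ($a.IsMultiValue) { return ($a.Values -join ';') }
    return $a.Value
}

$rows = foreach ($g in $groups) {
    $filterXml = Get-Attr $g 'Filter'
    # Filter is stored as <Filter Dialect="...">XPath</Filter>; keep the XPath text only.
    $criteria = if ($filterXml) { ([xml]$filterXml).Filter.'#text' } else { $null }
    [pscustomobject]@{
        DisplayName = Get-Attr $g 'DisplayName'
        AccountName = Get-Attr $g 'AccountName'
        Type        = Get-Attr $g 'Type'        # Security or Distribution
        Scope       = Get-Attr $g 'Scope'       # Global, Universal or DomainLocal
        Criteria    = $criteria
        ObjectID    = $g.ResourceManagementObject.ObjectIdentifier
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
'{0} criteria-based group(s) written to {1}' -f @($rows).Count, $OutCsv
```

The Filter XPath often references other resources by ObjectID rather than display name, so keep the ObjectID column if the export is meant to be diffed or re-imported later.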

How to populate Description for MIM Portal requests


Hello ,

I have this request created by a workflow; I want to populate the request description. Please help!

FIM - Exchange Online - MA


Hi,

Any advice on available MAs for Exchange Online?

Samples for a custom one via powershell MA or other by the community would be great.

Many thanks,

JD


Self Service Password Reset portal and Password Reset Registration portal loading indefinitely


Dear all,
I'm having another issue again.
I get stuck on the loading screen after entering a username on both my SSPR and registration portals.

I don't understand what's happening; it was working in the morning, then in the afternoon it broke by itself. No one made changes to any FIM/MIM components (sorry if I sound very non-technical, but it is literally what's happening).

I don't see any error message; I'm completely blind and don't know what's happening. All I know is that if I enable debugging in the browser, I get this error message in the developer console:

SCRIPT5022: Sys.WebForms.PageRequestManagerTimeoutException: The server request timed out.

Similar error also appears in the FIM log in event viewer:

The error page was displayed to the user.
Details:
Title: 
ErrorMessage: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source: 
Attributes: 
Details: System.Web.HttpException: Request timed out.
CorrelationId: 
RequestId: 
ErrorCode: 3000
CaughtTime: 08/25/2020 10:00:26
Web Portal: FIM Password Reset Portal
Session Id: pbvjdxxxxxxxxxxx5
IP Address: 10.x.x.x

I did search for that error message and found nothing that I can relate to.

I don't want to reinstall the SSPR extension if possible. Kindly advise what I can check.

Environment:

  • Windows Server 2012 R2
  • FIM service + FIM portal + registration portal + SSPR portal + MIM sync service installed on the same server
  • External database SQL 2014

Accessing MIM Portal - Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.


Hi,

I have completed the MIM Synchronization, Service and Portal installation, but when I try to access the Portal I get the error below. I managed to get the detailed error by modifying the web.config file. Before modifying the web.config file I used to get "Unable to process your request, please contact Administrator".

I am accessing the Portal with same account with which I performed the installation. The MIM Sync, MIM Service services are up and running.

I have installed as below,

MS-SQL Server, MIM Synchronization Service, MIM Service on one server. 

Sharepoint Server 2019, MIM Portal on another server.

I have created alternate access for the warnings that were appearing in the event logs; a screenshot of the same is below.

Appreciate if anyone can help me fix the issue.

Server Error in '/' Application.

Object reference not set to an instance of an object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key) +262
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.RetrieveFromCache(UserNonSharedKey key) +25
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache() +96
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +86
   Microsoft.SharePoint.WebControls.AspMenu.GetEditableSiteMapProvider(SiteMapDataSource dataSource) +43
   Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth() +54
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +46
   System.Web.UI.Control.PreRenderRecursiveInternal() +178
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Control.PreRenderRecursiveInternal() +275
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6880

WARNING from Event Viewer, as below

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 8/26/2020 5:38:39 AM 
Event time (UTC): 8/26/2020 10:38:39 AM 
Event ID: 490ecfe86fc049429f7923e7178176c8 
Event sequence: 5 
Event occurrence: 1 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1695729506/ROOT-1-132429118956661994 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\ 
    Machine name: AZ-WS-DE-MIM001 
 
Process information: 
    Process ID: 7436 
    Process name: w3wp.exe 
    Account name: DEVBGSW\SVC_MIMDEVSP 
 
Exception information: 
    Exception type: NullReferenceException 
    Exception message: Object reference not set to an instance of an object.
   at Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key)
   at Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.RetrieveFromCache(UserNonSharedKey key)
   at Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache()
   at Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap()
   at Microsoft.SharePoint.WebControls.AspMenu.GetEditableSiteMapProvider(SiteMapDataSource dataSource)
   at Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth()
   at Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e)
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 
 
Request information: 
    Request URL: http://localhost/IdentityManagement/default.aspx 
    Request path: /IdentityManagement/default.aspx 
    User host address: ::1 
    User: DEVBGSW\SVC_MIMDEVADM 
    Is authenticated: True 
    Authentication Type: Negotiate 
    Thread account name: DEVBGSW\SVC_MIMDEVSP 
 
Thread information: 
    Thread ID: 16 
    Thread account name: DEVBGSW\SVC_MIMDEVSP 
    Is impersonating: False 
    Stack trace:    at Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key)
   at Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.RetrieveFromCache(UserNonSharedKey key)
   at Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache()
   at Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap()
   at Microsoft.SharePoint.WebControls.AspMenu.GetEditableSiteMapProvider(SiteMapDataSource dataSource)
   at Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth()
   at Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e)
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
Custom event details: 


Regards, Chandan


How to log MA export errors


I've enabled logging on an AD MA and it logs the adds, updates etc fine but it doesn't log the actual errors from AD such as constraint-violation. They're only visible in the Operations tab. Is there any way to get the MA to log the errors coming back from the connected data source?
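An added example, not code from the original post, that reads the per-object export errors the Operations tab shows out of the sync engine's WMI run history so they can be appended to a log file (or shipped to a SIEM) after each run. It assumes it runs on the sync server under an account in the MIM Sync admins or operators group, that the MA display name is a placeholder, and that the run-history XML uses the element names export-error, error-type and cd-error/error-literal, which should be checked against one real run before relying on the parser.

```powershell
# Added example, not code from the original post. Pulls export errors for the
# latest run of an MA from the sync engine's WMI run history and logs them.
# Assumptions: $MaName is a placeholder; element names in the run-history XML
# (export-error, error-type, cd-error/error-literal) are as I know them.
param(
    [string] $MaName  = 'AD MA',
    [string] $LogPath = '.\ma-export-errors.log'
)
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Most recent run for this MA; RunStartTime is a WMI datetime string and sorts lexically.
$run = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$MaName'" |
       Sort-Object RunStartTime -Descending | Select-Object -First 1
if (-not $run) { throw "No run history found for MA '$MaName'" }

$runStart = [System.Management.ManagementDateTimeConverter]::ToDateTime($run.RunStartTime)
[xml]$details = $run.RunDetails().ReturnValue

# local-name() keeps the XPath working whether or not the XML carries a default namespace.
$errors = foreach ($e in $details.SelectNodes("//*[local-name()='export-error']")) {
    $type = $e.SelectSingleNode("*[local-name()='error-type']")
    $lit  = $e.SelectSingleNode("*[local-name()='cd-error']/*[local-name()='error-literal']")
    [pscustomobject]@{
        RunStart  = $runStart
        RunNumber = $run.RunNumber
        Profile   = $run.RunProfile
        Dn        = $e.GetAttribute('dn')
        ErrorType = if ($type) { $type.InnerText } else { '' }   # e.g. constraint-violation
        Detail    = if ($lit)  { $lit.InnerText  } else { '' }   # what the connected directory said
    }
}

foreach ($err in $errors) {
    '{0:u} ma="{1}" run={2} profile="{3}" dn="{4}" type={5} detail="{6}"' -f `
        $err.RunStart, $MaName, $err.RunNumber, $err.Profile, $err.Dn, $err.ErrorType, $err.Detail |
        Add-Content -Path $LogPath -Encoding UTF8
}
'{0} export error(s) for run {1} appended to {2}' -f @($errors).Count, $run.RunNumber, $LogPath
```

Run it as a post-step of the export run profile (or from the scheduler that drives the run profiles) so the detail the connected directory returned, such as the constraint-violation text, lands next to the MA's own add/update log instead of only in the Operations tab.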

Strange Portal Behavior: " refused to connect" message


I logged into our MIM portal today and noticed something quite odd. The portal main page loads as expected, and when I click on any of the items in the navigation bar on the left (Sets, Users, MPRs, etc.), the respective section opens up in the main panel/frame.

However, when I try to open any object (a set under Sets, for example) for viewing or editing, the usual browser window that pops up with the object data shows only an icon. When I hover the mouse over that odd window, it shows the message "<servername> refused to connect."

I am the primary and most often the only user of the MIM portal, and I don't connect to it very often as there is no need for it. Our system updates are performed by another system admin. It was working 2 weeks ago, which was the last time I used it. Has anybody seen anything like this? I am wondering if any of the updates in the past two weeks has caused this issue.

This is MIM 2016 SP2 4.6.34.0 on Windows 2019 and SharePoint 2019.

I changed the logging level for the portal to verbose and set it to log to event viewer. I see an error with the following misspelled message "Query retruns unexpected object type."

FIM Service and Synchronization services which run on the same server are running as expected.


Persistent DN flow not respected


Hello all,

I am building a DN with a workflow, and attempting to flow the DN out to the ADMA with an Outbound Attribute Flow in a sync rule defined in the MIM Portal. I do have an initial flow as well as a persistent flow for the built DN value, and the user objects are provisioned successfully, but a change in the CN or the OU (to change between buildings) is not respected.

On export to the ADMA, this results in an 'add' of the value to the 'dn' attribute on the CS object, as opposed to a Provisioning Rename as expected, and on a re-import results in an 'exported-change-not-reimported' on the same attribute on the CS object.

I am at a loss as to what I might be running into, and any ideas would be greatly appreciated.

Thank you!


Group Management Terminated Accounts


Hello, in our environment, MIM generally doesn't manage groups. However, we need a workflow to remove AD groups and log their names for possible re-hire, where we activate the old account, add their groups back (assuming the same position) and re-enable mail, home drives, etc. We're hybrid AD: on-prem security groups, and DLs are in O365.

I'm thinking about using objectSid, name and groupType, but I'm not sure if or how this might work. Also, I'm not sure about reference DNs in regards to groups and how to iterate through those in a workflow. I've done a lot of stuff like this in PowerShell, but MIM is much different. Thank you.
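An added example, not code from the original post, showing the leaver/re-hire logic above in the PowerShell the poster is used to, with the three attributes they name (objectSid, name, groupType): snapshot the user's on-prem group memberships to a JSON file, remove them, and later restore them by SID so a group that was renamed in the meantime is still found. It assumes the ActiveDirectory module is present, that the sAMAccountName and snapshot directory are placeholders, and that DLs mastered in O365 are out of scope (only on-prem objects appear in memberOf). A MIM PowerShell workflow activity could call the same functions.

```powershell
# Added example, not code from the original post. Snapshot, remove and restore
# a leaver's on-prem group memberships. Assumptions: ActiveDirectory module is
# available; sAMAccountName and paths are placeholders; memberOf does not list
# the primary group (Domain Users), which is therefore never touched.
Import-Module ActiveDirectory

function Save-TerminatedUserGroups {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SnapshotDir
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $groups = foreach ($dn in $user.memberOf) {
        $g = Get-ADGroup -Identity $dn -Properties objectSid, groupType, mail
        [pscustomobject]@{
            Name      = $g.Name
            ObjectSid = $g.objectSid.Value   # stable across renames and moves
            GroupType = $g.groupType         # e.g. -2147483646 = global security group
            Mail      = $g.mail
            DN        = $dn
        }
    }
    $snapshot = [pscustomobject]@{
        SamAccountName = $SamAccountName
        UserSid        = $user.SID.Value
        TerminatedOn   = (Get-Date).ToString('o')
        Groups         = @($groups)
    }
    $path = Join-Path $SnapshotDir "$SamAccountName.json"
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    return $path
}

function Remove-TerminatedUserGroups {
    param([Parameter(Mandatory)] [string] $SnapshotPath)
    $snap = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($g in $snap.Groups) {
        # Resolve by SID, not by the saved DN, so a renamed/moved group is still found.
        $grp = Get-ADGroup -Identity $g.ObjectSid -ErrorAction SilentlyContinue
        if ($grp) { Remove-ADGroupMember -Identity $grp -Members $snap.SamAccountName -Confirm:$false }
    }
}

function Restore-TerminatedUserGroups {
    param(
        [Parameter(Mandatory)] [string] $SnapshotPath,
        [int] $MaxAgeDays = 365
    )
    $snap = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    # Old entitlements should be re-approved, not replayed, after a long gap.
    if ((Get-Date) -gt ([datetime]$snap.TerminatedOn).AddDays($MaxAgeDays)) {
        throw "Snapshot for $($snap.SamAccountName) is older than $MaxAgeDays days; re-evaluate access instead of restoring it"
    }
    foreach ($g in $snap.Groups) {
        $grp = Get-ADGroup -Identity $g.ObjectSid -ErrorAction SilentlyContinue
        if ($grp) { Add-ADGroupMember -Identity $grp -Members $snap.SamAccountName }
        else      { Write-Warning "Group '$($g.Name)' ($($g.ObjectSid)) no longer exists; not restored" }
    }
}

# Usage (placeholders): on termination, then on re-hire.
# $file = Save-TerminatedUserGroups -SamAccountName 'jdoe' -SnapshotDir 'D:\MIM\leavers'
# Remove-TerminatedUserGroups -SnapshotPath $file
# Restore-TerminatedUserGroups -SnapshotPath $file
```

Keying the snapshot on the SID rather than the DN is the part that matters for the "re-hire months later" case; the age check in the restore function is the control that stops stale group membership from silently coming back with the account.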