FIM 2010 R2: Security group management by non-administrators

Hi All,
We have a small set of users (belonging to a particular department) who should be able to login to the portal and manage a select set of groups - the users should be able to add and remove members from these said groups. In most of the cases, the groups
already exist in Active Directory and we bring them into FIM Portal.
I have done the following so far:
a) Created a set of users based on their departments - works fine
b) Created a set of groups that the users in (a) should be managing - works fine
c) Created 3 MPRs (resembling the MPRs that already exist for Group Management by administrators). 1 of these MPRs allows the set of users to read the attributes of the groups in the set in (b). The second allows the set of users to create and delete groups
in the set. The third allows the set of users to "add a value to a multi-valued attribute", "remove a value from a multi-valued attribute", and "modify a single-valued attribute". In the list of attributes, I have included most
of the attributes including "Manually-managed membership". All these 3 MPRs have the grant permission box checked.
I (as a member of the set of users in (a)), can login to the portal, view the groups in set (b), modify the description, add an owner, remove an owner etc. When I try to add or remove a member from a group where I am one of the owners, everything is fine.
BUT, when I try to add or remove a member from a group where I am not listed as an owner, it gives me an "Access denied" error with these details: "The request included members which the requestor is not authorized to add and/or remove from
this group"
I am a member of the set in (a) and can remove/add members from the groups that I am the owner of. My questions are:
A) What else do I need to do to add/remove members from a group that I am not the owner of but this group still belongs to the set (b).
B) Why does the Portal force me to add an owner to every group that of set (b) that I click to view/edit. Isn't there a way around that i.e. not having to put any owner and still be able to add/remove members. For all the groups in set (b), the Join Instruction
is set to "None" (i.e. any user can become a member of the group).
I hope someone can shed some light on this. I have seen similar questions on the forum from a few years ago but they hadn't been answered (completely).
Thanks

Hello,
this is because there are to MPRs which Trigger a Group Validation Workflow (Requestor Validation).
These 2 MPRs are responsible:
- Group management workflow: Validate requestor on add member to open group
- Group management workflow: Validate requestor on remove member
The MPR Triggers this workflow for "All Non-Administrators".
So you should edit the All Non-Administrators" Set and add the following to it:
ResourceID not in (your set in a).
So the Requestor Validation workflow will no longer be triggerd for your users in Set (A)
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com

Similar Messages

Grant access to help desk users to add members to distribution and security groups

Hello,
I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members
in the FIM Portal and flow it down to ADS.
This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limitied rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as
well as MPR "Security group management: Users can read selected attributes of group resources".
The help desk users can update users in the Portal with no issue. The can search groups with no issue but when they try to add members to a group they get the error "Access Denied".
Any help is greatly appreciated.
Thanks!

I'm having very similar problem - I have users with delegated right to modify group membership only. User can add someone to group and it works fine, but when the same user is trying to remove and user from a group (even if this is the same user
which was added a minute ago) he gets Access Denied:
The
request included members which the requestor is not authorized
to add and/or remove from this group."
It is caused by default MPR:
Group management workflow: Validate requestor on remove member
Question is how this activity validates this request - any insight?

How to export "Managed by" field of Distribution and Security groups and import with new values? (Exchange 2010, AD 2003)

My Active Directory environment is 2003 functional level and we have Exchange 2010.
I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange
2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
Finally once the data is exported to csv can it be edited to then reimport and udpate the existing group managed by fields with new values?
Not really sure that the best way to go about this is.
Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the
existing managedby values with new ones. In some cases we have multiple users as the owners.
Appreciate any advice on how this can be best achieved. Thank you.

Hi,
We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
Get-DistributionGroup | Select-object Name,@{label="ManagedBy";expression={[string]::join(“;”,$_.managedby)}},Primarysmtpaddress | Export-Csv
C:\export.csv
After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
Import-Csv C:\import.csv | Foreach-Object{ Set-DistributionGroup –Identity $_.Name –ManagedBy $_.ManagedBy}
Hope it works.
Thanks,
Winnie Liang
TechNet Community Support

Security groups naming convention in FIM 2010 R2

Hi,
I am using five security groups for Installing FIM Synchronization Service Manager the automatically pick these groups when installed the FIM Synchronization Service Manager
FIMSyncAdmins,
FIMSyncJoiners,
FIMSynchOperators,
FIMSyncBrowse,
FIMSyncPasswordSet
Everything is working fine bot now for naming Convention clients wants to change these securities groups name.
So I want know that five security groups name should be same as above name or can we change these security groups name for naming convention.
For this what steps should be follow in running Environment.
Regards
Anil Kumar

Anil,
I believe you should not think of renaming any of these mentioned groups. If you make any change to any of these groups, there is a possibility that you end up with doing installation of FIM again.
For details of these groups please refer to the link :
http://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
Regards,
Manuj Khurana

FIM 2010 R2: Creating Security Groups in portal : OU

Hi,
We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?
Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?
Or perhaps someone has tried some other ideas for this scenario ?
Thanks

Hi,
Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that for example.
Add a reference attribute to resource type "group" that will hold the reference to a OU resource type and a string attribute for the OU container.
After the above steps from @Sylvain ceate MPRs which triggers a workflow on modification of that reference attribute (create of group will also modify this attribute so only this MPR is needed).
The workflow should than set the string OU attribute ob group (//target/ouStringAttr) with the DN sting of the selected OU resource type, like that: //target/ouRefAttr/DisplayName
You can then use this ouStringAttr in your outbound symc rule.
Beside the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating ERE) but I find above solution a bit more easier to implement.
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com

Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
will still appear in Outlook, but the user isn't able to see new emails.
Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?

I never got a proper fix.
I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
2. New members of groups are added to FULL Access Permissions
3. Members removed from the groups are removed from FULL access permissions
4. Automapping works :)
5. Maintains a log of access added / removed / time taken etc.
Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
# Mailbox Permissions Setter for Exchange #
# v1.1 #
# This script will loop through all mailboxes in Exchange and find any where #
# the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
# and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
# This script will add any members of these ACLs directly to the Full Access Permissions #
# of the mailbox and also remove them if they no longer need the access. #
# Script created by Jon Read, Technical Administration
# Recent Changes
# 15/11/2012
# 1.1 Added exclusions for ACLs that we don't want automapping to happen for
# 12/11/2012
# 1.0 Initial script
#Do not change these values
Add-PSSnapin *Ex*
$starttime = Get-Date
$logfile = "C:\accesslog.txt"
$logfile2 = "C:\accesslog2.txt"
$totaladditionstomailboxes = 0
$totalremovalsfrommailboxes = 0
$totalmailboxesprocessed = 0
$totalmailboxesskipped = 0
# Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
# we don't want FULL access mapping to happen. Seperate array values with commas
$ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
Write-Output "# v1.1 #" >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-output "Start time $starttime ">> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
# Set preferred DCs and GCs
$preferredDC = "preferredDC.domain"
$preferredGC = "preferredGC.domain"
Write-Output " PreferredDC = $preferredDC ">> $logfile
Write-Output " PreferredGC = $preferredGC " >> $logfile
Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
# The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
# Check for all mailboxes where the type is SHARED. These are the only ones we would
# want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
$totalmailboxesprocessed = $totalmailboxesprocessed + 1
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
# For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
# We then need it to be turned into a string to use later.
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$skipACL = 0
#Get the distribution group and put the name in a useable format
$distributiongroup=$distributiongroup.user.tostring()
Write-Output "Found ACL $distributiongroup" >> $logfile
# Check if this distribution group needs to be excluded and if it shouldn't be processed
# then move onto the next ACL. This will stop FULL access being granted if the mailbox is
# used for a non-standard purpose. See the start of this script
# for where these are excluded (ExcludedACLArray)
foreach ($ACL in $ExcludedACLArray )
if ($distributiongroup -eq $ACL)
$skipACL = 1
Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
$totalmailboxesskipped = $totalmailboxesskipped + 1
if ($skipACL -eq 0)
# Get each user in this group and for each of them, add try to add them to full access permissions.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$user="DOMAIN\" + $user.alias.ToString()
# Check to see if the user we have chosen from the ACL group already exists in the full access
# permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
# Set $userexists to 0 as the default
$userexists = 0
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
# See if the user exists in the mailbox access list.
# Change $fullaccessuser to a useable string (matching $user)
$fullaccessuser=$fullaccessuser.user.tostring()
if ($fullaccessuser -eq $user)
$userexists=1
# Break out of foreach if the user exists so we don't unnecessarily loop
break
# Now we know if the user needs to be added or not, so run code (if needed) to add
# the user to full access permissions
if ($userexists -eq 0)
Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
Write-Output "Added $user " >> $logfile
$changes = 1
$totaladditionstomailboxes = $totaladditionstomailboxes + 1
#Now repeat for other users in the ACL
#if changes were 0, then log that no changes were made
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
# The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
## Check for all mailboxes where the type is SHARED. These are the only ones we would
## want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
# For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
# check if they exist in the ACL
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
# Get the security identifier (SSID) of the FULLACCESS user to store for later.
$fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
$fullaccessuser=$fullaccessuser.User.ToString()
#If user needs to be excluded then skip this bit
#Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
#This stops it trying to remove NT AUTHORITY\SELF and other System entries
if ($fullaccessuser -like "DOMAIN\07*")
# Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
$userexists=0
# Check if this user exists in the ACL, if not, remove.
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$distributiongroup=$distributiongroup.user.tostring()
#Write-Output "Found associated distribution group $distributiongroup" >> $logfile
# Get each user in this group and for each of them, See if it matches the user in the mailbox.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$userguid = $user.Guid.ToString()
$user="DOMAIN\" + $user.alias.ToString()
if ($fullaccessuser -eq $user)
$userexists=1
#we have found the user exists so no need to continue
break
# If userexists = 0, then they are NOT in the ACL, and should be removed from
# the full access permissions. Run the code to remove them from full access.
#CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
if ($userexists -eq 0)
Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
Write-Output "Removed $fullaccessuser " >> $logfile
$changes = 1
$totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
# if changes = 0, no changes were made to this mailbox, so log this fact.
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
#Put the time in a displayable format
$endtime = Get-Date
$runtime = $endtime - $starttime
$runtime = $runtime.ToString()
$runtime1 = $runtime.split(".")
$totaltime = $runtime1[0]
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
Write-output "| Start time : $starttime ">> $logfile
Write-output "| End time : $endtime ">> $logfile
Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile

How to export "Managed by" field of Distribution and Security groups and import with new values?

My Active Directory environment is 2003 functional level and we have Exchange 2010.
I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange
2010 can be used with "get-distribution" but as our AD envronment is 2003 is this correct also?
Finally once the data is exported to csv can it be edited to then reimport and udpate the existing group managed by fields with new values?
Not really sure that the best way to go about this is.
Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the
existing managedby values with new ones.
Appreciate any advice on how this can be best achieved. Thank you.

Hi Barkley,
You can also refer to Official Scripting Guys forum to get a script solution:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
Best Regards,
Amy Wang

AD security groups listed in user groups in Config Manager however not listed when selecting values for the "System Resource - System Group Name" query

Morning All,
We are in the process of setting up our SCCM 2012 infrastructure and are experiencing issues with our device collection querys based on AD security groups.
I can see the security groups are being updated per adsgdis.log - i can see the computers that are members of the groups in AD are being recorded in the same log. Issue is when we build the device collection query - click the value button for the string,
only 2 of the 18 AD security groups are displayed. These are 2 AD groups we setup initially to test.
We have since added several additional yet they only appear to populate as user groups in config manager.
The same goes for additional OUs that we have created with AD.
When i click the value button only the initial 10 OUs that were created are populating in the list of applicable OUs.
We have the discovery methods Group Discovery & System Discovery enabled and set to search the parent OU recursively
I'm wondering if there might be an SQL issue with this as it initially worked but stopped...
Additionally we added an OU recently that now appears in in the Values options in the query but the ones added previously and additionally after are not showing up....
Any help is appreciated.
Thanks,
Jeff

Given the adsgdis.log lists the new pc and the group it's assigned to it appears the AD group discovery is working.
Have the following excert from the adsgdis.log
INFO: Processing discovered group object with ADsPath = 'LDAP://************.****.COM/CN=Software - Microsoft Project Professional 2010 x64,OU=Software,OU=US-West,DC=*****,DC=com' SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180
(0x1FF4)
INFO: DDR was written for group '*****\Software - Microsoft Project Professional 2010 x64' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg8ud94.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012
7:08:13 AM 8180 (0x1FF4)
INFO: DDR was written for system 'THURMANWIN7VM' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adhh8419.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180 (0x1FF4)
Here you can see it processes the new members in the Software - Microsoft Project Professional 2010 x64 group and captures Thurmanwin7vm as a member.
I did find some log entries that reference permission issues with objects in the SQL database and have opened a case with MS to get that looked into. Hopefully that will be where the issue lies.

AD security group as FIM Portal administrator

Hi Gurus
i have a question. I want to add an AD Security group in FIM for the users of the group to be the FIM portal administrator. I believe to do that I need to sync the group using a management agent, and then add that group to the Sharepoint administrator group.
Is this correct? If it's not then where can I find a procedure to make the members of the security group which is in an OU to be the administrators of the FIM portal? I don't want to sync the whole OU but only one group within the OU as there are other groups
within the OU which I do not want to have admin rights to the portal.
Is there a way I can achieve what I am trying to do? I haven't found any documentation to do it. As I am very new to this I apologize if the question sounds silly.
Any help will be greatly appreciated. Thanks in advance.
Regards,

Hi Paul, Dave and Steve
Thank you all for all your valuable inputs. I have successfully resolved the issue. This is what I did.
I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the ADMA following the synchronization order specified by Microsoft, the amount of objects was doubling. There were about 180 objects to begin
with and it doubled. I checked a number of solutions online which asked me to delete the object from the connector. However considering the number of objects that would have been a lot of work. So I decided to delete the users from the FIM portal and manually
run the sync again. I got this script from Carol Wapshere:
http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2
The good thing about the script is that a few users can be added to the Administrator set in the portal and the script will not delete it. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in
order, added the users to the Admin set and it all worked fine. I know it is a bit of a sledgehammer approach but I believed that might be the best under current circumstances.
Thank you all again for taking your time out and answering my question. You have been great help!!
Regards,

AD Security Group name change not showing in Sharepoint 2010

Hi!
We have a Sharepoint 2010 Standard enviroment and are heading for a role-based identity-managment in our company. That's why we find it better to use AD Groups instead of Sharepoint Groups.
So we have over 1000 AD Security Groups groups that have been added to our Sharepoint Sites and our goal is to control every permission in Sharepoint from AD.
I have done all this with the combination of Excel and Powershell and it have worked great.
The problem i see in the long run is the name change of AD Security Groups. Sharepoint 2010 isn't showing the new name of the group.
Does anyone know of any workaround that can solve this problem. It's a bit of a disappointment that Microsoft haven't fixed this. The only information i think they should store in Sharepoint is the SID of the groups.
I was thinking of designing a powershell script that runs every night and updates the display name of the groups that do not match the AD display name.
Is there any other way?

As far as I know, and I'm not sure where to go from here without testing on my own...and I'm not sure when I'll be able to do that. Perhaps a configuration issue.
Have you tried removing the incorrectly named group and adding in the correctly named one?
Read through this related post:
http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/49dc833f-4127-45ac-bd21-98b04d3632ef
Looks like that can help you. Let us know how things go.
Colorless Green Ideas Sleep Furiously http://www.sharepointnerd.com

Provisioning Groups into FIM 2010 from oracle database

Greetings,
I am trying to provision security groups from an oracle database where i have a view that contains:
Department_Code
Department_Name
DepParent_Code
The view has a recursive relation between Department_Code and DepParent_Code (1 to many).
The view will lead to a Tree that has departments and sub-departments, i want to provision this data into FIM then to AD as security groups reserving the same hierarchy.
Any help would be appreciated.
Mohamad Chahla

I have done something like this myself. Using my approach I would do the following:
Extend the Group and group resource type schema in FIM and the FIM Metaverse respectively, adding a new REFERENCE attribute binding ParentGroup/parentGroup respectively;
Create an Oracle MA for importing DEPARTMENT objects with the anchor attribute Department_Code and with DepParent_Code declared as type REFERENCE;
Create an inbound sync rule to import department objects as GROUP objects, with IAFs as follows:
'DEPT-' + Department_Code => group.displayName
Department_Name => group.description
DepParent_Code => group.parentGroup
... and other IAFs according to the instructions you will find
here;
Either create your FIM groups as static (easy), or dynamic/query based (harder - i.e. you would do this if each Person object had a string binding of Department with values which exactly match the DEPT data you are importing) by using an appropriate MPR/workflow;
Define an outbound sync rule to
synchronise your FIM group objects to AD.
If creating dynamic groups, your new workflow "Set Department Group Filter' can be created by using the Function Evaluator to construct the necessary XML filter value (create a group manually first to determine what this must look like) such that each
group has a matching filter, e.g. the filter for DEPT-ABC would be /Person[Department='ABC']
Bob Bradley (FIMBob @
TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

Allocating and delegating permissions in Exchange Server 2010 between two AD security group.

People,
Can anyone please assist me in where and how to assign the following two AD security group in Exchange Server 2010?
IT Admin group (Full access and permission for all AD and Exchange related).
IT Helpdesk group (can only create mailbox and modify the mailbox properties including AD distribution group and contacts).
Because in Exchange Server 2007, everything can be managed easily through the AD security group that is created during the installation such as
Exchange Organization Administrators group for full access for IT Admin team and Exchange Recipient Administrators group for managing the mailbox user for Help Desk team.
/* Server Support Specialist */

Hi,
Based on my knowledge, Exchange 2010 has an Organization Management group instead of the Exchange Organization Administrators group. Use the Recipient Management group instead of the Exchange Recipient Administrators group. In your case, you can add the
IT Admin group to the Organization Management group, add the IT Helpdesk group to the Recipient Management group.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support
Thanks, Amy,
But for some reason I cannot see those built in AD security group in my ADUC?
So should I recreate it manually by right clicking on the AD user and Console ?
/* Server Support Specialist */

SharePoint Foundation 2013 SP1 for Microsoft Forefront Identity Manager (FIM) 2010 R2 SP1

For subsequent installation FIM 2010
R2 SP1, I must create a Web application
with the classical method of authentication. According to
Microsoft (http://technet.microsoft.com/en-us/library/jj863242(v=ws.10).aspx),
it is created using PowerShell the following commands:
$ AdminCredentials = Get-user domain
\ contosoAdmin
• $ adminManagedAccount = New-SPManagedAccount -Credential $ adminCredentials
• New-SPWebApplication -Name "FIM SharePoint Web Application" -ApplicationPool "FIMAppPool" -AuthenticationMethod "Kerberos" -ApplicationPoolAccount $ adminManagedAccount -Port
80 -URL http://www.contoso.com
But these commands do not specify an account for
Web services applications,
and services of that applications will run under the account
under which installed Sharepoint. As a result,
the Administration Console Sharepoint error occurs:
the application service account has
local administrator rights. But it should not
be.
I ask for advice on how to solve this problem.

Where I can found ULS Log and configuration details as well?
I have errors:
Accounts used by application pools or service identities are in the local machine Administrators group.
One or more web applications are configured to use Windows Classic authentication.
When I create a Web application through the
web interface, and select
the account for the application pool and application services
(see. Screenshot). So I decided
that the account application services
become account under which installed
Sharepoint, which has local administrator rights.
And the application pool account to the
administrators group is not included. Therefore,
the question arises: what kind of account
reports error ::
there is only one Web application (but
before I create and delete the same):
New-SpWebApplication
DisplayName Url
Sharepoint-FIM
http://www.contoso.com
help to solve the error, please.

Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project

I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
groups on the project site upon publishing/syncing:
<Project Name> Members
<Project Name> Owners
<Project Name> Visitors
<Project Name> Project Managers (Project Web App Synchronized)
<Project Name> Team Members (Project Web App Synchronized)
Web Administrators (Project Web App Synchronized)
Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
and add a whole list of users in the Site Permissions list without groups.
Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
or publishing.
How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
Thanks in advance.

Paul,
Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies.

SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

Hi, can anyone help me troubleshoot the following please:
Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
critical properties.
Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
some properties of this object. The container specified might not have the properties available.
Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
Thanks,
Dale

You'll have to examine the log to determine exactly which objects its referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read criticial properties of those objects and thus did not create DDRs for them.
As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
Jason | http://blog.configmgrftw.com

FIM 2010 R2: Security group management by non-administrators

Similar Messages

Maybe you are looking for