Rename of FIM Security Groups
Hi,
While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created exactly as mentioned in the FIM documents:
FIMSyncAdmins
FIMSyncOperators
FIMSyncJoiners
FIMSyncBrowse
FIMSyncPasswordSet
Can we add a prefix or suffix to the above group names to follow our naming convention?
Like FIMGroup-FIMSyncAdmins-abc. Will it have any impact if we rename the 5 security groups before installing FIM?
Can we rename the security groups after installation and again run the FIM setup to replicate the new security groups?
Thanks
Harry
Hello Harry,
Of course you can rename these groups before installing FIM, with no impact.
And yes, you can rename them after installation: you MUST run the install again. Ensure that you back up the FIM encryption key before doing any actions!
Regards,
Sylvain
Similar Messages
-
Security groups naming convention in FIM 2010 R2
Hi,
I am using five security groups for installing FIM Synchronization Service Manager; these groups are picked up automatically when FIM Synchronization Service Manager is installed:
FIMSyncAdmins,
FIMSyncJoiners,
FIMSynchOperators,
FIMSyncBrowse,
FIMSyncPasswordSet
Everything is working fine, but now for the naming convention the client wants to change these security groups' names.
So I want to know whether the five security group names should be the same as above, or whether we can change these security group names for the naming convention.
What steps should be followed for this in a running environment?
Regards
Anil Kumar
Anil,
I believe you should not think of renaming any of these mentioned groups. If you make any change to any of these groups, there is a possibility that you end up doing the installation of FIM again.
For details of these groups please refer to the link :
http://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
Regards,
Manuj Khurana -
FIM 2010 R2: Creating Security Groups in portal : OU
Hi,
We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?
Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?
Or perhaps someone has tried some other ideas for this scenario ?
Thanks
Hi,
Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that for example.
Add a reference attribute to resource type "group" that will hold the reference to a OU resource type and a string attribute for the OU container.
After the above steps from @Sylvain, create MPRs which trigger a workflow on modification of that reference attribute (creation of a group will also modify this attribute, so only this MPR is needed).
The workflow should then set the string OU attribute of the group (//target/ouStringAttr) with the DN string of the selected OU resource type, like this: //target/ouRefAttr/DisplayName
You can then use this ouStringAttr in your outbound sync rule.
Besides the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating an ERE), but I find the above solution a bit easier to implement.
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com -
AD security group as FIM Portal administrator
Hi Gurus
I have a question. I want to add an AD security group in FIM so that the users of the group become the FIM portal administrators. I believe to do that I need to sync the group using a management agent, and then add that group to the SharePoint administrator group.
Is this correct? If not, then where can I find a procedure to make the members of the security group which is in an OU the administrators of the FIM portal? I don't want to sync the whole OU but only one group within the OU, as there are other groups within the OU which I do not want to have admin rights to the portal.
Is there a way I can achieve what I am trying to do? I haven't found any documentation to do it. As I am very new to this I apologize if the question sounds silly.
Any help will be greatly appreciated. Thanks in advance.
Regards,
Hi Paul, Dave and Steve
Thank you all for all your valuable inputs. I have successfully resolved the issue. This is what I did.
I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the ADMA, following the synchronization order specified by Microsoft, the number of objects was doubling. There were about 180 objects to begin with and it doubled. I checked a number of solutions online which asked me to delete the objects from the connector. However, considering the number of objects, that would have been a lot of work. So I decided to delete the users from the FIM portal and manually run the sync again. I got this script from Carol Wapshere:
http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2
The good thing about the script is that a few users can be added to the Administrator set in the portal and the script will not delete them. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in order, added the users to the Admin set and it all worked fine. I know it is a bit of a sledgehammer approach but I believed that might be the best under current circumstances.
Thank you all again for taking your time out and answering my question. You have been great help!!
Regards, -
hi,
I need to rename a security group from abc to xyz (just for info: DCs 2008 FL2003).
I am sure that it will not have any impact on GPO processing or currently logged in users and new log in but want to ask...
Am I correct?
thanks.
--- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis
> I am sure that it will not have any impact on GPO processing or currently logged in users and new log in but want to ask...
> Am I correct?
> thanks.
Yes you are correct sir! :)
Names are not important because they are translated to SIDs. So basically you will not experience any issue unless you have some sort of application which uses "hard names" instead of SIDs.
Mahdi Tehrani | www.mahditehrani.ir
How to query members of 'Local Administrators' group in all computers? -
Grant access to help desk users to add members to distribution and security groups
Hello,
I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to ADS.
This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as well as the MPR "Security group management: Users can read selected attributes of group resources".
The help desk users can update users in the Portal with no issue. They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied".
Any help is greatly appreciated.
Thanks!
I'm having a very similar problem - I have users with delegated rights to modify group membership only. A user can add someone to a group and it works fine, but when the same user is trying to remove a user from a group (even if this is the same user which was added a minute ago) he gets Access Denied:
"The request included members which the requestor is not authorized to add and/or remove from this group."
It is caused by the default MPR:
Group management workflow: Validate requestor on remove member
Question is how this activity validates this request - any insight? -
DBMS_LDAP adding user to security group on Active Directory
Hi forum members,
I am accessing and manipulating Active Directory using the DBMS_LDAP package and its API's.
My initial code adds a new entry in our MUsers group. After establishing the session and binding it, I supply the required credentials and the user, e.g. 366944, is created successfully in the MUsers group, which is a global users group.
My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
When I do a search on the "Researcher" group this is the result : (I have deleted a few irrelevant entries)
ATTIBUTE_NAME: objectClass = top
ATTIBUTE_NAME: objectClass = group
ATTIBUTE_NAME: cn = Researcher
ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: distinguishedName = CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
ATTIBUTE_NAME: instanceType = 4
ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
ATTIBUTE_NAME: uSNCreated = 97190
ATTIBUTE_NAME: uSNChanged = 102960
ATTIBUTE_NAME: name = Researcher
ATTIBUTE_NAME: objectGUID = ?P??|F?
?Q?'
ATTIBUTE_NAME: objectSid =
ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
ATTIBUTE_NAME: sAMAccountType = 268435456
ATTIBUTE_NAME: groupType = -2147483646
ATTIBUTE_NAME: objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
My add_in_group function is : (I am hardcoding certain values for simplicity)
FUNCTION add_in_group (ldap_session IN dbms_ldap.SESSION)
RETURN PLS_INTEGER
IS
  lv_vals   dbms_ldap.string_collection;
  lv_array  dbms_ldap.mod_array;
  ln_retval PLS_INTEGER;
  l_group   VARCHAR2(256);
BEGIN
  -- Initialize the mod array for the modify command (room for 10 modifications)
  lv_array := dbms_ldap.create_mod_array(10);
  IF lv_array IS NULL THEN
    dbms_output.put_line('Error add_in_group: lv_array not initialized.');
    RETURN -1;
  END IF;
  dbms_output.put_line('lv_array successfully initialized');
  -- Modification 1: add the new user's DN to the group's member attribute
  lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
  dbms_ldap.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'member', lv_vals);
  -- Modification 2: add objectclass=group (a value the existing group already carries)
  lv_vals(1) := 'group';
  BEGIN
    DBMS_LDAP.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'objectclass', lv_vals);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
  END;
  -- Group modification: send both changes to the Researcher group in one modify
  l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
  BEGIN
    ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
  --EXCEPTION
  --  WHEN OTHERS THEN
  --    dbms_output.put_line('Error in modify_s ');
  END;
  -- Free the mod array
  dbms_ldap.free_mod_array(lv_array);
  RETURN ln_retval;
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line('add_in_group : ' || SQLCODE || ' ' || SQLERRM);
    RETURN -1;
END add_in_group;
My error is :
ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
The error description reads like this:
Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
In this case, I am using the modify_s operation. I am supplying the credentials of the Researcher group and trying to set the 'member' attribute to the user already existing in a different group (MUsers).
The Researcher group already has 3 users, namely 1, 2 and 3, as members. These users are also part of the MUsers group.
Hence I am not trying to rename any entry to the name of an entry that already exists.
Any help on this would be appreciated.
Hi,
I tried the same code that you mentioned and made some changes as follows, and am now able to add members to a group.
Remove the section that contains the following commands; then it will work:
lv_vals(1) := 'group';
DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
Thanks & Best Regards,
Indika -
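An added example in PowerShell (not code from the post, nor from Oracle's DBMS_LDAP) that models the modify Indika is talking about: it parses the Researcher dump constructed from the post above, flags which MOD_ADD values the group already holds, and builds the one-attribute modify that adds a member without touching objectClass. The dump text, the 366944 DN and every function name here are assumptions made for the example.

```powershell
$MOD_ADD = 0   # LDAP "add" operation code, i.e. the DBMS_LDAP.MOD_ADD used in the post
# Constructed sample: the relevant lines of the "Researcher" search dump from the post.
$researcherDump = @'
ATTIBUTE_NAME: objectClass = top
ATTIBUTE_NAME: objectClass = group
ATTIBUTE_NAME: cn = Researcher
ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: distinguishedName = CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
'@

function ConvertFrom-AttributeDump {
    # "ATTIBUTE_NAME: attr = value" lines -> hashtable attr (lower-case) -> string[]
    param([string]$Text)
    $entry = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -notmatch '^ATTIBUTE_NAME:\s*(?<attr>[^=]+?)\s*=\s*(?<value>.*)$') { continue }
        $attr = $Matches.attr.ToLowerInvariant()
        if (-not $entry.ContainsKey($attr)) { $entry[$attr] = @() }
        $entry[$attr] += $Matches.value.Trim()
    }
    return $entry
}

function Normalize-Dn {
    param([string]$Dn)   # AD matches DNs case-insensitively, ignoring space around commas
    (($Dn -split ',') | ForEach-Object { $_.Trim() }) -join ','
}

function Test-ValuePresent {
    # True when the entry already holds $Value for $Attr (DN-aware for 'member').
    param([hashtable]$Entry, [string]$Attr, [string]$Value)
    $have = @($Entry[$Attr.ToLowerInvariant()] | Where-Object { $_ })
    if ($Attr -eq 'member') { $have = $have | ForEach-Object { Normalize-Dn $_ }; $Value = Normalize-Dn $Value }
    return @($have | Where-Object { $_ -eq $Value }).Count -gt 0   # -eq ignores case
}

function Get-ConflictingAdds {
    # Every MOD_ADD value the entry already holds: the server refuses to add
    # those, which is the "Already exists" error reported in the post.
    param([hashtable]$Entry, [object[]]$Mods)
    $conflicts = @()
    foreach ($mod in $Mods) {
        if ($mod.Op -ne $MOD_ADD) { continue }
        foreach ($value in $mod.Values) {
            if (Test-ValuePresent $Entry $mod.Attr $value) { $conflicts += [pscustomobject]@{ Attr = $mod.Attr; Value = $value } }
        }
    }
    return ,$conflicts
}

function New-MemberAddMods {
    # Minimal modify for one new member: touch only 'member', send nothing if the
    # DN is already there, and never re-add objectClass to an existing group.
    param([hashtable]$Entry, [string]$MemberDn)
    if (Test-ValuePresent $Entry 'member' $MemberDn) { return ,@() }
    return ,@([pscustomobject]@{ Op = $MOD_ADD; Attr = 'member'; Values = @($MemberDn) })
}

$entry     = ConvertFrom-AttributeDump $researcherDump
$newMember = 'CN=366944,OU=MUsers,DC=xxx,DC=yyy'
# What the posted add_in_group sends: member and objectclass, both as MOD_ADD.
$posted = @(
    [pscustomobject]@{ Op = $MOD_ADD; Attr = 'member';      Values = @($newMember) },
    [pscustomobject]@{ Op = $MOD_ADD; Attr = 'objectclass'; Values = @('group') }
)
Get-ConflictingAdds -Entry $entry -Mods $posted | Format-Table        # objectclass / group
New-MemberAddMods -Entry $entry -MemberDn $newMember | Format-Table   # the single member add
(New-MemberAddMods -Entry $entry -MemberDn 'cn=2, ou=musers, dc=xxx, dc=yyy').Count   # 0: already a member
```

Running it on the constructed dump reports only the objectclass add as conflicting, so the member-only modify is the request that should reach modify_s.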
...the search scope is used to subset the SGs and DGs. The search scope itself shows expected results. The search scope filter used is: /Group[Type='Security' or Type='MailEnabledSecurity'][(Domain = 'DomainX') or (Domain = 'DomainY')]
Tried the following, with the GUID being the resource ID from the search scope for security groups:
~/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
~/IdentityManagement/aspx/groups/Groups.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
Thanks
Are you talking about the redirect URL in the search scope? FIM will automatically add the searchtype querystring.
For a custom groups search scope you can use:
~/IdentityManagement/aspx/groups/AllGroups.aspx
and configure your search scope to use the same UsageKeywords as for the security groups,
and restart your IIS server using the command "IISRESET".
In your case, if you want to create a navigation bar link to your group-type search scope, you may use this format:
http://{your fim server}/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype={your searchscope guid}&content=%2a
ex : http://fimserver/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype=47e0a973-0ab4-46f5-815f-f5028c1af58e&content=%2a -
Creating a security group for S/Mime cert auto-enrolment
We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
Import-Module ActiveDirectory
Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
On Thu, 6 Feb 2014 19:20:37 +0000, Alen Williams wrote:
> We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
> I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
> I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
> Import-Module ActiveDirectory
> Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
> Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
> Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
Although this group is going to be used for certificate enrollment this
really isn't the right forum for your question. You should repost to either
an Active Directory forum or to one dedicated to scripting or Powershell.
Paul Adare - FIM CM MVP
urbi et IP -- axelm in <mode=pope> -
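As an added example (not code from the thread), a faster way to build the "SMime Users" group the question describes, assuming the RSAT ActiveDirectory module and that the group already exists: it replaces the per-user Add-ADGroupMember loop and the dsget/dsmod purge with one LDAP-filtered query, a set difference, and batched adds and removes. The function names and the batch size are assumptions made here.

```powershell
Import-Module ActiveDirectory
$GroupName = 'SMime Users'   # the group name used in the post

function Get-MailEnabledUserDns {
    # Enabled user objects that carry a mail attribute; the service accounts
    # without an address (the source of the failed requests) never match.
    $filter = '(&(objectCategory=person)(objectClass=user)(mail=*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -ResultPageSize 2000 |
        Select-Object -ExpandProperty DistinguishedName
}

function Sync-GroupMembership {
    # Make the group's direct membership equal to $WantedDns. Anything else in
    # the group (nested groups included) is removed, as the posted purge did.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Group, [string[]]$WantedDns, [int]$BatchSize = 500)
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $wanted  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $current = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $WantedDns) { if ($dn) { [void]$wanted.Add($dn) } }
    if ($wanted.Count -eq 0) { throw 'No mail-enabled users found; refusing to empty the group.' }
    # Read the member attribute directly: Get-ADGroupMember is cut off by the
    # server's MaxGroupOrMemberEntries limit on large groups, the attribute is not.
    foreach ($dn in (Get-ADGroup -Identity $Group -Properties member).member) { if ($dn) { [void]$current.Add($dn) } }

    $toAdd    = @($wanted  | Where-Object { -not $current.Contains($_) })
    $toRemove = @($current | Where-Object { -not $wanted.Contains($_) })

    # One LDAP modify per batch instead of one round trip per user. -WhatIf on
    # this function propagates to the AD cmdlets through SupportsShouldProcess.
    for ($i = 0; $i -lt $toAdd.Count; $i += $BatchSize) {
        Add-ADGroupMember -Identity $Group -Members $toAdd[$i..($i + $BatchSize - 1)]
    }
    for ($i = 0; $i -lt $toRemove.Count; $i += $BatchSize) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove[$i..($i + $BatchSize - 1)] -Confirm:$false
    }
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count; Wanted = $wanted.Count }
}

# Dry run first (reports what would change); drop -WhatIf to apply.
Sync-GroupMembership -Group $GroupName -WantedDns (Get-MailEnabledUserDns) -WhatIf
```

Because membership is diffed rather than purged and rebuilt, re-running it later only touches the accounts that gained or lost a mail address.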
Unable to resolve name in add user to security group screen
Hello Everybody,
Today I come to ask for advice from the FIM experts. It was just brought to my attention that when somebody tries to add a user to a security group by using the browse option, they are able to search for the member and select them, but when they click on "Ok" the account isn't shown in the "Members to add" box. However, if the person types the full display name into the "Members to add" box, the user is successfully resolved.
After some intense research, this issue is caused by a recent Microsoft update, KB3008923. I have opened a Microsoft support case after being informed of this issue. This is caused not by an FIM patch but by an Internet Explorer update. Please uninstall KB3008923 and your issue will be resolved. Or you can suggest to your users to use Chrome with the IE Tab addon enabled as a workaround.
I am awaiting Microsoft to provide a hotfix for this issue, but until then I have just instructed my users to use one of the temporary solutions listed above -
Migrate security group in SharePoint
Hi,
There are some security groups which were renamed. So now we want to migrate the groups to replace the permissions of the old groups with the new groups. Is it possible? Can we run the stsadm command for migrating any security group also, as we do the same for the users?
Hi,
I recommend using the PowerShell commands below to update the group name:
$sites = Get-SPSite -Limit All
foreach ($site in $sites) {
    # change the identity value to the identity of your group in the SharePoint site
    $user = Get-SPUser -Identity "c:0+.w|s-1-5-21-327186598-2419249556-1286632975-1156" -Web $site.Url -ErrorAction SilentlyContinue
    if ($user) {
        Set-SPUser -Identity $user -DisplayName "contoso\ADGPkk"
        Write-Host -ForegroundColor Green "Changed the name for $($site.Url)"
    }
    else {
        Write-Host -ForegroundColor Red "The specified group does not exist in $($site.Url)"
    }
}
More reference(same for SharePoint 2010):
http://www.sharepointfire.com/MyBlog/2013/11/renaming-an-ad-group-in-sharepoint-2013/
Best regards.
Thanks
TechNet Community Support
-
Is there a way for an end user to see who has membership in a security group
Windows Server 2008 R2
Active Directory Domain
Windows 7 workstations
I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
Is that possible? Any drawbacks or concerns?Hi Tod,
Based on my research, other than viewing group membership in ADUC, we can use the PowerShell cmdlet Get-ADGroupMember GroupName and the command net group GroupName to view the members of a group.
However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
More information for you:
Viewing the Direct Members of a Group
http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
Net group
http://technet.microsoft.com/en-us/library/cc754051.aspx
Best Regards,
Amy -
not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
Any idea?
After a few days of testing in my lab, I can see that only a mail-enabled group can be added as site collection admin using PowerShell.
Hope this helps whoever is stuck like me!! :-) -
I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates has unique permissions which should create the default security groups on the project site upon publishing/syncing:
<Project Name> Members
<Project Name> Owners
<Project Name> Visitors
<Project Name> Project Managers (Project Web App Synchronized)
<Project Name> Team Members (Project Web App Synchronized)
Web Administrators (Project Web App Synchronized)
Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template and add a whole list of users in the Site Permissions list without groups.
Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs or publishing.
How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
Thanks in advance.
Paul,
Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting" the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies. -
Security Group for SharePoint 2013 Online Enterprise 3
I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
I can not figure out how to do this.
Thanks.
Dawn
Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the
Account Manager for SMB (small to medium businesses) in the
education sector.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs