Rename of FIM Security Groups

Hi,
While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created with the same names as mentioned in the FIM documents?
FIMSyncAdmins
FIMSyncOperators
FIMSyncJoiners
FIMSyncBrowse
FIMSyncPasswordSet
Can we add a prefix or suffix to the above groups to follow the naming convention,
like FIMGroup-FIMSyncAdmins-abc? Will it have an impact if we rename the 5 security groups before installation of FIM?
Can we rename the security groups after installation and run the FIM setup again to replicate the new security groups?
Thanks
Harry

Hello Harry,
Of course you can rename this group before installing FIM, with no impact.
And yes, you can rename it after installation: you MUST run the install again. Ensure that you back up the FIM encryption key before taking any action!
Regards,
Sylvain

Similar Messages

  • Security groups naming convention in FIM 2010 R2

    Hi,
    I am using five security groups for installing FIM Synchronization Service Manager; it automatically picks these groups when FIM Synchronization Service Manager is installed:
    FIMSyncAdmins,
    FIMSyncJoiners,
    FIMSynchOperators,
    FIMSyncBrowse,
    FIMSyncPasswordSet
    Everything is working fine, but now, for the naming convention, the client wants to change the names of these security groups.
    So I want to know whether the five security group names should be the same as the names above, or whether we can change these security group names for the naming convention.
    For this, what steps should be followed in a running environment?
    Regards
    Anil Kumar

    Anil,
    I believe you should not think of renaming any of these mentioned groups. If you make any change to any of these groups, there is a possibility that you end up doing the installation of FIM again.
    For details of these groups please refer to the link :
    http://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
    Regards,
    Manuj Khurana

  • FIM 2010 R2: Creating Security Groups in portal : OU

    Hi,
    We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?
    Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?
    Or perhaps someone has tried some other ideas for this scenario ?
    Thanks

    Hi,
    Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that for example.
    Add a reference attribute to resource type "group" that will hold the reference to a OU resource type and a string attribute for the OU container.
    After the above steps from @Sylvain, create MPRs which trigger a workflow on modification of that reference attribute (creation of a group will also modify this attribute, so only this MPR is needed).
    The workflow should then set the string OU attribute on the group (//target/ouStringAttr) with the DN string of the selected OU resource type, like this: //target/ouRefAttr/DisplayName
    You can then use this ouStringAttr in your outbound sync rule.
    Besides the ouStringAttr solution, it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating ERE), but I find the above solution a bit easier to implement.
    Regards
    Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com

  • AD security group as FIM Portal administrator

    Hi Gurus
    i have a question. I want to add an AD Security group in FIM for the users of the group to be the FIM portal administrator. I believe to do that I need to sync the group using a management agent, and then add that group to the Sharepoint administrator group.
    Is this correct? If it's not then where can I find a procedure to make the members of the security group which is in an OU to be the administrators of the FIM portal? I don't want to sync the whole OU but only one group within the OU as there are other groups
    within the OU which I do not want to have admin rights to the portal.
    Is there a way I can achieve what I am trying to do? I haven't found any documentation to do it. As I am very new to this I apologize if the question sounds silly.
    Any help will be greatly appreciated. Thanks in advance.
    Regards,

    Hi Paul, Dave and Steve
    Thank you all for all your valuable inputs. I have successfully resolved the issue. This is what I did. 
    I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the ADMA following the synchronization order specified by Microsoft, the amount of objects was doubling. There were about 180 objects to begin
    with and it doubled. I checked a number of solutions online which asked me to delete the object from the connector. However considering the number of objects that would have been a lot of work. So I decided to delete the users from the FIM portal and manually
    run the sync again. I got this script from Carol Wapshere:
    http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2
    The good thing about the script is that a few users can be added to the Administrator set in the portal and the script will not delete it. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in
    order, added the users to the Admin set and it all worked fine. I know it is a bit of a sledgehammer approach but I believed that might be the best under current circumstances. 
    Thank you all again for taking your time out and answering my question. You have been great help!!
    Regards,

  • Rename security group effect

    hi,
    I need to rename a security group from abc to xyz (just for info: DCs 2008 FL2003).
    I am sure that it will not have any impact on GPO processing or currently logged in users and new log in but want to ask...
    Am I correct?
    thanks.
    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    I am sure that it will not have any impact on GPO processing or currently logged in users and new log in but want to ask...
    Am I correct?
    thanks.
    Yes you are correct sir! :)
    Names are not important because they are translated to SIDs. So basically you will not experience any issue unless you have some sort of application which uses "Hard Names" instead of SIDs.
    Mahdi Tehrani
    www.mahditehrani.ir
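What the reply above describes, as an added example that is not part of the original post: a folder ACL stores the group's SID, so renaming "abc" to "xyz" leaves it intact, while configuration that spells out the name has to be found and updated before the rename. The SID, SDDL string, config lines and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from a real domain). The thread renames "abc" to "xyz".
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1156"
FOLDER_SDDL = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;" + GROUP_SID + ")"
CONFIG_LINES = [
    "allowed_group = CONTOSO\\abc",
    "allowed_sid = " + GROUP_SID,
    "ldap_filter = (memberOf=CN=abc,OU=Groups,DC=contoso,DC=example)",
    "report_title = abcdef weekly",
]

ACE_RE = re.compile(r"\(([^()]*)\)")


def ace_trustees(sddl):
    """Return the trustee field (6th field) of every ACE in an SDDL string."""
    trustees = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) >= 6:
            trustees.append(fields[5])
    return trustees


def name_pattern(group_name):
    # Whole-token, case-insensitive match so "abc" does not hit "abcdef".
    return re.compile(
        r"(?<![\w-])" + re.escape(group_name) + r"(?![\w-])", re.IGNORECASE
    )


def rename_impact(old_name, sid, sddl, config_lines):
    """Classify references to a group before it is renamed."""
    pattern = name_pattern(old_name)
    trustees = ace_trustees(sddl)
    return {
        # ACEs carry the SID, which a rename does not change.
        "acl_references_sid": sid in trustees,
        "acl_references_name": any(pattern.search(t) for t in trustees),
        # Lines that spell out the name (or a DN built from it) need editing.
        "breaks_on_rename": [l for l in config_lines if pattern.search(l)],
        "unaffected": [l for l in config_lines if sid.lower() in l.lower()],
    }


if __name__ == "__main__":
    for key, value in rename_impact("abc", GROUP_SID, FOLDER_SDDL, CONFIG_LINES).items():
        print(key, "->", value)
```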

  • Grant access to help desk users to add members to distribution and security groups

    Hello,
    I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users.  We want it to bypass owner approval and essentially allow this group to add or remove members
    in the FIM Portal and flow it down to ADS.
    This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins.  We have added the help desk team to the  Security Group Users and Group Users set as
    well as MPR "Security group management: Users can read selected attributes of group resources".
    The help desk users can update users in the Portal with no issue.  They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied".
    Any help is greatly appreciated.
    Thanks!

    I'm having a very similar problem - I have users with the delegated right to modify group membership only. A user can add someone to a group and it works fine, but when the same user is trying to remove a user from a group (even if this is the same user
    which was added a minute ago) he gets Access Denied:
    "The request included members which the requestor is not authorized to add and/or remove from this group."
    It is caused by default MPR:
    Group management workflow: Validate requestor on remove member
    Question is how this activity validates this request - any insight?

  • DBMS_LDAP adding user to security group on Active Directory

    Hi forum members,
    I am accessing and manipulating Active Directory using the DBMS_LDAP package and its API's.
    My initial code is to add a new entry in our MUsers group. After establishing the session and binding it, I supply the required credentials and the user, ex: 366944, is created successfully in the MUsers group, which is a global users group.
    My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
    When I do a search on the "Researcher" group this is the result : (I have deleted a few irrelevant entries)
    ATTIBUTE_NAME: objectClass = top
    ATTIBUTE_NAME: objectClass = group
    ATTIBUTE_NAME: cn = Researcher
    ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: distinguishedName =
    CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
    ATTIBUTE_NAME: instanceType = 4
    ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
    ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
    ATTIBUTE_NAME: uSNCreated = 97190
    ATTIBUTE_NAME: uSNChanged = 102960
    ATTIBUTE_NAME: name = Researcher
    ATTIBUTE_NAME: objectGUID = ?P??|F?
    ?Q?'
    ATTIBUTE_NAME: objectSid =
    ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
    ATTIBUTE_NAME: sAMAccountType = 268435456
    ATTIBUTE_NAME: groupType = -2147483646
    ATTIBUTE_NAME: objectCategory =
    CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
    My add_in_group function is : (I am hardcoding certain values for simplicity)
    FUNCTION add_in_group
      (ldap_session dbms_ldap.SESSION)
    RETURN PLS_INTEGER
    IS
      lv_vals   dbms_ldap.string_collection;
      lv_array  dbms_ldap.mod_array;
      ln_retval PLS_INTEGER;
      l_group   VARCHAR2(256);
    BEGIN
      -- Initialize the varray for the modify command
      lv_array := dbms_ldap.create_mod_array(10);
      IF lv_array IS NULL THEN
        dbms_output.put_line('Error add_in_group: lv_array not initialized.');
        NULL;
      END IF;
      dbms_output.put_line ('lv_array successfully initialized');
      -- Populate the varray
      lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
      dbms_ldap.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'member',lv_vals);
      --Populate the object class variables
      lv_vals(1) := 'group';
      BEGIN
        DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
      EXCEPTION
        WHEN OTHERS THEN
          DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
      END;
      --BEGIN
      -- Group Modification
      l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
      BEGIN
        ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
      --EXCEPTION
      --WHEN OTHERS THEN
      --dbms_output.put_line ('Error in modify_s ');
      END;
      -- Free the varray
      dbms_ldap.free_mod_array(lv_array);
      RETURN ln_retval;
    EXCEPTION
      WHEN OTHERS THEN
        dbms_output.put_line('add_in_group : '|| SQLCODE||' '||SQLERRM);
        RETURN -1 ;
    END add_in_group;
    My error is :
    ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
    UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
    The error descriptions reads like this :
    Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
    In this case, I am using the modify_s operation. I am supplying the credentials of the researcher group and trying to set the 'member' attribute as the user already existing in a different group (MUsers).
    The researcher group already has 3 users, namely 1, 2 and 3, as members. These users are also part of the MUsers group.
    Hence I am not trying to rename any entry to the name of an entry that already exists.
    Any help on this would be appreciated.

    Hi,
    I tried the same code that you have mentioned and did some changes as follows and now able to add members to a group.
    Remove the section that contains the following commands, then it will work:
    lv_vals(1) := 'group';
    DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
    Thanks & Best Regards,
    Indika
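Why removing those two lines helps, as an added example that is not part of the original posts: an LDAP modify request is applied as a single atomic operation, so the redundant add of objectclass=group (a value the entry already has) rejects the whole request, including the member add. This is a simplified in-memory model with hypothetical function names, not DBMS_LDAP itself; the entry mirrors the search result shown in the question.

```python
MOD_ADD = "add"


class LdapError(Exception):
    """Raised when the modelled directory rejects a modify request."""


def _find_attr(entry, name):
    # LDAP attribute names are case-insensitive: 'objectclass' == 'objectClass'.
    for key in entry:
        if key.lower() == name.lower():
            return key
    return None


def modify(entry, mods):
    """Apply every (op, attr, values) change, or none of them."""
    work = {k: list(v) for k, v in entry.items()}  # stage changes on a copy
    for op, attr, values in mods:
        if op != MOD_ADD:
            raise LdapError(f"unsupported operation in this model: {op}")
        key = _find_attr(work, attr) or attr
        current = work.setdefault(key, [])
        for value in values:
            if any(value.lower() == c.lower() for c in current):
                # One rejected change fails the whole request.
                raise LdapError(f"Already exists: {key}={value}")
            current.append(value)
    entry.clear()
    entry.update(work)  # commit only after every change was accepted


def researcher_group():
    # Constructed entry mirroring the search result in the question.
    return {
        "objectClass": ["top", "group"],
        "cn": ["Researcher"],
        "member": [f"CN={n},OU=MUsers,DC=xxx,DC=yyy" for n in (3, 2, 1)],
    }


NEW_MEMBER = "CN=366944,OU=MUsers,DC=xxx,DC=yyy"

# Request as built in the question: member add plus objectclass add.
QUESTION_MODS = [(MOD_ADD, "member", [NEW_MEMBER]),
                 (MOD_ADD, "objectclass", ["group"])]
# Request after the change suggested in the reply: member add only.
FIXED_MODS = [(MOD_ADD, "member", [NEW_MEMBER])]


def try_modify(mods):
    """Return (error text or None, whether NEW_MEMBER ended up in the group)."""
    group = researcher_group()
    try:
        modify(group, mods)
        error = None
    except LdapError as exc:
        error = str(exc)
    return error, NEW_MEMBER in group["member"]


if __name__ == "__main__":
    print("question:", try_modify(QUESTION_MODS))
    print("fixed:   ", try_modify(FIXED_MODS))
```

In this model, running the fixed request a second time for the same user is rejected in the same way, so a caller that may run twice should check membership first.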

  • What is the Behavior.Navigation URL for creating navigation bar links for search scopes for security group and distribution groups?

    ...the search scope is used to subset the SGs and DGs. The search scope itself shows expected results. The search scope filter used is: /Group[Type='Security' or Type='MailEnabledSecurity'][(Domain = 'DomainX') or (Domain = 'DomainY')]
    Tried the following, with the GUID being the resource ID from the search scope for security groups:
    ~/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
    ~/IdentityManagement/aspx/groups/Groups.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
    Thanks

    Are you talking about the redirect URL in the search scope? FIM will automatically add the searchtype querystring.
    For a custom groups search scope you can use:
    ~/IdentityManagement/aspx/groups/AllGroups.aspx
    and configure your search scope to use the same UsageKeywords as for the security groups
    and restart your IIS server using the command "IISRESET".
    In your case, if you want to create a navigation bar link to your group-type search scope, you may use this format:
    http://{your fim server}/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype={your searchscope guid}&content=%2a
    ex : http://fimserver/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype=47e0a973-0ab4-46f5-815f-f5028c1af58e&content=%2a

  • Creating a security group for S/Mime cert auto-enrolment

    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory
    Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
    Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?

    On Thu, 6 Feb 2014 19:20:37 +0000, Alen Williams wrote:
    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory
    Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
    Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
    Although this group is going to be used for certificate enrollment this
    really isn't the right forum for your question. You should repost to either
    an Active Directory forum or to one dedicated to scripting or Powershell.
    Paul Adare - FIM CM MVP
    urbi et IP -- axelm in <mode=pope>

  • Unable to resolve name in add user to security group screen

    Hello Everybody,
        Today I come to ask for advice from the FIM experts, it was just brought to my attention that when somebody tries to add a user to a security group by using the browse option they are able to search for the member and select them but when they
    click on "Ok" the account isnt shown in the Members to add box. However if the person types in the full display name into the "members to add box" the user is successfully resolved. 

    After some intense research, this issue is caused by a recent Microsoft update, KB3008923. I have opened a Microsoft support case after being informed of this issue. This is caused not by a FIM patch but by an Internet Explorer update. Please uninstall KB3008923
    and your issue will be resolved. Or you can suggest to your users to use Chrome with the IE Tab add-on enabled as a workaround.
    I am awaiting Microsoft to provide a hotfix for this issue, but until then I have just instructed my users to do one of the temporary solutions listed above.

  • Migrate security group in SharePoint

    Hi,
        There are some security groups which are renamed. So now we want to do the migrate group to replace the permission of the old groups with the new groups. Is it possible ? can we run the stsadm command for migrating any security group also as
    we do the same for the users.

    Hi,
    I recommend using the PowerShell command below to update the group name:
    $sites = Get-SPSite -Limit All
    foreach ($site in $sites)
    {
        # Change the identity value to the identity of your group in the SharePoint site
        $user = Get-SPUser -Identity "c:0+.w|s-1-5-21-327186598-2419249556-1286632975-1156" -Web $site.Url -ErrorAction SilentlyContinue
        if ($user)
        {
            Set-SPUser -Identity $user -DisplayName "contoso\ADGPkk"
            Write-Host -ForegroundColor Green "Changed the name for $($site.Url)"
        }
        else
        {
            Write-Host -ForegroundColor Red "The specified group does not exist in $($site.Url)"
        }
    }
    More reference(same for SharePoint 2010):
    http://www.sharepointfire.com/MyBlog/2013/11/renaming-an-ad-group-in-sharepoint-2013/
    Best regards.
    Thanks
    TechNet Community Support

  • Is there a way for an end user to see who has membership in a security group

    Windows Server 2008 R2
    Active Directory Domain
    Windows 7 workstations
    I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
    Is that possible? Any drawbacks or concerns?

    Hi Tod,
    Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
    Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
    However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
    More information for you:
    Viewing the Direct Members of a Group
    http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
    Net group
    http://technet.microsoft.com/en-us/library/cc754051.aspx
    Best Regards,
    Amy

  • Not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365

    not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
    Any idea?

    After a few days of testing in my lab, I can see that only email enabled groups can be added as site collection admin using POWERSHELL.
    Hope this helps anyone who is stuck like me!! :-)

  • Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project

    I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
    We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
    groups on the project site upon publishing/syncing:
    <Project Name> Members
    <Project Name> Owners
    <Project Name> Visitors
    <Project Name> Project Managers (Project Web App Synchronized)
    <Project Name> Team Members (Project Web App Synchronized)
    Web Administrators (Project Web App Synchronized)
    Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
    and add a whole list of users in the Site Permissions list without groups. 
    Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
    or publishing. 
    How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
    Thanks in advance.

    Paul,
    Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
    the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies. 

  • Security Group for SharePoint 2013 Online Enterprise 3

    I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
    I can not figure out how to do this.
    Thanks.
    Dawn

    Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the
    Account Manager for SMB (small to medium businesses) in the
    education sector.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs
