Google API Bug: orgUnitPath not returning after modification via patch / update

Another day.. Another bug!!!

We use Google API to provision and manage users in GoogleApps via Google MA FIM/MIM.

I have recently found that when you make changes to a user’s orgUnitPath and send it as a patch / update to Google, the API does not confirm it by returning the value in the return. But the change is actually made and if you do a GET for the user you can see the modified orgUnitPath

It fails to do the same with Google API Explorer and OAUTH Playground


Response (no orgUnitPath is returned although change has been made)

Google has confirmed this as a high priority bug (b/65534998) but its been a week since reported.. Their current workaround suggested is to use GET after doing a PUT or a PATCH and not rely on the current return values of them. Doesn’t really solve the issue for us in an extremely large environment and also means changing the code etc..

Keep calm and wait!!!

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+Share on RedditPrint this page

KISS for MIM – Autosync

This one has been long overdue and about time that the community realizes how easy it can make your daily life with FIM/MIM.

A wonderful tool which keeps our engine purring like a kitten and all the cogs moving – Autosync written by @RyanLNewington

Since the past two year or so, it has evolved and now it is becoming mainstream with him making it more user friendly, GUI enabled and with KISS strategy (Love the strategy – Keep It Simple Stupid!!!).. It has now culminated as AutoSync.

We’ve worked together and I’ve done a lot of testing (somehow I have the notorious name of bug finder – I find them or say they find me in every product I’ve touched – FIM / MIM / Google / Lithnet / Oracle MA / Generic LDAP MA <– don’t even get me started with that one)

It’s extremely simple to use and self explanatory. It installs as a service, and has a easy to read XML config (no need to dive into as GUI makes it easy) and an “Execution Monitor” to show you the status of all  your runs.

Some of the features to list

  • Auto detect all MA in the environment and list them for configuration.
  • Automatically detect and prepopulate run profiles tab with best matching one.
  • Advance trigger capability to detect changes in the MA source and run only when needed
  • Ability to make changes to individual MA and restart only that component.
  • Ability to mention a list of MA’s not to run if a particular MA is running (to give priority or avoid deadlock situations)
  • One-Click button to create MPR / Set and service account in FIMService which helps in change detection in FIM/MIM Service.
  • Easy to configure and send mail notification of errors and customize it according to the errors you want to see / or ignore
  • Clear run history and store it as a maintenance task.
  • Different execution modes according to your choice (Supported / Exclusive / Unsupported)

The above is definitely not an exhaustive list and there are many more hidden and advance features which I can cover if it makes it to the final cut.

Let’s take an example on how we can utilize it in real world very easily. No coding experience needed.

We have an environment with 9 Management Agents (not the biggest in the world out there by far). We have some business rules which bind us to set provisioning times and deprovisioning times. Which means we need to keep the wheel moving – always and in sync.

Lithnet Autosync has a very easy to understand GUI interface. We can set which profiles to run to confirm an export (Confirming Import) or say which profile to run if the MA hasn’t run for X amount of time – scheduled import (which you can set as well).

For AD / LDS / LDAP MA we have change detection capabilities which basically runs the delta import / Full Import (whatever you configure) only when it detects a change for the system.

In the above example you can see I have also configured a “scheduled interval” which runs a full import for the MA every day at 2am. We do this to make sure the system is clean and up-to-date with the source. I have configured it for all the MA to run daily at different time intervals during non business hours so that the system is “clean” when we come back the next day. You can also configure them run exclusively to each other so that no clash occur (if that is a concern in your system).

You can also do change detection by writing power shell scripts and then running import run profile. We use an SQL based MA (ACMA) where we use such and example where the script looks at the Object Delta table and makes runs the DI (Delta Import) profile only if a change is detected. It can be as little as every second check but I run it every 5 second.

There are more such examples in “C:\Program Files\Lithnet\AutoSync\Examples” folder once you install it. We also have scripts to detect changes in a PostGres DB.

There is so much more we do with it. There are some MA which we use just for versioning purpose. So we simply have them as “unconfigured” so they are not used in the run.

Two most useful features I would like to show you are

Execution Mode

The text below are self explanatory but in a nutshell

  • Supported (Recommended): What Microsoft dictates – Never run sync profiles while any other profile is running. Import and export profiles of different MA can still run in parallel. When a sync profile runs its take precedence lock and doesn’t allow other profiles to run (they queue up)
  • Exclusive Mode (I call it the SloMo Mode): Every run profile in every MA are run exclusively. Slowest mode and possibly the safest mode if you are not concerned with timings and speed.
  • Unsupported Mode (Against the Bible): I use this quite often as I am confident of our environment and what we need in terms of SLA to provision / deprovision users. The difference in this mode v/s supported is that in this mode a sync profile can run while other MA are running their import / export profile.

Execution Monitor

This is where you can keep an eye on things like what is MA is running, what profile is running, what has the lock and what others are waiting to run next.

You can see a lot of live and useful information there.

  • You can see two MA are executing Full Import (FI) – A Play button indicates that
  • You can see that an MA has a lock and its preparing to start a Delta Sync (DS) and then after that it has Delta Import (DI) and EALL (Export All) queued up.
  • Another MA wants to run a delta sync (DS) and is waiting to take lock from the previous MA.
  • You can click on the MA and see the run history and logs of what it has done (depicted in the windows below)
  • As you would have guessed – my system is running in unsupported mode currently.
  • You can stop all execution and/or stop and cancel all runs from the button on top.
  • You can also uncheck the “Automatically start executors when service starts” so that when Autosync service starts it will not start any executions – handy when you want to check all config before you kick off the syncs.

There is so much you can do with the package that I haven’t even begin to list them here.

Hope this small post has given you some insight on the capabilities of Autosync and the potential it has to radicalize and make your environment more friendly and easy to use.

Let me know if you need a solution with AutoSync and I can probably help you with that….

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+Share on RedditPrint this page

AzureAD: Get List of all users with a particular license

You might have to do reporting and want a list of all users in Azure AD which have a particular license..

Following is an easy way to do so

Get-MsolAccountSku will give you a table of all the License Types you have and count

AccountSkuId ActiveUnits WarningUnits ConsumedUnits

You can then choose the AccountSkuId you want to report on and pass that in the “TENANTNAME:AAD_PREMIUM” of the Get-MSOLUser command

It took me about 20 min to run this report for about 155000 users

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+Share on RedditPrint this page

Fixing MIM Error: The dimage indicates an update or replace operation, but the image doesn’t exist.

So there was a delete operation sent to an AD MA. It was deleted successfully but on import (Full / Delta) MIM was still seeing the object with a staging error

Error: The dimage indicates an update or replace operation, but the image doesn’t exist.

Cause: Unknown – The Object Information was corrupted in connector space.

Resolution: Did some digging with Microsoft and came up with the solution

  • Open SQL Server management studio and logon. Backup FIMSynchronizationService database.
  • In a new query script, input the below command



  • You can get the RDN from the object corrupted.
  • After that, record the object_id from the query result, which we will use in the later statements.
  • Run the below statements to turn it into a phantom


  • Stop the FIM service.
  • Delete the record via the below commands


  • Restarted the FIM Services
  • Run the FIM Sync to see if the issue fixed.
It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+Share on RedditPrint this page

Quick Tip: Get local time for next AzureAD Sync

When you run the command

You get an output similar to

AllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 01:00:00
CustomizedSyncCycleInterval : 01:00:00
NextSyncCyclePolicyType : Delta
NextSyncCycleStartTimeInUTC : 18/05/2017 10:55:42 PM
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : True
MaintenanceEnabled : True
StagingModeEnabled : False
SchedulerSuspended : False
SyncCycleInProgress : False

You will notice that the time is in UTC..

Quick one-liner can show you local time

Output is more sane

Friday, 19 May 2017 8:55:42 AM

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+Share on RedditPrint this page