Piyush Khandelwal

Composite write back to FIMService via Powershell

So if you have a large number of objects to update in FIMService it could be complicated..

Lithnet FIM/MIM Powershell Module makes it so much simpler..

Below is a script I used to say update all accounts which have “accountType” = oldaccounts and set “accountBlocked” to true (my custom schema).

Some explanations

I have set PageSize = 100 which means if you are returning more than that number process only 100 at a time..
I have set “-AttributesToGet” which gives me only the attribute what I want

$objs = Search-ResourcesPaged -XPath "/Person[(accountType = 'oldaccounts')]" -AttributesToGet accountBlocked
$objs.PageSize = 100

$i = 0

while ($objs.HasMoreItems)
    {
        $results = $objs.GetNextPage();

        foreach ($user in $results)
            {
                $user.accountBlocked = $true
                $i++
            }
        Save-Resource $results
        Write-Host "Saved $i of " $objs.TotalCount      
    }

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

$objs = Search-ResourcesPaged -XPath "/Person[(accountType = 'oldaccounts')]" -AttributesToGet accountBlocked

$objs.PageSize = 100

$i = 0

while ($objs.HasMoreItems)

{

$results = $objs.GetNextPage();

foreach ($user in $results)

{

$user.accountBlocked = $true

$i++

}

Save-Resource $results

Write-Host "Saved $i of " $objs.TotalCount

}

See how easy is that? You can do multiple operations before save-resource and thus do a bunch of changes to say 1000 users and in 10 saves it will be done!!!

PS: As you can see its simple for demonstration and not doing any error handling etc..

By Piyush Khandelwal, 8 years03/22/2017 ago

ADConnect

Scheduling Syncs for ADConnect Maintenance

We have loads of objects in our AD / Azure AD.. we believe doing regular Full Imports and Full Syncs for all the MA’s is a good way to make sure Sync engine is healthy.

Had recently visited #MSAUIGNITE 2017 in Gold Coast, Australia and SME’s there suggested Full Sync is not needed in environments unless there has been a connector change.. But I disagree and consider ADConnect as Microsoft Identity Manager (MIM / FIM) and by experience we have seen a good healthy sync engine we should do FI / FS for maintenance.

After doing some initial sync timings, found our FI from Azure took 9 hrs and FS took about 2 hrs. Likewise from AD FI took 1 hr and FS took 2 hrs.

Decided we wanted to schedule each FI and FS to make sure sync engine is all caught up out of business hours.

Assumptions

The MA is called “AzureAD”
Run Profile Name is called “Full Import”

Do the following on our ADConnect Sync Box

Create a powershell script with the following code and save it as “AzureFI.ps1” at a location say D:\SyncScript

Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $False
Stop-ADSyncSyncCycle
Invoke-ADSyncRunProfile -ConnectorName "AzureAD" -RunProfileName "Full Import"
Set-ADSyncScheduler -SyncCycleEnabled $true

1

2

3

4

5

Import-Module ADSync

Set-ADSyncScheduler -SyncCycleEnabled $False

Stop-ADSyncSyncCycle

Invoke-ADSyncRunProfile -ConnectorName "AzureAD" -RunProfileName "Full Import"

Set-ADSyncScheduler -SyncCycleEnabled $true

Create a task scheduler and run as the same user which runs the sync engine.
Schedule it once a week / month as per your requirement. As per your initial tests, you can schedule it out of business hours say 10pm and by morning it is finished.
For action
- Action: Start a Program
- Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Argument: -ExecutionPolicy Bypass -File “D:\SyncScript\AzureFI.ps1”

That’s it!!! You can create similar scripts and change ConnectorName / RunProfileName and create tasks for each at particular times.

You will have a healthy sync engine for ADConnect.