A long time ago I wrote a post showing how you can do composite write-back to FIMService via PowerShell. That used the “Search-ResourcesPaged” cmdlet from the Lithnet module. But it isn’t helpful in the scenario where you already have a list of users (say an exported CSV or a text file) you want to perform some action on. In that scenario XPath is not needed (and might not help if there is no pattern to search on), as you already have your objects to work on.
So say, for example, I have a list of 10000 ObjectIDs from FIM and want to delete them.
The simple way would be:
delete objects - simple
```powershell
$i = 0
foreach ($object in $objects) {
    Remove-Resource $object                      # one request to FIMService per object
    $i++; Write-Host "Done $i of" $objects.Count
}
```
Pretty simple, but at roughly one object per second it will take about 10000 seconds to get through them.
Yeah, I am not going to wait that long…
I did some R&D (and Googling) and found a few different ways of going about it.
One way was the ForEach -Parallel flag. I tried it, but it actually had the reverse effect for me; I obviously did it wrong. It worked but took longer for some reason (even with -ThrottleLimit set). Moved on; it went above my head for the limited time I had to do the job.
Then I found a pretty simple way to do it online and made some modifications to suit my scenario.
Powershell Batch Process an Array
```powershell
for ($i = 0; $i -lt $objects.Count; $i += 1000) {   # Change 1000 to the number you want to process in a single batch
    $num = $i + 999                                  # Change this number to 1 less than the batch number
    $newarray = $objects[$i..$num]                   # Slice out the current batch; indices past the end of the array are simply dropped
    Remove-Resource $newarray                        # Delete the resources from FIMService, or do any other action, e.g. foreach over $newarray, Get-Resource, modify, and save after the loop is over
    Write-Host "No of Objects in the batch:" $newarray.Count
}
```
Voila!!! It’s done in seconds. It sends a batch of 1000 objects at a time to FIMService as a composite request and gets through them quickly. I did about 10000 in 10-15 seconds or so. You can also import a CSV/TXT file and create the array from that.
I am not a PowerShell expert and this may not be the perfect or most elegant way of doing it, but it gets the job done quickly.
You can use the logic for virtually anything, not just to write back to FIMService. But yeah, it helped me do large modifications / deletes pretty quickly.
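The CSV-import and modify-then-save variant mentioned above, as an added example (not the post’s own script). It assumes the Lithnet ResourceManagement module is loaded as LithnetRMA, that the CSV has an ObjectID column (path is a placeholder), and that Get-Resource / Save-Resource accept the values as shown; the attribute being changed is constructed for the example.

```powershell
# Added example: batch-modify FIMService resources listed in a CSV, one composite request per batch.
# Assumptions: LithnetRMA module; CSV with an "ObjectID" column; Get-Resource -ID and Save-Resource
# behave as Lithnet documents them. Path, attribute name and value are placeholders.
Import-Module LithnetRMA

$batchSize = 1000                                              # objects per composite request
$objects   = @((Import-Csv -Path 'C:\temp\users.csv').ObjectID) # @() keeps a 1-row CSV an array

for ($i = 0; $i -lt $objects.Count; $i += $batchSize) {
    # Indices past the end are dropped by PowerShell, so the last batch is just shorter
    $batch = $objects[$i..($i + $batchSize - 1)]

    # Fetch each resource and change it locally; nothing is sent to FIMService yet
    $changed = foreach ($id in $batch) {
        $r = Get-Resource -ID $id
        if ($null -ne $r) {
            $r.EmployeeStatus = 'Inactive'     # constructed attribute/value for the example
            $r                                 # emit the modified object into $changed
        }
    }

    # One composite request for the whole batch instead of one round-trip per object.
    # Swap Save-Resource for Remove-Resource $batch to get the delete scenario from the post.
    if ($changed) { Save-Resource $changed }
    Write-Host ("Batch starting at {0}: {1} objects saved" -f $i, @($changed).Count)
}
```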
Happy New Year!!! Hope everyone had a great 2017 and hopefully an even better 2018.
If you know disconnectors then you definitely know how irritating the FIM/MIM GUI can be when converting a disconnector from explicit to normal or vice versa when you have potentially tens or hundreds of them… The Joiner tab isn’t really friendly for selecting multiple disconnectors and “batch” converting them.
We sync AD users across domains (not a single forest), say from “DC=contoso,DC=com” to “DC=fabrikam,DC=com”. Without getting too much into it, we do some matching and use a rules extension to convert a few values to match the destination domain.
Recently I have been seeing the following error when the sync engine tries to enable a disabled user in the fabrikam domain.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
Although the password policy is the same between the two domains.
After a tip I found that, for some reason, the password was not set after the user was synced. So when the sync engine then tried to enable the user, the account had no password and failed the domain policy.
Fix: I got the list of users failing from MIM and set their password manually in the destination by using the following script
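The author’s script is not reproduced on this page. As an added example (not the author’s), this is one way to do the same fix: set a fresh random password on each failing account in the destination domain. It assumes the ActiveDirectory module, a text file of sAMAccountNames exported from MIM, and a destination-domain DC name; file path and server are placeholders.

```powershell
# Added example: reset passwords for accounts that synced without one, so the enable no longer fails policy.
# Assumptions: ActiveDirectory module; one sAMAccountName per line in the file; a DC in the destination domain.
Import-Module ActiveDirectory

$server   = 'dc01.fabrikam.com'                        # placeholder: destination-domain DC
$accounts = Get-Content 'C:\temp\failing-users.txt'    # placeholder: list exported from MIM

function New-RandomPassword([int]$Length = 24) {
    # 64 characters (ambiguous l/I/O/0/1 removed): 256 % 64 == 0, so byte % 64 has no modulo bias
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)                         # cryptographic RNG, not Get-Random
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Redraw until all four character classes are present, so domain complexity rules pass
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -cmatch '\d' -and $pw -cmatch '[^A-Za-z0-9]')
    return $pw
}

foreach ($sam in $accounts) {
    # A different random value per account; never a shared temporary password for the whole list
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    # -Reset sets the password without the old one; the value is not logged or shown anywhere
    Set-ADAccountPassword -Identity $sam -Server $server -Reset -NewPassword $secure
    Write-Host "Password set for $sam"
}
```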
This one has been long overdue, and it’s about time the community realizes how easy it can make your daily life with FIM/MIM.
A wonderful tool which keeps our engine purring like a kitten and all the cogs moving – Autosync, written by @RyanLNewington.
Over the past two years or so it has evolved and is now becoming mainstream, with him making it more user friendly, GUI enabled and following the KISS strategy (love the strategy – Keep It Simple, Stupid!!!). It has now culminated as AutoSync.
We’ve worked together and I’ve done a lot of testing (somehow I have the notorious name of bug finder – I find them, or they find me, in every product I’ve touched: FIM / MIM / Google / Lithnet / Oracle MA / Generic LDAP MA <– don’t even get me started with that one).
It’s extremely simple to use and self-explanatory. It installs as a service, has an easy-to-read XML config (no need to dive into it, as the GUI makes it easy) and an “Execution Monitor” to show you the status of all your runs.
Some of the features:
Auto-detects all MAs in the environment and lists them for configuration.
Automatically detects and prepopulates the run profiles tab with the best matching ones.
Advanced trigger capability to detect changes in the MA source and run only when needed.
Ability to make changes to an individual MA and restart only that component.
Ability to specify a list of MAs not to run while a particular MA is running (to give priority or avoid deadlock situations).
One-click button to create the MPR / Set and service account in FIMService which enables change detection in the FIM/MIM Service.
Easy to configure mail notification of errors, customizable according to the errors you want to see or ignore.
Clearing run history, stored as a maintenance task.
Different execution modes according to your choice (Supported / Exclusive / Unsupported).
The above is definitely not an exhaustive list and there are many more hidden and advanced features which I can cover if it makes it to the final cut.
Let’s take an example of how we can utilize it in the real world very easily. No coding experience needed.
We have an environment with 9 Management Agents (not the biggest in the world out there by far). We have some business rules which bind us to set provisioning and deprovisioning times, which means we need to keep the wheel moving – always and in sync.
Lithnet Autosync has a very easy to understand GUI. We can set which profiles to run to confirm an export (Confirming Import), or which profile to run if the MA hasn’t run for X amount of time – a scheduled import (which you can set as well).
For AD / LDS / LDAP MAs we have change detection capabilities, which basically run the Delta Import / Full Import (whatever you configure) only when a change is detected in the source system.
In the above example you can see I have also configured a “scheduled interval” which runs a Full Import for the MA every day at 2am. We do this to make sure the system is clean and up-to-date with the source. I have configured it for all the MAs to run daily at different times during non-business hours so that the system is “clean” when we come back the next day. You can also configure them to run exclusively of each other so that no clashes occur (if that is a concern in your system).
You can also do change detection by writing PowerShell scripts and then running an import run profile. We use an SQL-based MA (ACMA) for such an example, where the script looks at the Object Delta table and runs the DI (Delta Import) profile only if a change is detected. It can check as often as every second, but I run it every 5 seconds.
SQL Change Detection for Autosync
```powershell
# Pick up the oldest delta row at or after the last rowversion we have seen
$table = Invoke-SQL "localhost" "DBNAME" "SELECT TOP 1 cast(rowversion AS BIGINT) AS RV FROM DBO.MA_OBJECTS_DELTA where rowversion >= $global:lastRowVersion order by rowversion asc";
```
There are more such examples in the “C:\Program Files\Lithnet\AutoSync\Examples” folder once you install it. We also have scripts to detect changes in a PostgreSQL DB.
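A complete trigger script built around the rowversion query above, as an added example (not the author’s or Lithnet’s). It assumes AutoSync calls a function named Get-RunProfileToExecute and runs whatever profile name it returns (that name is taken from AutoSync’s PowerShell trigger documentation, but treat it as an assumption), and since Invoke-SQL is not shown on the page, a minimal implementation is supplied here; server, database and profile name are as on the page.

```powershell
# Added example: rowversion-based change detection for an SQL-backed MA, in AutoSync trigger form.
# Assumptions: AutoSync invokes Get-RunProfileToExecute each poll and runs the returned profile name;
# the script's $global: state survives between polls (as the page's use of $global:lastRowVersion implies).
function Invoke-SQL([string]$Server, [string]$Database, [string]$Query) {
    # Integrated security: the AutoSync service account needs only SELECT on the delta table
    $conn  = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=$Database;Integrated Security=True"
    $cmd   = New-Object System.Data.SqlClient.SqlCommand -ArgumentList $Query, $conn
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        (New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $cmd).Fill($table) | Out-Null
    } finally { $conn.Close() }
    return $table
}

# Start from the current high-water mark so the first poll does not trigger a run for old rows
if ($null -eq $global:lastRowVersion) {
    $t = Invoke-SQL "localhost" "DBNAME" "SELECT ISNULL(MAX(cast(rowversion AS BIGINT)), 0) AS RV FROM DBO.MA_OBJECTS_DELTA"
    $global:lastRowVersion = [int64]$t.Rows[0].RV
}

function Get-RunProfileToExecute {
    # rowversion is monotonic per database, so anything above the last seen value is a new change.
    # $global:lastRowVersion is an int64 we read from the server itself, never external input,
    # so interpolating it into the query text is safe here.
    $q = "SELECT TOP 1 cast(rowversion AS BIGINT) AS RV FROM DBO.MA_OBJECTS_DELTA " +
         "WHERE rowversion > $global:lastRowVersion ORDER BY rowversion DESC"
    $table = Invoke-SQL "localhost" "DBNAME" $q
    if ($table.Rows.Count -eq 0) { return }          # nothing new: return nothing, AutoSync runs nothing

    # Remember the newest change so the same rows do not trigger a second run
    $global:lastRowVersion = [int64]$table.Rows[0].RV
    return "DI"                                      # Delta Import profile, as on the page
}
```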
There is so much more we do with it. There are some MAs which we use just for versioning purposes, so we simply leave them as “unconfigured” and they are not used in the run.
The two most useful features I would like to show you are:
The text below is self-explanatory, but in a nutshell:
Supported (Recommended): What Microsoft dictates – never run sync profiles while any other profile is running. Import and export profiles of different MAs can still run in parallel. When a sync profile runs it takes a precedence lock and doesn’t allow other profiles to run (they queue up).
Exclusive Mode (I call it the SloMo Mode): Every run profile in every MA is run exclusively. The slowest mode and possibly the safest if you are not concerned with timings and speed.
Unsupported Mode (Against the Bible): I use this quite often as I am confident of our environment and what we need in terms of SLA to provision / deprovision users. The difference in this mode vs. Supported is that a sync profile can run while other MAs are running their import / export profiles.
This is where you can keep an eye on things like which MA is running, what profile is running, what has the lock and what others are waiting to run next.
You can see a lot of live and useful information there.
You can see two MAs are executing Full Import (FI) – a Play button indicates that.
You can see that an MA has a lock and is preparing to start a Delta Sync (DS), and after that it has Delta Import (DI) and EALL (Export All) queued up.
Another MA wants to run a delta sync (DS) and is waiting to take lock from the previous MA.
You can click on the MA and see the run history and logs of what it has done (depicted in the windows below).
As you would have guessed – my system is running in unsupported mode currently.
You can stop all execution and/or stop and cancel all runs from the button on top.
You can also uncheck “Automatically start executors when service starts” so that when the Autosync service starts it will not start any executions – handy when you want to check all the config before you kick off the syncs.
There is so much you can do with the package that I haven’t even begun to list it all here.
Hope this small post has given you some insight into the capabilities of Autosync and its potential to transform your environment and make it more friendly and easy to use.
Let me know if you need a solution with AutoSync and I can probably help you with that….
I have been promising to get this post out there, so here it is.
If you make extensive use of Lithnet ResourceManagement PowerShell for MIM/FIM (you should if you don’t) you will probably be using the cmdlets “Search-Resources” or “Search-ResourcesPaged”, which require an “-XPath” input.
Now, my XPath is really bad when it comes to a complicated search.
Thankfully Ryan (Lithnet God) has written a few tools to make it easier for us to write XPath queries. We use his cmdlets New-XPathQuery, New-XPathQueryGroup and New-XPathExpression.
Let’s start with simple query: Find everyone whose AccountName (string) starts with “P”
```xpath
/Person[(((starts-with(Email, 'P')) and (accountDisabled = False)) or ((starts-with(AccountName, '%')) and (contains(Email, 'p@'))))]
```
The above searches might not make sense logically in real-world scenarios, but what I am trying to show here is how easy it is to build complex XPath search strings from PowerShell without knowing the XPath language (and don’t get me started on how many times I have messed up the brackets 😛).
Enormous potential and implementation capabilities if you come to think of it.
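Both queries from this post built with the three cmdlets named above, as an added example (not the author’s code). It assumes the LithnetRMA module is loaded and that the parameter names and operator values used (AttributeName / Operator / Value, And / Or, StartsWith / Contains / Equals) and the expression’s ToString() rendering are as Lithnet documents them; treat those as assumptions.

```powershell
# Added example: build the page's XPath with Lithnet's query-builder cmdlets instead of hand-writing brackets.
# Assumptions: LithnetRMA module loaded; cmdlet parameter names/operators as documented by Lithnet.
Import-Module LithnetRMA

# Simple query from the post: everyone whose AccountName starts with "P"
$simple      = New-XPathQuery -AttributeName 'AccountName' -Operator StartsWith -Value 'P'
$simpleXPath = New-XPathExpression -ObjectType 'Person' -QueryObject $simple

# Complex query from the post:
#   (Email starts with 'P' AND accountDisabled = False) OR (AccountName starts with '%' AND Email contains 'p@')
$left = New-XPathQueryGroup -Operator And -Queries @(
            (New-XPathQuery -AttributeName 'Email'           -Operator StartsWith -Value 'P'),
            (New-XPathQuery -AttributeName 'accountDisabled' -Operator Equals     -Value $false))
$right = New-XPathQueryGroup -Operator And -Queries @(
            (New-XPathQuery -AttributeName 'AccountName' -Operator StartsWith -Value '%'),
            (New-XPathQuery -AttributeName 'Email'       -Operator Contains   -Value 'p@'))
$complex      = New-XPathQueryGroup -Operator Or -Queries @($left, $right)
$complexXPath = New-XPathExpression -ObjectType 'Person' -QueryObject $complex

# The expression object renders to the XPath string; the cmdlets handle quoting and brackets for us
Write-Host $simpleXPath.ToString()
Write-Host $complexXPath.ToString()

# Feed the rendered string to the paged search exactly as a hand-written -XPath would be
Search-ResourcesPaged -XPath $complexXPath.ToString() | Select-Object -First 5
```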