Using PowerShell to Fix an ObjectSID on a Portal object

    General discussion

  •   Summary
     

    Sometimes the ObjectSID just isn't what you want it to be or it's been unintentionally recalled due to another action. :)
    This script should fix the portal object: just pass it the account name and domain on the command line, and it will retrieve the SID, find the object by AccountName in the portal and then fix it if it is wrong.
    Based on earlier examples by Joe Schulman and Markus Vilcinskas.

     

    PARAM([string]$AccountName, [string]$Domain)
    Clear-Host
    #------------------------------------------------------------------------------------------------------
    Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant

    function GetSidAsBase64
    {
        PARAM($AccountName, $Domain)
        END
        {
            # Translate DOMAIN\AccountName into its SID (fails if the account cannot be resolved)
            $ntaccount  = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
            $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
            Write-Host " -Account SID : ($Domain\$AccountName) $desiredSid"
            # Allocate exactly BinaryLength bytes so a SID with any number of sub-authorities encodes cleanly
            $sidArray = New-Object byte[] $desiredSid.BinaryLength
            $desiredSid.GetBinaryForm($sidArray, 0)
            # The portal stores ObjectSID as the Base64 encoding of the binary SID
            [System.Convert]::ToBase64String($sidArray)
        }
    }
    #------------------------------------------------------------------------------------------------------
    Write-Host "`nFix Account ObjectSID"
    Write-Host "=========================="
    #------------------------------------------------------------------------------------------------------
    # Retrieve the Base64 encoded SID for the referenced user
    $accountSid = GetSidAsBase64 $AccountName $Domain
    #------------------------------------------------------------------------------------------------------
    # Export the account configuration from the service:
    Write-Host " -Reading Account information"
    if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0)
    {
        Add-PSSnapin FIMAutomation
    }

    $exportObject = Export-FIMConfig -Uri $URI `
                                     -OnlyBaseResources `
                                     -CustomConfig ("/Person[AccountName='$AccountName']")
    if ($null -eq $exportObject) { throw "Cannot find an account by that name" }
    $objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
                     Where-Object { $_.AttributeName -eq "ObjectSID" }

    Write-Host " -New Value = $accountSid"
    Write-Host " -Old Value =" $objectSID.Value

    if ($accountSid -eq $objectSID.Value)
    {
        Write-Host "Existing value is correct!"
    }
    else
    {
        # Replace the ObjectSID attribute on the existing Person object (Operation 1 = Replace)
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation      = 1
        $importChange.AttributeName  = "ObjectSID"
        $importChange.AttributeValue = $accountSid
        $importChange.FullyResolved  = 1
        $importChange.Locale         = "Invariant"
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType             = $exportObject.ResourceManagementObject.ObjectType
        $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.State   = 1    # 1 = Put (update an existing resource)
        $importObject.Changes = (,$importChange)
        Write-Host " -Writing Account information ObjectSID = $accountSid"
        $importObject | Import-FIMConfig -Uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
        if ($Err) { throw $Err }
        Write-Host "Success!"
    }
    #------------------------------------------------------------------------------------------------------
    # A trap applies to the whole script scope no matter where in the script it is declared
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
        Exit
    }
    #------------------------------------------------------------------------------------------------------
      Go to the FIM ScriptBox
    Saturday, March 27, 2010 10:55 PM
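As an added example (not part of the original post or the FIM script above), here is a Python decoder and encoder for the Base64 ObjectSID form the script compares against. It takes the binary SID apart field by field, so you can check the "Old Value" the portal holds against the expected SID before writing anything; the only input it assumes is the value printed in one of the replies below.

```python
import base64
import struct

# Value taken from the "-New Value" line in one of the replies in this thread.
SAMPLE_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA=="

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian uint32s."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; accepts the S-1-5-... textual form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a textual SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def objectsid_b64_to_string(b64: str) -> str:
    """Portal ObjectSID (Base64 of the binary SID) -> S-1-5-... string."""
    return sid_bytes_to_string(base64.b64decode(b64, validate=True))

def string_to_objectsid_b64(sid: str) -> str:
    """S-1-5-... string -> the Base64 form the script writes to the portal."""
    return base64.b64encode(sid_string_to_bytes(sid)).decode("ascii")

def objectsid_matches(stored_b64, expected_sid: str) -> bool:
    """The script's comparison, done on decoded SIDs: an empty or undecodable
    stored value (as in the reply where Old Value was blank) never matches."""
    if not stored_b64:
        return False
    try:
        return objectsid_b64_to_string(stored_b64) == expected_sid
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
```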

All replies

  • Hi Brad!

    I'm trying to run your script but I'm receiving this error:

    Some or all identity references could not be translated

    The instruction $ntaccount.Translate is near the error.

    Any clue or suggestion?

    Regards

    Alejandro

    Monday, November 29, 2010 3:16 AM
  • Did you provide the accountname and domain as parameters?
    http://setspn.blogspot.com
    Monday, November 29, 2010 8:04 AM
  • Yes I do.

    In Powershell, I am running:

    >> BradScript.PS1  FimServiceAccount, MyDomain

    I also added some Write-Host lines to check the script, and the variables $AccountName and $Domain are showing the right values.

    But the script stops with error at:

    $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])

    Monday, November 29, 2010 11:34 AM
  • If I'm correct, the correct syntax is:

    >> BradScript.PS1  FimServiceAccount MyDomain

    So no "," is involved between those parameters.


    http://setspn.blogspot.com
    Monday, November 29, 2010 2:08 PM
  • Thank you Thomas!!!.. the "," was my mistake. Now the script is running!!!!!
    Alejandro
    Monday, November 29, 2010 5:11 PM
  • When I run the script I get the following:


    Fix Account ObjectSID
    ==========================
     -Account SID : (mydomain\USERID) S-1-5-21-1314303383-2379350573-4036118543-289936
     -Reading Account information
     -New Value = AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA==
     -Old Value =
     -Writing Account information ObjectSID = AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA==


    SourceObjectIdentifier : urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
    TargetObjectIdentifier : urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
    ObjectType             : Person
    State                  : Put
    Changes                : {ObjectSID}
    AnchorPairs            :


    Error: Failure when making web service call.

    SourceObjectID = urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
    Error = Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The request message contains errors that prevent processing the request.
       at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate(String synchronizationSequenceIdentifier)
       at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
       at Microsoft.ResourceManagement.Automation.ImportConfig.UnifiedClientPut(List`1 changeList, UniqueIdentifier objectIdentifier, String objectType, CultureInfo locale)
       at Microsoft.ResourceManagement.Automation.ImportConfig.ProcessLocaleBucket(String objectIdentifier, String objectType, Dictionary`2 localeBucket)
       at Microsoft.ResourceManagement.Automation.ImportConfig.Put(String objectIdentifier, String objectType, List`1 changeList)
       at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()


    Opper ...don't stop.

    Thursday, February 16, 2012 2:34 PM
  • Any help on this?  Please?  :)

    Opper ...don't stop.

    Monday, April 02, 2012 10:39 AM
  • Is there anything in the request history or event viewer when you run this command that might shed a little more light on it?

    Monday, April 02, 2012 3:38 PM
  • The event log has 2:

    1.

    Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException' was thrown.

    2.

    Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
    Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException' was thrown.
       at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
       at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
       at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)


    Opper....

    Tuesday, April 03, 2012 10:50 AM