Administrators Set in FIM Portal

    Question

  • Hi,

    I have recently upgraded to FIM 2010 RC U3, but since I have done this I experience access denied errors when I want to add or modify MPRs. In the process of trying to resolve this I have accidentally deleted the only account from the Administrators set; now I can only access the portal the way a normal user would, with no more administration functions.

    To try and fix this I have removed and reinstalled the portal but with no success; I am using the same database though. The question is, is there a way to fix this without trashing the whole installation and starting again? If this is such an important function maybe there should be some warning or confirmation request against it.

    Any help would be appreciated
    Thanks
    Johan Marais
    Thursday, February 04, 2010 12:05 PM

Answers

  • I'm afraid, you are out of luck in this case...
    You will have to reinstall FIM.

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    • Marked as answer by Johan Marais Wednesday, February 10, 2010 1:06 PM
    Thursday, February 04, 2010 12:48 PM
    Owner

All replies

  • I was also getting "Access denied" errors when adding or modifying MPRs with the Administrators account, following an upgrade from RC1U2 to RC1U3.

    I did try and troubleshoot it for a while, but in the end I decided to start over with a fresh install.

    One of the things I noticed while troubleshooting was something that might have been a certificate error - it mentioned not being able to find a key. I had first tried to do the update with selecting the existing certificate, but I was logged in as the wrong account, and hadn't deleted the SharePoint site yet, and various other niggles. Once I got all that sorted I re-ran the installation .... but I can't remember if I selected the existing key that time, or chose to create a new one. IF this theory has any validity then it MAY be possible to reinstall the service and choose the old certificate which MIGHT still be in the cert store .... but as you can tell I haven't tried this as I just started over.

    Carol
    http://www.wapshere.com/missmiis
    Thursday, February 04, 2010 3:06 PM
  • Not sure if that works or not, but have you tried using the built-in sync account?
    Thursday, February 04, 2010 6:29 PM
  • Ahh, you've encountered the same issue that I did - upgrade fails initially, subsequent updates complete (due to the version number being incremented incorrectly) but the database upgrade failed to apply updates to the MPRs. In my case I can't start with a clean database, I have to upgrade otherwise I'll lose months' worth of work.

    I am still searching for a fix - best I can tell you is restore back to Update 2 and try your upgrade again.

    The partial update problem will manifest in the following manners:
     - Access Denied errors when attempting to Create, Modify or Delete MPRs
     - You will not see the new attribute in the schema - "Management Policy Rule Type", nor is it bound to the user object
     - You do not have the 4th FIM SQL job - FIM_DeleteExpiredSystemObjectsJob
     - SELECT * FROM FIMService.fim.Version will return '5' (the version for Update 3)


    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Friday, February 05, 2010 5:33 AM
  • NTony Ho,

    Yes, it also didn't work.

    Thanks for the reply
    Friday, February 05, 2010 8:24 AM
  • Brad,

    Thanks for the reply. I sit in the same situation of losing months' worth of work. But according to Markus's answer the only way to get an administrator back for the portal is to start from scratch. If no other solution presents itself, I will start that process next week.

    Thanks again
    Johan
    Friday, February 05, 2010 8:30 AM
  • Yeah, sorry, without a backup of some sort there currently isn't any mechanism to insert someone into the Administrators set without having a privileged user do so. We should probably have an MPR that prevents you from removing yourself from the Administrators set. :)
    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Friday, February 05, 2010 1:26 PM
  • When you say install FIM, do you mean everything, or just the FIM portal?

    I had an incident where I was a domain admin, installed the portal, had all my work done, and I was deleted from AD; now I cannot access the FIM portal with a newly created admin account.


    Rob

    Wednesday, November 21, 2012 6:01 PM
  • MasterPrawn,

    I was fortunate in that I had a recent backup and could restore that to get my FIM Portal administrator back. In my experience it only affected my FIM portal; the other components are running on different servers. But I think it will only affect the FIM portal and possibly the password portals. Since then I use a separate account as an administrator for the FIM portal. This account is also not managed by FIM and is also outside the scope of the ADMA.

    This administrator account is used to add other administrators. I think the practice of using a separate account for the FIM Portal should be more emphasized from Microsoft's side. The other scenario one can get into is that when you use a normal user account as an administrator and have automated de-provisioning like us and that user leaves the company - your FIM administrator is also gone :-)

    Regards

    Johan Marais


    JkM6228

    Thursday, November 22, 2012 5:15 AM
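
Added example (not part of the thread and not Microsoft's or any poster's code): a periodic audit of the Administrators set that lists its members and warns while it still has too few of them, the single-administrator condition that led to the lockouts described above. It assumes the FIMAutomation PowerShell snap-in is installed, the FIM Service is reachable at the local endpoint shown, and the caller may read the set and its members; the `$MinimumAdmins` threshold and the `Get-FimAttribute` helper are hypothetical names introduced here.

```powershell
# Added example: audit the FIM Portal Administrators set for lockout risk.
# Assumptions: FIMAutomation snap-in installed; FIM Service on the local
# endpoint below; caller has read access to the set and its members.
param(
    [string]$Uri = 'http://localhost:5725/ResourceManagementService',  # assumed endpoint
    [int]$MinimumAdmins = 2                                             # hypothetical threshold
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation -ErrorAction Stop
}

# Hypothetical helper: value of a single-valued attribute on an exported object.
function Get-FimAttribute($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr) { $attr.Value }
}

# Dereference the set's members (explicit and criteria-based) to their resources.
$members = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources `
    -CustomConfig "/Set[DisplayName='Administrators']/ComputedMember")

$report = foreach ($m in $members) {
    New-Object PSObject -Property @{
        DisplayName = Get-FimAttribute $m 'DisplayName'
        Domain      = Get-FimAttribute $m 'Domain'
        AccountName = Get-FimAttribute $m 'AccountName'
        ObjectID    = $m.ResourceManagementObject.ObjectIdentifier
    }
}
$report | Format-Table DisplayName, Domain, AccountName, ObjectID -AutoSize

# One member means a single deletion or de-provisioning removes all admin access.
if ($members.Count -lt $MinimumAdmins) {
    Write-Warning ("Administrators set has {0} member(s); losing one leaves the portal without an administrator." -f $members.Count)
}
```

Compare the listed accounts against the ones that are in scope of the ADMA or of automated de-provisioning; at least one member should be outside both.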