none
Groups Errors in FIM.

    Question

  • From user side if they create group in FIM and group not provision in AD, then there is no indication that group creation was successful unless the user does not get the feeling that group is not working at all or some one from IT get into it to investigate.

    As I have experienced user created group with scope universal and domain local group as member, the group failed to sync and if the user want to delete the group in FIM, it errors out ObjectSIDString  is either null and empty, cannot delete the group at this time.

    To delete the group I have to go advanced view of the group in FIM, locate the field for “ObjectSIDString Gropu binding”, and type any number in it (for example 1234).Click OK and submit the change.

    The group got deleted at last.

    It would be great if we can apply some work flow that indicates about the successful provision of the group in other data store.

     I am new to FIM may be I am wrong in my observation, correct me.

    ____________
    Anirban(India)

    Saturday, February 18, 2012 1:50 PM

Answers

  • There is no need for a workflow to determine whether something has been provisioned to an external system.
    One method to get the related information is to flow the anchor (in case of ADDS the GUID) of the object into FIM.
    Since that value can only come from the external system, the object must exist in the external system if the value is populated.

    You can also get the information from an object's ERE.
    If an outbound synchronization rule has been applied to an object, the status of the ERE is updated to reflect this.
    For more details on this, see Understanding Data Synchronization with External Systems.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Tuesday, February 21, 2012 1:13 AM
    Owner
  • By way of monitoring such things, you could use the ERE idea and set up a search scope (say "Unapplied group exports") on the group object with xpath something like the following:

    /Group[ExpectedRulesList = /ExpectedRuleEntry[not(SynchronizationRuleStatus = 'Applied')]]

    ... and assign an appropriate UsageKeyWord to ensure it appears on the main Group Search drop-down list.

    I use the Event Broker service to ensure all groups are provisioned all the way to AD as soon as the ERE is added to the group ERL.


    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Tuesday, February 21, 2012 2:13 PM

All replies

  • There is no need for a workflow to determine whether something has been provisioned to an external system.
    One method to get the related information is to flow the anchor (in case of ADDS the GUID) of the object into FIM.
    Since that value can only come from the external system, the object must exist in the external system if the value is populated.

    You can also get the information from an object's ERE.
    If an outbound synchronization rule has been applied to an object, the status of the ERE is updated to reflect this.
    For more details on this, see Understanding Data Synchronization with External Systems.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Tuesday, February 21, 2012 1:13 AM
    Owner
  • By way of monitoring such things, you could use the ERE idea and set up a search scope (say "Unapplied group exports") on the group object with xpath something like the following:

    /Group[ExpectedRulesList = /ExpectedRuleEntry[not(SynchronizationRuleStatus = 'Applied')]]

    ... and assign an appropriate UsageKeyWord to ensure it appears on the main Group Search drop-down list.

    I use the Event Broker service to ensure all groups are provisioned all the way to AD as soon as the ERE is added to the group ERL.


    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Tuesday, February 21, 2012 2:13 PM