 

General Discussion: Using PowerShell to check your MPR configuration for synchronization

  • Friday, November 06, 2009 9:26 PM — Markus Vilcinskas, MSFT, Moderator
     

    To synchronize identity objects, you need to enable certain built-in MPRs in your environment.
    The objective of this script is to check whether:

    • all required MPRs are enabled
    • there is a need to modify a built-in MPR

    Please let us know if you find this script helpful.

    #-------------------------------------------------------------------------------------------------------------------------------------------
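     # Print one "action item" section: a highlighted heading followed by the offending names.
     #   $bActionItem   - [ref] to the script-wide flag; set to $true when the list is non-empty
     #   $lstAttributes - names (MPRs or attributes) to list; $null or an empty list prints nothing
     #   $msgMissing    - heading printed above the list
     # Writes to the host only and returns nothing.
     function ShowResults([ref]$bActionItem, $lstAttributes, $msgMissing)
     {
        # $null has no .length, so the original check fell through and printed an empty section;
        # treat it like an empty list. @() keeps a single string from being counted as characters.
        if($null -eq $lstAttributes) {return}
        $items = @($lstAttributes)
        if($items.Count -eq 0) {return}
        $bActionItem.value = $true
        write-host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow
        foreach($attributeName in $items) {write-host " -$attributeName"}
     }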
    #-------------------------------------------------------------------------------------------------------------------------------------------
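     # XPath fragments used to query the exported FIM configuration, plus the two verdict texts.
     # All of them are constants: a constant cannot be re-assigned, so re-running the script in
     # the same session fails on these lines — start a fresh session instead.
     # nodeHead is left open ("[ObjectType=... ") so callers can append further predicates.
     set-variable -name nodeHead     -value "ResourceManagementObject[ObjectType='ManagementPolicyRule' " -option constant 
     set-variable -name nodeBody     -value "ResourceManagementAttributes/ResourceManagementAttribute" -option constant 
     # direct-mapping export flows only; the @cd-attribute is the attribute name in the FIM MA.
     set-variable -name nodeTail     -value "export-flow[direct-mapping]/@cd-attribute" -option constant
     set-variable -name attrDisabled -value "[AttributeName='Disabled']/Value" -option constant 
     set-variable -name flowHead     -value "ResourceManagementObject[ObjectType='ma-data']" -option constant 
     set-variable -name eafAttrName  -value "AttributeName='SyncConfig-export-attribute-flow'" -option constant
     # Verdict messages were the only non-constant values in this group; made consistent.
     set-variable -name msgWarning   -value "Caution: Your current MPR configuration requires your attention!" -option constant
     set-variable -name msgOK        -value "Your current MPR configuration meets all requirements" -option constant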
    #-------------------------------------------------------------------------------------------------------------------------------------------
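     # Folder the temporary export files are written to: the script's own folder when run from a
     # file; when the code is pasted into a console MyCommand has no Path, so fall back to the
     # current location instead of failing inside Split-Path with an unhelpful binding error.
     $scriptPath = $MyInvocation.MyCommand.Path
     if($scriptPath) {$curFolder = Split-Path -Parent $scriptPath}
     else            {$curFolder = (get-location).Path}
     # Load the FIM cmdlets (export-fimconfig, convertfrom-fimresource) once per session.
     if($null -eq (get-pssnapin -name FIMAutomation -erroraction silentlycontinue)) {add-pssnapin FIMAutomation}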
    #-------------------------------------------------------------------------------------------------------------------------------------------
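     # Export the FIM MA definition and pull out its export attribute flows. The temporary XML file
     # is written next to the script and removed at the end (and by the trap on error).
     $maDataFile = "$curFolder\MAData.xml"
     # Plain http to the Resource Management Service on the local machine (FIM default port 5725);
     # keep this pointing at localhost rather than at a remote server over http.
     $data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data[SyncConfig-category='FIM']")
     if($null -eq $data) {throw "There is no FIM MA configured on your system!"}
     $data | convertfrom-fimresource -file $maDataFile
     [xml]$xmlMAData = get-content $maDataFile
     # The export attribute flow is stored as an XML fragment inside an attribute value; wrap it in
     # a root element so it can be parsed as a document of its own. Check for the node first so a
     # missing flow configuration reports a clear error instead of a null method call.
     $eafNode = $xmlMAData.selectSingleNode("//$flowHead/$nodeBody[$eafAttrName]/Value")
     if($null -eq $eafNode) {throw "The FIM MA has no export attribute flow configuration"}
     [xml]$xmlFlow   = "<Root>" + $eafNode.InnerText + "</Root>"
     $userFlowPath  = "//export-flow-set[@cd-object-type='Person' and @mv-object-type='person']/export-flow[direct-mapping]/@cd-attribute"
     $groupFlowPath = "//export-flow-set[@cd-object-type='Group' and @mv-object-type='group']/export-flow[direct-mapping]/@cd-attribute"
     # Person flows are mandatory for the check; group flows only add the group-related MPRs.
     if($xmlFlow.selectNodes($userFlowPath).Count -eq 0) {throw "There are no export attribute flows for the object type person configured"}
     $bHasGroups = $xmlFlow.selectNodes($groupFlowPath).Count -gt 0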
    #-------------------------------------------------------------------------------------------------------------------------------------------
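     # Export every MPR into a second temporary XML file (removed at the end / by the trap).
     $mprDataFile = "$curFolder\MPRData.xml"
     $data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ManagementPolicyRule")
     # $null on the left so an array result is never unrolled by the comparison.
     if($null -eq $data) {throw "There are no MPRs configured on your FIM server"}
     $data | convertfrom-fimresource -file $mprDataFile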
    
     # Display names of the built-in MPRs every synchronization setup needs enabled. The
     # group-related ones are only required when the FIM MA flows group objects as well.
     $mprNames = @(
        "General: Users can read schema related resources",
        "General: Users can read non-administrative configuration resources",
        "User management: Users can read attributes of their own",
        "Synchronization: Synchronization account can delete and update expected rule entry resources",
        "Synchronization: Synchronization account can read schema related resources",
        "Synchronization: Synchronization account can read synchronization related resources",
        "Synchronization: Synchronization account can read users it synchronizes",
        "Synchronization: Synchronization account controls detected rule entry resources",
        "Synchronization: Synchronization account controls synchronization configuration resources",
        "Synchronization: Synchronization account controls users it synchronizes"
     )

     if($bHasGroups -eq $true)
     {
        $mprNames += @(
           "Synchronization: Synchronization account can read group resources it synchronizes",
           "Synchronization: Synchronization account controls group resources it synchronizes",
           "Security group management: Owners can read selected attributes of group resources",
           "Security group management: Owners can update and delete groups they own",
           "Security group management: Users can add or remove any member of groups subject to owner approval",
           "Security group management: Users can create group resources",
           "Security group management: Users can read selected attributes of group resources",
           "Security groups: Users can add and remove members to open groups"
        )
     }
    
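     # First check: every required MPR must exist and must not be disabled.
     $bActionItem = $false
     $disabledMPRs = @()
     $missingMPRs  = @()

     [xml]$mprDoc = get-content $mprDataFile
     foreach($mprName in $mprNames)
     {
        # The display name is spliced into the XPath as a quoted literal; the constant names above
        # contain no apostrophe, which is what keeps the query well-formed.
        $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$mprName']]")
        if($null -eq $curMprNode) {$missingMPRs += $mprName; continue}
        # Fail closed with a readable message rather than a null-method-call error when the export
        # carries no Disabled value for this MPR.
        $disabledNode = $curMprNode.selectSingleNode("$nodeBody$attrDisabled")
        if($null -eq $disabledNode) {throw "MPR '$mprName' has no Disabled value in the export"}
        if($disabledNode.InnerText -eq "True") {$disabledMPRs += $mprName}
     }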
    #-------------------------------------------------------------------------------------------------------------------------------------------
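     clear-host
     write-host "`nFIM MPR Configuration For Synchronization Check"
     write-host "==============================================="
     ShowResults ([ref]$bActionItem) $missingMPRs "Missing MPRs:"
     ShowResults ([ref]$bActionItem) $disabledMPRs "MPRs that need to be enabled:"

     # Second check: every attribute the FIM MA exports for an object type must be listed as an
     # ActionParameter on the MPR that lets the synchronization account control that type. Only
     # MPRs that exist can be inspected, so missing ones are skipped here (reported above already).
     # Each entry is "<MPR display name>|<cd-object-type>|<mv-object-type>".
     $dataList = @()
     if(!($missingMPRs -contains "Synchronization: Synchronization account controls users it synchronizes"))
     {$dataList += "Synchronization: Synchronization account controls users it synchronizes|Person|person"}

     if($bHasGroups -eq $true)
     {
        if(!($missingMPRs -contains "Synchronization: Synchronization account controls group resources it synchronizes"))
        {$dataList += "Synchronization: Synchronization account controls group resources it synchronizes|Group|group"}
     }

     foreach($dataItem in $dataList)
     {
        $a = $dataItem.split("|")
        $curMprName = $a[0]
        $missingAttributes = @()
        $maAttributes = @()
        foreach($attrNode in $xmlFlow.selectNodes("//export-flow-set[@cd-object-type='$($a[1])' and @mv-object-type='$($a[2])']/$nodeTail"))
        {$maAttributes += $attrNode.InnerText}

        $mprAttributes = @()
        $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$curMprName']]")
        foreach($attrNode in $curMprNode.selectNodes("$nodeBody[AttributeName='ActionParameter']/Values/string"))
        {$mprAttributes += $attrNode.InnerText}

        foreach($curAttribute in $maAttributes) {if(!($mprAttributes -contains $curAttribute)) {$missingAttributes += $curAttribute}}
        # Name the MPR being inspected ($curMprName); the original used $mprName, the leftover loop
        # variable from the enablement check, which always named the last MPR in $mprNames.
        ShowResults ([ref]$bActionItem) $missingAttributes "Missing Resource Attributes on MPR $curMprName"
     }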
    #-------------------------------------------------------------------------------------------------------------------------------------------
     # Final verdict, then remove the two export files — they hold the full MPR and MA configuration
     # and are only needed while the checks run.
     if($bActionItem -eq $true)
     {
        write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue
     }
     else
     {
        write-host "`n$msgOK"
     }

     foreach($tempFile in @($mprDataFile, $maDataFile))
     {
        if(test-path $tempFile) {remove-item $tempFile}
     }
     write-host "`nCommand completed successfully`n"
    #-------------------------------------------------------------------------------------------------------------------------------------------
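     # Error handler for the whole script: a trap statement applies to its entire enclosing script
     # block regardless of where it appears, so this also covers the statements above it.
     trap
     {
        Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
        # When the error happens before the file paths are assigned they are still empty; test-path
        # on an empty path would raise a second error inside the handler, so guard the value first.
        foreach($tempFile in @($mprDataFile, $maDataFile))
        {
           if($tempFile -and (test-path $tempFile)) {remove-item $tempFile}
        }
        Exit
     }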
    #-------------------------------------------------------------------------------------------------------------------------------------------
    
    

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
