How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object

FIM ScriptBox Item

Summary

Sometimes the ObjectSID just isn't what you want it to be, or it has been unintentionally recalled as a side effect of another action. :)
This script fixes the portal object: pass it the account name and domain on the command line, and it resolves the account's SID from the domain, finds the Person object by AccountName in the portal, and updates the ObjectSID if the stored value is wrong.

Script Code

 

PARAM([string]$AccountName, [string]$Domain)
cls
#------------------------------------------------------------------------------------------------------
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant

function GetSidAsBase64
{
    PARAM($AccountName, $Domain)
    END
    {
        # Resolve DOMAIN\AccountName to its SID through the security principal translation
        $nameParts = (,$Domain)
        $nameParts += $AccountName
        $ntaccount = New-Object System.Security.Principal.NTAccount $nameParts
        $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
        write-host " -Account SID : ($Domain\$AccountName) $desiredSid"
        # Size the buffer from the SID itself; a fixed-size buffer copied from a
        # dummy SID is too small for SIDs with more sub-authorities
        $sidArray = New-Object byte[] $desiredSid.BinaryLength
        $desiredSid.GetBinaryForm($sidArray, 0)
        # The portal stores ObjectSID as the Base64 encoding of the binary SID
        $desiredSidString = [System.Convert]::ToBase64String($sidArray)
        $desiredSidString
    }
}
#------------------------------------------------------------------------------------------------------
write-host "`nFix Account ObjectSID"
write-host "=========================="
#------------------------------------------------------------------------------------------------------
# Retrieve the Base64 encoded SID for the referenced user
$accountSid = GetSidAsBase64 $AccountName $Domain
#------------------------------------------------------------------------------------------------------
# Export the account configuration from the service:
write-host " -Reading Account information"
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"}).count -eq 0)
{
    add-pssnapin FIMAutomation
}

$exportObject = export-fimconfig -uri $URI `
                                 -onlyBaseResources `
                                 -customconfig ("/Person[AccountName='$AccountName']")
if($null -eq $exportObject) { throw "Cannot find an account by that name" }
$objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes | `
                Where-Object {$_.AttributeName -eq "ObjectSID"}

Write-Host " -New Value = $accountSid"
Write-Host " -Old Value =" $objectSID.Value

# Base64 is case-sensitive, so compare with -ceq; the default -eq ignores case
# and could report a wrong stored value as correct
if($accountSid -ceq $objectSID.Value)
{
    Write-Host "Existing value is correct!"
}
else
{
    # Build an import request that changes only the ObjectSID attribute of the exported object
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = 1
    $importChange.AttributeName = "ObjectSID"
    $importChange.AttributeValue = $accountSid
    $importChange.FullyResolved = 1
    $importChange.Locale = "Invariant"
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = $exportObject.ResourceManagementObject.ObjectType
    $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
    $importObject.State = 1
    $importObject.Changes = (,$importChange)
    write-host " -Writing Account information ObjectSID = $accountSid"
    $importObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
    if($Err) { throw $Err }
    Write-Host "Success!"
}
#------------------------------------------------------------------------------------------------------
# A trap applies to the whole script scope, so it also catches errors raised above it
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit
}
#------------------------------------------------------------------------------------------------------
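The script above compares two Base64 strings, which tells you that the stored ObjectSID is wrong but not how it is wrong. The following is an added example, not part of the ScriptBox script or of FIM itself: it round-trips a SID between its "S-1-5-..." string form and the Base64 form the portal stores, decodes a stored value back into a readable SID, and reports whether the mismatch is a different account in the same domain or a SID from another domain. It runs offline against constructed sample SIDs; the function names and the sample values are assumptions for this example.

```powershell
# Added example, not part of the ScriptBox script above. Round-trips a SID between
# its "S-1-5-..." string form and the Base64 form the FIM portal stores in ObjectSID,
# and reports how a stored value differs from the expected one. Runs offline: the
# SIDs below are constructed sample values, not resolved from a domain.

function ConvertTo-Base64Sid
{
    PARAM([System.Security.Principal.SecurityIdentifier]$Sid)
    # Size the buffer from the SID itself so any number of sub-authorities fits
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64Sid
{
    PARAM([string]$Base64)
    # Decode the stored value back into a SecurityIdentifier so it can be read and compared
    $bytes = [System.Convert]::FromBase64String($Base64)
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-PortalObjectSid
{
    PARAM([string]$ExpectedSid, [string]$StoredBase64)
    $expected    = New-Object System.Security.Principal.SecurityIdentifier($ExpectedSid)
    $expectedB64 = ConvertTo-Base64Sid $expected
    $stored      = ConvertFrom-Base64Sid $StoredBase64
    # Base64 is case-sensitive, hence -ceq rather than the case-insensitive -eq
    $match       = ($expectedB64 -ceq $StoredBase64)
    # AccountDomainSid is the S-1-5-21-... prefix: same domain with a different RID
    # points at another account, a different domain at a stale or foreign SID
    $sameDomain  = ($expected.AccountDomainSid.Value -eq $stored.AccountDomainSid.Value)
    New-Object PSObject -Property @{
        ExpectedSid    = $expected.Value
        StoredSid      = $stored.Value
        ExpectedBase64 = $expectedB64
        StoredBase64   = $StoredBase64
        Match          = $match
        SameDomain     = $sameDomain
    }
}

# Constructed sample values: the expected SID, a correct stored value, and a stored
# value for a different RID in the same domain (a typical "wrong account" mismatch)
$expectedSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
$correct = ConvertTo-Base64Sid (New-Object System.Security.Principal.SecurityIdentifier($expectedSid))
$wrong   = ConvertTo-Base64Sid (New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1106"))

Test-PortalObjectSid $expectedSid $correct | Format-List
Test-PortalObjectSid $expectedSid $wrong   | Format-List
```

In a real run the stored value is `$objectSID.Value` from the exported Person object and the expected SID comes from `NTAccount.Translate`, exactly as in the script above; the decoded StoredSid makes it obvious in the console output whether the portal object was pointing at another account or at an SID from a different domain before you overwrite it.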

 

Note
To provide feedback about this article, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

 



Comments
  • Thanks for this script, but I've encountered an error while running it.

    Please can you assist in debugging?

  • Hi Markus,

    I am trying to make the FIM portal accessible to regular users and it's failing. I have tried to run the script above and I get errors. I am not quite an expert with scripts and am requesting your assistance with debugging. My script... is as below:

    set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
    function GetSidAsBase64
    {
        PARAM($!fimuser, $mydomain)
        END
        {
            $sidArray = [System.Convert]::FromBase64String("01 00 00 05 00 00 00 00 00 05 15 00 0B 69 70 ")
            $args = (,$mydomain)
            $args += $fimuser
            $ntaccount = New-Object System.Security.Principal.NTAccount $args
            $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
            write-host " -Account SID : ($mydomain\$fimuser) $desiredSid"
            $desiredSid.GetBinaryForm($sidArray,0)
            $desiredSidString = [System.Convert]::ToBase64String($sidArray)
            $desiredSidString
        }
    }
    write-host "`nFix Account ObjectSID"
    write-host "=========================="
    #Retrieve the Base64 encoded SID for the referenced user
    $accountSid = GetSidAsBase64 $fimuser $mydomain
    #Export the account configuration from the service:
    write-host " -Reading Account information"
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0)
    {add-pssnapin FIMAutomation}
    $exportObject = export-fimconfig -uri $URI `
                                     -onlyBaseResources `
                                     -customconfig ("/Person[AccountName='$fimuser']")
    if($exportObject -eq $null) {throw "Cannot find an account by that name"}
    $objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes | `
                    Where-Object {$_.AttributeName -eq "ObjectSID"}
    Write-Host " -New Value = $accountSid"
    Write-Host " -Old Value =" $objectSID.Value
    if($accountSid -eq $objectSID.Value)
    {
        Write-Host "Existing value is correct!"
    }
    else
    {
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1
        $importChange.AttributeName = "ObjectSID"
        $importChange.AttributeValue = $accountSid
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $exportObject.ResourceManagementObject.ObjectType
        $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.State = 1
        $importObject.Changes = (,$importChange)
        write-host " -Writing Account information ObjectSID = $accountSid"
        $importObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
        if($Err){throw $Err}
        Write-Host "Success!"
    }
    #------------------------------------------------------------------------------------------------------
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
        Exit
    }

    I get these errors:

    1. PARAM($fimuser, $mydomain) missing ')'

    2. export-fimconfig : The term 'export-fimconfig' is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:1 char:17
    + $exportObject = export-fimconfig -uri $URI `
    +                 ~~~~~~~~~~~~~~~~
       + CategoryInfo          : ObjectNotFound: (export-fimconfig:String) [], CommandNotFoundException
       + FullyQualifiedErrorId : CommandNotFoundException

    Cannot find an account by that name
    At line:4 char:30
    + if($exportObject -eq $null) {throw "Cannot find an account by that name"}
    +                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       + CategoryInfo          : OperationStopped: (Cannot find an account by that name:String) [], RuntimeException
       + FullyQualifiedErrorId : Cannot find an account by that name

    Please assist.

    Josephine.
