Accidentally deleted Administrator from Portal - now can't access

  • Question

  • I've stupidly deleted the Administrator account from the MIM Portal and now I don't have access to Users, MPRs etc.

    I was trying to re-import the administrator account and a few new accounts into the portal and thought I could just delete them out of the portal and import them back through the Synchronization Manager. This is clearly not the case!

    I don't have any backups of the FIM database or anything to fall back on, so I was wondering if there were any PowerShell commands or any other way of getting the administrator back to how it was.

    I'm hoping I don't have to do a complete re-install! 

    Can't believe I have done this! What an idiot!!!

    Hoping for an easy fix :(

    Tuesday, September 27, 2016 3:44 PM

Answers

  • You can restore the FIM Service database from a backup prior to your deletion, but since you don't have that -- you will most likely need to reinstall. You won't need to reinstall the Sync Service, just the FIM Service and Portal.

    Any manual attempt has to start with the knowledge that the administrator account used to install FIM has a well-known GUID (in other words, in every FIM installation it gets the same GUID): 7fb2b853-24f0-4498-9534-4e10589723c4. Since you can't set the GUID of an object in the FIM Portal without manipulating the database, you are in for a tricky situation.

    Next time I recommend a database backup right after installation and that you follow these guidelines:

    http://social.technet.microsoft.com/wiki/contents/articles/4170.best-practices-for-the-fim-portal-administrator-account.aspx

     


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Proposed as answer by Todd Heron Tuesday, September 27, 2016 9:07 PM
    • Marked as answer by Stephen_Clark Friday, October 21, 2016 3:11 PM
    Tuesday, September 27, 2016 8:49 PM

All replies

  • Thanks David. So would I need to uninstall the FIM Service and Portal first, then re-install? Would I need to recreate the database too? Thanks and apologies for my stupidity here! Stephen
    Tuesday, September 27, 2016 10:14 PM
  • Hi David, 

    Would you know how to do the manual fix?

    Hope you can help. 

    Thanks

    Stephen

    Thursday, September 29, 2016 9:30 AM
  • Hi David,

    If I uninstall the Service and Portal, will I need to delete the virtual directories for SharePoint and start fresh with those too? 

    Hope you can advise. 

    Stephen

    Wednesday, October 5, 2016 1:32 PM
  • Stephen, like David mentioned, the account is hard-coded to the 7fb GUID. Without a backup it is really hard to recover, but if you have a Premier contract I would recommend opening a ticket, as there is possibly a way to get you up and running. Again, this would be best effort but possibly doable.
    Wednesday, October 5, 2016 2:01 PM
    Moderator
  • Hi.

    OK, I've uninstalled the FIM Service and Portal and am looking to re-install it now. Do I need to create a new database or re-use the current one (will re-using the current one correct the administrator GUID)?

    Any help is appreciated.

    Thanks

    Stephen

    Friday, October 7, 2016 8:43 AM
  • If you re-use the existing one, it will be without this GUID - maybe the installer will add it - please give it a try. But if it doesn't change it, a new one will be required.

    I honestly don't know if the GUID will be recreated, but I don't think so, as it would be a security issue (a local server admin without admin rights on the FIM Service would gain admin permissions during reinstall/change mode).



    Friday, October 7, 2016 12:20 PM
  • Full reinstall had to be done. Back up and running. 
    Friday, October 21, 2016 3:12 PM
  • I see it is too late now as you reinstalled it. But I believe there should be a way to fix it manually. Take a look at this similar case: FIM PORTAL NO ACCESS FOR FIM ADMIN ACCOUNT

    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

    Thursday, October 27, 2016 1:06 PM
  • One more way to avoid removing any of these special accounts (see well-known GUIDs) is to filter them out on the FIM MA. That way they will not be connected to objects in the sync metaverse, so there are no accidental updates or deletions.

    Please check this article as well: Best practices for the FIM Portal Administrator account.


    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

    Thursday, October 27, 2016 1:19 PM
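
The following is an added example, not part of the thread and not code from Microsoft or any poster: a PowerShell check that the administrator resource with the well-known GUID quoted above still exists in the FIM Service, for running before and after sync exports or bulk deletions. It assumes the FIMAutomation snap-in on the FIM Service host, the default endpoint http://localhost:5725, and a caller allowed to read Person resources; the function name is hypothetical.

```powershell
# Added example: verify the built-in administrator resource is still present.
# Assumptions: FIMAutomation snap-in is installed, the FIM Service listens on
# the default http://localhost:5725, and the caller may read Person resources.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Well-known ObjectID of the installing administrator account (from the thread).
$BuiltInAdminId = '7fb2b853-24f0-4498-9534-4e10589723c4'

function Test-FimBuiltInAdministrator {   # hypothetical helper name
    param(
        [string]$Uri      = 'http://localhost:5725',
        [string]$ObjectId = $BuiltInAdminId
    )

    # XPath filter on ObjectID; -OnlyBaseResources skips localized resources.
    $filter  = "/Person[ObjectID='$ObjectId']"
    $results = @(Export-FIMConfig -Uri $Uri -CustomConfig $filter -OnlyBaseResources)

    # An empty result means the resource is missing or the caller cannot read it.
    if ($results.Count -eq 0) {
        Write-Warning "No Person resource with ObjectID $ObjectId was returned."
        return $false
    }

    # Flatten the attribute list so the account can be identified in logs.
    $attrs = @{}
    foreach ($a in $results[0].ResourceManagementObject.ResourceManagementAttributes) {
        $attrs[$a.AttributeName] = if ($a.IsMultiValue) { $a.Values } else { $a.Value }
    }
    $who = '{0} ({1}\{2})' -f $attrs['DisplayName'], $attrs['Domain'], $attrs['AccountName']
    Write-Host "Built-in administrator present: $who"
    return $true
}

# Fail the surrounding job (for example a scheduled task) if the account is gone.
if (-not (Test-FimBuiltInAdministrator)) {
    exit 1
}
```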