How to restrict users to synchronise from AD to FIM 2010 r2

  • Question

  • Hi,

    I am trying to synchronise selected users from Active Directory to the FIM 2010 R2 Portal.

    I have multiple OUs in AD, and each OU has multiple users. I want to restrict certain users from an OU from being synchronised to the FIM 2010 R2 Portal. Is there any way to achieve this?


    Anil Kumar

    Tuesday, July 8, 2014 10:07 AM

All replies

  • Yes, in the AD MA you can either select the OUs you want, or if you need to be more granular than that then create a Connector Filter that excludes users based on their data.
    Tuesday, July 8, 2014 10:59 AM
  • Hello,

    Since you must include your OUs in the Container filter, and if the users you don't want to have in FIM have a common criterion to use, consider putting them in a sub-OU which you can then exclude.

    If there are many objects (users) that you want to exclude, keep in mind that objects with a connection filter are imported to the connector space anyway.
    This slows down syncs on the AD MA, so maybe consider setting the connection filter from declared to declared (import filter) to avoid this.

    As an alternative to the MA connection filter you can also use the "inbound scope filter" of portal sync rules to exclude users based on their attributes.


    Peter Stapf - ExpertCircle GmbH

    Tuesday, July 8, 2014 12:27 PM
  • I don't know what the TS wants to achieve, but the filters suggested above do not only prevent provisioning to the FIM Portal but also block the user completely out of the FIM Sync metaverse (while he maybe wants to have the user in the metaverse for syncing purposes, but that's not clear from his question).

    Wednesday, July 9, 2014 12:18 PM
  • Hi Anil,

    You can also have a specific filter in the inbound sync rule directly (in the portal configuration).


    Joris Faure

    • Proposed as answer by Joris FAURE Tuesday, January 20, 2015 12:20 AM
    Thursday, July 10, 2014 10:18 PM
  • If you still need to have the user in the metaverse, but do not want to apply any outbound sync rules to it, you can set the scope to check a specific attribute value (ex: ExtensionAttribute11 eq "Non-managed User").
    Tuesday, July 15, 2014 11:01 AM