Controlling Domain Admins

  • Question

  • Hi!

    I have been asked to control 'Domain Admins' members in FIM.

    For some reason, that I cannot figure out, the AD MA cannot see the membership of 2 specific users during import. The 2 users are in the connectorspace as user objects.

    So, every time the MA exports I get an error, that the users are already members. But when importing, they are not there as members.

    All other users in the group work just fine.

    I guess it is a security problem, but I cannot figure out where the problem is.

    Anyone tried this?

    Thanks,

    Søren.

    Thursday, April 23, 2015 12:54 PM

Answers

  • Hello,

    I think this is because the user is not directly a member of the Domain Admins group; instead, Domain Admins is set as the Primary Group on those 2 users.

    In AD they seem to be in that group directly if you check Member Of groups, but on import they do not get imported.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, April 23, 2015 2:31 PM
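
The following is an added example, not part of the original thread: a PowerShell check that lists who holds membership of the group through the `member` attribute and who holds it only through `primaryGroupID`, which is the case described in the answer above. It assumes the ActiveDirectory module (RSAT) is installed and the account running it can read the domain.

```powershell
# Added example: compare stored 'member' values with primary-group holders.
Import-Module ActiveDirectory

$groupName = 'Domain Admins'   # the group discussed in the thread

# Direct members are stored as DNs in the group's 'member' attribute.
$group = Get-ADGroup -Identity $groupName -Properties member
$directMembers = @($group.member)

# A primary group is referenced by RID, the last sub-authority of the group's SID.
$rid = $group.SID.Value.Split('-')[-1]

# Objects whose primaryGroupID points at this group. These are members of the
# group, but their DNs are not written to the group's 'member' attribute.
$primaryHolders = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Properties primaryGroupID)

# One row per effective member, showing how the membership is held.
$report = @(
    foreach ($dn in $directMembers) {
        [pscustomobject]@{ DistinguishedName = $dn; Via = 'member attribute' }
    }
    foreach ($obj in $primaryHolders) {
        [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; Via = 'primaryGroupID' }
    }
)

$report | Sort-Object Via, DistinguishedName | Format-Table -AutoSize
```

Rows marked `primaryGroupID` are the accounts that a process reading only the `member` attribute will not see, so any review of Domain Admins membership should include them.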

All replies

  • Do you have a filter preventing users from making it to the MV?


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 23, 2015 1:24 PM
  • No, both the group and all users are joined up just fine all the way from the Portal MA to the AD MA. And the problem is only in the import of the AD MA.

    /Søren

    Thursday, April 23, 2015 1:45 PM
  • You threw me off when you said CS.  I thought they were not in the MV.

    Are you getting any errors??  Usually AD restricted security prevents you from adding/removing users from a group.  In that case, a very clear error appears.  "permission-issue".

    Maybe you have 2 CS objects, one that is already a member and one that is trying to be added???

    I believe you have an issue with order of operations.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 23, 2015 1:49 PM
  • No, I only have one CS object per user.

    I only get an error when exporting (saying that the user is already a member). But the import does not show these 2 users as members.

    /Søren

    Thursday, April 23, 2015 2:17 PM
  • 1. Do you have the OU where these 2 users live selected in Container Selection in the AD MA?

    2. Does the user used to run the AD MA have access to these containers and objects?


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 23, 2015 2:20 PM