FIM 2010 R2. Add manager from other forest.

  • Question

  • Hello!

    I have 2 forests A and B in 2-way trust.

    I need to add a manager from forest A for a user from forest B.

    From ADUC I can't do it. I can do it only with Foreign Security Principals, but in the Properties of the user I see only the account name.


    Alex

    Thursday, January 21, 2016 7:47 AM

Answers

  • For FIM, to add a reference attribute (such as Manager, Owner or Assistant), both objects - the subject and its referenced object - have to be in the same connector space, so both of them have to be viewed by at least one management agent.

    Now - if you want to build a reference, you have to have both in one AD (one forest that one MA can manage), or you can handle it by flowing users and FSPs from both forests to a helper database, where you would then create a view showing which object is the manager of another one. Once FIM got this information, it would be able to assign the FSP as the user's manager.

    Moreover, you have written that you see only the account name displayed. How the object is displayed will depend on the tool used to render the display. And tools have their limitations, too. When I use ADUC to populate the membership of a domain local group I can choose objects from all trusted domains and forests in addition to the local domain. However, when I use ADUC to populate the manager attribute, the object picker limits me to the local domain. Not sure why this is the case, it just is what it is. For example, the object picker that Exchange uses to assign linked mailboxes allows you to see the trusted domains and forests when assigning the master account. So basically, it just comes down to what restrictions the tools impose. These don't necessarily correspond to the limitations that AD imposes.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by UNIFYBobMVP Monday, January 25, 2016 1:39 AM
    • Marked as answer by ArhangeL87 Wednesday, January 27, 2016 7:03 AM
    Thursday, January 21, 2016 9:26 AM
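An added example, not from the original thread, of the helper-database approach the answer describes: users from forest A and users plus FSPs from forest B are loaded into tables, and a view resolves each forest-B user's intended forest-A manager (by the manager's SID) to the FSP's DN in forest B, which is the object FIM can then flow into the Manager attribute. The table names, the desiredManagerSid column and all SIDs and DNs are constructed assumptions, and sqlite stands in for the real helper database.

```python
import sqlite3

# Constructed sample data: what the helper database would hold after flowing
# users from forest A and users + FSPs from forest B into it (assumed schema).
FOREST_A_USERS = [
    # (objectSid, distinguishedName)
    ("S-1-5-21-1111-2222-3333-1105", "CN=Boss A,OU=Users,DC=forestA,DC=local"),
]
FOREST_B_USERS = [
    # (objectSid, distinguishedName, desiredManagerSid) - desiredManagerSid is an
    # assumed HR-fed attribute naming the forest-A account that is the manager.
    ("S-1-5-21-4444-5555-6666-1201", "CN=User B,OU=Users,DC=forestB,DC=local",
     "S-1-5-21-1111-2222-3333-1105"),
    ("S-1-5-21-4444-5555-6666-1202", "CN=Orphan B,OU=Users,DC=forestB,DC=local",
     "S-1-5-21-1111-2222-3333-9999"),  # no matching FSP in forest B -> no row
]
FOREST_B_FSPS = [
    # (objectSid, distinguishedName) - an FSP's CN is the foreign SID string
    ("S-1-5-21-1111-2222-3333-1105",
     "CN=S-1-5-21-1111-2222-3333-1105,CN=ForeignSecurityPrincipals,DC=forestB,DC=local"),
]

# The view: a forest-B user gets a manager only when the desired manager SID is
# a real forest-A user AND that SID already exists as an FSP in forest B.
VIEW_SQL = """
CREATE VIEW vw_manager_by_fsp AS
SELECT u.distinguishedName AS userDN,
       f.distinguishedName AS managerDN
FROM forestB_users u
JOIN forestA_users a ON a.objectSid = u.desiredManagerSid
JOIN forestB_fsps  f ON f.objectSid = a.objectSid;
"""


def build_helper_db():
    """Create the in-memory helper database, load the sample rows, define the view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE forestA_users (objectSid TEXT PRIMARY KEY, distinguishedName TEXT);
    CREATE TABLE forestB_users (objectSid TEXT PRIMARY KEY, distinguishedName TEXT,
                                desiredManagerSid TEXT);
    CREATE TABLE forestB_fsps  (objectSid TEXT PRIMARY KEY, distinguishedName TEXT);
    """)
    conn.executemany("INSERT INTO forestA_users VALUES (?, ?)", FOREST_A_USERS)
    conn.executemany("INSERT INTO forestB_users VALUES (?, ?, ?)", FOREST_B_USERS)
    conn.executemany("INSERT INTO forestB_fsps VALUES (?, ?)", FOREST_B_FSPS)
    conn.execute(VIEW_SQL)
    return conn


def manager_references(conn):
    """Return {userDN: managerDN}; this is what a SQL MA would import from the view."""
    return dict(conn.execute("SELECT userDN, managerDN FROM vw_manager_by_fsp"))
```

Users whose intended manager has no FSP in forest B simply drop out of the view, so the FSP must exist (for example by granting the forest-A account some permission in forest B) before the reference can be built.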

All replies

  • I would also note that strictly speaking this is not so much a FIM question but an ADDS question :)

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Monday, January 25, 2016 1:41 AM
  • I would also note that strictly speaking this is not so much a FIM question but an ADDS question :)

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    It is... But we become DS MVPs instead of FIM MVPs ;)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Monday, January 25, 2016 7:09 AM
  • Thanks!

    Alex

    Wednesday, January 27, 2016 7:04 AM