FIM 2010 R2. Add user from domain B to AD group from domain A

  • Question

  • Hello!

    I have FIM 2010 R2. FIM 2010 R2 has a connection to domain A and domain B.

    Domain A and domain B have a two-way trust.

    I can add a user from domain A to a group in domain A via FIM.

    How can I add a user from domain B to a group in domain A via FIM?


    Alex

    Thursday, November 19, 2015 5:57 AM

Answers

  • I don't think this is possible. Both the user and the group have to be in the same Connector Space to be managed in AD. While you can add them in the FIM Portal, you cannot export to AD, because the user is in a different domain from the group.

    Nosh Mernacaj, Identity Management Specialist

    Of course it's possible - all you need is an FSP in the group's domain...

    Please read https://technet.microsoft.com/en-us/library/ff721965(v=ws.10).aspx - Cross-Forest Management Deployment Guide

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by ArhangeL87 Tuesday, November 24, 2015 10:27 AM
    Saturday, November 21, 2015 4:45 PM

All replies

  • Do you use the FIM Portal? If so, you have to add users from both domains to the FIM Portal and then you are all good with it.

    Otherwise, if you are using, for example, a SQL DB to calculate membership, you would have to have them in the DB also, and have them in the same view/table as the current users/groups.



    Thursday, November 19, 2015 7:31 AM
  • Yes, I have the FIM Portal.

    In the FIM Portal I have a security group and I add users to the security group; after sync, the users are added to the AD group (only domain A).


    Alex

    Friday, November 20, 2015 5:11 AM
  • Have you tried manually adding an account from domainB to your group in domainA?

    Are those domains in the same forest?

    What is the type of this group? Have you tried with a domain local group?

    Do you see any errors in the Sync engine?





    Friday, November 20, 2015 1:45 PM
  • I don't think this is possible. Both the user and the group have to be in the same Connector Space to be managed in AD. While you can add them in the FIM Portal, you cannot export to AD, because the user is in a different domain from the group.

    Nosh Mernacaj, Identity Management Specialist

    Friday, November 20, 2015 9:12 PM
  • Hello,

    I confirm what Dominik has said. Moreover, you can use the PowerShell module and parse users and groups to manage this part the way you want.

    Joris


    Joris Faure

    Sunday, November 22, 2015 10:55 PM
  • Yes, I can manually add an account from domainB to a group in domainA.

    The domains are from different forests.

    The type of the group is local group.

    I don't see errors in the Sync engine.


    Alex

    Tuesday, November 24, 2015 10:26 AM
  • Thanks!

    I will try it.


    Alex

    Tuesday, November 24, 2015 10:27 AM