Question around EREs & DREs

  • Question

  • Hi,

    In error, the following PowerShell was executed (thinking it would remove orphaned EREs and DREs): http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/3db4100d-16da-4002-9708-43949659a4f8 - it removed all EREs and DREs.

    So now there are Users in the FIM Portal without any EREs or DREs - they're still in the correct Set (we only have 1 working Set), and everything is working fine. However, we are worried that things may break in the future?

    The correct users are in the only Set they need to be - the only other alternative state for a User is to transition-out of that particular Set.

    So maybe things are not that bad after all?

    Or should we re-associate the Portal Users with EREs & DREs - and how would we do this?

    Thank you,

    SK

    Friday, September 21, 2012 1:58 AM

All replies

  • I'm assuming you have a set which is executing a workflow for users to assign them a synchronization rule (create ERE), and the result is that you then also have a DRE for the user when the rule is applied. Your script has resulted in all EREs and DREs being deleted. If everything is still working fine, this means that there were no de-provisioning actions taken on objects in the target.

    I would create ERE back to have it in correct state. In order to do this I would mark the corresponding Workflow which assigns people with Synchronization rule with "Run on Policy Update" and then disable \ enable MPR which triggers this workflow. It will execute workflow again for all users, effectively assigning them with SR and creating ERE.

    Now:

    (1) - I don't know what your workflow is doing so if it has more actions than only SR assignment you should consider if you want to apply those actions again as well or not

    (2) I don't know SR configuration so please test it if it will work for you in synchronization and if it will not result for example in provisioning of duplicate accounts etc

    (3) Good thing is that in any case you can delete EREs and DREs again and you will have everything back in place ... but ... backup is always your good friend :). 

    • Proposed as answer by UNIFYBobMVP Thursday, August 13, 2015 12:15 PM
    Friday, September 21, 2012 9:28 AM
  • Hi,

    Correct, no deprovisioning has taken place, as the users are still in the Sets. We do have a lab environment - so I will try this 'fix' there first.

    Thank you for your time.

    Wednesday, September 26, 2012 12:06 PM
  • I thought I should chime in here with my 2 cents' worth:

      • When you disable/enable your set to add the ERE to an object, this can have a negative effect if you're not careful ... I've seen cases where a FIM object has multiple instances of the same ERE in their ERL binding because the workflow which adds the SR does not first remove any existing SR.  While I haven't blogged about this specifically or anything, I probably now consider it best practice to always do a remove followed by an add of the same SR in my "Run on Policy Update" workflow.  Since you have no EREs right now, this won't be a problem ... however if you are worried about future inconsistencies then that may not always be the case.
      • In a moment of enlightenment I came up with the idea of enabling/disabling a set transition MPR on a schedule ... and called it housekeeping.  Carol calls it "full synchronization for the FIM Portal".  The reason I mention this is that you're "worried that things may break in the future".  This is exactly why I implement this kind of policy for every FIM deployment I do.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, August 13, 2015 12:15 PM
    Wednesday, September 26, 2012 2:16 PM
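
A read-only check for the two states discussed in this thread (users left with no EREs, and the same SR bound more than once to one object), as an added example that is not part of the original posts. It assumes the FIMAutomation snap-in, a placeholder service URI, and the default FIM 2010 attribute names ExpectedRulesList, ResourceParent and SynchronizationRuleID; run it in a lab before and after re-triggering the workflow.

```powershell
# Added example: audits ERE bindings only, it changes nothing in the Portal.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri = 'http://localhost:5725/ResourceManagementService'   # placeholder, adjust

function Get-FimAttr($ExportObject, [string]$Name) {
    # Return the named attribute's values as an array (empty when absent).
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr)         { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

$people = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/Person'
$eres   = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/ExpectedRuleEntry'

# 1. Person objects whose ExpectedRulesList is empty (the state in the question).
#    Accounts that never had an SR assigned will also appear here.
$noEre = @($people | Where-Object {
    @(Get-FimAttr $_ 'ExpectedRulesList').Count -eq 0
})

# 2. EREs grouped by (parent resource, synchronization rule); any group larger
#    than one is the duplicate binding described in the last reply.
$dupes = @($eres | ForEach-Object {
    New-Object PSObject -Property @{
        Parent = @(Get-FimAttr $_ 'ResourceParent')[0]
        Rule   = @(Get-FimAttr $_ 'SynchronizationRuleID')[0]
    }
} | Group-Object Parent, Rule | Where-Object { $_.Count -gt 1 })

"Person objects without any ERE       : {0}" -f $noEre.Count
"Resource/SR pairs with duplicate EREs: {0}" -f $dupes.Count

# List the affected users by display name for follow-up.
$noEre | ForEach-Object { @(Get-FimAttr $_ 'DisplayName')[0] } | Sort-Object

# Show each duplicated pair and how many EREs it carries.
$dupes | Select-Object Count, Name | Format-Table -AutoSize
```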