FIM 2010 (not R2) need to search metaverse for user objects NOT joined to a particular connector.

  • Question

  • Our initial FIM deployment has an improperly configured FIM MA in that the deprovisioning was not set up.

    I now have a number of objects from a few months of deletions that are still floating around in my FIM portal.

    I am looking for a way to search the metaverse and find objects that are NOT joined to a defined MA.

    Is there a way to do this? Or am I stuck digging out 400-ish invalid entries?

    Thank you,

    -Fred

    Thursday, March 7, 2013 9:42 PM

Answers

  • metaverse search

    csobjectid is not present

    objecttype does not contain "Rule"

    change columns to show object type and any other attribs you might find helpful.


    • Edited by gdtilghman Thursday, March 7, 2013 9:54 PM
    • Marked as answer by Fred Buecker Friday, March 8, 2013 2:32 PM
    Thursday, March 7, 2013 9:50 PM
  • Simplest solution I can imagine:

    • Use PowerShell to dump all your user objects from FIM to some CSV, including significant attributes which you can use for the join. Import the output into a SQL table or other tool of choice - Excel will do the work as well.
    • Take your data from your authoritative data source, or produce it with simple provisioning code and attribute flow to some SQL table.
    • Join one set of data with the other. The difference will be your set of objects to be deleted (remember to rule out the built-in synch account and administrator's account ;)
    • Delete the unnecessary objects with PowerShell based on the difference set.

    Another way is to identify all objects without MVObjectID in FIM Service; those should be pretty good candidates to be removed after verification. In that case, too, PowerShell for dumping objects, converting them into some usable data and deleting them afterwards is your friend.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    • Marked as answer by Fred Buecker Friday, March 8, 2013 2:32 PM
    Thursday, March 7, 2013 9:54 PM
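
The join-and-difference step from the answer above, as an added example that is not part of the original post: it flags portal objects that are missing from the authoritative source or that have no MVObjectID, and skips the built-in accounts. The CSV column names, the sample rows, the protected display names and the function name Get-OrphanCandidate are assumptions made for illustration.

```powershell
# Constructed sample: Person objects dumped from the FIM portal (column names are assumptions).
$portal = @'
ObjectID,AccountName,DisplayName,MVObjectID
a0000000-0000-0000-0000-000000000001,asmith,Alice Smith,mv-0001
a0000000-0000-0000-0000-000000000002,bjones,Bob Jones,mv-0002
a0000000-0000-0000-0000-000000000003,cdoe,Carl Doe,
a0000000-0000-0000-0000-000000000004,dlee,Dana Lee,mv-0004
a0000000-0000-0000-0000-000000000005,,Administrator,
a0000000-0000-0000-0000-000000000006,,Built-in Synchronization Account,
'@ | ConvertFrom-Csv

# Constructed sample: current accounts from the authoritative data source.
$authoritative = @'
AccountName
asmith
BJones
'@ | ConvertFrom-Csv

function Get-OrphanCandidate {
    param(
        [object[]]$PortalObjects,
        [object[]]$AuthoritativeObjects,
        [string]$JoinAttribute = 'AccountName',
        [string[]]$ProtectedDisplayNames = @()
    )
    # Hashtable keys are case-insensitive, so "BJones" matches "bjones".
    $known = @{}
    foreach ($row in $AuthoritativeObjects) {
        $key = $row.$JoinAttribute
        if ($key) { $known[$key.Trim()] = $true }
    }
    foreach ($obj in $PortalObjects) {
        # Built-in accounts never appear in the authoritative source; keep them out of the set.
        if ($ProtectedDisplayNames -contains $obj.DisplayName) { continue }
        $reasons = @()
        $key = $obj.$JoinAttribute
        if (-not $key) { $reasons += 'no join key' }
        elseif (-not $known.ContainsKey($key.Trim())) { $reasons += 'not in authoritative source' }
        if (-not $obj.MVObjectID) { $reasons += 'no MVObjectID' }
        if ($reasons.Count -gt 0) {
            $obj | Select-Object ObjectID, AccountName, DisplayName,
                @{ Name = 'Reason'; Expression = { $reasons -join '; ' } }
        }
    }
}

# Produces the review list only; deletion stays a separate step after verification.
Get-OrphanCandidate -PortalObjects $portal -AuthoritativeObjects $authoritative `
    -ProtectedDisplayNames 'Administrator', 'Built-in Synchronization Account' |
    Format-Table -AutoSize
```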
  • Fred

    I usually add an attribute called existsMAName for each MA to the metaverse. I use an import flow rule to flow dn > exists... with a constant value of true. It becomes very easy to do searches for exists... is true or is not present. If you don't mind running some full syncs, this would be an easy solution for you.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Fred Buecker Friday, March 8, 2013 2:32 PM
    Friday, March 8, 2013 5:35 AM
    Moderator
