XPATH filter help for a Set finding Criteria based groups with ExplicitMembers

  • Question

  • I actually have two problems that I'm trying to solve here.  The issue I'm trying to solve relates to criteria based groups that allow manually managed members to be imported from AD.  Say I have a criteria based group for all contractors.  If someone adds a member to this group in AD, this newly added member is imported as an ExplicitMember.  If you go to the details of this group there is an error that the dynamic group has static members and you can't make changes unless you clear out those ExplicitMembers.

    One approach we tried to fix this was to limit access to admins so they cannot modify membership of criteria groups.  This is possible since we put criteria groups in a single OU.  Our Server team didn't want to go this route.  Next I set up an alert within FIM to notify me when a member was added to a criteria based group.  However the fix is still to manually go into the group and remove those members.

    So, I thought why not create a set that would contain criteria based groups (MembershipLocked = True) that have Manually Managed Members (ExplicitMember = /Person) so that I can create a policy to remove ExplicitMember.  I came up with the following XPATH filter /Group[(MembershipLocked = True) and (ExplicitMember = /Person)] yet I cannot get this to work in a set.  If I create a search scope with this filter it works perfectly.

    Why won't this XPATH filter work in a Set?

    As always, thanks in advance for your help.

    Kirk

    Monday, June 25, 2012 6:01 PM

Answers

All replies

  • You cannot reference Group membership in a Set.

    Check http://blog.msresource.net/2011/10/06/set-and-group-criteria-filters/ for some insight.

    Monday, June 25, 2012 6:42 PM
  • Old thread I know, but the answer is useful.

    You can do the cleanup using PowerShell instead:

    # Address of the FIM Service endpoint
    $DefaultUri = "http://localhost:5725"

    # Load the FIMAutomation snap-in if it is not already loaded
    if(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).Count -eq 0) {Add-PSSnapin FIMAutomation}

    # Return the resources that match an XPath filter
    function QueryResource
    {
        PARAM($Filter, $Uri = $DefaultUri)
        END
        {
            $resources = Export-FIMConfig -CustomConfig $Filter -Uri $Uri -OnlyBaseResources
            $resources
        }
    }

    # Criteria based groups that also hold manually managed members
    $groups = QueryResource -Filter "/Group[(MembershipLocked = True) and (ExplicitMember = /Person)]"

    foreach ($g in $groups){
        $name = ($g.ResourceManagementObject.ResourceManagementAttributes | where {$_.AttributeName -eq "DisplayName"}).Value
        $a1 = "$name"
        # Look up the explicit members of this group (the filter breaks if DisplayName contains an apostrophe)
        $Group1 = Export-FIMConfig -CustomConfig "/Person[ObjectID = /Group[DisplayName = '$a1']/ExplicitMember]" -Uri $DefaultUri -OnlyBaseResources
        foreach($i in $Group1)
        {
            # DO STUFF TO EACH GROUP MEMBER
        }
    }


    /Frederik Leed


    • Proposed as answer by FrederikLeed Wednesday, April 29, 2015 7:28 AM
    • Edited by FrederikLeed Wednesday, April 29, 2015 7:45 AM
    Wednesday, April 29, 2015 7:28 AM
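
One way to fill in the per-member step from the reply above, as an added example that is not part of the original thread: it reads each group's ExplicitMember values straight from the exported group (so no DisplayName lookup is needed), logs what it would remove, and only submits the deletes when run with -Apply. The -Apply switch and variable names are this example's own; it assumes the account running it is granted by an MPR to modify ExplicitMember on these groups.

```powershell
# Added example: dry run by default, pass -Apply to submit the deletes to the FIM Service.
param([string]$Uri = "http://localhost:5725", [switch]$Apply)

if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }

$om     = "Microsoft.ResourceManagement.Automation.ObjectModel"
$filter = "/Group[(MembershipLocked = True) and (ExplicitMember = /Person)]"

foreach ($g in @(Export-FIMConfig -CustomConfig $filter -Uri $Uri -OnlyBaseResources)) {
    $rmo      = $g.ResourceManagementObject
    $attrs    = $rmo.ResourceManagementAttributes
    $name     = ($attrs | Where-Object { $_.AttributeName -eq "DisplayName" }).Value
    $explicit = $attrs | Where-Object { $_.AttributeName -eq "ExplicitMember" }
    if (-not $explicit) { continue }   # nothing to clean up on this group

    # ExplicitMember is multi-valued; each value is a member ObjectID ("urn:uuid:...").
    $changes = foreach ($memberId in @($explicit.Values)) {
        # Audit record: emitted in both dry-run and apply mode.
        New-Object PSObject -Property @{ Group = $name; Member = $memberId; Applied = [bool]$Apply } |
            Write-Host

        $c = New-Object "$om.ImportChange"
        $c.Operation      = "Delete"          # converted to the ImportOperation enum
        $c.AttributeName  = "ExplicitMember"
        $c.AttributeValue = $memberId
        $c.FullyResolved  = 1
        $c.Locale         = "Invariant"
        $c
    }

    if ($Apply) {
        # One request per group, carrying a Delete for every explicit member.
        $o = New-Object "$om.ImportObject"
        $o.ObjectType             = "Group"
        $o.SourceObjectIdentifier = $rmo.ObjectIdentifier
        $o.TargetObjectIdentifier = $rmo.ObjectIdentifier
        $o.State                  = "Put"     # converted to the ImportState enum
        $o.Changes                = @($changes)
        $o | Import-FIMConfig -Uri $Uri
    }
}
```

Review the dry-run output before using -Apply; as long as the group can still be edited in AD, the next import can bring the explicit members back.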