How to clear out Manually Added members from hundreds of Criteria based groups

  • Question

  • We are trying to load our AD Groups and Group membership into the Portal (FIMMA). On AD there are thousands of groups but FIM only needs to managed about 500 of these. We have identified 100 AD groups which should be FIM "criteria based" groups.

    What we did was this:

    Step 1.

    With simple Sync Rules, move the current Group name and members into FIM: membershipLocked = "false", workflow = "owner approval", filter = not present. We used AD extensionAttributes 10, 11 and 12 to hold these strings (if present).

    Step 2.

    Set on AD, for the 100 or so Criteria-based Groups: attribute10 = true, attribute11 = None and attribute12 = Filter "<Filter>.../Person[...</Filter>".

    Import AD and Sync with FIMMA.

    On first sight it worked. No Sync Engine errors and on a quick view of the Groups the Members looked right.

    BUT on closer examination we have in these 100 odd groups the original membership before it switched to criteria-based held in the extended attribute "Manually added Members".

    I am not going to manually edit these for same reason why we set the criteria up in AD and imported... it will take forever.

    HOW CAN WE PROGRAMMATICALLY CLEAR THESE DUPLICATES OUT?

    OR

    IS THERE SOMEWHERE A CLEAR SET OF INSTRUCTIONS ON HOW BEST TO INITIALLY LOAD A CRITERIA-BASED FIM GROUP FROM AD?

    Monday, August 27, 2012 7:10 AM

Answers

  • A PowerShell script to remove ExplicitMember, together with a .txt file containing the names of the groups from which to remove that attribute.

    Close to this: This isn't exactly what you need, as it will fail, but this is generally how everyone bulk updates attributes using PowerShell and the FIM Snapin.

    A few edits here and there will get you what you need a whole lot quicker than manually editing.

    #-------------------------------------------------------------------------------
    # bulk-update.ps1
    # bulk update the value of an attribute for a certain type
    #
    # Example 1: Set the value of the "Department" attribute to "HR" for all users
    # $> .\bulk-update Person Department HR
    #
    # Example 2: Unset the value of the "Department" attribute for all users
    # and ask for confirmation before each operation
    # $> .\bulk-update Person Department -ask
    #-------------------------------------------------------------------------------

    # load FIM snapin, ignore errors if already loaded
    Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

    [string] $uri = "http://FIMSERVICE:5725"
    $attributeValue = Read-Host "Who is the Owner to be Deleted?"

    # Edit the following line to automatically pull in the groups you want to touch,
    # or set a variable pointing to a file containing the group names
    $colGroup = Export-FIMConfig -uri $uri -CustomConfig "/Group[Owner=/Person[DisplayName='$attributeValue']]" -OnlyBaseResources

    # write the DisplayName of every matching group to the group list file
    $groupListFile = "\\FILESERVER\d$\Bulk Update Scripts\grouplist1.txt"
    foreach ($strGroup in $colGroup) {
        $gpdisplayname = $strGroup.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "DisplayName"}
        $gpdisplayname.Value | Out-File -FilePath $groupListFile -Append
    }

    # re-read the list so that the same file can be hand-edited between runs
    $colGroup = Get-Content $groupListFile

    # the original param() block is replaced by fixed values for this job:
    # param(
    #     [string] $fimtype = $(throw "Specify the name of the class to update"),
    #     [string] $attributeName,
    #     [switch] $ask
    # )
    [string] $fimtype = "Group"
    [string] $attributeName = "ExplicitMember"
    [switch] $ask = $false

    # gets the value of a single-valued attribute from an exported object
    function GetAttributeValue($exportObject, [string] $name) {
        $attribute = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object {$_.AttributeName -eq $name}
        if ($attribute -ne $null -and $attribute.Value) {
            $attribute.Value
        }
    }

    # suppress the progress indicator (makes screen unreadable with many operations)
    $ProgressPreference = "SilentlyContinue"

    $ImportOperation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]

    # confirmation message
    if ($attributeValue -ne $null) {
        $confirmationMessage = "Remove '${attributeValue}' from ${attributeName} on ${fimtype}"
    } else {
        $confirmationMessage = "Unset ${attributeName} for ${fimtype}"
    }

    # resolve the ObjectID of the person whose reference is to be deleted (once, not per group)
    $user = Export-FIMConfig -uri $uri -CustomConfig "/Person[DisplayName='$attributeValue']" -OnlyBaseResources
    $objectID2 = $user.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "ObjectID"}
    $objectID2 = $objectID2.Value

    # get all objects of specified type
    Write-Host "Getting $fimtype objects..."
    foreach ($strGroup in $colGroup) {
        # $objects = Export-FIMConfig -uri $uri -CustomConfig "/$fimtype" -OnlyBaseResources
        $objects = Export-FIMConfig -uri $uri -CustomConfig "/$fimtype[DisplayName='$strGroup']" -OnlyBaseResources

        # iterate objects and set attributes
        foreach ($object in $objects) {
            $objectID    = GetAttributeValue $object "ObjectID"
            $displayName = GetAttributeValue $object "DisplayName"
            $objectType  = GetAttributeValue $object "ObjectType"
            $objectOwner = GetAttributeValue $object "Owner"

            Write-Host $objectOwner

            # ask for confirmation if specified
            if ($ask -and $(Read-Host "$confirmationMessage '$displayName'? (y/n)") -ne "y") {
                continue
            }

            Write-Host $displayName "is the" $objectType "whose" $attributeName "$attributeValue" "will now be deleted."

            # build the change first, then attach it to the import object and submit
            $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            $importChange.Operation = $ImportOperation::Delete   # same as: $importChange.Operation = 3
            $importChange.AttributeName = $attributeName
            if ($objectID2 -ne $null) {
                $importChange.AttributeValue = $objectID2
            }
            $importChange.FullyResolved = 1
            $importChange.Locale = "Invariant"

            $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $importObject.ObjectType = $objectType
            $importObject.TargetObjectIdentifier = $objectID
            $importObject.SourceObjectIdentifier = $objectID
            $importObject.State = 1                              # Put: modify an existing object
            $importObject.Changes = (,$importChange)
            $importObject | Import-FIMConfig -uri $uri
        }
    }


    • Edited by gdtilghman Monday, August 27, 2012 1:41 PM Clarification
    • Proposed as answer by gdtilghman Monday, August 27, 2012 1:41 PM
    • Marked as answer by HaroldHare Monday, August 27, 2012 2:28 PM
    Monday, August 27, 2012 1:38 PM
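The script above deletes one named reference from ExplicitMember; what the question asks for is to strip every manually added member from a list of groups that have already been switched to criteria-based. The following is an added example written for this page, not gdtilghman's script and not Microsoft's, using the same FIMAutomation snap-in. It assumes a placeholder service URI, a file of group display names (one per line, constructed by you), and that Export-FIMConfig returns ExplicitMember as a multi-valued attribute whose Values are "urn:uuid:<GUID>" reference strings that Import-FIMConfig accepts unchanged when FullyResolved is set. It skips names it cannot match to exactly one group and rejects names containing a single quote, since the name is interpolated into an XPath filter.

```powershell
# Added example: clear all ExplicitMember values from each FIM group listed in a file.
# Assumptions (not from the thread): $uri placeholder, list-file path, the Values
# property on the exported multi-valued attribute, and urn:uuid reference strings.
param(
    [string] $uri           = "http://FIMSERVICE:5725",     # placeholder FIM Service URI
    [string] $groupListFile = ".\criteria-groups.txt",      # assumed path, one DisplayName per line
    [switch] $DryRun                                         # report what would change, import nothing
)

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$ProgressPreference = "SilentlyContinue"

# returns the ResourceManagementAttribute object (or $null) for a named attribute
function Get-FimAttribute($exportObject, [string] $name) {
    $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
}

function Clear-ExplicitMembers([string] $groupName) {
    # a quote in the name would break (or alter) the XPath filter below, so refuse it
    if ($groupName -match "'") { Write-Warning "Skipping '$groupName': name contains a quote"; return }

    $group = Export-FIMConfig -Uri $uri -CustomConfig "/Group[DisplayName='$groupName']" -OnlyBaseResources
    if (-not $group)              { Write-Warning "Group '$groupName' not found in FIM"; return }
    if (@($group).Count -gt 1)    { Write-Warning "DisplayName '$groupName' is not unique, skipping"; return }

    $objectID = (Get-FimAttribute $group "ObjectID").Value
    $members  = Get-FimAttribute $group "ExplicitMember"
    if (-not $members -or -not $members.Values) { Write-Host "$groupName : no ExplicitMember values"; return }

    # one Delete change per reference value; all are bundled into a single Put request
    $changes = foreach ($memberRef in $members.Values) {
        $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $change.AttributeName  = "ExplicitMember"
        $change.AttributeValue = $memberRef          # assumed to be "urn:uuid:<GUID>" as exported
        $change.FullyResolved  = 1
        $change.Locale         = "Invariant"
        $change
    }

    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType             = "Group"
    $importObject.TargetObjectIdentifier = $objectID
    $importObject.SourceObjectIdentifier = $objectID
    $importObject.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $importObject.Changes                = @($changes)

    Write-Host ("{0} : removing {1} ExplicitMember value(s)" -f $groupName, @($changes).Count)
    if ($DryRun) { return }
    $importObject | Import-FIMConfig -Uri $uri
}

Get-Content $groupListFile |
    Where-Object { $_.Trim() } |
    ForEach-Object { Clear-ExplicitMembers $_.Trim() }
```

Run it once with -DryRun and check the per-group counts against what the Portal shows under "Manually added Members" before running it for real. Import-FIMConfig submits an ordinary Request for each group under the calling account, so the account needs an MPR that permits modifying ExplicitMember on those groups, and every removal is visible afterwards in the Request history, which is the audit trail you want for a change touching a hundred groups.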

All replies

  • Great... Just what we needed. I was examining these PowerShell things.

    What is upsetting is that the explicitMembers attribute doesn't seem to be visible from FIMMA attribute selection. Its presence caught us quite by surprise. I can see its use though.

    Monday, August 27, 2012 2:30 PM