Unable to delete all FIM Portal users via Powershell

  • Question

  • Found a couple of powershell scripts which delete all users from fim portal DB..

    But every time it runs it fails with

    Delete Resource: '' Request

    Unable to find which resource it is trying to delete and skip it..

    n00b at powershell & fim.. if someone can help with a script that would be great

    Friday, May 23, 2014 5:22 AM

All replies

  • Hello,

    Some questions to help you:

    • What is your script?
    • Did you check if you have the right to delete users? (Check MPRs)

    Regards,


    Sylvain

    Friday, May 23, 2014 8:21 AM
  • Hi

    Yes it says I don't have right to delete that ... But unable to get which user is it?

    Using

    http://social.technet.microsoft.com/wiki/contents/articles/23570.how-to-use-powershell-to-delete-fim-users-that-have-a-null-attribute-name.aspx

    But modified it to delete all users

     -customconfig "/Person"


    • Edited by FIM N00b Sunday, May 25, 2014 10:20 PM
    Sunday, May 25, 2014 10:20 PM
  • Also just to get around this error.. If I want to just get all users starting with A how can I do that? Then I can run it for all B, C, D etc.. and so on..

    -customconfig "/Person[displayName = 'A*' ]"

    Monday, May 26, 2014 12:17 AM
  • I don't know why such filter is not working, but you can try the following:

    Create a Set named !_TST with the following filter:

    After creating it, please try the following:

    Add-PSSnapin fimautomation
    
    $PeopleStartingWithA = export-fimconfig `
        -onlyBaseResources `
        -customconfig "/Person[ObjectID = /Set[DisplayName = '!_TST']/ComputedMember]"
    
    Write-Host $PeopleStartingWithA 




    Monday, May 26, 2014 5:47 AM
  • FIM Noob,

    When running this in an elevated PS prompt, are you running this as the FIM admin user? That user should be able to delete user objects in portal by default. You would only not be able to do this if there were changes to default MPRs provided. Check the MPR that shows Administrators can read and update users, I believe it is that one, make sure the delete checkbox is checked in operations tab for this one.

    Tuesday, May 27, 2014 4:55 AM
  • I think it is one of those "ILMSync" account which shows as that..there are only 2-3 accounts with no displayname in portal..

    Is there a quick way to delete 100,000+ accounts from FIM portal?


    • Edited by FIM N00b Tuesday, May 27, 2014 5:00 AM
    Tuesday, May 27, 2014 4:59 AM
  • FIM Noob,

    Not really by using supported methods such as using PS. If your configuration is not that complicated you could start over, uninstall FIM and then remove the FIMService DB and reinstall it and set it up again.

    You could possibly use the configuration migration script to save the config first, then uninstall and remove DB, reinstall, apply the config and now you have the same config and almost no data, which sounds like it's what you want. However, if using this method, using the migration scripts can be tedious and tricky, try this in non-prod environment first if possible. More information for the configuration migration scripts can be found here:

    http://technet.microsoft.com/en-us/library/ee534906(v=WS.10).aspx

    Tuesday, May 27, 2014 5:03 AM
  • FIM Noob,

    Just one more thing.......you could also theoretically use the sync engine to do this as well. If you have MA that is joined to all 100k objects through the MV, you could apply configuration in a way that objects will be deleted from portal via the sync engine and FIM MA. If this is non-R2, however, this won't be all that fast, for R2 it should be quite a bit faster than using PS.

    Tuesday, May 27, 2014 5:05 AM
  • It is R2 and Dev Box..

    Could you elaborate how to use the sync engine to delete all users from FIM portal? There is a FIM MA..

    Quite new to FIM so still getting my head around it.. this PS way is too slow.. way too slow..

    Tuesday, May 27, 2014 5:08 AM
  • FIM Noob,

    This might seem convoluted, but you could use something called a utility or operational MA to perform this.

    -you need some attribute that exists in the MV for each user and is unique, such as the AccountName (sAMAccountName, usually) or resource ID

    -you get all of these values in file such as CSV file

    -you create File MA for delimited text file and point to CSV file

    -you create join rule for this MA that joins on unique attribute

    -you then configure this MA to be authoritative for deletion using the MV designer

    -you configure the FIM MA de-provisioning rules to be the 3rd radio button, which is to delete on next export

    -you then import and sync from this MA, that should join all of these objects up

    -you then delete the CS for the operational MA, this will remove objects from MV which will trigger deletes of objects in FIM MA

    -subsequent export on FIM MA will result in these users getting deleted from the portal

    The users in the portal must have been put there by something such as the sync engine to begin with. So you may have more of this set up already than you think. This is a link to more information on using the operational MA:

    http://social.technet.microsoft.com/wiki/contents/articles/338.a-method-to-cleanup-a-connector-space-in-a-lab-environment.aspx#Designing_the_operational_management_agent

    I would attempt this in non-production environment first if you are going to use this method.

    • Proposed as answer by Andrew Masse Saturday, June 7, 2014 6:51 PM
    Tuesday, May 27, 2014 5:22 AM
  • If I need to delete a huge number of objects in the FIM Service, I sometimes rely on my DeleteObject activity from my generic WF library - http://fimactivitylibrary.codeplex.com/wikipage?title=Delete%20Object&referringTitle=Documentation

    1) Create a Set of the objects that you want to delete

    2) Create the "suicide" workflow shown in the link above

    3) Create a MPR Transition In

    Sit back and watch the lemmings "die" :-)


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    • Marked as answer by FIM N00b Tuesday, June 3, 2014 10:44 PM
    Friday, May 30, 2014 9:11 AM
  • Probably easier to do displayName starts-with '%', then do displayName not-starts-with '%'.

    A good trick is to create a set with the criteria you want to use (note % is the wildcard character), then copy the filter from Advanced view.

    Monday, June 2, 2014 1:42 AM
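
Added example, not from any poster in this thread: a per-object delete loop for the FIMAutomation snap-in that defaults to a dry run and logs the ObjectID of any resource whose delete is refused, so the failing object can be identified instead of stopping the run. The service URI, the starts-with filter and the log file name are assumptions; copy the real filter from the set's Advanced view as suggested above.

```powershell
# Added example (assumptions marked). Dry run by default; nothing is deleted until $Commit is $true.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$Uri     = 'http://localhost:5725/ResourceManagementService'  # assumed default endpoint
$Filter  = "/Person[starts-with(DisplayName, 'A')]"           # assumed filter; verify in the portal first
$Commit  = $false                                             # set to $true only after reviewing the dry run
$LogPath = Join-Path $PWD 'fim-delete-failures.log'           # hypothetical log file name

function Get-FimAttribute($ExportObject, [string]$Name) {
    # Return one attribute value from an exported resource, or $null if it is absent.
    ($ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name } |
        Select-Object -First 1).Value
}

$people = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter)
Write-Host "Filter matched $($people.Count) Person resources"

foreach ($p in $people) {
    $id   = $p.ResourceManagementObject.ObjectIdentifier
    $name = Get-FimAttribute $p 'DisplayName'

    # The thread suspects the refused resource is one of the few accounts
    # with no DisplayName, so report and skip those rather than delete them.
    if ([string]::IsNullOrEmpty($name)) {
        Write-Warning "Skipping $id (no DisplayName)"
        continue
    }
    if (-not $Commit) { Write-Host "Would delete $id '$name'"; continue }

    $del = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $del.ObjectType             = 'Person'
    $del.SourceObjectIdentifier = $id
    $del.TargetObjectIdentifier = $id
    $del.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Delete

    try {
        $del | Import-FIMConfig -Uri $Uri -ErrorAction Stop
    }
    catch {
        # Record which resource was refused and keep going with the rest.
        Add-Content -Path $LogPath -Value "$id`t$name`t$($_.Exception.Message)"
        Write-Warning "Delete failed for $id '$name'"
    }
}
```
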
  • Sorry could you explain how do I do this..

    1) Set is created

    2) Have installed "Delete Object Activity"

    Now

    3) How to create that workflow with the activity and

    4) How to do the transition in so that it starts affecting the set i.e. the users..

    Again FIM n00b :)

    Tuesday, June 3, 2014 2:01 AM
  • I'll try -

    1) Create a new Action workflow of type DeleteObjectActivitity

    2) Configure the workflow with this in the ObjectID setting "[//Target/ObjectID]"

    3) Create a MPR on type Transition In, select your created set and select the Action Workflow that you created in step 1.

    Now watch the objects get deleted (if you configured it right). Please make sure that your set filter is dead-right so that you don't delete the wrong objects - or maybe try with a smaller set of objects initially.


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    • Marked as answer by FIM N00b Tuesday, June 3, 2014 10:44 PM
    Tuesday, June 3, 2014 5:11 AM
  • Thanks.. Got it to work

    I had to edit the set again and change value so that it "Sees" the transition in..

    Excellent.. now let's see how quickly it does the job :)

    Tuesday, June 3, 2014 10:44 PM
  • Great. If you get the chance, let me know how fast it was to delete the number of objects you had.

    Thanks.


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Thursday, June 5, 2014 5:24 AM
  • Hey Soren

    On our dev environment with 4GB RAM portal server with SQL service running on same it did roughly 1-2 accounts per sec.. so nearly 2 days for 100,000+ accounts..

    Is that what you normally see on proper prod environment? Our dev environment is quite slow I think..

    Thanks..

    Thursday, June 5, 2014 10:38 PM
  • Can't say if that's okay or not. Seems a "little" slow but given your specs it may be okay.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Wednesday, June 11, 2014 6:28 PM