Configure Forefront Identity Manager Synchronization Service security groups

  • Question

  • Hi

    I was troubleshooting an environment where the Password Reset self service was not working. In the end it was a permission issue where the FIM Service account was not in the FIMSyncPasswordSet group. The problem was that when FIM Sync was installed, they did not specify a domain.

    e.g. in the Configure Forefront Identity Manager Synchronization Service security groups screen

    rather than specifying contoso\FIMSyncPasswordSet the default FIMSyncPasswordSet group was used.

    Question:

    Can I update this to use the AD domain groups without re-running the installation?

    PS: I have a problem running the FIM Sync and FIM Service program change in the programs and features. I will post the question on a new topic. 

    Wednesday, April 17, 2013 2:06 PM

Answers

  • The Sync Engine groups are used in many different places. We ACL registry, file system, and DCOM with those. They are also stored in the DB so if you have a hot standby server the same permissions will apply after a failover. If you want to change which groups to use, running setup is the only practical way.

    Saturday, April 20, 2013 4:18 PM

All replies

  • Hello,

    Instead of changing this with a re-installation, you can add a domain group to your local group.

    Sylvain

    Wednesday, April 17, 2013 2:26 PM
  • Thanks Sylvain.c, did not think of that.

    For the record does anyone know in which configuration file this sits?

    Thursday, April 18, 2013 9:49 AM