MIM SSPR - PowerShell Script for Registering Users Automatically

  • Question

  • I came to know from a video on the internet that it is possible to register users automatically through a PowerShell script by setting answers to the security questions. Can anyone provide me with such a script?

     


    F.

    Wednesday, June 12, 2019 12:29 PM

Answers

All replies

  • The Register-AuthenticationWorkflow PowerShell cmdlet is what you're looking for: https://docs.microsoft.com/en-us/powershell/module/fimautomation/register-authenticationworkflow?view=idm-ps-2016sp1


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Fahaad Majeed Monday, June 17, 2019 12:49 PM
    Sunday, June 16, 2019 2:45 PM
    Moderator
  • Dear Brian

    Thank you for your response. I checked this link and tried the solution given in it, but I am getting the error below. Can you help me out with this?

    The term 'Get-AuthenticationWorkflowRegistrationTemplate' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    Below is my script:

    try {
        # Fetch the registration template for the SSPR authentication workflow
        $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName "Password Reset AuthN Workflow"
        # Work on a copy so the template object returned by the cmdlet is left untouched
        $usertemplate = $template.Clone()
        # Fill in the answers for the first gate, in the order of its questions
        $usertemplate.GateRegistrationTemplates[0].Data[0].Value = "engineer"
        $usertemplate.GateRegistrationTemplates[0].Data[1].Value = "akhtar"

        # Register the user against the workflow using the completed template
        Register-AuthenticationWorkflow -UserName "AD\fahad.majeed" -AuthenticationWorkflowRegistrationTemplate $usertemplate
    }
    catch {
        # Report the failure message returned by the MIM Service
        $errorDetail = $_.Exception.Message
        Write-Host $errorDetail
    }



    F.

    Sunday, June 16, 2019 8:07 PM
  • I am trying to run this script from PowerShell on the FIM server.

    F.

    Sunday, June 16, 2019 8:08 PM
  •  Try doing an Add-PSSnapin FIMAutomation first.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Fahaad Majeed Monday, June 17, 2019 12:49 PM
    Sunday, June 16, 2019 11:14 PM
    Moderator
  • Hi Brian

    Firstly, thanks a lot. You are really being very helpful in getting me out of this situation. Now I am stuck at this point. When I run the script in PowerShell, I get this error:

    No policy grants the Requestor permission to complete all changes.

    When I check the event logs in Event Viewer, I get this error:

    Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
    Correlation Identifier: 700dba79-c744-4207-a538-793eddc51b33
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
       --- End of inner exception stack trace ---
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

    I set up the password portal as per the guide, and both the registration and reset portals are working fine in the browser. Now the client is requiring auto registration and I am stuck at this point. I have checked all corresponding MPRs and they are enabled, except the MPR below, which I could not find in MIM 2016.

    Users can create registration objects for themselves


    F.

    Monday, June 17, 2019 12:57 PM
  • I haven't done this in a long time but you may need to create a blanket MPR that grants your admin user the ability to create registration objects. 

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Monday, June 17, 2019 5:03 PM
    Moderator
  • I am trying to register users for SSPR using a PowerShell script. When I run the script, I get the error below. I have tried enabling multiple MPRs and creating new MPRs to grant access, but all in vain.

    PowerShell error:

    Register-AuthenticationWorkflow : No policy grants the Requestor permission to complete all changes.
    At C:\Users\mimadmin\Desktop\MIM\sspr.ps1:25 char:1
    + Register-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationW ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Register-AuthenticationWorkflow], ClientPermissionDeniedException
        + FullyQualifiedErrorId : Microsoft.ResourceManagement.WebServices.Client.Exceptions.ClientPermissionDeniedExcepti
       on,Microsoft.ResourceManagement.Automation.RegisterAuthenticationWorkflow

    When I check the Event Viewer logs, I get these errors:

    Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
    Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
    Correlation Identifier: f882774e-9749-47b4-99af-447941ce9d02
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
       --- End of inner exception stack trace ---
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

    Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
       --- End of inner exception stack trace ---

    Below is the script that I am trying to execute:

    # Load the FIMAutomation snapin so the *-AuthenticationWorkflow cmdlets are available
    Add-PSSnapin FIMAutomation

    # Account to register and the values used as its security-question answers
    $AccountName = "fmajeed"

    $Email = "fahad.majeed@xnrel.com"
    $FNAME = "fahad"
    $LNAME = "majeed"
    $MOBILE = "0000000000"
    $CNIC = "000000000000"
    $PASSPORT = "00000000"
    $DOB = "00-00-0000"

    $Domain = "AD\"
    if ($Email)
    {
        # Fetch the registration template for the workflow and fill the first gate's answers in question order
        $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow For Students'
        $template.GateRegistrationTemplates[0].Data[0].Value = $FNAME
        $template.GateRegistrationTemplates[0].Data[1].Value = $LNAME
        $template.GateRegistrationTemplates[0].Data[2].Value = $MOBILE
        $template.GateRegistrationTemplates[0].Data[3].Value = $CNIC
        $template.GateRegistrationTemplates[0].Data[4].Value = $PASSPORT
        $template.GateRegistrationTemplates[0].Data[5].Value = $DOB
        # Register the account against the workflow using the completed template
        Register-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowRegistrationTemplate $template
        Write-Host "Registered successfully"
    }
    else
    {
        # No email on record: remove any existing registration for this account
        Unregister-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowName 'Password Reset AuthN Workflow For Students'
    }

     


    F.

    Tuesday, July 2, 2019 8:23 AM
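The script above hard-codes the security answers and prints "Registered successfully" whether or not the cmdlet actually succeeded, because Register-AuthenticationWorkflow reports the MPR failure as a non-terminating error. The following is an added example, not the poster's script or Microsoft's sample code: it registers several accounts from a CSV, loads the snapin only when needed, treats every cmdlet error as fatal for that user, and clears the answers from the session afterwards. It assumes the cmdlets and the GateRegistrationTemplates[0].Data[n].Value layout shown in this thread, that the first gate of the workflow is the question-and-answer gate, that Data exposes a Count, and a CSV with the columns AccountName, Answer1, Answer2, ... (all assumptions; adjust to your deployment).

```powershell
# Added example (not the poster's script): bulk SSPR registration with error handling.
# Assumptions: FIMAutomation snapin installed on the MIM Service host; a workflow
# named 'Password Reset AuthN Workflow' whose first gate is the question-and-answer
# gate; an input CSV with columns AccountName,Answer1,Answer2,... in question order.
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $Domain = 'AD\',
    [string] $WorkflowName = 'Password Reset AuthN Workflow'
)

# Load the snapin only if it is not already in the session; a missing snapin is what
# produced the "not recognized as the name of a cmdlet" error earlier in the thread.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation -ErrorAction Stop
}

# Fetch the template once to learn how many answers the first gate expects.
$baseTemplate = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $WorkflowName -ErrorAction Stop
$questionCount = $baseTemplate.GateRegistrationTemplates[0].Data.Count

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $userName = "$Domain$($row.AccountName)"

    # Collect the answer columns in question order (Answer1, Answer2, ...).
    $answers = 1..$questionCount | ForEach-Object { $row."Answer$_" }
    if (($answers -contains $null) -or ($answers -contains '')) {
        [pscustomobject]@{ User = $userName; Status = 'Skipped'; Detail = "expected $questionCount answers" }
        continue
    }

    try {
        # Fresh template per user so one account's answers can never leak into the next.
        $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $WorkflowName -ErrorAction Stop
        for ($i = 0; $i -lt $questionCount; $i++) {
            $template.GateRegistrationTemplates[0].Data[$i].Value = $answers[$i]
        }

        # -ErrorAction Stop turns the cmdlet's non-terminating error (for example the
        # "No policy grants the Requestor permission" MPR failure) into an exception,
        # so a success line is only recorded when the registration went through.
        Register-AuthenticationWorkflow -UserName $userName -AuthenticationWorkflowRegistrationTemplate $template -ErrorAction Stop
        [pscustomobject]@{ User = $userName; Status = 'Registered'; Detail = '' }
    }
    catch {
        [pscustomobject]@{ User = $userName; Status = 'Failed'; Detail = $_.Exception.Message }
    }
    finally {
        # Security answers are credentials: drop them from the session as soon as possible.
        Remove-Variable -Name answers, template -ErrorAction SilentlyContinue
    }
}

$results | Format-Table -AutoSize
```

Run it on the MIM Service host as the account that holds the registration MPR grant, for example `.\Register-SsprUsers.ps1 -CsvPath .\users.csv`. Because the CSV holds the answers in clear text, keep it on an ACL-restricted path and delete it once the run completes; the per-user status table tells you which accounts still fail the MPR check rather than reporting a blanket success.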
  • Dear Brian

    I tried to create an MPR as follows:

    Type: Request

    Requester: All Administrators

    Operations: Selected all

    Permission: Granted

    Target Resources before and after: All groups and sets

    Resource attributes: all 

    Policy workflows: Password Reset AuthN Workflow

    Still, I am getting the same error "No policy grants the Requestor permission to complete all changes."

    Can you correct me if I am wrong at any step?

    I am stuck at this and not finding any way to get rid of this error.


    F.

    Tuesday, July 2, 2019 8:48 AM
  • That's not going to do it for you.

    Target Resources needs to be a set of All Gate Registration Objects. I'm not sure if such a set exists offhand or if you need to manually create it. 

    You don't want any Policy Workflows. 


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Tuesday, July 2, 2019 3:44 PM
    Moderator