Import system accounts in FIM but make restriction for any changes

  • Question

  • Hello all, 

    I have recently been asked to propose a solution for a problem with FIM 2010 R2 and MS AD system accounts.

    The customer asked for import of all the system accounts from AD that are outside of the OUs set in the AD management agent. After that the accounts will be present in FIM and its reports. However, the customer wants to prevent any changes to those accounts from FIM and any automation processes.

    I can export the accounts from those specific OUs in AD and prepare a CSV or DB management agent to import them into the metaverse.

    The tricky part for me is how to prevent any changes to those specific accounts. 

    What is the best approach in your opinion?

    So far I have managed to think of two possible ways to achieve the task: 

    To add a specific value to those system accounts using the management agent settings and after that to set filters on the rest of the management agents using this attribute and prevent synchronization to the rest of the systems?

    To make them members of a new Set and to use that Set as an exception in Outbound synchronization rules?

    I'm pretty new to FIM configuration and any suggestions are highly appreciated.

     Thanks in advance.

    Friday, October 23, 2015 11:57 AM

All replies

  • I am unclear on a couple of things.

    1. Import once to FIM and never look at them again?

    2. Import all accounts from AD to FIM every time a new one is created?

    3. Block updates where? Do you want FIM to manage them or AD?


    Nosh Mernacaj, Identity Management Specialist

    Friday, October 23, 2015 2:40 PM
  • Hello Nosh, 

    I have received some more info and the requirements became clearer.

    After the import of the system accounts they are expected to be managed by FIM in order to add them to security groups. That means that FIM should be able to update those accounts back to AD. The synchronization should be in place not only once.

    But otherwise those accounts should be protected from any automatic changes... 

    Monday, October 26, 2015 6:50 AM
  • In order for users to be added to groups, you need them both on the same Connector Space, so you need to include those OUs. 

    1. Include the OUs where these users live.

    2. You will need to modify the Synchronization Rule for users in AD MA to apply to user accounts only and not admin accounts.  Find something that is true only for users and not admin accounts.  This way you ensure these accounts are not touched.  Group membership will be managed natively. 

    3. Add them to the relevant groups in FIM Portal following your requirements.


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 1:33 PM