FIM ScriptBox Item

Summary

This script displays the security group associated with all of the FIM security groups and whether they are domain groups or local groups.  By default these groups are local and called: FIMSyncAdmins, FIMSyncOperators, FIMSyncJoiners, FIMSyncBrowse and FIMSyncPasswordSet however the names can be changed during setup.

Script Code 

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
Function GroupLookup ($group_objSID)
{
$group_temp = new-object system.security.principal.securityidentifier($group_objSID,0)
$group_SID = New-Object System.Security.Principal.SecurityIdentifier $group_temp.value
$group_GroupName = $group_SID.Translate( [System.Security.Principal.NTAccount])
$dName = $group_GroupName.value.SubString(0,($group_GroupName.Value.IndexOf("\")))
$cName = $group_GroupName.Value.SubString($group_GroupName.Value.IndexOf("\") + 1)
   if ((Get-WMIObject -Class Win32_ComputerSystem).Name -eq $dName)
   # this is a local group
   { 
   "local group " + $dName + "\" + $cName
   }
   else
   # this is domain group
   {
   $root = [ADSI]''
   $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
   $searcher.filter = "(&(objectClass=group)(CN=$cName))"
   $adfind = $searcher.findone()
   $DN = $adfind.path
   "domain group " + $DN.SubString(7)
   }
}
$FIMSyncDBServer = Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMSynchronizationService\Parameters -name Server | select-object Server | format-table -hidetableheaders | where {$_ -ne ""} | Out-String -stream | select-object -skip 1
$SQLServer = $FIMSyncDBServer[0]

$FIMSyncDBName = Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMSynchronizationService\Parameters -name DBName | select-object DBName | format-table -hidetableheaders | where {$_ -ne ""} | Out-String -stream | select-object -skip 1
$SQLDBName = $FIMSyncDBName[0]

$FIMSyncSQLInstance = Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMSynchronizationService\Parameters -name SQLInstance | select-object SQLInstance | format-table -hidetableheaders | where {$_ -ne ""} | Out-String -stream | select-object -skip 1
$SQLInstance = $FIMSyncSQLInstance[0]

$SQLServer = $SQLServer.tostring().trim()
$SQLDBName = $SQLDBName.tostring().trim()
$SQLInstance = $SQLInstance.tostring().trim()

if (($SQLServer -eq "") -or ($SQLServer -eq $null))
{$SQLServer = "localhost"} else {$SQLServer = $SQLServer}

if (($SQLInstance -eq "") -or ($SQLInstance -eq $null))
{$SQLInstance = $null} else {$SQLServer = "$SQLServer\$SQLInstance"}

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "server=$SQLServer;database=$SQLDBName;Integrated Security=sspi"
$conn.Open()

$sql = "SELECT * FROM [" + $SQLDBName + "].[dbo].[mms_server_configuration]"
$cmd = New-Object System.Data.SqlClient.SqlCommand($sql,$conn)
$rdr = $cmd.ExecuteReader()
while($rdr.Read())
{
    $groupa_objSID = $rdr["administrators_sid"]
    $groupo_objSID = $rdr["operators_sid"]
    $groupj_objSID = $rdr["account_joiners_sid"]
    $groupb_objSID = $rdr["browse_sid"]
    $groupp_objSID = $rdr["passwordset_sid"]
}

$FIMSyncAdmins = GroupLookup $groupa_objSID
$FIMSyncOperators = GroupLookup $groupo_objSID
$FIMSyncJoiners = GroupLookup $groupj_objSID
$FIMSyncBrowse = GroupLookup $groupb_objSID
$FIMSyncPasswordSet = GroupLookup $groupp_objSID

"FIMSyncAdmins group is " + $FIMSyncAdmins
"FIMSyncOperators group is " + $FIMSyncOperators
"FIMSyncJoiners group is " + $FIMSyncJoiners
"FIMSyncBrowse group is "+ $FIMSyncBrowse
"FIMSyncPasswordSet group is " + $FIMSyncPasswordSet
note Note
To provide feedback about this article, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the  FIM ScriptBox

 



See Also