FIM ScriptBox Item

Summary

To synchronize identity objects, you need to enable certain built-in MPRs in your environment.
The objective of this script is to check whether:
  • All required MPRs are enabled
  • There is a need to modify a built-in MPR

Script Code

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#-------------------------------------------------------------------------------------------------------------------------
# Name : Using PowerShell to check your MPR configuration for synchronization
# Version: 2.0
#-------------------------------------------------------------------------------------------------------------------------
  Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice' " -Option Constant  
  Set-Variable -Name msgWarning -Value "Caution: Your current MPR configuration requires your attention!" -Option Constant
  Set-Variable -name msgOK -Value "Your current MPR configuration meets all requirements" -Option Constant
#-------------------------------------------------------------------------------------------------------------------------
 Function GetObjects  
 {    
    Param($Filter)    
    End
    {
       $ExportObject = Export-Fimconfig -uri $URI `
                             –onlyBaseResources `
                             -customconfig ($Filter) `
                             -ErrorVariable Err `
 -ErrorAction SilentlyContinue 
       If($Err){Throw $Err}
       Return $ExportObject  
     } 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function ShowResults 
 {  
    Param([ref]$bActionItem, $lstAttributes, $msgMissing)  
    End  
    {
       if([int]($lstAttributes.length) -eq 0) {return}
       $bActionItem.value = $true    
       Write-Host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow    
       ForEach($attributeName In $lstAttributes) {Write-Host " -$attributeName"}  
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetXmlDoc 
 {  
    Param($exportObjects, $attributeName)  
    End
    {    
       $curAttribute = $exportObjects.ResourceManagementObject.ResourceManagementAttributes | `
                   Where-Object {$_.AttributeName -eq "$attributeName"}    
       Return "<root>$($curAttribute.Value)</root>"  
    } 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetDataFromMpr  
 {  
    Param($mprName, [ref]$lstMissingMpr, [ref]$lstDisabledMpr)  
    End
    {
       $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"    
       If($curMprObject -eq $null) {$lstMissingMpr.value += $mprName}    
       Else
       {     
          $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
                          Where-Object {$_.AttributeName -eq "Disabled"}     
          If($curAttribute.Value -eq "True") {$lstDisabledMpr.value += $mprName}    
       }   
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetResAttrsForMpr 
 {  
    Param($mprName)  
    End
    {    
       $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"    
       If($curMprObject -eq $null) {Return @()}    
       $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
   Where-Object {$_.AttributeName -eq "ActionParameter"}    
       If($curAttribute -eq $null) {Return @()}    
       return $curAttribute.Values  
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetEafAttributesForObjectType 
 {   
    Param($cdObjectType, $mvObjectType, $xmlDoc)   
    End   
    {    
       $lstAttribute = @()    
       $typeNode = $xmlDoc.selectSingleNode("//export-flow-set[@cd-object-type='$cdObjectType' and @mv-object-type='$mvObjectType']")    
       If($typeNode -eq $null) {Return $lstAttribute}    
       ForEach($curNode in $typeNode.selectNodes("export-flow[direct-mapping]"))    
       {
          $lstAttribute += $curNode.selectSingleNode("@cd-attribute").get_InnerText()    
       }
   
       Return $lstAttribute   
    }  
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetAttributeDiff 
 {  
    Param([array]$lstSource, [array]$lstTarget)  
    End
    {    
       $lstAttributes = @()    
       ForEach($attrName in $lstSource)    
       {   
          If(!($lstTarget -contains $attrName)) {$lstAttributes += $attrName}    
       }
    
       Return $lstAttributes   

    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
#-------------------------------------------------------------------------------------------------------------------------
 $exportObjects = GetObjects -Filter "/ma-data[SyncConfig-category='FIM']" 
 If($exportObjects -eq $null) {Throw "There is no FIM MA configured on your system!"} 
 [xml]$xmlExportFlow = GetXmlDoc -exportObjects $exportObjects `
                                 -attributeName "SyncConfig-export-attribute-flow" 
 [xml]$xmlProjection = GetXmlDoc -exportObjects $exportObjects `
                                 -attributeName "SyncConfig-projection" 
 
 [array]$lstEafAttributesPerson = GetEafAttributesForObjectType -cdObjectType "Person" `
                                                                -mvObjectType "person" `
                                                                -xmlDoc $xmlExportFlow 
                                                                
 [array]$lstEafAttributesGroup = GetEafAttributesForObjectType -cdObjectType "Group" `
                                                               -mvObjectType "group" `
           -xmlDoc $xmlExportFlow 
 
 If($lstEafAttributesGroup -contains "Member") 
 {  
    $lstEafAttributesGroup = @($lstEafAttributesGroup | Where-Object {$_ -ne 'Member'})  
    $lstEafAttributesGroup += "ExplicitMember" } 
    If($xmlProjection.selectNodes("//class-mapping[@cd-object-type='Person']").get_count() -eq 0) {Throw "The FIM management agent does not manage person objects"} 
    
    $bHasGroups = $xmlProjection.selectNodes("//class-mapping[@cd-object-type='Group']").get_count() -gt 0
#-------------------------------------------------------------------------------------------------------------------------
 $mprNames = @()  
 $mprNames += "General: Users can read schema related resources" 
 $mprNames += "General: Users can read non-administrative configuration resources" 
 $mprNames += "User management: Users can read attributes of their own" 
 $mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources" 
 $mprNames += "Synchronization: Synchronization account can read schema related resources" 
 $mprNames += "Synchronization: Synchronization account can read synchronization related resources" 
 $mprNames += "Synchronization: Synchronization account can read users it synchronizes" 
 $mprNames += "Synchronization: Synchronization account controls detected rule entry resources" 
 $mprNames += "Synchronization: Synchronization account controls synchronization configuration resources" 
 $mprNames += "Synchronization: Synchronization account controls users it synchronizes" 
 
 If($bHasGroups -eq $true) 
 {
    $mprNames += "Synchronization: Synchronization account can read group resources it synchronizes"  
    $mprNames += "Synchronization: Synchronization account controls group resources it synchronizes" 
 }
#-------------------------------------------------------------------------------------------------------------------------
 $bActionItem = $false 
 $lstDisabledMpr = @()  
 $lstMissingMpr = @() 
 
 ForEach($mprName In $mprNames) 
 {  
    GetDataFromMpr -mprName $mprName `
               -lstMissingMpr ([ref]$lstMissingMpr) `
   -lstDisabledMpr ([ref]$lstDisabledMpr) 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Clear-Host
 Write-Host "`nFIM MPR Configuration For Synchronization Check" 
 Write-Host "===============================================" 
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstMissingMpr `
             -msgMissing "Missing MPRs:" 
             
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstDisabledMpr `
             -msgMissing "MPRs that need to be enabled:" 
 
 $mprName = "Synchronization: Synchronization account controls users it synchronizes" 
 
 [array]$lstResAttributes = GetResAttrsForMpr -mprName $mprName 
 [array]$lstMissingAttrs = GetAttributeDiff -lstSource $lstEafAttributesPerson `
                                            -lstTarget $lstResAttributes 
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstMissingAttrs `
             -msgMissing "Missing attributes of $($mprName):" 
             
 If($bHasGroups -eq $true) 
 {  
    $mprName = "Synchronization: Synchronization account controls group resources it synchronizes"  
    $lstResAttributes = GetResAttrsForMpr -mprName $mprName    
    $lstMissingAttrs  = GetAttributeDiff -lstSource $lstEafAttributesGroup `
                                         -lstTarget $lstResAttributes  
    ShowResults -bActionItem ([ref]$bActionItem) `
                -lstAttributes $lstMissingAttrs `
                -msgMissing "Missing attributes of $($mprName):" 
 }
#-------------------------------------------------------------------------------------------------------------------------
 If($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue} 
 Else {write-host "`n$msgOK"}
#-------------------------------------------------------------------------------------------------------------------------
 Trap 
 {  
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred   
    Write-Host $_.Exception.GetType().FullName -foregroundcolor white -backgroundcolor darkred  
    Exit 1 
 }
#-------------------------------------------------------------------------------------------------------------------------

 

note Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

 



See Also