For various reasons (from misconfiguration to system disaster recovery), you can end up with orphaned users and groups in the MIM portal.

The scripts below allow you to run a query on the MIM sync database, then list the ghostobjects. Next, you need to feed that output (with CSV) to a PowerShell script against the MIM service, to remove the users from the MIM portal.

The objects we're looking for are only Identity objects like users and groups, connected in the MIM/FIM MA only, without any connections to other management agents.

Therefore in this article, these are called "ghost" objects.

The term 'orphaned' objects in the MIM portal has a different meaning (referring to an object that has missing sync rules, workflow or MPR)



  1. Run an SQL query to locate the ghost objects (users, groups only connected to the FIM MA) on the MIM Sync Database
  2. Export the query results to CSV
  3. Feed the CSV to a Powershell script


Any query on the MIM databases must be run with the with(nolock) statement to avoid any table or row locking, deadlocking the MIM services.


select rdn, object_type
from [FIMSynchronizationService].[dbo].[mms_connectorspace] with(nolock)
where (object_type in ('Person','Group')) and (ma_id ='<FIM MA GUID>') AND object_id in
 select csmv2.cs_object_id
 FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv2 with(nolock)
 where csmv2.mv_object_id in
  SELECT [mv_object_id]
  FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv1 with(nolock)
  group by csmv1.mv_object_id
  having count(csmv1.cs_object_id) = 1
order by object_type

Export to CSV

Export the results from the above query to a CSV file with header row which is required by the PowerShell command Import-CSV, to recognize the attribute names.

Attribute names must be fixed, like

  • Column 1: MIM Portal objectSID, must be named 'rdn'
  • Column 2: ObjectType, must be named 'ObjectType'


Run the below PowerShell with MIM Portal admin rights (right to delete users and groups in the Portal) on the MIM Portal server.

If you want to run the script remotely, you'll need to change the URI, pointing to the FIM/MIM Portal server.



Useful links



set-variable -name URI -value "http://localhost:5725/resourcemanagementservice' " -option constant


function DeleteObject


PARAM ($objectId, $objectType )



$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject

$importObject.ObjectType = $objectType

$importObject.TargetObjectIdentifier = $objectId

$importObject.SourceObjectIdentifier = $objectId

$importObject.State = 2

$importObject | Import-FIMConfig -uri $URI




if (@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation" } ).count -eq 0 ) {add-pssnapin FIMAutomation }


# the script will look for a CSV file that will contain the objects to delete

if ($args.count -ne 1 ) {throw "Missing file parameter" }

$CSVFile = $args[0]

# Parse CSV file.Note we're not using import-csv because we don't know what the column headers will be.

$CSVlist = Import-Csv $CSVFile


foreach ($object in $csvlist )


<#Installer Account / Default Admin: 7fb2b853-24f0-4498-9534-4e10589723c4

Built-in Synchronization Account : fb89aefa-5ea1-47f1-8890-abe7797d6497

FIM Service Account : e05d1f1b-3d5e-4014-baa6-94dee7d68c89

Anonymous : b0b36673-d43b-4cfa-a7a2-aff14fd90522



if (0 -eq [String]:: Compare($object.rdn,"7fb2b853-24f0-4498-9534-4e10589723c4", $true ))

{throw "You can't delete the Installer account" }

if (0 -eq [String]:: Compare($object.rdn,"fb89aefa-5ea1-47f1-8890-abe7797d6497", $true ))

{throw "You can't delete Built-in Synchronization Account" }

if (0 -eq [String]:: Compare($object.rdn,"e05d1f1b-3d5e-4014-baa6-94dee7d68c89", $true ))

{throw "You can't delete the FIM Servcie Account" }

if (0 -eq [String]:: Compare($object.rdn,"b0b36673-d43b-4cfa-a7a2-aff14fd90522", $true ))

{throw "You can't delete Anonymous" }



DeleteObject -objectType $object.ObjectType -objectId $object.rdn

write-host "`nObject Deleted successfully`n"





$exMessage = $_.Exception.Message

if ($exMessage.StartsWith("L:" ))

{write-host "`n" $exMessage.substring(2 ) "`n" -foregroundcolor white -backgroundcolor darkblue }

else {write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred }






You can download the scripts from TN Gallery