Tuesday, June 21, 2016

Manually adding admins to the FIM/MIM Service

One of the first things I do when building a new FIM service instance is to create an admin account for myself, so I can use PowerShell tools, log in to the portal, etc., without having to use things like runas to log in as the built-in admin account.

While you can create a resource manually in the portal, you can't easily set the binary ObjectSID value on the resource, and without that, you can't log in. Manipulating binary attributes is quite tricky to do with the out-of-box tools. To set the users up properly, you usually have to flow them in from the AD MA with the ObjectSID present, which can take quite a bit of effort.

I prefer to cheat, and get my own account into the portal via script. The Lithnet FIM/MIM Service PowerShell Module has first-class support for binary attributes, so using this to add the ObjectSID is just as easy as it is to set a string value.

This script will add the specified AD user to the FIM/MIM service and add them to the administrators set. They can then log in using their own credentials.

Saturday, February 20, 2016

Powering through bulk object updates with Lithnet FIM/MIM Service PowerShell Module

The Lithnet FIM/MIM Service PowerShell module (LithnetRMA) allows you to not only drastically reduce the code you have to write to perform basic create, update and delete operations, but it’s significantly faster than the out-of-box FIMAutomation module too. I love hearing reports from people about how they were able to cut hours off the execution time of their existing scripts by converting them to use LithnetRMA!


One of the biggest speed advantages that LithnetRMA has over the out-of-box FIMAutomation module is that it supports composite updates. Composite updates combine multiple updates for different objects into a single message that is sent to the server, providing a far more efficient approach than sending one message per object. By combining composite updates with the ability to selectively request only the attributes you need to work with, we reduce the processing effort and amount of data transferred to a bare minimum. Let’s have a look at a real world scenario.

Recently, I needed to delete a custom attribute from the schema. As luck would have it, this attribute had a value present on about 120,000 user objects, so all those values had to be cleared before I could remove the attribute from the schema. I could have been waiting for hours, if not days, had I used the FIMAutomation module. Instead, I wrote a quick script to do the job using LithnetRMA. It managed to do the job in a little under 20 minutes.

This script will get all the objects with a value present for myAttribute, in batches of 500, clear the value, save them to the server, and repeat the process until there are no objects left. Note the use of the AttributesToGet parameter. We are only interested in the myAttribute value – so we can tell the server to only send us that attribute.

The MaxResults and PageSize parameters can be tuned to suit the operation you need to perform. In general, the larger these values, the faster the operation will be – but make them too large, and you risk timeout errors if the operation takes too long. You will need to tune these values to get the right balance between performance and reliability. There are no recommended values for these parameters as it varies based on many factors, including:
  • How many attributes are being requested
  • How many updates are being made
  • The hardware specifications of the FIM service server and database
A good starting point is probably to set the parameters at 200, and work your way up from there.
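
The batch-clear loop described above, written out as an added example (it is not the script from the original post). The service address, the `myAttribute` name, the assumption that it is a string attribute (so the `starts-with(..., '%')` presence filter applies), and the stall check are all assumptions made for illustration.

```powershell
Import-Module LithnetRMA

# Assumption: placeholder service address; point this at your FIM/MIM service.
Set-ResourceManagementClient -BaseAddress "http://localhost:5725"

$attributeName = "myAttribute"   # attribute to clear (name taken from the text above)
$batchSize     = 200             # suggested starting point; raise it while watching for timeouts
$maxBatches    = 2000            # hard stop so a misbehaving run cannot loop forever

# "Has a value" filter for a string attribute (assumption: myAttribute is a string).
$xpath = "/Person[starts-with($attributeName, '%')]"

$total       = 0
$previousIds = @()

for ($i = 0; $i -lt $maxBatches; $i++)
{
    # Request only the attribute being cleared, one page per batch.
    $batch = @(Search-Resources -XPath $xpath -AttributesToGet @($attributeName) `
                                -MaxResults $batchSize -PageSize $batchSize)

    if ($batch.Count -eq 0) { break }   # nothing left with a value

    # If exactly the same objects come back, the last save did not take effect
    # (for example the request was denied or is awaiting authorization).
    $ids = @($batch | ForEach-Object { $_.ObjectID.ToString() })
    if ($previousIds.Count -gt 0 -and -not (Compare-Object $ids $previousIds))
    {
        throw "Batch $i returned the same objects as the previous batch; updates are not being applied."
    }
    $previousIds = $ids

    foreach ($resource in $batch)
    {
        $resource.$attributeName = $null   # clear the value locally
    }

    # Passing the whole array lets the module send the batch as a composite update.
    Save-Resource -Resources $batch

    $total += $batch.Count
    Write-Host "Cleared $attributeName on $total objects so far"
}
```

Because the filter only matches objects that still hold a value, an interrupted run can simply be started again and will pick up where it left off.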
Get LithnetRMA today and start saving time with your bulk updates!