Tuesday, June 21, 2016

Manually adding admins to the FIM/MIM Service

One of the first things I do when building a new FIM service instance is to create an admin account for myself, so I can use PowerShell tools, log into the portal etc without having to use things like runas to log in as the built-in admin account.

While you can create a Person resource manually in the portal, you can't easily set the binary ObjectSID attribute on it, and without a correct ObjectSID the MIM Service cannot match your Windows logon to the resource, so you can't log in. Manipulating binary attributes is quite tricky with the out-of-box tools. To set users up properly you usually have to flow them in from the AD MA with the ObjectSID present, which takes quite a bit of effort.

I prefer to cheat, and get my own account into the portal via script. The Lithnet FIM/MIM Service PowerShell Module has first-class support for binary attributes, so using this to add the ObjectSID is just as easy as it is to set a string value.

This script will add the specified AD user to the FIM/MIM service and add them to the administrators set. They can then log in using their own credentials.
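The following is an added example of that approach, not the original post's script. It uses the Lithnet FIM/MIM Service PowerShell Module (LithnetRMA) together with the ActiveDirectory module to look up an AD account, copy its SID into the Person resource as raw bytes, and then add the new resource to the Administrators set. The account name, the service address (localhost:5725) and the use of `ExplicitMember.Add()` on the set's multivalued reference attribute are assumptions for the example.

```powershell
# Added example, not the script from the original post.
# Assumes: LithnetRMA and ActiveDirectory modules are installed, the MIM Service
# is listening on localhost:5725, and the current session has rights to create
# Person resources and edit Sets (e.g. run as the built-in admin account once).
Import-Module LithnetRMA
Import-Module ActiveDirectory

$samAccountName = "jsmith"   # assumed sample account; change to your own
Set-ResourceManagementClient -BaseAddress "http://localhost:5725"

# The Domain attribute in MIM is the NetBIOS domain name, which is also what
# the AD MA normally flows, so use the same value here.
$adUser = Get-ADUser -Identity $samAccountName -Properties DisplayName
$domain = (Get-ADDomain).NetBIOSName

# Don't create a duplicate if the account is already in the service.
$existing = Search-Resources -XPath "/Person[AccountName='$samAccountName' and Domain='$domain']"
if ($existing) {
    throw "A Person with AccountName '$samAccountName' in domain '$domain' already exists"
}

# ObjectSID must be the raw binary SID, not the 'S-1-5-...' string form.
# SecurityIdentifier.GetBinaryForm writes the bytes into a caller-supplied buffer.
$sidBytes = New-Object byte[] $adUser.SID.BinaryLength
$adUser.SID.GetBinaryForm($sidBytes, 0)

$person = New-Resource -ObjectType Person
$person.AccountName = $adUser.SamAccountName
$person.Domain      = $domain
$person.DisplayName = if ($adUser.DisplayName) { $adUser.DisplayName } else { $adUser.Name }
$person.ObjectSID   = $sidBytes   # the module accepts a byte[] for binary attributes
Save-Resource $person

# Add the new resource to the Administrators set's explicit members.
# Assumed: the multivalued reference attribute exposes Add() taking the ObjectID.
$set = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue "Administrators"
$set.ExplicitMember.Add($person.ObjectID)
Save-Resource $set

# Verify the membership by dereferencing the set's ExplicitMember in XPath.
$members = Search-Resources -XPath "/Set[DisplayName='Administrators']/ExplicitMember"
if ($members.ObjectID -notcontains $person.ObjectID) {
    throw "Resource $($person.ObjectID) was not added to the Administrators set"
}
Write-Host "Created Person $($person.ObjectID) for $domain\$samAccountName and added it to Administrators"
```

Once the resource exists, log off and back on to the portal with your own account; the service matches your logon token's SID against ObjectSID, which is why the raw bytes matter. If you later configure an AD MA that projects users into the service, make sure its join rule (for example on AccountName and Domain, or on ObjectSID) joins to this manually created object rather than projecting a second copy of you.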