Admin account not managed by FIM?
In AD we are going to allow administrators access to one specific OU only, which is also the only OU we want managed by FIM. Are administrators who will access the FIM Portal required to have their user accounts within that OU? Is there a way to have their accounts in a separate OU, unknown to FIM? We want admins to be able to provision new users, but right now we don't have their accounts located within that area.
May 11th, 2011 5:13pm
They don't need to be within that OU, or don't need to be synced by FIM. They have to be known in the Portal though. Obviously the Portal should know the sAMAccountName, but also the objectSID, which is a bit more tricky.
You could create them in the Portal by hand, set their description to "NOT_SYNCED" and then configure this description as a connector filter criteria on your FIM MA.
As for filling in the objectSID, I got a customer where I created a PowerShell script which prompts for a sAMAccountName. It then queries AD, retrieves the SID and puts it on the correct user in the Portal.
This process is a bit of a hassle, but it keeps your Admin accounts out of the Sync process/scope.
For the script you could check the FIM Scriptbox, there are some great examples to get you started.
http://setspn.blogspot.com
May 11th, 2011 5:19pm
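The script described in the answer above, written out as an added example (this is not the answerer's script, nor anything from the FIM Scriptbox). It prompts for a sAMAccountName, reads the account's objectSid from AD with a DirectorySearcher, finds the hand-created Portal user by AccountName through the FIMAutomation snap-in, and writes the SID into the Portal's binary ObjectSID attribute as a Base64 string. Assumptions: the FIMAutomation snap-in is installed on the machine, the FIM Service listens on the default http://localhost:5725, the script runs under an account with write access to Person objects in the Portal, and the Portal user's AccountName equals the AD sAMAccountName.

```powershell
# Added example, not from the thread. Sets ObjectSID on a manually created FIM Portal user.
# Assumptions (not stated in the thread): FIMAutomation snap-in present, FIM Service at
# http://localhost:5725, caller may update Person objects, Portal AccountName == AD sAMAccountName.
param(
    [string]$FimServiceUri = "http://localhost:5725"
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$sam = Read-Host "sAMAccountName of the admin account"
if ([string]::IsNullOrWhiteSpace($sam)) { throw "A sAMAccountName is required." }

# 1. Look the account up in AD and read its SID (stored as a byte array in objectSid).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.Add("objectSid")
$adResult = $searcher.FindOne()
if ($null -eq $adResult) { throw "No AD account with sAMAccountName '$sam'." }

[byte[]]$sidBytes = $adResult.Properties["objectsid"][0]
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
Write-Host "AD SID for ${sam}: $($sid.Value)"

# 2. Find the hand-created Portal user. Only the base resource is needed, not referenced objects.
$portalUser = Export-FIMConfig -Uri $FimServiceUri `
    -CustomConfig "/Person[AccountName='$sam']" -OnlyBaseResources
if ($null -eq $portalUser) { throw "No Portal user with AccountName '$sam'. Create it in the Portal first." }
if (@($portalUser).Count -gt 1) { throw "More than one Portal user has AccountName '$sam'." }

# ObjectIdentifier comes back as "urn:uuid:<guid>"; reused as-is for the import target.
$objectId = $portalUser.ResourceManagementObject.ObjectIdentifier

# 3. Build a Put request that replaces ObjectSID. Binary attributes are passed Base64-encoded.
$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType             = "Person"
$importObject.TargetObjectIdentifier = $objectId
$importObject.SourceObjectIdentifier = $objectId
$importObject.State                  = "Put"

$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = "Replace"
$change.AttributeName  = "ObjectSID"
$change.AttributeValue = [System.Convert]::ToBase64String($sidBytes)
$change.FullyResolved  = 1
$change.Locale         = "Invariant"
$importObject.Changes  = @($change)

# 4. Submit the change to the FIM Service.
$importObject | Import-FIMConfig -Uri $FimServiceUri
Write-Host "ObjectSID set on Portal user $objectId."
```

Run it once per admin account after creating the Portal user by hand (with the "NOT_SYNCED" description the answer suggests). Because the Portal user is never joined by the FIM MA, nothing in the sync engine overwrites the SID later, so the script only needs to run again if the AD account is recreated and its SID changes.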
Very helpful, thanks!
May 11th, 2011 6:02pm