Hi, We would like to setup an AD group, and the members would be FIM administrators...so what do we need to do to achieve that? Add FIM_Admin group to local admins? add it to any of the FIM groups? thanks

During the installation you had to specify a (AD) group for the FimSyncAdmin, add your administrators(group) to that group. For the FIM portal, there is an existing Set called "Administrators". Import your administrator users from AD and add them to the Set, either manually or by using a expression like i.e. description=FimAdmins. Kind regards, Freek Berson http://microsoftplatform.blogspot.com/

Thanks, thats providing I have installed FIM already? I am still trying to install FIM though.

Yes, thats correct, sorry I thought you already that FIM installed. The user that you install FIM with will be the first FIM Portal Administrator. And for FIM Sync part, during the setup you have supply a group FIM Sync Admins, if you supply an AD group here you could later add additional members or groups to it.

Ah, I think that might be my problem. I installed SQL and WSS using the domain administrator account. Then created FIMAdmin user account (local admin member of FIM server; full access to SQL Master db, part of WSS Farm Administartors). So essentially you are saying the above FIMAdmin account will not be able to install FIM?

No, the above is perfectly fine. You can use the FIMAdmin account to install FIM.

ok, thanks, should I post this as a separate thread in the forum then? When I next try to install FIM as FIMAdmin, I get asked for the FIM Sync Service account details, I type these in and get the following error message: "the service account cannot access SQL server. ensure that the server is accessible, the service account is not a local account being used with a remote SQL server, and that the account doesnt already have a SQL login"

actually if I add FIMAdmin to SQL Sysadmins, the installation seems to continue...

Yes that will work because you said to gave the FIMAdmin account the permissions on SQL. The FIM Sync Service account is the account that will actually be running the FIM Sync Service, did you prepare these accounts accoring to technet guide? http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx

Thanks Freek, yes i am busy working through this document - but nowhere does it state that the FIM admin account needs SQL sysadmin permissions though...I think I remember this from ILM days. ...and from what I remember one can remove this account from sysadmins after FIM is deployed?

Correct, after the installation is complete, and you imported your administrative users into FIM and gave them permissions in FIM portal you could remove the FIMAdmin account if you want and start using personal admin account for auditing purposes (or disable the FIMadmin for security purposes). Good luck with the install!

next issue: when installing the Service and Portal components; get this error: "to install FIM portal, the setup needs to run under Sharepoint Farm administrator account with at least Open permission that allows users to open a web site, list, or folder in order to access items inside that container" Now FIMAdmin is a local admin on the FIM server, and also part of Sharepoint Farm Admins....why would this fail now?

found this solution to the Sharepoint problem :-) http://blog.eight02.com/2010/09/fim-service-and-portal-installation.html

Ok, good! :-)