I am trying to rename an object in Active Directory. Obviously it can be done, because I did it in MIIS 2003. The question is how to do it in FIM 2010. I provision the user from FIM to AD just fine. I then try a rename on the accountName in the portal but get modify-naming-attribute : The attribute cannot be modified because it is owned by the system on the export to AD. As part of my DN string in the synch rule it is on initial flow only.

You need to change your flow on DN by unchecking initial flow only. Once you update the DN attribute the attribute flow should rename the object Issam Andoni Best Regards Issam http://www.zevainc.com/andoni

Almost :-) You need to add an additional flow mapping for the dn. One mapping must have the initial flow flag set; the other flow doesn't. If you don't have a dn flow with the initial flow flag set, provisioining will fail. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thank you for the replies. I found that it did work with the two entries. The only thing I do not really get is the error is still thrown on the export that takes care of the rename.

Are you sure the error is generated from the rename or maybe you are trying to change the CN directly not through DN attribute flow. The CN attribute is owned by AD and thus cannot be changed through an attribute flow. You need to perform a rename through DN flow to adjust your CN attribute Hope that help Best Regards, Issam Andoni http://zevainc.com/andoni

Thank you guys. The two entries did the rename and the I was sending over the CN.

So AD "owns" the cn and name attributes. When creating an AD account it seems to be allowed to ADD the cn attribute both in Attribute Flow cn -> cn and via the dn attribute setting. The rule is then that FIM does not allow us to flow any cn changes (e.g. surname change on marriage) via the cn -> cn attribute flow, but we CAN get FIM to modify this cn attribute indirectly via the dn attribute flow. My sync rule has the dn set (both as initial flow and a persistent flow) as: "CN=" + cn + ",OU=User Accounts,DC=MyDomain,DC=Local I also had the flow cn -> cn but this gives the error about attribute ownership. The Metaverse cn attribute can be modified OK and the dn attribute of the ADMA connector space can be modified.But we are not allowed to modify the cn attribute explicitly! Is this correct?

It seems you can have a cn Attribute flow in the Sync Rule's Outbound flow as long as its marked "initial flow only"

This is correct, if you want to modify the CN, you need to do this in the context of the DN flow. You need to configure at least one DN flow as initial flow to set a DN for an object. If you also need to update the CN, you need to configure a second DN flow that doesn't have the intial flow flag set. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation