Set criteria/xpath question...need answer quick please!
In our environment, we have regular user accounts and privileged accounts. Not all users have a higher-level account, but those that do end with a -1.
I'm having trouble creating a set for those higher-level accounts because of the is/is not/starts/not starts with limiter on user attributes.
Does anyone know of a way I can separate those -1 accounts out in order to use the set of them for exclusion elsewhere?
The last name/display name and account name are the only attributes that distinguish those higher-level privileged accounts.
Thanks!
May 5th, 2011 2:25pm
There's not an "ends with" operator so you may need to revisit how you tag these to use an actual attribute or something.
Once you populate a set, you can use the Resource ID "in" or "not in" operators to exclude/include these people from other sets.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
May 5th, 2011 2:47pm
Thanks Brian...I knew all that. I was hoping someone could come up with some magical way of doing it.
What I'm trying to do now is:
1. Created a Boolean attribute called HighLevel and bound it to User
2. Modified MPR to allow administrator to edit new attribute
3. Manually selected my own high-level account and edited the attribute to make it True.
4. Set creation with criteria of User matching all...HighLevel is True....when I view members...I'm the only one.
The problem is that it tells me access denied. filter definition not permitted. I've looked at the two policies that match and they both should allow me to do this.
Can anyone say why it won't let me do it?
I'll worry later how to automatically get the checkmark on new highlevel users....we are still creating users in AD for now.
May 5th, 2011 3:17pm
Create a Custom Attribute on the user objects, call it "AdministrativeUser" or something like it. Then populate the attribute with the privileged user.
Now you are able to filter on the AdministrativeUser attribute of Person objects.
/Frederik Leed
May 5th, 2011 3:36pm
I've tried a number of different ways to make this as automatic as possible and failed so far every time.
When I build the set with criteria like this:
ALL
    Resource ID in All Active AD Users
    Administrator is not -1 (also tried: Administrator is not 1)
ANY
    Company is ****
    Company is non-****
it Fails...filter not permitted. I can set it and even view the correct expected membership, but it won't let me make the change.
I've checked the applicable MPRs and I should have permissions. What am I doing wrong? I need to exclude the people that have -1 or 1 in the Administrator attribute or whose names end with -1. How?
May 5th, 2011 5:38pm
You could create a MV attribute and an attribute in the FIM Service schema to distinguish admin and non-admin accounts. You could populate this attribute during inbound attribute flow from your AD MA using a rules extension and 1 line of .Net code.
-Jeremy
Jeremy Palenchar
May 5th, 2011 8:16pm
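For readers who want to see what Jeremy's suggestion looks like in practice, here is an added example of an AD MA rules extension (not code from any poster) that sets a metaverse Boolean from the account-name suffix during inbound attribute flow. The flow rule name, the MV attribute name "highLevel" and the "-1" convention are assumptions taken from this thread; the MV attribute must exist as a Boolean in the metaverse schema.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Rules extension for the AD management agent. The import flow rule name below
// is an assumption; it must match the name typed into the advanced attribute
// flow for sAMAccountName -> highLevel in the MA configuration.
public class HighLevelFlowRules : IMASynchronization
{
    private const string FlowRule = "cd.user:sAMAccountName->mv.person:highLevel";

    // Pure helper so the naming rule can be checked outside the sync engine.
    public static bool IsHighLevel(string accountName)
    {
        return accountName != null && accountName.EndsWith("-1", StringComparison.Ordinal);
    }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        if (FlowRuleName != FlowRule)
            throw new EntryPointNotImplementedException();

        // Assumed MV attribute "highLevel" (Boolean). Clear it when the source is
        // missing so a renamed account does not keep a stale privileged flag.
        if (csentry["sAMAccountName"].IsPresent)
            mventry["highLevel"].BooleanValue = IsHighLevel(csentry["sAMAccountName"].Value);
        else
            mventry["highLevel"].Delete();
    }

    // Remaining IMASynchronization members are not used by this MA.
    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, ref CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
}
```

Once the MV attribute is populated, flow it out through the FIM MA to the matching FIM Service attribute so the set criterion "HighLevel is True" is filled automatically instead of by hand.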
Good suggestion Jeremy....I will probably end up doing that! Now to just find someone to write it for me! :)
Thanks all.
May 6th, 2011 10:58am