Set membership based on AD Group membership?
Hi, is this still true? "Sets cannot reference the membership of Group resources. The following filter is not supported: /Person[Manager = /Group[ObjectID = 7CF6B5A3-01B2-45d3-8337-5EB521DDA08D]/ComputedMember]." http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx Is there another way to create/maintain Portal Sets based on an AD group membership? Thanks, Sk
August 15th, 2012 5:34am

You could add a custom MA which populates the 'MemberOf' attribute on each person and then build the sets based on this attribute.
August 15th, 2012 7:04am

This is what we are doing. We wrote a simple PowerShell script that reads AD group membership and populates the Sets. You could have the group and the associated Set in an input file, and schedule the PowerShell script on a frequent basis. You could use Quest cmdlets and the FIM PowerShell module from CodePlex to make your PowerShell simple and clean.
August 15th, 2012 10:16pm

Prakaaz, let me see if I understand what you are saying:
- you created the FIM PowerShell activity you got from CodePlex, yep, know this one
- in there you execute a PowerShell script to obtain the group memberships per user? Here you are using Quest cmdlets?
- how do you pass the result of this PowerShell cmdlet/script to build the actual Set?
Thanks
August 15th, 2012 10:31pm

Yes. Using the FIM PowerShell Module from CodePlex, you could update the FIM Set's ExplicitMember attribute like below: Get-FIMResource -Filter $SetFilter|Set-FIMResource -Add @{ExplicitMember={$groupMember.Replace("urn:uuid:","")}} Here $SetFilter is your target filter. You will need to first fetch the AD group members using an ADSI query or Quest cmdlets. For example, if you want to fetch DisplayName or EmployeeID from your group membership, you could use an LDAP query like [memberof=<GroupDN>] and retrieve any attributes from the result sets. So I fetch the AD members' employeeID or samaccountname [in an ArrayList] and also fetch the current Set members' employeeID, then compare and identify the new adds and removals. Then fetch the Portal GUID for the members to be added/removed using Get-FIMResource. Finally, perform the update [one by one, of course!] on the Set as mentioned above. The benefit is I can populate any Set with one or multiple groups [we can easily handle that in the code], especially when you have RBAC groups in Active Directory; we need to use existing role groups to grant FIM Portal permissions. It will take a couple of days to build and test, but it is worth doing. You can also build some custom WF to achieve this, but writing, managing and troubleshooting the PS is much easier than custom WFs.
August 18th, 2012 12:54pm
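The reconciliation loop Prakaaz describes (fetch AD members, diff against the Set's current explicit members, add and remove one by one), written out as an added example; this is not the poster's script. It assumes Get-FIMResource and Set-FIMResource behave as shown in the thread (-Filter with an XPath string, -Add/-Remove taking an @{ExplicitMember=...} hashtable; -Remove is an assumption), that Portal Person objects carry an AccountName equal to the AD sAMAccountName, and that the group DN and Set name are placeholders.

```powershell
# Added example: keep one FIM Portal Set's ExplicitMember list in step with one AD group.
# Assumed (not from the thread): Set-FIMResource -Remove; Person.AccountName == sAMAccountName.
param(
    [string]$GroupDN        = 'CN=FIM-Admins,OU=Groups,DC=example,DC=com',  # placeholder
    [string]$SetDisplayName = 'FIM Admins Set'                              # placeholder
)

# 1. AD side: direct members via the (memberOf=<GroupDN>) LDAP query the thread mentions.
$searcher = [adsisearcher]"(&(objectCategory=person)(memberOf=$GroupDN))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$adMembers = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

# Only plain account names are interpolated into XPath filters below; anything else is skipped
# so a stray quote or bracket in a name cannot change the meaning of the filter.
$safeName = '^[A-Za-z0-9._-]+$'

# 2. Portal side: resolve the Set and map its current explicit members (GUID -> AccountName).
$setFilter = "/Set[DisplayName='$SetDisplayName']"
$set = Get-FIMResource -Filter $setFilter
if (-not $set) { throw "Set '$SetDisplayName' not found in the Portal" }
$current = @{}   # AccountName -> ObjectID (without the urn:uuid: prefix)
foreach ($ref in @($set.ExplicitMember)) {
    $id = ([string]$ref) -replace '^urn:uuid:', ''
    $p = Get-FIMResource -Filter "/Person[ObjectID='$id']"
    if ($p) { $current[[string]$p.AccountName] = $id }
}

# 3. Diff: who must be added, who must be removed (removals keep the Set honest when people leave).
$toAdd    = @($adMembers    | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { $adMembers -notcontains $_ })

# 4. Apply one update per member, as the thread describes.
foreach ($acct in $toAdd) {
    if ($acct -notmatch $safeName) { Write-Warning "Skipping unusual account name '$acct'"; continue }
    $p = Get-FIMResource -Filter "/Person[AccountName='$acct']"
    if (-not $p) { Write-Warning "No Portal Person for $acct (not synced yet?)"; continue }
    $guid = ([string]$p.ObjectID) -replace '^urn:uuid:', ''
    Get-FIMResource -Filter $setFilter | Set-FIMResource -Add @{ExplicitMember = $guid}
    Write-Verbose "Added $acct ($guid) to $SetDisplayName"
}
foreach ($acct in $toRemove) {
    Get-FIMResource -Filter $setFilter | Set-FIMResource -Remove @{ExplicitMember = $current[$acct]}
    Write-Verbose "Removed $acct ($($current[$acct])) from $SetDisplayName"
}
```

Run it under an account that has Portal rights to modify the Set, and log the add/remove lists so membership changes to a permission-granting Set stay auditable.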

