Hi, when running an export profile to AD from FIM I get the following error: cd-existing-object (the specified account already exists) CN=administrator,OU=FIM,DC=fabrikam,DC=com Now, in the FIM OU, there is no account called 'administrator'. Secondly, I have a filter in the AD MA for displayname = administrator. why is it still complaining though? thanks

In AD DS, samAccountNames must be unique on a per domain basis. Apparently, you already have an account called administrator in your fabrikam domain. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thanks Markus, however the 3 FIM Portal accounts I am trying to get into AD are Bob, Sally and Jim....none of the have anything that says 'administrator'.

As Markus is saying, FIM is trying to create a user called Administrator in the domain. So somewhere in the Metaverse, and probably orriginating from the Portal is a user called Administrator. If you search for all objects of the type "Person" in the metaverse, don't you have a user called "administrator"? If you do, with what data sources does it have a connector? Besides that. Did you use "Administrator" to install the FIM Service & Portal? Did you filtered this user in the FIM MA filter configuration section? Filtering (in the FIM MA) the installer account and the build-in Synchronization account is a common best practice. Secondly, I have a filter in the AD MA for displayname = administrator. why is it still complaining though? If I'm correct such a filter will prevent objects in the Connector Space of the involved MA to be considered for joining and attribute flows towards objects in the Metaverse. It will not stop objects being added from within the FIM Logic to the CS of the MA. Obviously if they match the filter, they'll become disconnected. But my guess is that they'll get added to the CS nonetheless. http://setspn.blogspot.com

As Markus is saying, FIM is trying to create a user called Administrator in the domain. So somewhere in the Metaverse, and probably orriginating from the Portal is a user called Administrator. If you search for all objects of the type "Person" in the metaverse, don't you have a user called "administrator"? If you do, with what data sources does it have a connector? Besides that. Did you used "Administrator" to install the FIM Service & Portal? Did you filtered this user in the FIM MA filter configuration section? Filtering (in the FIM MA) the installer account and the build-in Synchronization account is a common best practice. Secondly, I have a filter in the AD MA for displayname = administrator. why is it still complaining though? If I'm correct such a filter will prevent objects in the Connector Space of the involved MA to be considered for joining and attribute flows to objects from the Metaverse. It will not stop objects being added from within the FIM Logic to the CS of the MA. Obviously if they match the filter, they'll become disconnected. But my guess is that they'll get added to the CS nonetheless.http://setspn.blogspot.com

Thomas, your explanation is very clear , thank you. I have reviewed the Portal and indeed you were both right - I can see that both the 'administrator' and the 'built-in synchronization account' is present in the FIM Portal. Maybe these accounts sneaked in somehow before I filtered them out. When I try delete the 'Administrator' account from the FIM Portal i get a 'access is denied' error message. Can I assume that, for future reference, both these accounts SHOULD NOT be in the Portal?

You should NOT delete them. The build-in synchronization account is used by the FIM MA to do it's exports/updates in FIM The administrator account is a convenient backdoor if you get locked out. They basically get added during the installation phase. What is advised: before you run any synchronization runs on the FIM MA is to filter those both in the FIM MA. This way they will only exist in the Portal and their attributes will never be cleared/updated.http://setspn.blogspot.com

Thank you Thomas, crystal clear now. I will just ignore the error messages for the rest of my lab then. Thank You.

Lol, The erorrs are there because you got the Administrator account added to the MV. If you got the filter in place, and perhaps toy around with the object deletion rule you should be able to get the Administrator account deleted from the MV somehow. However I'm not that familiar with this to guide you without you deleting other stuff by accident :) If Id be in front of the Synchronization Manager I could manage though.http://setspn.blogspot.com