Update to ERE Denied
Hi,
I was poking around the FIM Portal, clicked on 'Manage my requests', and I see the following:
Update to ExpectedRuleEntry: 'AD User Inbound/Outbound' request is DENIED.
Requester is Administrator (the enterprise admin account I have been using for everything...to avoid security permissions issues :-) )
Any ideas? Thank you
November 23rd, 2010 10:21am
Just because it's Administrator doesn't mean it can do everything. Administrator has to be explicitly given access to things too, using MPRs. If you look on the "Applied Policy" tab in the request you can see which policy/ies were applied. Unless there is one that explicitly gives Administrator the correct rights you will be denied.
http://www.wapshere.com/missmiis
November 23rd, 2010 10:55am
I see, just reviewed the 'Applied Policy' tab, and it contains No Items at all. Still does not explain why there is the 'Access Denied' error message though.
November 23rd, 2010 11:09am
Administrators don't have control of EREs out of the box. You need to build an MPR which grants the Administrators set control of EREs.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
November 23rd, 2010 5:57pm
I see, just reviewed the 'Applied Policy' tab, and it contains No Items at all. Still does not explain why there is the 'Access Denied' error message though.
It does...
You should read Carol's response, which is absolutely correct, again.
By design, in FIM, <ALL> activities are denied.
There is no policy that denies anything - policies can only grant permissions to do something.
This is why there is no policy listed.
The affected account is not part of any of the MPRs that grants permission to perform the requested operation.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 23rd, 2010 6:39pm
OK, I see now - thank you.
So the next question is how do I find the correct MPRs to modify? How do I know which MPRs are required?
Also, "You need to build an MPR which grants the Administrators set control of EREs." How do I do that?
Beginning to think that maybe the old style MIIS method of provision (which involved code) is actually the easier way to go here....
November 24th, 2010 7:05am
As far as building the MPR:
Create a new MPR, use the default Request type.
Specify the Administrators set under Requestors, tick all the check boxes next to Operation, and check Grants Permission.
Specify the All Expected Rule Resources for both sets under Target Resources, and select All Attributes.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
November 24th, 2010 2:21pm
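A simplified model of the grant-only evaluation described in the replies above, and of the MPR built in the preceding steps. This is an added example, not part of the original thread and not FIM's own code; the set members, operation labels, MPR names and the attribute name are constructed for illustration.

```python
from dataclasses import dataclass

ALL_ATTRIBUTES = "*"  # model stand-in for "All Attributes"
ALL_OPS = frozenset({"Create", "Read", "Modify", "Delete"})  # constructed labels

@dataclass(frozen=True)
class MPR:
    name: str
    requestor_set: str
    operations: frozenset
    target_set: str
    attributes: frozenset
    grants_permission: bool = True

def evaluate(requestor, operation, target, attributes, mprs, sets):
    """Return (status, applied_policy_names). There is no deny rule: a request
    succeeds only if grant MPRs cover every attribute it touches."""
    applied, covered = [], set()
    for m in mprs:
        if not (m.grants_permission
                and requestor in sets.get(m.requestor_set, ())
                and operation in m.operations
                and target in sets.get(m.target_set, ())):
            continue
        hit = set(attributes) if ALL_ATTRIBUTES in m.attributes else set(attributes) & m.attributes
        if hit:
            applied.append(m.name)
            covered |= hit
    if applied and covered >= set(attributes):
        return "GRANTED", applied
    return "DENIED", []  # model assumption: a denied request lists no policy

# Constructed sample data, loosely following the thread.
SETS = {
    "Administrators": {"Administrator"},
    "All Expected Rule Resources": {"ERE: AD User Inbound/Outbound"},
    "All People": {"Administrator", "jdoe"},
}
USER_MPR = MPR("Admins control users (constructed)", "Administrators",
               ALL_OPS, "All People", frozenset({ALL_ATTRIBUTES}))
ERE_MPR = MPR("Admins control EREs (constructed)", "Administrators",
              ALL_OPS, "All Expected Rule Resources", frozenset({ALL_ATTRIBUTES}))
REQUEST = ("Administrator", "Modify", "ERE: AD User Inbound/Outbound", {"SampleAttribute"})

def demo():
    before = evaluate(*REQUEST, [USER_MPR], SETS)          # no MPR targets EREs
    after = evaluate(*REQUEST, [USER_MPR, ERE_MPR], SETS)  # ERE MPR added
    return before, after

if __name__ == "__main__":
    print(demo())
```
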
Thanks, did that... now I get more errors...
When doing an Export from FIM MA I get a whole lot of these:
dn attributes failure: Fault reason: The endpoint could not dispatch the request
Any ideas?
November 25th, 2010 2:50am
Let's close this thread - I will rebuild the lab from scratch again. Thank you.
November 25th, 2010 10:56am