How to Use PowerShell to Test the FIM Management Agent Account
FIM ScriptBox Item
Summary
During the installation of FIM, you have to specify a user account that is used to run the FIM management agent. This account must be entered when you configure your FIM MA. If your FIM service runs on a domain controller, the account must also be granted the right to log on locally. If you configure your management agent to use a different account, or if the account has not been granted the right to log on locally, an error is very likely to occur when you run a run profile on your FIM management agent.
The PowerShell script below verifies that the account you have configured for your FIM management agent satisfies all prerequisites.
Script Code
#------------------------------------------------------------------------------------------------------
set-variable -name RegKey -value "hklm:\SYSTEM\CurrentControlSet\Services\FIMService" -option constant
set-variable -name URI    -value "http://localhost:5725/resourcemanagementservice" -option constant
#------------------------------------------------------------------------------------------------------
write-host "`nFIM MA Account Test"
write-host "===================="
#------------------------------------------------------------------------------------------------------
#Read the FIM MA account configuration from the registry:
write-host " -Reading registry configuration"
if((test-path $RegKey) -eq $false)
{throw (new-object ExecutionEngineException "FIM registry key not found")}

#The registry stores both the account SID and the account name; they must refer to the same account
$accountSid = (Get-ItemProperty "$RegKey").SynchronizationAccountSid
$sid = new-object System.Security.Principal.SecurityIdentifier $accountSid
$ntAccountFromSid = $sid.Translate([System.Security.Principal.NTAccount])
$ntAccountFromReg = (Get-ItemProperty "$RegKey").SynchronizationAccount
if(0 -ne [String]::Compare($ntAccountFromSid,$ntAccountFromReg, $true))
{throw "Registry FIM MA account name and SID don't match!"}

write-host " -FIM MA account name: $ntAccountFromSid"
write-host " -FIM MA account SID : $accountSid"
#------------------------------------------------------------------------------------------------------
#Read the FIM MA account configuration from MA:
write-host " -Reading MA configuration"
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
$exportData = export-fimconfig -uri $URI `
                               -onlyBaseResources `
                               -customconfig ("/ma-data[SyncConfig-category='FIM']")
#$null goes on the left so the test also behaves correctly if a collection is returned
if($null -eq $exportData) {throw "There is no FIM MA configured on your system"}

#The account is stored in the connection-info element of the MA's private configuration XML
$privateData = $exportData.ResourceManagementObject.ResourceManagementAttributes | `
               Where-Object {$_.AttributeName -eq "SyncConfig-private-configuration"}
[xml]$xmlPrivate = $privateData.Value
$ntAccountFromMA = $xmlPrivate.selectSingleNode("//connection-info/domain").get_InnerText() + `
                   "\" + `
                   $xmlPrivate.selectSingleNode("//connection-info/user").get_InnerText()
if(0 -ne [String]::Compare($ntAccountFromReg,$ntAccountFromMA, $true))
{throw "Registry configuration and FIM MA configuration for MA account don't match!"}
#------------------------------------------------------------------------------------------------------
#Start an empty command as the FIM MA account with runas (which prompts for the password);
#exit code 0 means the account was able to log on
$a = [char]34
$startinfo = new-object diagnostics.processstartinfo
$startinfo.filename = "runas"
$startinfo.arguments = "/user:$ntAccountFromMA " + $a + "cmd /c" + $a
$startinfo.RedirectStandardError = $true
$startinfo.UseShellExecute = $false
$process=[Diagnostics.Process]::Start($startinfo)
$process.WaitForExit()
write-host "`n"
if($process.exitcode -eq 0){write-host "Command completed successfully`n"}
#------------------------------------------------------------------------------------------------------
#The trap applies to the whole script scope, regardless of its position in the file
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit
}
#------------------------------------------------------------------------------------------------------
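The script above tests the right to log on locally only indirectly, through runas. The following added example (not part of the original script) reads the "Allow log on locally" and "Deny log on locally" assignments from a secedit USER_RIGHTS export and checks them against the account SID. The function names, the sample export lines and the sample SID are constructed for illustration, and only direct assignments are checked: a right held through group membership appears as the group's SID in AllowedSids.

```powershell
# Added example: checks direct assignment of logon rights in a secedit USER_RIGHTS export.
function Get-RightHolders {
    param([string[]]$InfLines, [string]$Right)
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,CONTOSO\svc
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1]
    return @($value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-EntryToSid {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; anything else is an account name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $nt = New-Object System.Security.Principal.NTAccount $Entry
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # name could not be resolved on this machine
}

function Test-LogonRight {
    param([string[]]$InfLines, [string]$AccountSid)
    $allow = Get-RightHolders $InfLines 'SeInteractiveLogonRight' | ForEach-Object { Resolve-EntryToSid $_ }
    $deny  = Get-RightHolders $InfLines 'SeDenyInteractiveLogonRight' | ForEach-Object { Resolve-EntryToSid $_ }
    New-Object PSObject -Property @{
        DirectAllow = ($allow -contains $AccountSid)
        DirectDeny  = ($deny -contains $AccountSid)
        AllowedSids = @($allow)   # groups to check membership against when DirectAllow is false
    }
}

# Constructed sample export (not real data). On a live system, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $inf = Get-Content "$env:TEMP\rights.inf"
$inf = @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105',
    'SeDenyInteractiveLogonRight = *S-1-5-32-546'
)
# Constructed SID; in practice use the SynchronizationAccountSid value read from the registry.
$accountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$result = Test-LogonRight -InfLines $inf -AccountSid $accountSid
Write-Host " -Direct 'Allow log on locally': $($result.DirectAllow)"
Write-Host " -Direct 'Deny log on locally' : $($result.DirectDeny)"
```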
Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.