

How to Use PowerShell to Check Your MPR Configuration for Synchronization

FIM ScriptBox Item

Summary

To synchronize identity objects, you need to enable certain built-in MPRs in your environment.
This script only reads the configuration and reports its findings; it checks whether:

  • All required MPRs are enabled
  • There is a need to modify a built-in MPR

Script Code

#-------------------------------------------------------------------------------------------------------------------------
# Name : Using PowerShell to check your MPR configuration for synchronization
# Version: 2.0
#-------------------------------------------------------------------------------------------------------------------------
  Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice' " -Option Constant  
  Set-Variable -Name msgWarning -Value "Caution: Your current MPR configuration requires your attention!" -Option Constant
  Set-Variable -name msgOK -Value "Your current MPR configuration meets all requirements" -Option Constant
#-------------------------------------------------------------------------------------------------------------------------
 Function GetObjects  
 {    
    Param($Filter)    
    End
    {
       $ExportObject = Export-Fimconfig -uri $URI `
                             â€“onlyBaseResources `
                             -customconfig ($Filter) `
                             -ErrorVariable Err `
 -ErrorAction SilentlyContinue 
       If($Err){Throw $Err}
       Return $ExportObject  
     } 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function ShowResults 
 {  
    Param([ref]$bActionItem, $lstAttributes, $msgMissing)  
    End  
    {
       if([int]($lstAttributes.length) -eq 0) {return}
       $bActionItem.value = $true    
       Write-Host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow    
       ForEach($attributeName In $lstAttributes) {Write-Host " -$attributeName"}  
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetXmlDoc 
 {  
    Param($exportObjects, $attributeName)  
    End
    {    
       $curAttribute = $exportObjects.ResourceManagementObject.ResourceManagementAttributes | `
                   Where-Object {$_.AttributeName -eq "$attributeName"}    
       Return "<root>$($curAttribute.Value)</root>"  
    } 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetDataFromMpr  
 {  
    Param($mprName, [ref]$lstMissingMpr, [ref]$lstDisabledMpr)  
    End
    {
       $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"    
       If($curMprObject -eq $null) {$lstMissingMpr.value += $mprName}    
       Else
       {     
          $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
                          Where-Object {$_.AttributeName -eq "Disabled"}     
          If($curAttribute.Value -eq "True") {$lstDisabledMpr.value += $mprName}    
       }   
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetResAttrsForMpr 
 {  
    Param($mprName)  
    End
    {    
       $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"    
       If($curMprObject -eq $null) {Return @()}    
       $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
   Where-Object {$_.AttributeName -eq "ActionParameter"}    
       If($curAttribute -eq $null) {Return @()}    
       return $curAttribute.Values  
    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetEafAttributesForObjectType 
 {   
    Param($cdObjectType, $mvObjectType, $xmlDoc)   
    End   
    {    
       $lstAttribute = @()    
       $typeNode = $xmlDoc.selectSingleNode("//export-flow-set[@cd-object-type='$cdObjectType' and @mv-object-type='$mvObjectType']")    
       If($typeNode -eq $null) {Return $lstAttribute}    
       ForEach($curNode in $typeNode.selectNodes("export-flow[direct-mapping]"))    
       {
          $lstAttribute += $curNode.selectSingleNode("@cd-attribute").get_InnerText()    
       }
   
       Return $lstAttribute   
    }  
 }
#-------------------------------------------------------------------------------------------------------------------------
 Function GetAttributeDiff 
 {  
    Param([array]$lstSource, [array]$lstTarget)  
    End
    {    
       $lstAttributes = @()    
       ForEach($attrName in $lstSource)    
       {   
          If(!($lstTarget -contains $attrName)) {$lstAttributes += $attrName}    
       }
    
       Return $lstAttributes   

    }
 }
#-------------------------------------------------------------------------------------------------------------------------
 If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
#-------------------------------------------------------------------------------------------------------------------------
 $exportObjects = GetObjects -Filter "/ma-data[SyncConfig-category='FIM']" 
 If($exportObjects -eq $null) {Throw "There is no FIM MA configured on your system!"} 
 [xml]$xmlExportFlow = GetXmlDoc -exportObjects $exportObjects `
                                 -attributeName "SyncConfig-export-attribute-flow" 
 [xml]$xmlProjection = GetXmlDoc -exportObjects $exportObjects `
                                 -attributeName "SyncConfig-projection" 
 
 [array]$lstEafAttributesPerson = GetEafAttributesForObjectType -cdObjectType "Person" `
                                                                -mvObjectType "person" `
                                                                -xmlDoc $xmlExportFlow 
                                                                
 [array]$lstEafAttributesGroup = GetEafAttributesForObjectType -cdObjectType "Group" `
                                                               -mvObjectType "group" `
           -xmlDoc $xmlExportFlow 
 
 If($lstEafAttributesGroup -contains "Member") 
 {  
    $lstEafAttributesGroup = @($lstEafAttributesGroup | Where-Object {$_ -ne 'Member'})  
    $lstEafAttributesGroup += "ExplicitMember" } 
    If($xmlProjection.selectNodes("//class-mapping[@cd-object-type='Person']").get_count() -eq 0) {Throw "The FIM management agent does not manage person objects"} 
    
    $bHasGroups = $xmlProjection.selectNodes("//class-mapping[@cd-object-type='Group']").get_count() -gt 0
#-------------------------------------------------------------------------------------------------------------------------
 $mprNames = @()  
 $mprNames += "General: Users can read schema related resources" 
 $mprNames += "General: Users can read non-administrative configuration resources" 
 $mprNames += "User management: Users can read attributes of their own" 
 $mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources" 
 $mprNames += "Synchronization: Synchronization account can read schema related resources" 
 $mprNames += "Synchronization: Synchronization account can read synchronization related resources" 
 $mprNames += "Synchronization: Synchronization account can read users it synchronizes" 
 $mprNames += "Synchronization: Synchronization account controls detected rule entry resources" 
 $mprNames += "Synchronization: Synchronization account controls synchronization configuration resources" 
 $mprNames += "Synchronization: Synchronization account controls users it synchronizes" 
 
 If($bHasGroups -eq $true) 
 {
    $mprNames += "Synchronization: Synchronization account can read group resources it synchronizes"  
    $mprNames += "Synchronization: Synchronization account controls group resources it synchronizes" 
 }
#-------------------------------------------------------------------------------------------------------------------------
 $bActionItem = $false 
 $lstDisabledMpr = @()  
 $lstMissingMpr = @() 
 
 ForEach($mprName In $mprNames) 
 {  
    GetDataFromMpr -mprName $mprName `
               -lstMissingMpr ([ref]$lstMissingMpr) `
   -lstDisabledMpr ([ref]$lstDisabledMpr) 
 }
#-------------------------------------------------------------------------------------------------------------------------
 Clear-Host
 Write-Host "`nFIM MPR Configuration For Synchronization Check" 
 Write-Host "===============================================" 
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstMissingMpr `
             -msgMissing "Missing MPRs:" 
             
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstDisabledMpr `
             -msgMissing "MPRs that need to be enabled:" 
 
 $mprName = "Synchronization: Synchronization account controls users it synchronizes" 
 
 [array]$lstResAttributes = GetResAttrsForMpr -mprName $mprName 
 [array]$lstMissingAttrs = GetAttributeDiff -lstSource $lstEafAttributesPerson `
                                            -lstTarget $lstResAttributes 
 ShowResults -bActionItem ([ref]$bActionItem) `
             -lstAttributes $lstMissingAttrs `
             -msgMissing "Missing attributes of $($mprName):" 
             
 If($bHasGroups -eq $true) 
 {  
    $mprName = "Synchronization: Synchronization account controls group resources it synchronizes"  
    $lstResAttributes = GetResAttrsForMpr -mprName $mprName    
    $lstMissingAttrs  = GetAttributeDiff -lstSource $lstEafAttributesGroup `
                                         -lstTarget $lstResAttributes  
    ShowResults -bActionItem ([ref]$bActionItem) `
                -lstAttributes $lstMissingAttrs `
                -msgMissing "Missing attributes of $($mprName):" 
 }
#-------------------------------------------------------------------------------------------------------------------------
 If($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue} 
 Else {write-host "`n$msgOK"}
#-------------------------------------------------------------------------------------------------------------------------
 Trap 
 {  
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred   
    Write-Host $_.Exception.GetType().FullName -foregroundcolor white -backgroundcolor darkred  
    Exit 1 
 }
#-------------------------------------------------------------------------------------------------------------------------

 

Note

To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

 


See Also