FIM 2010 R2: Review pending export changes to Active Directory using XSLT

 

---

Introduction

Many times, we end up having some pending exports to Active Directory Domain Services during FIM deployments. If those changes are few, then using the synchronization manager to go over them one by one is a convenient method. However, it would not be convenient if we had a large number of changes.

While it is possible to export those changes to an XML log file, looking at an XML tree is not very intuitive to everyone. In this post, I will show you how I used eXtensible Stylesheet Language (XSLT) to transform our exported XML document to a tabular format.

Create a Log File Using Export Run Profile

To export pending changes to a log file, you will need to do the following:

1. Launch the Synchronization Service Manager
2. Click on your Active Directory Domain Services MA (ADMA)
3. On the right hand side, click "Configure Run Profiles"
4. Click "New Profile..." ,

 http://1.bp.blogspot.com/-mq1eyJSboTE/U6g7jHQJxdI/AAAAAAAAAM0/U4IpQdTEres/s1600/ExportLogFile.png

1. Provide a name for this profile "Export to a log file"

2. Choose type Export

3. Click "Set Log File Options"

4. Choose "Create a log file and stop the run. Do not export to data source. (test only)"

5. Type the name of the file

   http://1.bp.blogspot.com/-gemexwbuI8Y/U6g7jLYx_oI/AAAAAAAAAM4/2iZ7rTUtsMU/s1600/SetLogFile.png

6. Click Ok

7. Click Next

8. Select a Partition, and click finish, then OK

Now, whenever you have a large number of changes you need to review and run this profile. You can run this profile, and find the log file under "MaData folder". If you installed FIM in the default location, then it will be here "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\MA Name>".

Using the XSLT with your XML log file

The idea here is to transform the exported XML log file into a nice view for everyone to look at. This is important because changes to Active Directory need to be verified and validated for correctness. Some changes, if not reviewed, can have hazardous effect in a production system. Group membership changes is one example.

The following XML is a result of an export from a test environment.

01.<?xml version = "1.0" encoding="UTF-16"?>
02.<?xml-stylesheet type="text/xsl" href="TransformIt.xsl"?>
03.<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
04.  <directory-entries>
05.    <delta operation="update" dn="CN=Richardson\, Cynthia,OU=User Accounts,DC=zeva,DC=fim" newdn="CN=Richardson\, Cynthia,OU=FIM,OU=Disabled Users,DC=zeva,DC=fim">
06.      <anchor encoding="base64">zrhAXN2xhkabVubSXF7uiQ==</anchor>
07.      <attr name="userAccountControl" operation="update" type="integer" multivalued="false">
08.        <value operation="delete">0x200</value>
09.        <value operation="add">0x202</value>
10.      </attr>
11.    </delta>
12.    <delta operation="delete" dn="CN=Roberts\, Craig,OU=FIM,OU=Disabled Users,DC=zeva,DC=fim">
13.      <anchor encoding="base64">XEneeCZ4B06XGALDsYSrdw==</anchor>
14.    </delta>
15.    <delta operation="update" dn="CN=Test Group 1,OU=Dynamic,OU=FIMNABOXGroups,DC=zeva,DC=fim">
16.      <anchor encoding="base64">iggzf9vk+EyCOHVdQ7zcsg==</anchor>
17.      <dn-attr name="member" operation="add" multivalued="true">
18.        <dn-value>
19.          <dn>CN=Simon\, Britta,OU=User Accounts,DC=zeva,DC=fim</dn>
20.          <anchor encoding="base64">Imibf3GvqEOT/D50D3t4rA==</anchor>
21.        </dn-value>
22.      </dn-attr>
23.    </delta>
24.    …
25.    …
26.    …
27.    <delta operation="add" dn="CN=White\, Wade,,OU=User Accounts,DC=zeva,DC=fim">
28.      <primary-objectclass>user</primary-objectclass>
29.      <objectclass>
30.        <oc-value>user</oc-value>
31.      </objectclass>
32.      <dn-attr name="homeMDB" multivalued="false">
33.        <dn-value>
34.          <dn>CN=User-Mail-8,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups.....</dn>
35.          <anchor encoding="base64">vhX2Dmd+90+Ngp9kQmvNrA==</anchor>
36.        </dn-value>
37.      </dn-attr>
38.      <dn-attr name="manager" multivalued="false">
39.        <dn-value>
40.          <dn>CN=Pitt\, John,OU=User Accounts,DC=zeva,DC=fim</dn>
41.          <anchor encoding="base64">3n8M/DeLJkOB2RLKa6Ydyg==</anchor>
42.        </dn-value>
43.      </dn-attr>
44.      <attr name="description" type="string" multivalued="true">
45.        <value>New hire</value>
46.      </attr>
47.      <attr name="displayName" type="string" multivalued="false">
48.        <value>White, Wade</value>
49.      </attr>
50.      <attr name="givenName" type="string" multivalued="false">
51.        <value>Wade</value>
52.      </attr>
53.      <attr name="mDBUseDefaults" type="boolean" multivalued="false">
54.        <value>true</value>
55.      </attr>
56.      <attr name="mailNickname" type="string" multivalued="false">
57.        <value>wwhite</value>
58.      </attr>
59.      <attr name="msExchHomeServerName" type="string" multivalued="false">
60.        <value>/o=ZEVAK/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ZEVAEXMB05</value>
61.      </attr>
62.      <attr name="pwdLastSet" type="integer" multivalued="false">
63.        <value>0x0</value>
64.      </attr>
65.      <attr name="sAMAccountName" type="string" multivalued="false">
66.        <value>wwhite</value>
67.      </attr>
68.      <attr name="sn" type="string" multivalued="false">
69.        <value>White</value>
70.      </attr>
71.      <attr name="userAccountControl" type="integer" multivalued="false">
72.        <value>0x200</value>
73.      </attr>
74.      <attr name="userPrincipalName" type="string" multivalued="false">
75.        <value>wwhite@zeva.fim</value>
76.      </attr>
77.    </delta>
78.  </directory-entries>
79.</mmsml>

To be able to format your exported xml file, you will need to follow the instructions below:

1. Download the XSLT file from the link here
2. Copy it to the same folder where your XML log file is located
3. Modify your XML file by

   • Adding a reference for the XSLT

     <?xml-stylesheet type="text/xsl" href="PendingExportReview v1.0.xsl"?>

   • Modify the following tag by removing "xmlns" attribute from it

     <mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">

4. Open your XML log file in a web browser such as Internet Explorer (IE) and you will find your XML now nicely formatted to look at. It is also searchable. Using (IE) you can search for keywords, and they will be highlighted for you.

The following screenshot shows the final results after applying an XSLT file to the XML log file.

http://3.bp.blogspot.com/-_SrjB9ZjtQ0/U6g7jMTJRBI/AAAAAAAAAM8/1GPINjuEWvg/s1600/ReviewInIE.png

Conclusion

In this post, we discussed how to utilize XSLT to transform ADMA exported XML log file into a nice tabular format for people to review. The XSLT applies only to Active Directory exported changes. You can use it on other management agent, however, I will not guarantee results. Perhaps future release to

the XSLT file will include other MAs. If you have feedback on how to make it look better, please don't hesitate to write a comment below. I will make sure to implement it and provide a new version of the XSLT file.

One of the draw backs of using this approach is it doesn't show deleted values. Also, it doesn't show attributes of deleted objects. It is very good to use to review attributes updates, and make sure they are correct.