How to Use PowerShell to Set the Required Attributes for the FIM Portal Access
FIM ScriptBox Item
In the post called “Enabling FIM Portal Access for a Regular AD User Account”, Jorge de Almeida Pinto lists the attributes you must set on a user in the portal:
- AccountName
- Domain
- ObjectSID
One method to get these attribute values is to synchronize them from Active Directory into FIM by using an inbound synchronization rule on your Active Directory management agent.
However, there are cases where you need to enable access to the FIM Portal for accounts that are not managed this way.
One example of such an account is a second FIM administrator account that you create as a backup.
In this case, you can use PowerShell to set the required attribute values in the FIM Portal.
One question you need to answer first is the format in which the FIM Portal stores an object’s SID value.
To examine the attributes of an object, you can use the “FIM Get Resource By Name” viewer from the FIM ScriptBox.
When you look at the ObjectSID value of an object, you will notice that SID values are stored as Base64 strings.
If all you need is the SID value for an object in Active Directory, you can use the "WinNT" provider to get the value and convert it into the required format:
#----------------------------------------------------------------------------------------------------------
set-variable -name domainName -value "fabrikam" -option constant
set-variable -name samName -value "bsimon" -option constant
#----------------------------------------------------------------------------------------------------------
clear-host
# Bind to the account through the WinNT provider (NetBIOS domain name and sAMAccountName)
$user = [ADSI]("WinNT://$domainName/$samName")
# The WinNT provider exposes objectSid, which is the value we need anyway
if($user.objectSid -eq $null) {throw "Object not found"}
# objectSid is a byte array; the FIM Portal stores the Base64 encoding of exactly those bytes
$64Sid = [System.Convert]::ToBase64String($user.objectSid[0], 0, $user.objectSid.Value.Length)
$64Sid
#----------------------------------------------------------------------------------------------------------
# A trap in script scope catches any terminating error raised above
trap
{
Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
Exit 1
}
#----------------------------------------------------------------------------------------------------------
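To make the storage format concrete without a domain at hand, here is an added example that is not part of the original post. It builds a SID from a constructed S-1-5-21 string, encodes it the way the scripts above do, and decodes the Base64 value back into a SecurityIdentifier. The decode step doubles as a check that the value written to ObjectSID is a binary SID and not, say, the textual SID pasted by mistake; the function names ConvertTo-Base64Sid and ConvertFrom-Base64Sid and the sample SID are my own.

```powershell
# Added example (not from the original post): round trip between a SID and the
# Base64 string the FIM Portal stores in ObjectSID. Runs offline on any Windows
# PowerShell; the SID below is constructed for illustration.

function ConvertTo-Base64Sid {
    param([Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid)
    # GetBinaryForm writes the binary SID into a caller-supplied byte array
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64Sid {
    param([Parameter(Mandatory=$true)][string]$Base64Sid)
    $bytes = [System.Convert]::FromBase64String($Base64Sid)
    # The (byte[], int) constructor parses a binary SID starting at offset 0 and
    # throws if the bytes are not a valid SID (wrong revision, too many sub-authorities)
    return New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

# Constructed sample SID: a made-up domain with RID 1105
$sampleSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1234567890-1234567890-1234567890-1105")

$base64 = ConvertTo-Base64Sid -Sid $sampleSid
Write-Host "Base64 ObjectSID: $base64"

# Decoding the portal value must give back the identical SID string
$decoded = ConvertFrom-Base64Sid -Base64Sid $base64
if ($decoded.Value -ne $sampleSid.Value) { throw "Round-trip mismatch" }
Write-Host "Decoded SID     : $($decoded.Value)"

# Failure mode: the textual SID encoded as Base64 is not a binary SID and is rejected,
# so this check catches a wrong value before it is written to the portal
$textEncoded = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($sampleSid.Value))
try {
    ConvertFrom-Base64Sid -Base64Sid $textEncoded | Out-Null
    Write-Host "Unexpected: text SID was accepted as binary"
} catch {
    Write-Host "Rejected non-binary ObjectSID value: $($_.Exception.Message)"
}
```

Running this on a real account is a one-line change: build $sampleSid from the objectSid bytes of an ADSI object, as the scripts in this post do, instead of from a string.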
The WinNT provider supports only a subset of an object’s attributes in Active Directory.
If you want to set more attributes on the portal object, you can use the "LDAP" provider to request the data from Active Directory.
In this case, a simple method is to bind to the object by its distinguished name (DN).
You can then use the Translate method of a System.Security.Principal.SecurityIdentifier object to retrieve the NetBIOS domain name (and the account name) of the object:
#----------------------------------------------------------------------------------------------------------
set-variable -name DN -value "LDAP://CN=Britta Simon,OU=FIMObjects,DC=Fabrikam,DC=Com" -option constant
#----------------------------------------------------------------------------------------------------------
# Bind to the user through the LDAP provider by distinguished name
$AdUser = [ADSI]($DN)
If($AdUser.objectGuid -eq $null) {Throw "Object not found"}
If($AdUser.displayName.Value.Length -eq 0){Throw "Display Name not set on object in AD"}
# Base64 encoding of the raw SID bytes, the format the FIM Portal expects for ObjectSID
$64Sid = [System.Convert]::ToBase64String($AdUser.objectSid[0], 0, $AdUser.objectSid.Value.Length)
# Build a SecurityIdentifier from the same bytes and translate it to DOMAIN\account form
$UserSid = New-Object System.Security.Principal.SecurityIdentifier($AdUser.objectSid[0], 0)
$Nt4Name = $UserSid.Translate([System.Security.Principal.NTAccount])
$Nt4Domain = ($Nt4Name.Value.Split("\"))[0]
$Nt4Account = ($Nt4Name.Value.Split("\"))[1]
Write-Host "`nAccount Name: $Nt4Account"
Write-Host "Domain Name : $Nt4Domain"
Write-Host "Object SID : $64Sid`n"
#----------------------------------------------------------------------------------------------------------
trap
{
Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
Exit 1
}
#----------------------------------------------------------------------------------------------------------
The FIM ScriptBox already provides samples for creating and updating objects in FIM.
By putting all the pieces together, you can write a script that either creates a new object with all required attribute values or updates an existing object:
#----------------------------------------------------------------------------------------------------------
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
set-variable -name DN -value "LDAP://CN=Britta Simon,OU=FIMObjects,DC=Fabrikam,DC=Com" -option constant
#----------------------------------------------------------------------------------------------------------
# Appends one single-valued attribute change to the ImportObject (same pattern as the ScriptBox samples)
Function SetAttribute
{
PARAM($CurObject, $AttributeName, $AttributeValue)
END
{
$ImportChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$ImportChange.Operation = 1
$ImportChange.AttributeName = $AttributeName
$ImportChange.AttributeValue = $AttributeValue
$ImportChange.FullyResolved = 1
$ImportChange.Locale = "Invariant"
If ($CurObject.Changes -eq $null) {$CurObject.Changes = (,$ImportChange)}
Else {$CurObject.Changes += $ImportChange}
}
}
#----------------------------------------------------------------------------------------------------------
If(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
Clear-Host
#----------------------------------------------------------------------------------------------------------
# Read the account from AD and derive the three required values (see the LDAP sample above)
$AdUser = [ADSI]($DN)
If($AdUser.objectGuid -eq $null) {Throw "Object not found"}
If($AdUser.displayName.Value.Length -eq 0){Throw "Display Name not set on object in AD"}
# A quote in the display name would break the XPath filter below, so refuse it up front
If($AdUser.displayName.Value -match "'"){Throw "Display Name contains a quote character; adjust the XPath filter before continuing"}
$64Sid = [System.Convert]::ToBase64String($AdUser.objectSid[0], 0, $AdUser.objectSid.Value.Length)
$UserSid = New-Object System.Security.Principal.SecurityIdentifier($AdUser.objectSid[0], 0)
$Nt4Name = $UserSid.Translate([System.Security.Principal.NTAccount])
$Nt4Domain = ($Nt4Name.Value.Split("\"))[0]
$Nt4Account = ($Nt4Name.Value.Split("\"))[1]
#----------------------------------------------------------------------------------------------------------
# Look for an existing Person with the same display name; $CurObject stays $null when there is none
$CurObject = export-fimconfig -uri $URI `
-OnlyBaseResources `
-customconfig ("/Person[DisplayName='$($AdUser.displayName.Value)']") `
-ErrorVariable Err `
-ErrorAction SilentlyContinue
If($Err){Throw $Err}
# DisplayName is not unique in the portal, so do not update when the query is ambiguous
If($CurObject -ne $null -and @($CurObject).Count -gt 1) {Throw "More than one Person with display name '$($AdUser.displayName.Value)' exists in the FIM Portal"}
$ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
If($CurObject -eq $null)
{
# No match: create a new Person; SourceObjectIdentifier is only a temporary client-side id
$ImportObject.ObjectType = "Person"
$ImportObject.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
}
Else
{
# Match found: update the existing resource in place (State 1 = Put, as in the ScriptBox samples)
$ImportObject.ObjectType = $CurObject.ResourceManagementObject.ObjectType
$ImportObject.TargetObjectIdentifier = $CurObject.ResourceManagementObject.ObjectIdentifier
$ImportObject.SourceObjectIdentifier = $CurObject.ResourceManagementObject.ObjectIdentifier
$ImportObject.State = 1
}
# The three attributes required for portal access, plus DisplayName for a newly created Person
SetAttribute -CurObject $ImportObject -AttributeName "AccountName" -AttributeValue $Nt4Account
SetAttribute -CurObject $ImportObject -AttributeName "DisplayName" -AttributeValue $AdUser.displayName.Value
SetAttribute -CurObject $ImportObject -AttributeName "Domain" -AttributeValue $Nt4Domain
SetAttribute -CurObject $ImportObject -AttributeName "ObjectSID" -AttributeValue $64Sid
$ImportObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
If($Err){Throw $Err}
Write-Host "`nCommand completed successfully`n"
#----------------------------------------------------------------------------------------------------------
Trap
{
Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
Exit 1
}
#----------------------------------------------------------------------------------------------------------
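Because a Person whose ObjectSID does not match the account that actually logs on gets the wrong identity in the portal, it is worth reading the object back after the import and comparing it with AD. The following verification script is an added example, not part of the original post or of the ScriptBox: it looks the Person up by AccountName and Domain rather than by DisplayName, decodes the stored Base64 ObjectSID, and compares it with the SID resolved from AD. The $URI and $DN values follow the post's conventions; the XPath filter with `and`, the helper name Get-PortalAttribute, and reading attributes through ResourceManagementObject.ResourceManagementAttributes (properties AttributeName and Value) are my assumptions about the FIMAutomation object model.

```powershell
# Added example (not from the original post): verify that the FIM Portal Person
# created or updated above carries the identity of the intended AD account.
$URI = "http://localhost:5725/resourcemanagementservice"
$DN  = "LDAP://CN=Britta Simon,OU=FIMObjects,DC=Fabrikam,DC=Com"

If(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"}).count -eq 0) {add-pssnapin FIMAutomation}

# Assumed object model: each exported resource exposes a ResourceManagementAttributes
# collection whose entries carry AttributeName and Value
function Get-PortalAttribute {
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr -eq $null) { return $null }
    return $attr.Value
}

# Expected values, derived from AD exactly as in the post
$AdUser = [ADSI]($DN)
If($AdUser.objectGuid -eq $null) {Throw "Object not found"}
$UserSid = New-Object System.Security.Principal.SecurityIdentifier($AdUser.objectSid[0], 0)
$Nt4Name = $UserSid.Translate([System.Security.Principal.NTAccount]).Value
$Nt4Domain, $Nt4Account = $Nt4Name.Split("\")
If($Nt4Account -match "'" -or $Nt4Domain -match "'") {Throw "Account or domain name contains a quote character"}

# Query by the identity attributes, so a duplicate display name cannot hide a wrong record
$filter = "/Person[AccountName='$Nt4Account' and Domain='$Nt4Domain']"
$Portal = @(export-fimconfig -uri $URI -OnlyBaseResources -customconfig $filter -ErrorVariable Err -ErrorAction SilentlyContinue)
If($Err){Throw $Err}
If($Portal.Count -ne 1) {Throw "Expected exactly one Person for $Nt4Domain\$Nt4Account, found $($Portal.Count)"}

# Binary attributes are exported as Base64, so decode before comparing
$storedSid64 = Get-PortalAttribute -Resource $Portal[0] -Name "ObjectSID"
If(-not $storedSid64) {Throw "ObjectSID is not set on the portal object"}
$storedSid = New-Object System.Security.Principal.SecurityIdentifier([System.Convert]::FromBase64String($storedSid64), 0)

If($storedSid.Value -ne $UserSid.Value)
{
    Throw "ObjectSID mismatch: portal has $($storedSid.Value), AD has $($UserSid.Value)"
}
Write-Host "`nPortal object matches AD: $Nt4Domain\$Nt4Account ($($UserSid.Value))`n"

Trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit 1
}
```

A mismatch here typically means the AD account was deleted and recreated (new SID) after the portal object was populated, or that a different account with the same display name was picked up by the DisplayName query; in both cases the portal object should be corrected before the account is used.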
Summary
If you need to enable FIM Portal access for a user, you can easily do this by writing a PowerShell script.
The only challenges in this case are the format of the SID and retrieving the domain value.
In this post, I have explained how you can get to these values.
Recommended Reading
- FIM Get Resource By Name
- Enabling FIM Portal Access for a Regular AD User Account
- Using PowerShell to display a user’s attribute values for FIM Portal access
- Using PowerShell to create a user in the FIM Portal
- Using PowerShell to enable a MPR
Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.