FIM 2010 (R2): Well-known GUIDS
Source references
- "FIM 2010 – Well-known GUIDS" on http://www.identitychaos.com/2010/08/fim-2010-well-known-guids.html (Published by Brad Turner - MSFT)
- Well-known GUIDS in FIM 2010, published on http://blog.goverco.com/2010/10/well-known-guids-in-fim-2010.html by Søren Granfeldt
- Make the installation and FIM MA accounts filtered disconnectors and save yourself a headache (and possibly a rebuild). (on Yet another identity management blog, by Paul Williams, MSFT)
- MissMIIS: Best practices for the FIM Portal Administrator account
FIM 2010 – Well-known GUIDS
As mentioned by Brad and Søren, the FIM Service and Portal use a few "well-known" GUIDs.
"Well-known" means they are the same on every installation.
| Name | GUID |
| --- | --- |
| Installer Account / Default Admin | 7fb2b853-24f0-4498-9534-4e10589723c4 |
| Built-in Synchronization Account | fb89aefa-5ea1-47f1-8890-abe7797d6497 |
| FIM Service Account | e05d1f1b-3d5e-4014-baa6-94dee7d68c89 |
| Anonymous | b0b36673-d43b-4cfa-a7a2-aff14fd90522 |
Accounts
Installer account
The account that installs the FIM Service and Portal is by default assigned as the first FIM Service and Portal administrator.
That account is automatically added to the Administrators set.
Therefore it's important to choose that account wisely: it need not be a personal account tied to a person who may one day leave the company.
Built-in Synchronization Account
As explained by Brad (ILM 2 Beta 3 - Built-In Synchronization Account Goodness), the "Built-in Synchronization Account" is also known as the FIM MA account.
It is NOT the FIM Synchronization service account, i.e. the Windows service account that keeps the FIM Sync service running.
As explained by Just Another Tech Guy (FIM 2010: Understand the Built-in Accounts):
"This account is used by the FIM MA in the FIM Synchronization Engine for writing to FIM web service. When a request is made by the FIM Sync account, AuthN and AuthZ workflows are skipped. The effect on this design is that if the FIM MA wants to make a huge number of requests, they do not trigger additional requests."
FIM service account
See here for more explanation on the FIM Service account.
In short:
- an instance of Resource object type (not User object type).
- created by FIM setup and cannot be deleted.
- immune to authentication and authorization
- out of box activities operate under this context
Consider this advice from Just Another Tech Guy: "This is why it is not recommended using this account (actor Id) as the context in workflows and activities – always keep this in mind when designing activities, workflows."
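Because the GUIDs in the table are identical on every installation, an administrator can look up which real account sits behind each of them and who is in the Administrators set. The following PowerShell is an added example, not code from the original page or from the referenced blogs; it uses the FIMAutomation snap-in's Export-FIMConfig cmdlet and assumes the FIM Service is reachable at http://localhost:5725 (a placeholder address) by a caller with read permission on these objects.

```powershell
# Added example: audit the well-known FIM accounts via the FIMAutomation snap-in.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimUri = "http://localhost:5725"   # assumed FIM Service address (placeholder)

# The well-known GUIDs from the table above (same on every installation).
$wellKnown = @{
    'Installer Account / Default Admin' = '7fb2b853-24f0-4498-9534-4e10589723c4'
    'Built-in Synchronization Account'  = 'fb89aefa-5ea1-47f1-8890-abe7797d6497'
    'FIM Service Account'               = 'e05d1f1b-3d5e-4014-baa6-94dee7d68c89'
    'Anonymous'                         = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'
}

# Helper (hypothetical name): read one single-valued attribute from an exported resource.
function Get-FimAttribute($resource, [string]$name) {
    $attr = $resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name }
    if ($attr) { return $attr.Value }
}

foreach ($entry in $wellKnown.GetEnumerator()) {
    # Search every object type; the GUID is the resource's ObjectID.
    $filter = "/*[ObjectID='$($entry.Value)']"
    $res = Export-FIMConfig -Uri $fimUri -CustomConfig $filter -OnlyBaseResources
    if (-not $res) { Write-Warning "$($entry.Key): not found"; continue }
    [PSCustomObject]@{
        Name        = $entry.Key
        ObjectType  = Get-FimAttribute $res 'ObjectType'    # Person vs. Resource
        DisplayName = Get-FimAttribute $res 'DisplayName'
        AccountName = Get-FimAttribute $res 'AccountName'   # empty for non-Person objects
        Domain      = Get-FimAttribute $res 'Domain'
    }
}

# Explicit members of the Administrators set: the installer account's ObjectID
# (urn:uuid:7fb2b853-...) should be here; review any personal accounts alongside it.
$adminSet = Export-FIMConfig -Uri $fimUri -OnlyBaseResources `
            -CustomConfig "/Set[DisplayName='Administrators']"
$members  = ($adminSet.ResourceManagementObject.ResourceManagementAttributes |
             Where-Object { $_.AttributeName -eq 'ExplicitMember' }).Values
"Explicit members of Administrators: " + ($members -join ', ')
```

If the installer GUID resolves to a named employee's Person object, that is the situation the section above warns about; the output shows which account needs to be swapped for a dedicated one.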
See also
- FIM 2010: Understand the Built-in Accounts (by Just Another Tech Guy)
- Who's this b0b guy anyway?
- ILM 2 Beta 3 - Built-In Synchronization Account Goodness
- MissMIIS: Best practices for the FIM Portal Administrator account