Thursday, January 22, 2015

Using PowerShell to Find FIM Service Event Log Items

Turning FIM Service logging up to verbose yields some very useful detail, often revealing vital clues to a mystery problem.  The trouble is that verbose logging results in a heavy yield, making it very difficult to sift through manually with Event Viewer.

Here are a couple of commands I had to use recently to find event log items relating to queries.  The command is very easy to use; the only trick is knowing what to look for.  Once you have an idea of what to look for, you can use the Message parameter with wildcards to find it.

Find events regarding the FIM web service:

# FIM web-service trace messages begin with "WS", so a trailing wildcard on the
# Message parameter selects them. As the sample output shows, these entries
# include the caller's SID, so handle saved results accordingly.
$webServiceFilter = @{
    LogName = 'Forefront Identity Manager'
    Message = 'WS*'
}
Get-EventLog @webServiceFilter

 

WS: Action.Get.Execute.Enter

WS: GetCurrentUserFromSecurityIdentifier.Exit

WS: GetCurrentUserFromSecurityIdentifier.Enter: S-1-5-21-2738960992-2406426622-3534036869-500

WS: ObjectID,CountXPath,CreatedTime,Creator,DeletedTime,Description,DetectedRulesList,DisplayName

WS: Get: enter

WS: Enumerate.Exit

WS: Action.Enumerate.Execute.Exit

WS: Action.Enumerate.Execute.Enter

WS: GetCurrentUserFromSecurityIdentifier.Exit

WS: GetCurrentUserFromSecurityIdentifier.Enter: S-1-5-21-2738960992-2406426622-3534036869-500

WS: Enumerate.Enter

 

Find events regarding the FIM Service enumeration (query):

# Enumeration (query) messages begin with "Enumerate". As the sample output shows,
# each one records the XPath filter that was run and the GUID of the principal
# that ran it.
$enumerationFilter = @{
    LogName = 'Forefront Identity Manager'
    Message = 'Enumerate*'
}
Get-EventLog @enumerationFilter

 

Enumerate(/AttributeTypeDescription[Name="Locale"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewPagesToCache"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewPageSize"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewCacheTimeOut"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="LastResetAttemptTime"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="LastName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="JobTitle"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsRASEnabled"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsConfigurationType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsAuthorizationActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsAuthenticationActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsActionActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IntegerMinimum"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IntegerMaximum"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="InitialFlow"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ImageUrl"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ILMObjectType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="HasCollateralRequest"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GrantRight"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateTypeId"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateID"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateData"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FunctionParameters"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FunctionName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FreezeLevel"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FreezeCount"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ForestConfiguration"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ForeignSecurityPrincipalSet"]), Principal(7fb2b853-24f0-4498-9534-4e105897...

Enumerate(/AttributeTypeDescription[Name="FlowType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FirstName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="Filter"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExplicitMember"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpirationTime"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpectedRulesList"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpectedRuleEntryAction"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExistenceTest"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="EndpointAddress"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="EmployeeStartDate"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

'@

Enumerate(/AttributeTypeDescription[Name="Locale"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewPagesToCache"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewPageSize"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ListViewCacheTimeOut"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="LastResetAttemptTime"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="LastName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="JobTitle"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsRASEnabled"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsConfigurationType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsAuthorizationActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsAuthenticationActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IsActionActivity"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IntegerMinimum"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="IntegerMaximum"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="InitialFlow"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ImageUrl"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ILMObjectType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="HasCollateralRequest"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GrantRight"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateTypeId"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateID"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="GateData"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FunctionParameters"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FunctionName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FreezeLevel"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FreezeCount"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ForestConfiguration"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ForeignSecurityPrincipalSet"]), Principal(7fb2b853-24f0-4498-9534-4e105897...

Enumerate(/AttributeTypeDescription[Name="FlowType"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="FirstName"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="Filter"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExplicitMember"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpirationTime"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpectedRulesList"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExpectedRuleEntryAction"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="ExistenceTest"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="EndpointAddress"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

Enumerate(/AttributeTypeDescription[Name="EmployeeStartDate"]), Principal(7fb2b853-24f0-4498-9534-4e10589723c4)

 

Thursday, January 15, 2015

Using PowerShell to Search FIM ExportObjects

The FIM Service enjoys some basic support for PowerShell in the fimautomation PowerShell snap-in.  One of the most useful commands is Export-FimConfig which essentially is a query tool for the FIM Service, returning objects of type ExportObject ([Microsoft.ResourceManagement.Automation.ObjectModel.ExportObject]).

Most often I convert the ExportObject objects to PSObjects which makes them way easier to use, but sometimes I want to work with ExportObject because of other commands that accept an ExportObject as input.

This little snippet shows how to use the PowerShell Where-Object command to filter through FIM ExportObjects.

The trick here is to dig through the ResourceManagementAttributes array using a nested Where-Object command. 

# Keep only the WorkflowDefinition objects whose DisplayName attribute has the wanted value.
$aBunchOfExportObjects | Where-Object {
    $resource = $_.ResourceManagementObject

    # The object type is a direct property, so that test is the easy half.
    # Attribute values live in the ResourceManagementAttributes array, so a nested
    # Where-Object looks for an entry matching both the attribute name and the value;
    # any match makes the right-hand side of -and true.
    $resource.ObjectType -eq 'WorkflowDefinition' -and
        ($resource.ResourceManagementAttributes | Where-Object {
            $_.AttributeName -eq 'DisplayName' -and $_.Value -eq 'Some Fantastic Workflow'
        })
}

 

Monday, January 05, 2015

Calling FIM debug.MakeCurrentUserAdministrator with the SQL PowerShell Module

Follow-up to this post:

debug.MakeCurrentUserAdministrator

I’ve been working on deploying FIM configurations with PowerShell Desired State Configuration (DSC) and to ring in the new year I started by wiping out the members of the administrators Set (oops).

The VMs I use for FIM don’t have SQL Management Studio installed (it just encourages them) so I needed a quick way to add myself back to the FIM administrators Set.

The quick solution is to call the stored procedure using the SQL PowerShell Module.  The only catch is that the stored procedure broke a while back (FIM R2 SP1 I think) so I just include the working T-SQL. 

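# Break-glass recovery: puts the account running this command back into the FIM
# Administrators Set by writing directly to the FimService database.
#   * SUSER_SID() resolves the login executing the batch, so the account that runs
#     Invoke-Sqlcmd is the one that gains membership.
#   * The rows go straight into [fim].[ObjectValueReference] instead of through the
#     FIM Service, so presumably no FIM Request is created for the change
#     (NOTE(review): confirm) - record each use of this script out-of-band.
#   * The batch stops before changing anything if a required key cannot be resolved.
Invoke-Sqlcmd -Database FimService -QueryTimeout 0 -Query @'
DECLARE
    @administratorsSetKey         BIGINT,
    @displayNameKey               SMALLINT,
    @groupAdministratorsSetKey    BIGINT,
    @nonAdministratorsSetKey      BIGINT,
    @setObjectTypeKey             SMALLINT,
    @userKey                      BIGINT,
    @explicitMemberAttributeKey   SMALLINT,
    @computedMemberAttributeKey   SMALLINT;

-- Resolve the attribute and object-type keys used by the lookups and inserts below.
SET @explicitMemberAttributeKey = [fim].[AttributeKeyFromName]  (N'ExplicitMember');
SET @computedMemberAttributeKey = [fim].[AttributeKeyFromName]  (N'ComputedMember');
SET @displayNameKey             = [fim].[AttributeKeyFromName]  (N'DisplayName');
SET @setObjectTypeKey           = [fim].[ObjectTypeKeyFromName] (N'Set');

-- Map the SID of the login running this batch to its FIM user object.
SELECT @userKey = [UserObjectKey]
FROM [fim].[UserSecurityIdentifiers]
WHERE [SecurityIdentifier] = SUSER_SID();

-- Look up the Sets by display name.
SELECT @administratorsSetKey = [ObjectKey]
FROM [fim].[ObjectValueString] AS [ovs]
WHERE   [ovs].[ObjectTypeKey] = @setObjectTypeKey
    AND [ovs].[AttributeKey]  = @displayNameKey
    AND [ovs].[ValueString]   = N'Administrators';

SELECT @nonAdministratorsSetKey = [ObjectKey]
FROM [fim].[ObjectValueString] AS [ovs]
WHERE   [ovs].[ObjectTypeKey] = @setObjectTypeKey
    AND [ovs].[AttributeKey]  = @displayNameKey
    AND [ovs].[ValueString]   = N'All Non-Administrators';

SELECT @groupAdministratorsSetKey = [ObjectKey]
FROM [fim].[ObjectValueString] AS [ovs]
WHERE   [ovs].[ObjectTypeKey] = @setObjectTypeKey
    AND [ovs].[AttributeKey]  = @displayNameKey
    AND [ovs].[ValueString]   = N'Group Administrators';

-- Show every resolved key so a failed lookup is visible in the output.
SELECT @userKey                    AS 'User Key';
SELECT @administratorsSetKey       AS 'Administrator Set Key';
SELECT @nonAdministratorsSetKey    AS 'Non-Administrator Set Key';
SELECT @groupAdministratorsSetKey  AS 'Group Administrator Set Key';
SELECT @explicitMemberAttributeKey AS 'ExplicitMember Attribute Key';
SELECT @computedMemberAttributeKey AS 'ComputedMember Attribute Key';
SELECT @setObjectTypeKey           AS 'Set Object Type Key';

-- Stop before touching any data if a key needed by the statements below is NULL,
-- for example when the current login has no row in [fim].[UserSecurityIdentifiers].
-- Without this check a NULL key would be passed to RemoveSetMember and the inserts.
IF     @userKey                    IS NULL
    OR @administratorsSetKey       IS NULL
    OR @setObjectTypeKey           IS NULL
    OR @explicitMemberAttributeKey IS NULL
    OR @computedMemberAttributeKey IS NULL
BEGIN
    RAISERROR (N'A required key could not be resolved; no changes were made.', 16, 1);
    RETURN;
END;

-- Remove the user from the Set first, then insert the membership rows.
EXECUTE [debug].[RemoveSetMember]
    @setKey    = @administratorsSetKey,
    @memberKey = @userKey;

-- Membership is written for both ExplicitMember and ComputedMember.
INSERT INTO [fim].[ObjectValueReference]
(
    [ObjectKey],
    [ObjectTypeKey],
    [AttributeKey],
    [ValueReference],
    [Multivalued]
)
VALUES
(
    @administratorsSetKey,
    @setObjectTypeKey,
    @explicitMemberAttributeKey,
    @userKey,
    0
);

INSERT INTO [fim].[ObjectValueReference]
(
    [ObjectKey],
    [ObjectTypeKey],
    [AttributeKey],
    [ValueReference],
    [Multivalued]
)
VALUES
(
    @administratorsSetKey,
    @setObjectTypeKey,
    @computedMemberAttributeKey,
    @userKey,
    0
);

-- List the resulting members so the change can be verified and recorded.
EXECUTE [debug].[DisplaySetMembers] @setKey = @administratorsSetKey;
'@ -Verbose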