Tuesday, November 25, 2014

Counting Members in a FIM Set

I'm troubleshooting a strange configuration issue today and am trying to figure out why performance of references is less than awesome.

This particular query helped narrow down the problem.  For some reason I have a bunch of Sets with huge numbers of explicit members.  The sample is a good illustration of getting the data out of the FIM Service, then querying it and formatting it using PowerShell.  In some cases you can define a better query using XPath against the FIM Service but often it is easier to just do it in PowerShell.

Here’s the query to find the sets:


    ### Get all the Sets
    Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set" |
    ### Convert to PSObjects (easier to deal with than FIM Export Objects)
    Convert-FimExportToPSObject |
    ### Get just the Sets with ExplicitMember
    Where-Object ExplicitMember |
    ### Sort by the count of members
    Sort-Object {$_.ExplicitMember.Count} -Descending |
    ### Output as a nice table
    Format-Table DisplayName, @{Name='ExplicitMemberCount';Expression={$_.ExplicitMember.Count}} -AutoSize




    DisplayName                           ExplicitMemberCount
    -----------                           -------------------
    Administrators                                          1
    Password Reset Objects Set                              4
    Crazy Set One                                      200000
    FIM Support Tier One                                    7
    FIM Programmatic Access                                 4
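
A threshold-based variant of the query above, as an added example that is not code from the original post: it reports only the Sets whose explicit membership reaches a limit, and handles Sets with no explicit members or exactly one. `Get-LargeExplicitSet`, its `-Threshold` parameter and the sample objects are hypothetical and constructed here; the object shape (a `DisplayName` plus an `ExplicitMember` property holding reference strings) is an assumption about what the conversion step emits.

```powershell
# Added example. Get-LargeExplicitSet and -Threshold are hypothetical names,
# not part of the FIM cmdlets or the FIM PowerShell module.
function Get-LargeExplicitSet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $Set,

        [int] $Threshold = 1000
    )
    process {
        # Criteria-only Sets carry no ExplicitMember value at all; skip them
        # rather than letting @($null).Count report a phantom member.
        $prop = $Set.PSObject.Properties['ExplicitMember']
        if ($null -eq $prop -or $null -eq $prop.Value) { return }

        # @() wraps a single (scalar) member in an array so it counts as 1.
        $count = @($prop.Value).Count
        if ($count -ge $Threshold) {
            [pscustomobject]@{
                DisplayName         = $Set.DisplayName
                ExplicitMemberCount = $count
            }
        }
    }
}

# Constructed sample data in the shape assumed for the converted Set objects:
# references as "urn:uuid:<guid>" strings, a scalar when there is only one.
# Member counts are scaled down so the sample builds quickly.
$newRefs = { param($n) 1..$n | ForEach-Object { "urn:uuid:$([guid]::NewGuid())" } }
$sampleSets = @(
    [pscustomobject]@{ DisplayName = 'Administrators';       ExplicitMember = (& $newRefs 1) }
    [pscustomobject]@{ DisplayName = 'FIM Support Tier One'; ExplicitMember = @(& $newRefs 7) }
    [pscustomobject]@{ DisplayName = 'Crazy Set One';        ExplicitMember = @(& $newRefs 5000) }
    [pscustomobject]@{ DisplayName = 'Constructed Criteria Set' }
)

# Report only the Sets with at least 5 explicit members, largest first.
$sampleSets |
    Get-LargeExplicitSet -Threshold 5 |
    Sort-Object ExplicitMemberCount -Descending |
    Format-Table -AutoSize
```

Against a live FIM Service, pipe the output of `Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set" | Convert-FimExportToPSObject` into the function in place of `$sampleSets`.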






Thursday, November 13, 2014

Microsoft Acquires Aorato

Very interesting news today from Microsoft:

Active Directory Team Blog: Microsoft Acquires Aorato

This is interesting because it shows investment in the on-premises Active Directory (we’re already seeing a tonne of investment in Azure AD, no complaints there).

We’re also seeing AD investments in the new Privileged Access Management (PAM) functionality, which also has ties into the next version of FIM (MIM).  MIM is not strictly required for the PAM functionality, but it augments it by adding extra policy enforcement.  The TTL nature of the group membership completely lives in AD.

It’s happened too often now that acquisitions get thrown into the FIM solution suite and don’t get truly integrated into AD or Windows Server or even FIM.  Looking forward to seeing where the Aorato technology lands; my preference would be for it to be baked into AD or a feature of the AD role.

Wednesday, November 12, 2014

Install SharePoint Foundation using PowerShell

Found this little stash of scripts (in the zip) on TechNet recently:

Install SharePoint Foundation 2010 by using Windows PowerShell

Having just finished the 2014 MVP Summit and getting my head full of PowerShell Desired State Configuration I thought I would be able to install SharePoint Foundation using DSC.

NOTE: I hope to post later on how to install the SharePoint prerequisites using the DSC Package Resource.

For now, here is the snippet for installing SharePoint Foundation using the DSC Package Resource:

    configuration SharePoint
    {
        node (hostname)
        {
            # This is just a snippet of a larger configuration that I'm working on
            # In the larger configuration I am installing the SharePoint prerequisites, but still working on that
            # I've left the 'DependsOn' parameter in to demonstrate how you would make the SharePoint install happen after its prereqs
            Package InstallSharePointFoundation
            {
                Ensure     = "Present"
                Name       = "Microsoft SharePoint Foundation 2013 Core"
                Path       = "C:\Temp\SharePointFoundation2013\Setup.exe"
                Arguments  = "/config C:\Temp\SharePointFoundation2013\files\setupsilent\config.xml"
                ProductID  = "90150000-1014-0000-1000-0000000FF1CE"
                ReturnCode = 8
                # DependsOn takes entries of the form "[ResourceType]ResourceName"; the
                # prerequisite entries are elided in this snippet, so it is commented out
                # DependsOn = @( ... )
            }
        }
    }

    # Compile the configuration to a MOF file
    SharePoint -OutputPath c:\temp\SharePoint

    # Apply the compiled configuration
    Start-DscConfiguration -Verbose -Wait -Path c:\temp\SharePoint



Monday, November 10, 2014

Microsoft Identity Manager Preview

The upcoming major release of FIM (already renamed to MIM) now has a preview available for download.  The Microsoft Connect site requires an agreement so expect some prompts and identity detail sharing:


To get an overview of what the preview includes, you can view the recorded TechEd Europe session on Channel 9:

Microsoft Identity Manager vNext Overview