Forefront Identity Manager 2010 Installation & Configuration

Basic Security/Distribution Group Management

Anthony Marsiglia & Kristopher Tackett

Microsoft Premier Field Engineering

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering

At present, group management in FIM tends to be a rather manual process. Here we will attempt to “ease the pain”, as it were, by walking through the necessary steps as simply as possible.

The issue, as it stands, is that when you create a security group in AD and bring it into the Portal it comes in as a manually managed group. While this may be fine in certain circumstances, generally speaking, criteria-based groups offer more flexibility and less routine administration (for example, no need to manually add/remove members).

Here is an example of what an AD security group looks like when brought into the Portal:

From here, we can enter a “Description” and change the “Member Selection” from “Manual” to “Criteria-based”. Also notice the check box to mail enable the group.

By clicking on the “Members” tab, we are able to set the criteria for group membership. In this example, any user whose “Department” and “Description” attributes match the defined values becomes a member of this group (as seen by clicking on “View Members”).

Finally, clicking on the “Owners” tab shows that we need to define both an “Owner” as well as a “Displayed Owner”.

Clicking on the “Browse” button brings up a search window. However, we may want to add many users as “Owners” of the group. Clicking on “Advanced Search” allows us to search for and add multiple users quickly.

Much like defining criteria for group membership, we can easily search for all members of this group and, if desired, add them all as “Owners”, as shown below:

Finally, we must select a “Displayed Owner”. The key thing to remember here is that the “Displayed Owner” must be in the “Owner” list above.

From here, click “OK” and “Submit” to commit these changes.

After completing these steps, on the next import/sync/export run, the group will be updated accordingly in AD. Whenever a new user is created who matches the defined criteria, they will automatically receive membership in this group. Likewise, if a user has an attribute change which no longer matches the defined criteria, they will automatically lose membership in this group.
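The same criteria-based group definition can be submitted to the FIM Service with the FIMAutomation PowerShell snap-in rather than through the Portal forms. The script below is an added example and is not part of this document or of the FIM product documentation; the department and description values, the domain, and the owner GUIDs are constructed placeholders, and the check that the Displayed Owner appears in the Owner list mirrors the rule stated above.

```powershell
# Added example: create a criteria-based security group via Import-FIMConfig.
# Placeholder values (criteria, domain, owner GUIDs) are constructed; replace them.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Membership criteria, as in the walkthrough: Department and Description.
# The Filter attribute wraps an XPath expression in the FIM filter envelope.
$xpath  = "/Person[Department = 'Finance' and Description = 'Analyst']"   # constructed
$filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
          'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
          'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
          'xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">' + $xpath + '</Filter>'

# ObjectIDs of the Person resources that will own the group (placeholder GUIDs).
$owners         = @('00000000-0000-0000-0000-000000000001',
                    '00000000-0000-0000-0000-000000000002')
$displayedOwner = '00000000-0000-0000-0000-000000000001'

# The Portal rejects a Displayed Owner that is not also an Owner; check it up front.
if ($owners -notcontains $displayedOwner) {
    throw 'DisplayedOwner must be one of the Owner values.'
}

# Builds one attribute change. Multi-valued attributes (Owner) need Add, not Replace.
function New-Change([string]$Name, [string]$Value, [string]$Operation = 'Replace') {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Enum]::Parse(
        [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = 1
    $c.Locale         = 'Invariant'
    return $c
}

$group = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$group.ObjectType             = 'Group'
$group.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
$group.TargetObjectIdentifier = $group.SourceObjectIdentifier
$group.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create

$group.Changes += New-Change 'DisplayName' 'Finance Analysts'
$group.Changes += New-Change 'AccountName' 'FinanceAnalysts'
$group.Changes += New-Change 'Domain'      'CONTOSO'        # placeholder domain
$group.Changes += New-Change 'Type'        'Security'
$group.Changes += New-Change 'Scope'       'Universal'
$group.Changes += New-Change 'Description' 'Criteria-based group for Finance analysts'
# "Criteria-based" member selection: lock manual membership and supply the filter.
$group.Changes += New-Change 'MembershipLocked'      'True'
$group.Changes += New-Change 'MembershipAddWorkflow' 'None'
$group.Changes += New-Change 'Filter' $filter
foreach ($o in $owners) { $group.Changes += New-Change 'Owner' $o 'Add' }
$group.Changes += New-Change 'DisplayedOwner' $displayedOwner

$group | Import-FIMConfig
```

As with the Portal submission, the resulting AD group is only updated on the next import/sync/export run of the synchronization engine.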

If, however, groups are not synchronizing correctly, be sure to check precedence settings for “group” objects under the “Metaverse Designer” tab in the synchronization engine.
