I’ve been having a bit of a play with the PowerShell interface to the FIM Portal. I wanted to pre-populate a demo environment with an interesting set of criteria-based Security and Distribution groups, but they get a bit tedious to create by hand, and I wanted to see if PowerShell was the answer.
I’m pretty pleased with the results. Both of the following scripts use a CSV to bulk-create the groups. The links have now been updated to their new home on the Technet Wiki:
How to Use Powershell to Create Criteria-Based Security Groups from a CSV File
How to Use Powershell to Create Manager-Based Distribution Lists from a CSV File
The scripts run pretty slowly, but it’s still quicker than creating the groups by hand.
If you want to have a go at a script like this (and you can’t find an example in the ever-growing FIM Scriptbox) then I suggest you create a sample object by hand and then inspect both the object’s Advanced Properties and the Details of the Request object which created it, for an idea of which attributes to populate.
While developing the scripts I saw the following error far more times than I would have liked:
Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException: Policy prohibits the request from completing.
After messing around with MPRs it eventually became clear that this just meant I had populated an attribute incorrectly, or missed one out, and was not about permissions at all.
Hi,
I’m just wondering, I would like to run your script above but also make it produce “mail enabled security groups” with email alias… I’m not fluent in PowerShell scripting so can you let me know how I would add these additional variables to the script?
stu
All you need to do is populate the Email and MailNickname attributes as well.
Thanks Carol
I’ve added the following to the following section:
# Create group and add attributes
$newGroup = CreateObject -objectType "Group"
I added:
SetAttribute -object $newGroup -attributeName "Email" -attributeValue $Email
SetAttribute -object $newGroup -attributeName "MailNickname" -attributeValue $MailNickname
and also put values in the csv for them…still no joy?
I got the following output…seems like the 2 new fields aren’t getting their value?:
PS C:\import> powershell c:\import\Groupimport.ps1
Email
MailNickname
DisplayName test
AccountName test
Domain FIM
Scope Global
Type Security
Filter /Person[(DepartmentMultiple = ‘ADMIN’)]
Description test csv with email fields
Owner 7fb2b853-24f0-4498-9534-4e10589723c4
DisplayedOwner 7fb2b853-24f0-4498-9534-4e10589723c4
MembershipLocked True
MembershipAddWorkflow None
SourceObjectIdentifier : c56586a8-3672-44b5-8894-3816846b1ac3
TargetObjectIdentifier :
ObjectType : Group
State : Create
Changes : {Email, MailNickname, DisplayName, AccountName…}
AnchorPairs :
Import-FIMConfig : Failure when making web service call.
SourceObjectID = c56586a8-3672-44b5-8894-3816846b1ac3
Error = Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The request message contains errors that
prevent processing the request.
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()
at Microsoft.ResourceManagement.Automation.ImportConfig.Create(String objectType, List`1 changeList)
at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
At C:\import\Groupimport.ps1:80 char:29
+ $newGroup | Import-FIMConfig <<<< -uri $URI
Group creation request complete
cheers
stu
I think your problem may be missing underscores. When referring to a variable taken from the csv you have to write it like “$_.Email”.
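The fix described in the reply above, combined with a pre-flight check for the blank or missing attributes that the post says were behind the misleading PermissionDeniedException, as an added example that is not part of the original post or its comments. The CSV rows, the `$required` list and the `Test-GroupRow` helper are constructed for illustration; no FIM cmdlets are called, so it runs without a portal.

```powershell
# Constructed sample CSV; column names follow the attributes in the output above.
$csv = @'
DisplayName,AccountName,Email,MailNickname,Filter
Admin Staff,adminstaff,adminstaff@example.com,adminstaff,"/Person[(DepartmentMultiple = 'ADMIN')]"
Sales Staff,salesstaff,,salesstaff,"/Person[(DepartmentMultiple = 'SALES')]"
'@ | ConvertFrom-Csv

# Columns this example treats as mandatory (an assumption; adjust to your schema).
$required = 'DisplayName', 'AccountName', 'Email', 'MailNickname', 'Filter'

# Hypothetical helper: returns the names of required columns that are blank in a row.
function Test-GroupRow {
    param($Row, [string[]]$Required)
    $Required | Where-Object { -not ([string]$Row.$_).Trim() }
}

$results = $csv | ForEach-Object {
    # Inside ForEach-Object the current CSV row is $_, so a column is $_.Email.
    # A bare $Email is an unrelated, unset variable and evaluates to $null,
    # which is how an empty attribute ends up in the request.
    $missing = @(Test-GroupRow -Row $_ -Required $required)
    New-Object PSObject -Property @{
        DisplayName = $_.DisplayName
        Email       = $_.Email
        Missing     = ($missing -join ',')
        Ready       = ($missing.Count -eq 0)
    }
}

# Show every row with the attributes it is missing, before anything is submitted.
$results | Select-Object DisplayName, Email, Missing, Ready | Format-Table -AutoSize

# Only rows with Ready = True should go on to SetAttribute / Import-FIMConfig.
$ready = @($results | Where-Object { $_.Ready })
"{0} of {1} rows ready for import" -f $ready.Count, @($csv).Count
```

With the constructed data the second row is reported as missing `Email`, so it can be corrected in the CSV instead of surfacing later as a web service fault.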
Great worked fine Carol…appreciate the prompt response…:)
Just one more thing…I want the “email enabled” box ticked…I put the following line into the set attribute…doesn’t seem to like it much? Any thoughts?
SetAttribute -object $newGroup -attributeName "EmailEnabling" -attributeValue $true
My end goal is to have mail enabled security groups…does the “email enabled” box need to be ticked even if I’ve already synced a group mail address across? I’m assuming it does so the email becomes a routable address within Exchange? I will put an alias in as well because I think it is a required field once the mail enabled box is ticked.
Stu
Since the first link isn’t working, I had a rummage in the FIM Script box, and I think it’s
http://social.technet.microsoft.com/wiki/contents/articles/2109.how-to-use-powershell-to-create-criteria-based-security-groups-from-a-csv-file-en-us.aspx
Yes that will be it. I’ve fixed the link now, thanks.