lithnet / resourcemanagement-powershell

Lithnet FIM/MIM Service PowerShell Module
MIT License

How to test connection and credentials #3

Closed teknowledgist closed 8 years ago

teknowledgist commented 8 years ago

Disclaimer: I am not a FIM admin! I am a technician/scripter in one division of a larger infrastructure.

I would love to use the LithnetRMA module to perform simple searches against the FIM server with manipulable returns. I'm really tired of either clicking through the Group Access Manager web interface and copy-paste-cleanup or waiting ridiculously long for the FIM Automation DLLs to retrieve the results.

How can I tell if I am making a connection to the FIM server with this module? When I try get-resource similar to your example, I'm getting "The attribute 'accountname' does not exist on this object".

Also, is there any way to pass credentials to these cmdlets?

Thanks.

ryannewington commented 8 years ago

Hi @teknowledgist,

The Set-ResourceManagementClient cmdlet will allow you to specify credentials. This cmdlet will connect to the FIM server and download the schema. If there is an error, it will throw an exception. Otherwise it will silently succeed.

Attribute names in the FIM service are case sensitive; the correct form of the attribute is AccountName.

Hope that helps

Ryan

teknowledgist commented 8 years ago

@ryannewington,

Ah! Proper case was what I missed. It seems to be working!

I'll play around with it, but would you be willing to give an example of querying for all groups of which a particular user is an owner? I'm stuck creating the XPathQuery. I tried:

$query = New-XPathQuery -AttributeName "Owner" -Operator Contains -Value $user.ObjectID

but I get 'The operator Contains is not compatible with data type Reference'.

Thanks!

ryannewington commented 8 years ago

@teknowledgist,

Glad it's working. Be aware that not all attributes are in proper case. You can get a list of all attribute names using the following cmdlet:

Search-Resources -XPath "/AttributeTypeDescription" -AttributesToGet @("Name") | ft Name

The 'Contains' operator is used to find a word in a string value. You can only use 'Equals' for reference types. Your full query should read as below:

$query = New-XPathQuery -AttributeName "Owner" -Operator Equals -Value $user.ObjectID
$expression =  New-XPathExpression -ObjectType Group -QueryObject $query
Search-Resources $expression

Also, you can bypass the expression builder if you know the XPath you want to search for

Search-Resources -XPath "/Group[Owner='$($user.ObjectID.Value)']"

Hope that helps
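The two points from the replies above (Set-ResourceManagementClient throws on a failed connection and is silent on success, and attribute names are case sensitive) combined into one check. This is an added example, not part of the thread or the module's own code; the `-BaseAddress` and `-Credentials` parameter names, the `Test-FimServiceConnection` and `Resolve-FimAttributeName` helper names, and the `http://fimsvc:5725` address are assumptions or placeholders.

```powershell
# Added example. Assumes the LithnetRMA module is installed and that
# Set-ResourceManagementClient accepts -BaseAddress and -Credentials.
Import-Module LithnetRMA

function Test-FimServiceConnection {
    # Hypothetical helper: returns $true if the connection and schema download succeed.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BaseAddress,
        [System.Management.Automation.PSCredential] $Credential
    )
    $clientArgs = @{ BaseAddress = $BaseAddress; ErrorAction = 'Stop' }
    if ($Credential) { $clientArgs.Credentials = $Credential }
    try {
        # Silent on success; throws if the service is unreachable or rejects the credentials.
        Set-ResourceManagementClient @clientArgs
        return $true
    }
    catch {
        Write-Warning "Connection to $BaseAddress failed: $($_.Exception.Message)"
        return $false
    }
}

function Resolve-FimAttributeName {
    # Hypothetical helper: maps a name typed in any case to the schema's exact spelling.
    param([Parameter(Mandatory)] [string] $Name)
    # -eq on strings is case-insensitive in PowerShell, so 'accountname' matches 'AccountName'.
    $match = Search-Resources -XPath "/AttributeTypeDescription" -AttributesToGet @("Name") |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1
    if (-not $match) { throw "No attribute named '$Name' exists in the schema." }
    return $match.Name
}

# Prompt for the account instead of embedding a password in the script.
$cred = Get-Credential
if (Test-FimServiceConnection -BaseAddress 'http://fimsvc:5725' -Credential $cred) {
    # Returns the schema's spelling of the attribute name.
    Resolve-FimAttributeName -Name 'accountname'
}
```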

teknowledgist commented 8 years ago

This is awesome! :+1: SOoooo much faster than the FIM Automation plugin.

One more question (for now :smile: )...

If I want to get info on all the users of a group, I can do this:

$xpathstring = "/Person[("
$Group.ExplicitMember.value | % {$xpathstring += "(ObjectID = '$_') or "}
$xpathstring = $xpathstring.trim(" or ") + ")]"
$Members = Search-Resources -XPath $xpathstring -AttributesToGet AccountName,DisplayName,ObjectID

but I'm concerned that the xpath string will get too long for large groups. Is there a direct Xpath method comparable to what I can do with an ADO SQL string like "SELECT Displayname, DistinguishedName FROM '$LDAP' WHERE memberOf='$groupDistName'"?

I'm guessing there must be since the FIM, Group Access Manager web interface shows the Display Name for group membership. I doubt it is using a clunky call like I generated above.

Thanks so much.

ryannewington commented 8 years ago

You should be able to use dereferencing

Search-Resources -XPath "/Group[ObjectID='<value>']/ComputedMember" -AttributesToGet AccountName,DisplayName,ObjectID

Also, it's much faster and less resource intensive to use the pipeline with search resources.

When you do $members = Search-Resources, you force the enumerator to get every user from the FIM service before the next call can proceed. This can take a large amount of RAM for big groups. Using the pipeline you can enumerate on the fly, and use minimal memory

Search-Resources -XPath "/Group[ObjectID='<value>']/ComputedMember" -AttributesToGet AccountName,DisplayName,ObjectID | % {
    Write-Host $_.DisplayName
}

Here are some good links that have lots of XPath examples:

https://msdn.microsoft.com/en-us/library/windows/desktop/ee652287(v=vs.100).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ff393652(v=vs.100).aspx

ryannewington commented 8 years ago

@teknowledgist did you need any further assistance with this or are you happy for me to close it?

teknowledgist commented 8 years ago

I think I am good for now. It works very well and fast! It's what Microsoft should have created for their own product.

I may end up with another question when I eventually get to the point of needing to make updates and not just queries, but not now.

Thank you very much.

ryannewington commented 8 years ago

@teknowledgist Thanks for the feedback. Feel free to open another issue if you run into any troubles.