Skip to main content

Identity Manager and Powershell

It is year 2016 and Identity Manager looks like it did in 2010 when Forefront Identity Manager (FIM) was released. Who came up with the name and added it to the Forefront portfolio anyway, crazy stuff. As you probably know, looks can be deceiving. Even if MIM looks the same and run basically the same features, it is still a powerful state machine. I have been buzy collecting scripts and tools I have used the last couple of years and have started on 2 Powershell modules for MIM. This post is just a brief introduction to the module and the plans for the future.

Why create a module

Wait a minute. Does not Identity Manager come with a Powershell module? No, it comes with a Powershell snap-in from 2010. Back in those days Snap-ins where the cool kids on the block and everybody created snap-ins for things that should be created as a module. I blame Powershell version 1.0, however they fixed that in Powershell version 2.0, I think. I use the snap-in as a nested module and have created a Powershell manifest for the snap-in. That way you can choose to load the snap-in as a module if you like (look in the FIMmodule folder for the manifest).

The Snap-In that comes with Identity Manager is very generic/crude and allows you to do almost anything you can in the Identity Manager portal. You just need to remember the syntax and the XPath queries that you need to run. Doable, nevertheless quite hard to remember and prone to producing errors. Hence the effort on my side to create a module that is easy to use and a lovely experience.

I also have a side project where I focus on Operation Validation in FIM/MIM using Pester. Pester is the Unit Test framework for Powershell and the Operation Validation framework from Microsoft. You can have a look at the unit test in this link “Operation Validation”. Point of this being an test you can run to validate you Identity Manager infrastructure and make sure that all the bells and whistles are working as they should. A nice way to detect if your infrastructure peers have installed a new domain controller you should install PCNS on!

Introducing the Identity Manager Powershell module

It is still work in progress and I am focusing in on the Get-CMDlets for all the different object types in FIM/MIM. Currently I have added the following cmdlets:

Name Description
Get-IMObject A generic cmdlet used by all of the Get-Cmdlets. It is responsible for running the core cmdlets in the Identity Manager snap-in
Get-IMObjectMember Used to list members of a group/set. It can list ComputedMembers or ExplicitMembers
Get-IMPerson Get person information
Get-IMPersonMembership Show person membership in Groups/sets
Get-IMSecurityGroup Show information about Security groups in Identity Manager
Get-IMSet Show information about Sets in Identity Manager
Get-IMSetUsage Show all related usage of a Set in Identity Manager
Get-IMXPathQuery Create simple XPath queries with hashtable
Out-IMAttribute Cast a ResourceManagementObject to a PSCustomObject Used by the Get-IMObject cmdlet

It is currently not on the PowershellGallery, however it will be in May 2016. The module will require Powershell version 4.0 (Windows Management Framework 4) or later. It may work with Powershell version 3.0, however I have not tested it with that version. It will work with either Forefront Identity Manager 2010 R2 or Microsoft Identity Manger 2016.

If you want to browse the code and have a look, you can visit the GitHub repro on this link.

Introducing the Identity Manager Synchronization Powershell module

But, wait, there is more :-) This month I will also publish a new Powershell module for the Synchronization engine in Identity Manager. Normally this would be executed as a VBscript per Microsoft. Nothing wrong with that and it works. I on the other hand would like to use Powershell to do this. Thankfully Microsoft has included a WMI/CIM namespace/class for Identity Manager that we can leverage to do this. My Identity Manager Synchronization module (IdentityManagerSynch) will support the following cmdlets:

Name Description
Get-IMManagementAgent List Management Agents or Agent details
Get-IMAgentRunProfile List the RunProfiles associated with an Agent
Get-IMAgentStatus List the last known status of an Agent
Invoke-IMAgentRunProfile Execute a RunProfile for an Agent
Invoke-IMManagementAgentMethod Invoke a CIM-method on the Agent

The cmdlets implement dynamic parameters for the agent and runprofile thus preventing you to try and start a runprofile that is not implemented in the agent. 

I may or may not include a cmdlet that enables you to search for Metaverse Objects. The synchronization client has a nice GUI that solves most issues and lets you poke around. From time to time I find myself wishing for a way to extract information from Metaverse that is not possible in the GUI.




Popular posts from this blog

Serialize data with PowerShell

Currently I am working on a big new module. In this module, I need to persist data to disk and reprocess them at some point even if the module/PowerShell session was closed. I needed to serialize objects and save them to disk. It needed to be very efficient to be able to support a high volume of objects. Hence I decided to turn this serializer into a module called HashData. Other Serializing methods In PowerShell we have several possibilities to serialize objects. There are two cmdlets you can use which are built in: Export-CliXml ConvertTo-JSON Both are excellent options if you do not care about the size of the file. In my case I needed something lean and mean in terms of the size on disk for the serialized object. Lets do some tests to compare the different types: (Hashdata.Object.ps1) You might be curious why I do not use the Export-CliXML cmdlet and just use the [System.Management.Automation.PSSerializer]::Serialize static method. The static method will generate t

Toying with audio in powershell

Controlling mute/unmute and the volume on you computer with powershell. Add-Type -TypeDefinition @' using System.Runtime.InteropServices; [Guid("5CDF2C82-841E-4546-9722-0CF74078229A"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IAudioEndpointVolume { // f(), g(), ... are unused COM method slots. Define these if you care int f(); int g(); int h(); int i(); int SetMasterVolumeLevelScalar(float fLevel, System.Guid pguidEventContext); int j(); int GetMasterVolumeLevelScalar(out float pfLevel); int k(); int l(); int m(); int n(); int SetMute([MarshalAs(UnmanagedType.Bool)] bool bMute, System.Guid pguidEventContext); int GetMute(out bool pbMute); } [Guid("D666063F-1587-4E43-81F1-B948E807363F"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IMMDevice { int Activate(ref System.Guid id, int clsCtx, int activationParams, out IAudioEndpointVolume aev); } [Guid("A95664D2-9614-4F35-A746-DE8DB63617E6"), Inte

Creating Menus in Powershell

I have created another Powershell module. This time it is about Console Menus you can use to ease the usage for members of your oranization. It is available on GitHub and published to the PowershellGallery . It is called cliMenu. Puppies This is a Controller module. It uses Write-Host to create a Menu in the console. Some of you may recall that using Write-Host is bad practice. Controller scripts and modules are the exception to this rule. In addition with WMF5 Write-Host writes to the Information stream in Powershell, so it really does not matter anymore. Design goal I have seen to many crappy menus that is a mixture of controller script and business logic. It is in essence a wild west out there, hence my ultimate goal is to create something that makes it as easy as possible to create a menu and change the way it looks. Make it easy to build Menus and change them Make it as "declarative" as possible Menus The module supports multiple Men