It is year 2016 and Identity Manager looks like it did in 2010 when Forefront Identity Manager (FIM) was released. Who came up with the name and added it to the Forefront portfolio anyway, crazy stuff. As you probably know, looks can be deceiving. Even if MIM looks the same and run basically the same features, it is still a powerful state machine. I have been buzy collecting scripts and tools I have used the last couple of years and have started on 2 Powershell modules for MIM. This post is just a brief introduction to the module and the plans for the future.
Why create a moduleWait a minute. Does not Identity Manager come with a Powershell module? No, it comes with a Powershell snap-in from 2010. Back in those days Snap-ins where the cool kids on the block and everybody created snap-ins for things that should be created as a module. I blame Powershell version 1.0, however they fixed that in Powershell version 2.0, I think. I use the snap-in as a nested module and have created a Powershell manifest for the snap-in. That way you can choose to load the snap-in as a module if you like (look in the FIMmodule folder for the manifest).
The Snap-In that comes with Identity Manager is very generic/crude and allows you to do almost anything you can in the Identity Manager portal. You just need to remember the syntax and the XPath queries that you need to run. Doable, nevertheless quite hard to remember and prone to producing errors. Hence the effort on my side to create a module that is easy to use and a lovely experience.
I also have a side project where I focus on Operation Validation in FIM/MIM using Pester. Pester is the Unit Test framework for Powershell and the Operation Validation framework from Microsoft. You can have a look at the unit test in this link “Operation Validation”. Point of this being an test you can run to validate you Identity Manager infrastructure and make sure that all the bells and whistles are working as they should. A nice way to detect if your infrastructure peers have installed a new domain controller you should install PCNS on!
Introducing the Identity Manager Powershell moduleIt is still work in progress and I am focusing in on the Get-CMDlets for all the different object types in FIM/MIM. Currently I have added the following cmdlets:
|Get-IMObject||A generic cmdlet used by all of the Get-Cmdlets. It is responsible for running the core cmdlets in the Identity Manager snap-in|
|Get-IMObjectMember||Used to list members of a group/set. It can list ComputedMembers or ExplicitMembers|
|Get-IMPerson||Get person information|
|Get-IMPersonMembership||Show person membership in Groups/sets|
|Get-IMSecurityGroup||Show information about Security groups in Identity Manager|
|Get-IMSet||Show information about Sets in Identity Manager|
|Get-IMSetUsage||Show all related usage of a Set in Identity Manager|
|Get-IMXPathQuery||Create simple XPath queries with hashtable|
|Out-IMAttribute||Cast a ResourceManagementObject to a PSCustomObject Used by the Get-IMObject cmdlet|
It is currently not on the PowershellGallery, however it will be in May 2016. The module will require Powershell version 4.0 (Windows Management Framework 4) or later. It may work with Powershell version 3.0, however I have not tested it with that version. It will work with either Forefront Identity Manager 2010 R2 or Microsoft Identity Manger 2016.
If you want to browse the code and have a look, you can visit the GitHub repro on this link.
Introducing the Identity Manager Synchronization Powershell moduleBut, wait, there is more :-) This month I will also publish a new Powershell module for the Synchronization engine in Identity Manager. Normally this would be executed as a VBscript per Microsoft. Nothing wrong with that and it works. I on the other hand would like to use Powershell to do this. Thankfully Microsoft has included a WMI/CIM namespace/class for Identity Manager that we can leverage to do this. My Identity Manager Synchronization module (IdentityManagerSynch) will support the following cmdlets:
|Get-IMManagementAgent||List Management Agents or Agent details|
|Get-IMAgentRunProfile||List the RunProfiles associated with an Agent|
|Get-IMAgentStatus||List the last known status of an Agent|
|Invoke-IMAgentRunProfile||Execute a RunProfile for an Agent|
|Invoke-IMManagementAgentMethod||Invoke a CIM-method on the Agent|
The cmdlets implement dynamic parameters for the agent and runprofile thus preventing you to try and start a runprofile that is not implemented in the agent.
I may or may not include a cmdlet that enables you to search for Metaverse Objects. The synchronization client has a nice GUI that solves most issues and lets you poke around. From time to time I find myself wishing for a way to extract information from Metaverse that is not possible in the GUI.