Correct group objects with: Dynamic group has static member

Sometimes I see warnings in the group UI of my dynamic groups telling me that “Dynamic group has static member”. Although you cannot add a static member to a dynamic group in the FIM Portal yourself, one can flow in through the Synchronization Engine, especially if you have equal precedence on the member attribute for groups. I need this setting, because groups can be managed both in the FIM Portal and in Active Directory.

So if someone adds a user in AD to a group which is a dynamic group in the FIM Portal, this change flows into the Portal and you get this warning. I am still working on a solution so that this will not happen in future.

I’ve tried to create a set to catch such groups in the Portal and maybe send a notification message or clean up such groups with a workflow, but I had no luck creating such a set. So I ended up in PowerShell once again to do this.

Here is my script to remove all static members from dynamic groups.

add-pssnapin FIMAutomation

# Dynamic groups (MembershipLocked = true) that have a Person object in ExplicitMember
$grouplist = Export-FIMConfig -only -custom "/Group[MembershipLocked = 'true' and ExplicitMember = /Person]"

If ($grouplist -eq $null) { Write-Host "There is no dynamic group with static member" ; exit }

foreach ($group in $grouplist) {
    # All static (explicit) members of this group, as urn:uuid:<GUID> references
    $memberlist = ($group.ResourceManagementObject.ResourceManagementAttributes | where {$_.AttributeName -eq "ExplicitMember"}).Values

    # Build a Put request against the existing group object
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = "Group"
    $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.State = 1   # ImportState Put

    foreach ($member in $memberlist) {
        # One Delete change per static member; the attribute value is the bare GUID
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $importChange.AttributeName = "ExplicitMember"
        $importChange.AttributeValue = $member.Replace("urn:uuid:","")
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        $importObject.Changes += $importChange
    }

    # Commit the removals for this group
    $importObject | Import-FIMConfig
}


The script currently only removes Person objects from the static members; you can modify it yourself if you also have Group objects in the ExplicitMember attribute of dynamic groups.
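As an added example (not the post’s own script), here is the same clean-up extended to catch Group as well as Person objects in ExplicitMember, split into a report step and a removal step so you can review with -WhatIf before anything is changed. It assumes the FIMAutomation snap-in is available and that the account running it may call Export-FIMConfig and Import-FIMConfig against the portal.

```powershell
# Added example, not the original post's script. Assumes the FIMAutomation
# snap-in is installed and the caller has rights on the FIM Service.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-DynamicGroupWithStaticMember {
    # Dynamic groups whose ExplicitMember holds a Person or a Group object
    $filter = "/Group[MembershipLocked = 'true' and (ExplicitMember = /Person or ExplicitMember = /Group)]"
    $groups = Export-FIMConfig -OnlyBaseResources -CustomConfig $filter
    foreach ($g in $groups) {
        $attrs   = $g.ResourceManagementObject.ResourceManagementAttributes
        $name    = ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }).Value
        $members = ($attrs | Where-Object { $_.AttributeName -eq 'ExplicitMember' }).Values
        [pscustomobject]@{
            DisplayName   = $name
            ObjectID      = $g.ResourceManagementObject.ObjectIdentifier
            StaticMembers = @($members | ForEach-Object { $_.Replace('urn:uuid:', '') })
        }
    }
}

function Remove-StaticMemberFromDynamicGroup {
    # Supports -WhatIf / -Confirm so the removal can be reviewed first
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $Group)
    process {
        if ($Group.StaticMembers.Count -eq 0) { return }
        $action = "Remove $($Group.StaticMembers.Count) static member(s)"
        if (-not $PSCmdlet.ShouldProcess($Group.DisplayName, $action)) { return }
        $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $import.ObjectType             = 'Group'
        $import.TargetObjectIdentifier = $Group.ObjectID
        $import.SourceObjectIdentifier = $Group.ObjectID
        $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
        foreach ($id in $Group.StaticMembers) {
            # One Delete change per static member, Person or Group alike
            $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
            $change.AttributeName  = 'ExplicitMember'
            $change.AttributeValue = $id
            $change.FullyResolved  = $true
            $change.Locale         = 'Invariant'
            $import.Changes += $change
        }
        $import | Import-FIMConfig
    }
}

# Report first; drop -WhatIf only once the list looks right
$found = Get-DynamicGroupWithStaticMember
$found | Select-Object DisplayName, @{n='StaticMembers';e={$_.StaticMembers.Count}} | Format-Table -AutoSize
$found | Remove-StaticMemberFromDynamicGroup -WhatIf
```

Keep the report output as a record of which groups were touched, since the portal warning disappears once the static members are gone.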



About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

3 Responses to Correct group objects with: Dynamic group has static member

  1. tmacstips says:

    Thank you for this script – it solved a problem for us (we also have equal precedence for AD and FIM group sync), where I wouldn’t have even known where to start looking.

  2. Shashidhar says:

    How to send a Welcome Email Notification when a user joins a Dynamic Group?

  3. Ross Currie says:

    Came in useful 4 years later. Funny though, I don’t remember setting up equal precedence on group membership!
