Correct group objects with: Dynamic group has static member


Sometimes the group UI of my dynamic groups shows the warning “Dynamic group has static member”. Although you cannot add static members to a dynamic group in the FIM Portal yourself, they can flow in through the Synchronization Engine, especially if the member attribute for groups has equal precedence. I need this setting, because groups can be managed both in the FIM Portal and in Active Directory.

So if someone adds a user in AD to a group that is a dynamic group in the FIM Portal, this change flows into the Portal and you get this warning. I am still working on a solution so that this does not happen in future.

I’ve tried to create a set to catch such groups in the Portal and maybe send a notification message or clean up such groups with a workflow, but I had no luck in creating such a set. So I ended up in PowerShell once again to do this.

Here is my script to remove all static members from dynamic groups.

Add-PSSnapin FIMAutomation

# Dynamic groups (MembershipLocked = true) that still carry Person objects in ExplicitMember
$grouplist = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Group[MembershipLocked = 'true' and ExplicitMember = /Person]"

If ($grouplist -eq $null) { Write-Host "There is no dynamic group with static member" ; exit }

foreach ($group in $grouplist)
{
    # Reference values come back as "urn:uuid:<GUID>" strings
    $memberlist = ($group.ResourceManagementObject.ResourceManagementAttributes | where {$_.AttributeName -eq "ExplicitMember"}).Values

    # One Put request per group, carrying one Delete change per static member
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = "Group"
    $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

    foreach ($member in $memberlist)
    {
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $importChange.AttributeName = "ExplicitMember"
        $importChange.AttributeValue = $member.Replace("urn:uuid:","")
        $importChange.FullyResolved = $true
        $importChange.Locale = "Invariant"
        $importObject.Changes += $importChange
    }

    $importObject | Import-FIMConfig
}

Notes:

The script currently only removes Person objects from the static members, because the XPath filter restricts ExplicitMember to /Person. You can adapt it on your own if dynamic groups in your environment also carry Group objects in the ExplicitMember attribute.
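Since a cleanup that silently drops memberships is hard to review afterwards, and the post above also mentions wanting a notification for affected groups, here is an added example (my own code, not the script from the post) that first reports which dynamic groups carry static members of any object type, and only removes them when run without -WhatIf. It assumes the FIMAutomation snap-in is installed, the account has rights to read and modify groups in the FIM Portal, and the function names and the widened XPath filter (`/*` instead of `/Person`, which catches Group members as well) are my own choices.

```powershell
# Added example: audit-first variant of the cleanup. Assumptions: FIMAutomation snap-in
# present, sufficient Portal rights, and the function names below are hypothetical.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Read one attribute from an ExportObject, single- or multi-valued.
function Get-FimAttribute {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Locked (dynamic) groups whose ExplicitMember holds a reference of any type.
function Get-DynamicGroupsWithStaticMembers {
    $xpath = "/Group[MembershipLocked = 'true' and ExplicitMember = /*]"
    Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath
}

# Resolve a "urn:uuid:<GUID>" reference to "ObjectType: DisplayName" for the report.
function Resolve-FimReference {
    param([string]$ObjectId)
    $guid = $ObjectId.Replace("urn:uuid:", "")
    $obj = Export-FIMConfig -OnlyBaseResources -CustomConfig "/*[ObjectID = '$guid']"
    if ($null -eq $obj) { return "$guid (not found)" }
    "{0}: {1}" -f (Get-FimAttribute $obj "ObjectType"), (Get-FimAttribute $obj "DisplayName")
}

function Repair-DynamicGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $groups = Get-DynamicGroupsWithStaticMembers
    if ($null -eq $groups) { Write-Host "No dynamic group has static members."; return }

    foreach ($group in @($groups)) {
        $groupName = Get-FimAttribute $group "DisplayName"
        $members   = @(Get-FimAttribute $group "ExplicitMember")
        Write-Host ("{0}: {1} static member(s)" -f $groupName, $members.Count)
        foreach ($m in $members) { Write-Host ("    " + (Resolve-FimReference $m)) }

        # With -WhatIf the report above is all that happens; otherwise clean up.
        if (-not $PSCmdlet.ShouldProcess($groupName, "Remove ExplicitMember values")) { continue }

        $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $import.ObjectType = "Group"
        $import.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
        $import.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
        $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
        foreach ($m in $members) {
            $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
            $change.AttributeName  = "ExplicitMember"
            $change.AttributeValue = $m.Replace("urn:uuid:", "")
            $change.FullyResolved  = $true
            $change.Locale         = "Invariant"
            $import.Changes += $change
        }
        $import | Import-FIMConfig
    }
}

# Report only (safe to run from a scheduled task and mail the output):
Repair-DynamicGroupMembers -WhatIf
# Actually remove the static members:
# Repair-DynamicGroupMembers
```

Resolving every member with its own Export-FIMConfig call is slow on large groups, but it gives you the display names you need for a notification before anything is deleted; if you only want the cleanup, drop the Resolve-FimReference loop.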


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

2 Responses to Correct group objects with: Dynamic group has static member

  1. tmacstips says:

    Thank you for this script – it solved a problem for us (we also have equal precedence for AD and FIM group sync), where I wouldn’t have even known where to start looking.

  2. Shashidhar says:

    How to send a Welcome Email Notification when a user joins a Dynamic Group?
