How to Use PowerShell to Test the FIM Management Agent Account

FIM ScriptBox Item

Summary

During the installation of FIM, you have to specify a user account that is used to run the FIM management agent (the FIM MA). The same account must be entered when you configure your FIM MA. If the FIM Service runs on a domain controller, the account must additionally be granted the "Allow log on locally" user right. If you configure the management agent with a different account, or if the account has not been granted the right to log on locally, a run profile on the FIM management agent will very likely fail with an error.

The PowerShell script below verifies that the account configured for your FIM management agent satisfies all of these prerequisites: the account name and SID stored in the registry match, the registry account matches the account in the MA's private configuration, and the account can actually log on interactively on this machine.

Script Code

#------------------------------------------------------------------------------------------------------
set-variable -name RegKey -value "hklm:\SYSTEM\CurrentControlSet\Services\FIMService" -option constant
set-variable -name URI    -value "http://localhost:5725/resourcemanagementservice"    -option constant
#------------------------------------------------------------------------------------------------------
write-host "`nFIM MA Account Test"
write-host "===================="
#------------------------------------------------------------------------------------------------------
#Read the FIM MA account configuration from the registry:
#The FIM Service stores both the account name and its SID; both must refer to the same principal.
write-host " -Reading registry configuration"
if((test-path $RegKey) -eq $false)
{throw "FIM registry key not found"}
$accountSid = (Get-ItemProperty "$RegKey").SynchronizationAccountSid
$sid = new-object System.Security.Principal.SecurityIdentifier $accountSid
$ntAccountFromSid = $sid.Translate([System.Security.Principal.NTAccount])
$ntAccountFromReg = (Get-ItemProperty "$RegKey").SynchronizationAccount
#Case-insensitive comparison (third argument $true = ignore case)
if(0 -ne [String]::Compare($ntAccountFromSid,$ntAccountFromReg, $true))
{throw "Registry FIM MA account name and SID don't match!"}
write-host " -FIM MA account name: $ntAccountFromSid"
write-host " -FIM MA account SID : $accountSid"
#------------------------------------------------------------------------------------------------------
#Read the FIM MA account configuration from MA:
write-host " -Reading MA configuration"
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0)
{add-pssnapin FIMAutomation}

#Export only the FIM MA object (ma-data with SyncConfig-category 'FIM') from the FIM Service
$exportData = export-fimconfig -uri $URI `
                               -onlyBaseResources `
                               -customconfig ("/ma-data[SyncConfig-category='FIM']")
if($exportData -eq $null) {throw "There is no FIM MA configured on your system"}

#The MA account lives in the private-configuration XML as <connection-info><domain/><user/>
$privateData = $exportData.ResourceManagementObject.ResourceManagementAttributes | `
               Where-Object {$_.AttributeName -eq "SyncConfig-private-configuration"}

[xml]$xmlPrivate = $privateData.Value
$ntAccountFromMA = $xmlPrivate.selectSingleNode("//connection-info/domain").get_InnerText() + `
                   "\" + `
                   $xmlPrivate.selectSingleNode("//connection-info/user").get_InnerText()

if(0 -ne [String]::Compare($ntAccountFromReg,$ntAccountFromMA, $true))
{throw "Registry configuration and FIM MA configuration for MA account don't match!"}
#------------------------------------------------------------------------------------------------------
#Test an interactive logon as the MA account: runas prompts for the password and fails
#(e.g. error 1385) if the account lacks the "Allow log on locally" right.
$a = [char]34     # double-quote character used to wrap the command line
$startinfo = new-object diagnostics.processstartinfo
$startinfo.filename        = "runas"
$startinfo.arguments       = "/user:$ntAccountFromMA " + $a + "cmd /c" + $a
$startinfo.RedirectStandardError = $true
$startinfo.UseShellExecute = $false

$process=[Diagnostics.Process]::Start($startinfo)
#Read stderr before WaitForExit so a full pipe cannot block the child process
$stderr = $process.StandardError.ReadToEnd()
$process.WaitForExit()

write-host "`n"
if($process.exitcode -eq 0){write-host "Command completed successfully`n"}
else {throw "runas failed with exit code $($process.exitcode): $stderr"}
#------------------------------------------------------------------------------------------------------
#A trap applies to the whole script scope, so every throw above ends up here
trap
{
   Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
   Exit
}
#------------------------------------------------------------------------------------------------------
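The runas step above proves the interactive logon works, but it needs the account's password typed at the prompt. As an added example that is not part of the ScriptBox script, the following reads the effective "Allow log on locally" and "Deny log on locally" assignments with secedit and checks them against the SID stored in the same FIMService registry key. It assumes an elevated PowerShell session; grants made through group membership are listed but not expanded.

```powershell
# Added example, not part of the original ScriptBox script: check the local-logon
# user rights for the FIM MA account without a runas password prompt.
# Assumes only the registry key the page already uses; requires an elevated shell.
$RegKey = "hklm:\SYSTEM\CurrentControlSet\Services\FIMService"
$accountSid = (Get-ItemProperty $RegKey).SynchronizationAccountSid
if (-not $accountSid) { throw "SynchronizationAccountSid not found under $RegKey" }

# secedit exports the effective security database as an INI-style file;
# each user right is a line of comma-separated '*SID' entries.
$cfg = Join-Path $env:TEMP "fim-user-rights.inf"
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated PowerShell" }

function Get-RightSids([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }          # right not assigned to anyone
    (($line -split "=", 2)[1] -split ",") |
        ForEach-Object { $_.Trim().TrimStart("*") } |
        Where-Object { $_ }
}

function Resolve-Sid([string]$Sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $Sid }                          # keep unresolvable SIDs as-is
}

$allow = Get-RightSids "SeInteractiveLogonRight"
$deny  = Get-RightSids "SeDenyInteractiveLogonRight"
Remove-Item $cfg -ErrorAction SilentlyContinue

Write-Host "FIM MA account      : $(Resolve-Sid $accountSid)"
Write-Host "Allow log on locally: $(($allow | ForEach-Object { Resolve-Sid $_ }) -join ', ')"
Write-Host "Deny log on locally : $(($deny  | ForEach-Object { Resolve-Sid $_ }) -join ', ')"

# A deny assignment always overrides an allow assignment.
if ($deny -contains $accountSid) {
    Write-Host "FAIL: account is explicitly denied local logon" -ForegroundColor Red
} elseif ($allow -contains $accountSid) {
    Write-Host "OK: account is granted local logon directly" -ForegroundColor Green
} else {
    # The right may still come from a group in the allow list; compare it with the
    # account's group membership before concluding the prerequisite is missing.
    Write-Host "CHECK: account not listed directly; verify its groups against the allow list" -ForegroundColor Yellow
}
```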


Note

To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

See Also