When a security group is renamed in the FIM Portal, the AccountName and DisplayName attributes are changed. I faced a project where the existing SGs were scattered all over the directory, so coexistence had to be managed carefully: one could not set up a sync rule in the Portal for FIM to build the DN without possibly causing some havoc. So I did not want to take the system-state approach of having FIM rename the SG (using attribute flows to make the change), but rather do the rename directly in AD.
We need a solution that will ensure that a group renamed in the FIM Portal changes the following 5 attributes of the same group in AD:
- Canonical name (CN)
- DisplayName
- Name
- Distinguished name (DN)
- sAMAccountName
- I searched the FIM Request created after renaming a group and could not find the old name of the group, so I decided to create a group attribute to store it. Extend the FIM Portal schema and create a new group attribute called "GroupDispName". This will keep the AD name of the group and will only be updated by the inflow from AD to the Portal. Create a binding called "GroupDispName" to bind the new attribute to the Group object.
- Add the new attribute to synchronization MPRs.
- Refresh the schema of the FIM Service MA in the sync engine.
- Create a new MV group field called “GroupDispName”
- In the FIM Service MA, configure the MV group DisplayName to flow to the FIM Service GroupDispName, and the FIM Service GroupDispName to flow to the MV GroupDispName.
- Run a Full Sync and an export on the FIM Service MA to populate the Portal GroupDispName with the MV group DisplayName.
- We are going to use a PowerShell script that calls the AD PowerShell cmdlets. These are compiled against .NET 4.0, while the FIM workflow is compiled against .NET 3.5 and by default runs PowerShell 2.0. A workaround is to call PowerShell 3.0 from the PowerShell window.
- Give the FIM Portal service account rights to manage groups in AD since the script is going to run under this account.
- Set up a PowerShell workflow to run when a group is renamed. You can build your own custom PowerShell workflow or use one from Codeplex; the one by Brian Desmond & Craig Martin is arguably the most stable. Create a PowerShell script to run in the workflow, and run it with this command: "powershell -version 3.0 c:\RenamingSGgroup.ps1 $fimwf.TargetId.Guid". $fimwf.TargetId.Guid is the ObjectID of the target group whose name is being changed (if you are using BD&CM's PowerShell workflow). The PowerShell script will:
- Get the new DisplayName of the changed group from the request using XPath.
- Check whether the GroupDispName is different from the request group DisplayName.
- If the name is different, rename the corresponding group in AD. The script uses Rename-ADObject for CN, DisplayName, Name and DN, and Set-ADGroup for the sAMAccountName.
- Attach the workflow to an MPR for group updates. It is advisable to create a separate MPR for renaming a group: make the target attribute DisplayName and select Modify. This way your workflow is only triggered when the DisplayName is changed. Do not use a permission MPR or any of the default MPRs.
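One way to write the script the workflow calls, as an added example that is not part of the original post or of the Codeplex workflow. It assumes the FIMAutomation snap-in's Export-FIMConfig to read the group resource by ObjectID (the post reads the Request instead), the ActiveDirectory module, and the "GroupDispName" attribute holding the group's current AD name; DisplayName and sAMAccountName are set with Set-ADGroup, since Rename-ADObject itself only rewrites CN, Name and the DN.

```powershell
# Added example script (not the original post's): rename an AD security group to match
# the DisplayName just set in the FIM Portal. Invoked from the workflow as
#   powershell -version 3.0 C:\RenamingSGgroup.ps1 <group ObjectID GUID>
# Assumes the FIMAutomation snap-in, the ActiveDirectory module, and the custom
# GroupDispName attribute that holds the group's current AD name.
param([Parameter(Mandatory = $true)][string]$GroupObjectId)

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Read the FIM group resource by ObjectID: it carries both the new DisplayName
# and the stored AD name (GroupDispName).
$xpath    = "/Group[ObjectID='$GroupObjectId']"
$fimGroup = Export-FIMConfig -CustomConfig $xpath -OnlyBaseResources
if (-not $fimGroup) { throw "FIM group $GroupObjectId not found" }

$attrs = @{}
foreach ($a in $fimGroup.ResourceManagementObject.ResourceManagementAttributes) {
    $attrs[$a.AttributeName] = $a.Value
}
$newName = $attrs['DisplayName']
$oldName = $attrs['GroupDispName']

# Nothing to do unless the Portal name differs from the name AD currently has.
if ([string]::IsNullOrEmpty($newName) -or $newName -eq $oldName) { return }

# Locate the AD group by its current (old) name rather than by DN, since the groups
# live in many OUs; stop if the lookup is ambiguous or the new name is already taken.
$adGroup = @(Get-ADGroup -Filter { Name -eq $oldName })
if ($adGroup.Count -ne 1) {
    throw "Expected exactly one AD group named '$oldName', found $($adGroup.Count)"
}
if (Get-ADGroup -Filter { (Name -eq $newName) -or (SamAccountName -eq $newName) }) {
    throw "An AD group already uses the name '$newName'; aborting rename"
}

# Rename-ADObject rewrites CN and Name, and therefore the DN, in place (same OU).
# DisplayName and sAMAccountName are separate attributes, set with Set-ADGroup.
# The DN changes after the rename, so the second call addresses the group by GUID.
Rename-ADObject -Identity $adGroup[0].DistinguishedName -NewName $newName
Set-ADGroup -Identity $adGroup[0].ObjectGUID -DisplayName $newName -SamAccountName $newName
Write-Output "Renamed AD group '$oldName' to '$newName'"
```

The script runs under the FIM Service account, so that account needs the AD rights described above; the collision check keeps a Portal rename from silently failing or clashing with an existing group.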