FIM Portal 2010: Filtering on a Date Time Field

So the FIM Portal does not allow you to reference a temporal Set, that is a criteria based set, in a filter for another Set. To be more specific a temporal Set that has a Date Time field such as Employee End date or Expiration Time as one of the criteria.

I actually tested with Sets where the criteria was a string field and it worked well. But what I wanted was to create a Set, lets call it “Contractor AD accounts without Expiration Time” with the following criteria

  • Employee Type is Contractor
  • Manager is Present
  • Expiration Time is not Present
  • Account is Enabled

For Expiration Time, there is no option to do a not Present so I created a Set which contains all users that have the Expiration Time value. So lets call the Set “Users with Expiration Time“. The criteria for the Set, is User matches any

  • Expiration Time prior to 1 day from Today
  • Expiration Time after Today

So in Contractor AD accounts without Expiration Time I put as a criteria “ResourceID not in Users with Expiration Time“. And then I get “Access Denied”, the Set update refuses to save. I research and find out I have come up against the Set filter rule.

The option then is to populate the Set Contractor AD accounts without Expiration Time via PowerShell and XPath filter. Not the best since it isn’t dynamic but not a big deal since actually this is a one time task I want to do. But if I had to do this constantly I guess one has to schedule the PowerShell to run and also code it to do deltas only. Here is the XPath filter I used in the PowerShell script

#Get the objectID
$PersonAccounts = GetFIMObjects -filter “/Person[not(ExpirationTime >= ‘1900-01-01T00:00:00.000’) and IsManagerPresent = ‘True’ and msDSUserAccountEnabled = ‘True’ and starts-with(EmployeeType,’Contractor’)]”

If ($PersonAccounts -ne $null){
    foreach ($PersonAccount in $PersonAccounts){…….Update the Set

Some Notes

  1. IsManagerPresent I have talked about in a previous post
  2. msDSUserAccountEnabled I create this as a standard field in my FIM Portal to show True or False if an account is enabled in AD. Based on the UAC code. Very useful for filtering.

3 thoughts on “FIM Portal 2010: Filtering on a Date Time Field

  1. The xPath filter /Person[not(ExpirationTime >= ‘1900-01-01T00:00:00.000’)] does not seem to work in MIM anymore.
    I allways get the error message in eventlog “This negation filter is not supported”.
    Any idea on how to fix this?


    • Hi Chris

      Works fine for me. I just ran this PS command, using Lithnet PS on my MIM 2016 server

      $obj=search-resources -Xpath “/Person[not(ExpirationTime >= ‘1900-01-01T00:00:00.000’)]”

      Got no errors



  2. It’s better to use two sets, one to detect “is present” and the other for “not present.” The “Is Present” set uses a very early date, such as Jan 1st, 1900 and allows any date after. The is “Not Present” set filters on Resource ID and “is not in” the “Is Present” set.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s