FIM 2010 R2: Limit the membership count of a Group

Now that the FIM WAL is public, we can try out some good ideas without having to develop a custom activity or resort to PowerShell. Here is the scenario:

I have a security group and I do not want the membership to exceed 2. Preferably I want this validation to occur when the submit button is pressed and not after.


  1. Create an Authorization Workflow activity.
  2. In the workflow activity, select the request validation option (this is added when FIM WAL is installed).
  3. In the condition line, add the code to:
     - check the number of current members – Count([//Target/ExplicitMember]) – a
     - check the number of adds – Count([//Delta/ExplicitMember/Added]) – b
     - check the number of removes – Count([//Delta/ExplicitMember/Removed]) – c
  4. The condition is a + b - c < 3, so it should be something like this:

LessThan(Subtract(Add(Count([//Target/ExplicitMember]) , Count([//Delta/ExplicitMember/Added])), Count([//Delta/ExplicitMember/Removed]) ),3)

On the right-hand side, add an error message like “You cannot have more than 2 members in the Security Group [//Target/DisplayName]”.

  1. Set up an MPR to trigger the workflow when an Add is done to the security group. The target set is one that contains the SG you want to limit (if there isn’t one, you can create a set), and the target attribute is ExplicitMember.
  2. Now, when someone tries to add members and the net result would be greater than 2 members, they will get “Access Denied”.
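
The condition can be checked offline before it goes into the workflow. The following is an added example, not code from the original post or from FIM WAL: a small Python model that parses the expression above and evaluates it against constructed membership data. It supports only the four functions used here; `request_allowed` and the member names are assumptions for illustration.

```python
import re

# Simplified model of the four functions used in the condition (not WAL's evaluator).
FUNCS = {
    "Count": lambda values: len(values),
    "Add": lambda a, b: a + b,
    "Subtract": lambda a, b: a - b,
    "LessThan": lambda a, b: a < b,
}
TOKEN = re.compile(r"\s*(\[[^\]]+\]|\d+|[A-Za-z]+|[(),])")

def tokenize(expr):
    """Split the expression into lookups, integers, function names and punctuation."""
    expr, pos, out = expr.rstrip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        out.append(m.group(1))
        pos = m.end()
    return out

def evaluate(tokens, lookups):
    """Recursive-descent evaluation; consumes tokens from the front of the list."""
    tok = tokens.pop(0)
    if tok.startswith("["):                 # lookup such as [//Target/ExplicitMember]
        return lookups.get(tok[1:-1], [])   # missing attribute counts as empty
    if tok.isdigit():
        return int(tok)
    if tok not in FUNCS or tokens.pop(0) != "(":
        raise ValueError(f"unsupported token {tok!r}")
    args = []
    while True:
        args.append(evaluate(tokens, lookups))
        sep = tokens.pop(0)
        if sep == ")":
            return FUNCS[tok](*args)
        if sep != ",":
            raise ValueError(f"expected ',' or ')', got {sep!r}")

CONDITION = ("LessThan(Subtract(Add(Count([//Target/ExplicitMember]) , "
             "Count([//Delta/ExplicitMember/Added])), "
             "Count([//Delta/ExplicitMember/Removed]) ),3)")

def request_allowed(current, added, removed):
    """True when the request passes validation (a + b - c < 3)."""
    lookups = {"//Target/ExplicitMember": current,
               "//Delta/ExplicitMember/Added": added,
               "//Delta/ExplicitMember/Removed": removed}
    return evaluate(tokenize(CONDITION), lookups)
```

A single request that removes one member and adds another to a full group passes, because the condition is evaluated on the net result.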
