MIM 2016: finding & removing orphaned users and groups in MIM Portal
Introduction
For various reasons (from misconfiguration to system disaster recovery), you can end up with orphaned users and groups in the MIM Portal.
The scripts below let you run a query against the MIM Sync database to list the ghost objects, export that result to CSV, and then feed the CSV to a PowerShell script that runs against the MIM Service to remove those users and groups from the MIM Portal.
Note
The objects we're looking for are identity objects (users and groups) that are connected only through the MIM/FIM MA, with no connector in any other management agent.
In this article these are therefore called "ghost" objects.
The term 'orphaned' object in the MIM Portal has a different meaning: it refers to an object that is missing its sync rules, workflow or MPR.
Steps
- Run an SQL query to locate the ghost objects (users, groups only connected to the FIM MA) on the MIM Sync Database
- Export the query results to CSV
- Feed the CSV to a PowerShell script that deletes the objects through the MIM Service
SQL
Note
Run any ad-hoc query on the MIM databases with the WITH (NOLOCK) table hint so the query takes no shared locks that could block or deadlock the sync engine. NOLOCK permits dirty reads, so run the query while the sync engine is idle (no run profiles in progress) and treat the result as a snapshot to be verified before deleting anything.
-- Ghost objects: FIM MA connector-space users/groups whose metaverse object has exactly one connector.
-- The rdn of a FIM MA connector-space object is the ObjectID (GUID) of the MIM Service resource.
-- The alias ObjectType gives the CSV export the header the PowerShell script expects.
-- <FIM MA GUID> is the ma_id of the FIM/MIM Service MA (column ma_id in mms_management_agent).
select rdn, object_type as ObjectType
from [FIMSynchronizationService].[dbo].[mms_connectorspace] with(nolock)
where object_type in ('Person','Group')
  and ma_id = '<FIM MA GUID>'
  and object_id in
  (
    select csmv2.cs_object_id
    from [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv2 with(nolock)
    where csmv2.mv_object_id in
    (
      select csmv1.mv_object_id
      from [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv1 with(nolock)
      group by csmv1.mv_object_id
      having count(csmv1.cs_object_id) = 1
    )
  )
order by ObjectType
Export to CSV
Export the results of the above query to a CSV file with a header row. Import-Csv uses the header row to name the properties it creates, so the column names must match exactly what the PowerShell script reads:
- Column 1: the object's identifier in the MIM Portal (the rdn of the FIM MA connector-space object, which is the MIM Service ObjectID GUID), must be named 'rdn'
- Column 2: the object type (Person or Group), must be named 'ObjectType'
PowerShell
Run the PowerShell script below on the MIM Service/Portal server with an account that has MIM Portal admin rights (the right to delete users and groups in the Portal). The script takes one argument: the path to the CSV file.
If you want to run the script remotely, change the URI constant so it points to the FIM/MIM Service server (port 5725) instead of localhost.
<#
 Useful links
 http://www.wapshere.com/missmiis/using-powershell-to-update-fim-portal-objects-from-a-csv
 https://social.technet.microsoft.com/Forums/en-US/a5486d43-7e76-4d1e-b906-9fbecf6a600a/using-powershell-to-delete-a-user-in-the-fim-portal?forum=ilm2
 https://www.petri.com/powershell-import-csv-cmdlet-parse-comma-delimited-csv-text-file
#>
#----------------------------------------------------------------------------------------------------------
# MIM Service endpoint; replace localhost with the MIM Service server name when running remotely
Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant
#----------------------------------------------------------------------------------------------------------
function DeleteObject {
    PARAM ($objectId, $objectType)
    END {
        # Build an ImportObject whose State is Delete (ImportState.Delete = 2) and submit it to the MIM Service
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType             = $objectType
        $importObject.TargetObjectIdentifier = $objectId
        $importObject.SourceObjectIdentifier = $objectId
        $importObject.State                  = 2
        $importObject | Import-FIMConfig -Uri $URI
    }
}
#----------------------------------------------------------------------------------------------------------
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }
Clear-Host

# The script expects one parameter: the CSV file that lists the objects to delete
if ($args.Count -ne 1) { throw "Missing file parameter" }
$CSVFile = $args[0]

# Parse the CSV file. Import-Csv relies on the header row, so the columns must be named 'rdn' and 'ObjectType'.
$CSVList = Import-Csv $CSVFile
$CSVList

foreach ($object in $CSVList) {
    <#
     Built-in MIM Service objects that must never be deleted:
     Installer Account / Default Admin : 7fb2b853-24f0-4498-9534-4e10589723c4
     Built-in Synchronization Account  : fb89aefa-5ea1-47f1-8890-abe7797d6497
     FIM Service Account               : e05d1f1b-3d5e-4014-baa6-94dee7d68c89
     Anonymous                         : b0b36673-d43b-4cfa-a7a2-aff14fd90522
    #>
    $object
    if (0 -eq [String]::Compare($object.rdn, "7fb2b853-24f0-4498-9534-4e10589723c4", $true)) { throw "You can't delete the Installer account" }
    if (0 -eq [String]::Compare($object.rdn, "fb89aefa-5ea1-47f1-8890-abe7797d6497", $true)) { throw "You can't delete the Built-in Synchronization Account" }
    if (0 -eq [String]::Compare($object.rdn, "e05d1f1b-3d5e-4014-baa6-94dee7d68c89", $true)) { throw "You can't delete the FIM Service Account" }
    if (0 -eq [String]::Compare($object.rdn, "b0b36673-d43b-4cfa-a7a2-aff14fd90522", $true)) { throw "You can't delete Anonymous" }

    try {
        DeleteObject -objectType $object.ObjectType -objectId $object.rdn
        Write-Host "`nObject deleted successfully`n"
    }
    #----------------------------------------------------------------------------------------------------------
    catch {
        $exMessage = $_.Exception.Message
        if ($exMessage.StartsWith("L:")) {
            Write-Host "`n" $exMessage.Substring(2) "`n" -ForegroundColor White -BackgroundColor DarkBlue
        }
        else {
            Write-Host "`nError: " $exMessage "`n" -ForegroundColor White -BackgroundColor DarkRed
        }
        Exit
    }
    #----------------------------------------------------------------------------------------------------------
}
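The following is an added example, not the article's script or the TN Gallery download, showing a hardened version of the same bulk delete: it checks the CSV header and GUID format, refuses the built-in accounts, confirms through Export-FIMConfig that each object still exists in the MIM Service with the expected type before deleting it, supports -WhatIf and -Confirm, and logs every result. The default URI, the log path and the XPath form /Person[ObjectID='...'] passed to Export-FIMConfig -CustomConfig are assumptions about the environment; the protected ObjectIDs are the same four listed in the script above.

```powershell
<#
 Added example (not the article's script). Hardened bulk delete of ghost users/groups:
 validate the CSV, skip protected built-ins, verify the object in the MIM Service, then delete.
 Assumptions: MIM Service on localhost:5725, FIMAutomation snap-in installed,
 and that /<Type>[ObjectID='<guid>'] is a valid XPath filter for Export-FIMConfig.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [string]$Uri     = "http://localhost:5725/resourcemanagementservice",   # assumed endpoint
    [string]$LogPath = ".\ghost-delete.log"                                   # assumed log location
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

# Built-in MIM Service objects that must never be deleted (ObjectIDs from the article's script).
# PowerShell hashtable keys are case-insensitive, so GUID casing in the CSV does not matter.
$Protected = @{
    '7fb2b853-24f0-4498-9534-4e10589723c4' = 'Installer account / default admin'
    'fb89aefa-5ea1-47f1-8890-abe7797d6497' = 'Built-in Synchronization Account'
    'e05d1f1b-3d5e-4014-baa6-94dee7d68c89' = 'FIM Service Account'
    'b0b36673-d43b-4cfa-a7a2-aff14fd90522' = 'Anonymous'
}
$AllowedTypes = @('Person', 'Group')

# 1. Load the CSV and make sure the header carries exactly the columns the delete needs
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "CSV '$CsvPath' contains no rows" }
foreach ($col in 'rdn', 'ObjectType') {
    if (-not ($rows[0].PSObject.Properties.Name -contains $col)) { throw "CSV is missing the '$col' column" }
}

# 2. Per-row sanity checks; returns $null when the row is acceptable, otherwise the reason to skip it
function Test-GhostRow {
    param($Row)
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Row.rdn, [ref]$guid)) { return "rdn is not a GUID: '$($Row.rdn)'" }
    if ($Protected.ContainsKey($Row.rdn))            { return "protected built-in object ($($Protected[$Row.rdn]))" }
    if ($AllowedTypes -notcontains $Row.ObjectType)  { return "unexpected ObjectType '$($Row.ObjectType)'" }
    return $null
}

# 3. Look the object up in the MIM Service by ObjectID; OnlyBaseResources keeps the export small
function Get-PortalObject {
    param([string]$ObjectType, [string]$ObjectId)
    $filter = "/$ObjectType[ObjectID='$ObjectId']"
    Export-FIMConfig -Uri $Uri -CustomConfig $filter -OnlyBaseResources -ErrorAction Stop
}

# 4. Same delete as the article's DeleteObject: an ImportObject with State = ImportState.Delete (2)
function Remove-PortalObject {
    param([string]$ObjectType, [string]$ObjectId)
    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = $ObjectType
    $import.TargetObjectIdentifier = $ObjectId
    $import.SourceObjectIdentifier = $ObjectId
    $import.State                  = 2
    $import | Import-FIMConfig -Uri $Uri -ErrorAction Stop
}

$deleted = 0; $skipped = 0
foreach ($row in $rows) {
    $reason = Test-GhostRow $row
    if ($reason) { Write-Warning "Skipping row: $reason"; $skipped++; continue }

    # Refuse to delete unless exactly one object of that type and ID is visible in the MIM Service
    $existing = @(Get-PortalObject -ObjectType $row.ObjectType -ObjectId $row.rdn)
    if ($existing.Count -ne 1) {
        Write-Warning "Skipping $($row.rdn): found $($existing.Count) $($row.ObjectType) objects in the MIM Service"
        $skipped++; continue
    }

    # ConfirmImpact=High means each delete prompts unless -Confirm:$false is passed; -WhatIf only reports
    if ($PSCmdlet.ShouldProcess("$($row.ObjectType) $($row.rdn)", "Delete from MIM Service")) {
        try {
            Remove-PortalObject -ObjectType $row.ObjectType -ObjectId $row.rdn
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) DELETED $($row.ObjectType) $($row.rdn)"
            $deleted++
        }
        catch {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) FAILED  $($row.ObjectType) $($row.rdn): $($_.Exception.Message)"
            Write-Error "Delete of $($row.ObjectType) $($row.rdn) failed: $($_.Exception.Message)"
        }
    }
}
Write-Host "Deleted: $deleted, skipped: $skipped (log: $LogPath)"
```

Run it first as `.\Remove-GhostObjects.ps1 -CsvPath .\ghosts.csv -WhatIf` to see what would be deleted, then with `-Confirm:$false` for an unattended run; the per-object lookup is what turns a stale CSV (exported before a sync run that re-connected the object) into a skipped row rather than a wrong delete.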
Download
You can download the scripts from the TechNet Gallery:
- SQL script: MIM - Export ghost users (MIM MA only) to CSV
- PowerShell: Bulk delete MIM2016 users from MIM Portal with SID
References
- http://www.wapshere.com/missmiis/using-powershell-to-update-fim-portal-objects-from-a-csv
- https://social.technet.microsoft.com/Forums/en-US/a5486d43-7e76-4d1e-b906-9fbecf6a600a/using-powershell-to-delete-a-user-in-the-fim-portal?forum=ilm2
- https://www.petri.com/powershell-import-csv-cmdlet-parse-comma-delimited-csv-text-file