Using Security Groups

Microsoft® Forefront Identity Manager (FIM) 2010 R2 creates three groups during installation that control which tasks in Synchronization Service Manager that users can perform. The following groups are created by FIM:

  • FIMSyncAdmins—Members of this group have full access to everything in Synchronization Service Manager.

  • FIMSyncOperators—Members of this group have access to Operations in the Synchronization Service Manager only. FIMSyncOperators can run management agents, view synchronization statistics for each run, and save the run histories to a file. Members of the FIMSyncOperators group must also be members of the FIMSyncBrowse group to open links in synchronization statistics.

  • FIMSyncJoiners—Members of this group have access to Joiner and Metaverse Search in Synchronization Service Manager. FIMSyncJoiners can join or project disconnectors by using Joiner, and they can use Metaverse Search to view object properties and disconnect objects from the metaverse.


During installation and setup, FIM adds the user account that is running the installation to the FIMSyncAdmins group, but only if the FIMSyncAdmins group is also created during setup. If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group.

FIM also creates two security groups during installation that do not have access to Synchronization Service Manager but are used for authentication during password management operations:

  • FIMSyncBrowse—Members of this group have permission to gather information about a user's lineage when resetting passwords by using Windows Management Instrumentation (WMI) queries.

  • FIMSyncPasswordSet—Members of this group have permission to perform all operations by using the password management interfaces with WMI. Members in this group inherit all FIMSyncBrowse permissions. For more information about setting passwords by using WMI, see the FIM Developer Reference.

The following table lists the permissions granted during the default FIM installation.


Special permission is defined as all permissions, with the following exceptions:

  • Full Control

  • Change permission

  • Take Ownership


The default location of INSTALLDIR is Program Files\Microsoft Forefront Identity Server\2010\Synchronization Service

Folder Assigned Permissions


(Inherited from Program Files)

Administrators – Full Control

SYSTEM – Full Control

Creator Owner – Special

TrustedInstaller – Special

Users – Read & Execute






Inherit from parent.





Does not inherit from parent.

Permissions removed:

  • Users – Read & Execute

Permissions assigned:

  • FIMSyncServiceSvc – Special

  • FIMSyncAdmins – Special


Inherit from parent.

Program Files\Common Files\Microsoft Shared\Forefront Identity Manager

Inherit from parent.


Does not inherit from parent.

Permissions assigned:

  • FIMSyncServiceSvc – Special


The local computer administrator account also has full rights to all FIM folders.

Local computer groups and domain local groups

By default, FIM setup creates these groups as local computer groups, rather than domain local groups. Local computer groups are known only to that server, whereas domain local groups can be recognized throughout the domain. There might be cases where you need to use domain local groups for these roles. For example, the following situations demonstrate why you might need to use domain local groups:

  • If you plan to have two servers running FIM share a database for the purposes of redundancy, it is recommended that the same users be members of the security groups that you create, and that they be recognized as such by FIM. You can accomplish this by using domain local groups.

  • If FIM management is distributed across the organization, using domain local groups enables you to grant access to the appropriate people within your organization.

  • If the FIM configuration needs to be moved from one server to another, using domain local groups enables you manage access from a single location.

  • If your log files from other systems are located on other servers or in folders that are not accessible to FIM, you can use domain local groups to control access to these folders and remote servers.

  • If you are enabling password synchronization on FIM, you must use a domain account for the FIM Synchronization Service service account.


If you plan to use domain local groups, create the groups before installing FIM. For more information about creating domain local groups in Active Directory, see Windows Server® 2008 operating system Help.