Wednesday, September 30, 2009

Download details: FIM 2010 Release Candidate 1

RC1 of Forefront Identity Manager 2010 is out, go get it!

Download details: FIM 2010 Release Candidate 1

Using PowerShell to Clear ILM Run and Password History

With our latest implementation running completely Windows Server 2008, SQL Server 2008 in a Windows 2008 Active Directory I've noticed that my old standby of calling the MIIS Resource Kit utility ClearRunHistory no longer works. Despite having the following in place:
  • Domain service account
  • Member of the ILM Administrators domain group (our renamed MIISAdmins)
  • Granted the "Logon as batch" right via policy
  • Runs fine logged in as the service account interactively
My scheduled task runs fine, but when it executes the utility it fails with a generic "Access Denied" error. So, I've said goodbye to the last of my Resource Kit buddies and hello to PowerShell! I'm now using the following script to clear both the run history and the password history (in the event you are using PCNS).
The script below is parameterized and I borrowed heavily from earlier work by Craig Martin and Markus Vilcinskas. If you pass no parameters it should default to 14 days of history to maintain, otherwise you can pass the value, in days, to the script for each. To call this from your own scheduled task, setup the task to call a CMD file of your creation and add the following:
 1: # Call ClearHistory.ps1 from a CMD file 
 2: powershell -nologo -command "& D:\ILMTasks\ClearHistory.ps1 5 10"

Remember that you must always refer to your script with the full path.


 1: # Setup the argument parameters and declare defaults
 2: # Default is two weeks of history to retain
 3: param([string]$NumDaysToKeepRunHistory = 14,[string]$NumDaysToKeepPwdHistory = 14)
 5: # Calculate the date to clear runs against
 6: [string]$ClearRunsDate = [DateTime]::Now.AddDays(-$NumDaysToKeepRunHistory).ToUniversalTime()
 7: # Calculate the date to clear password history against
 8: [string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()
 10: # Get the WMI Object for MIIS_Server
 11: $miiserver = @(get-wmiobject -class "MIIS_SERVER" -namespace "root\MicrosoftIdentityIntegrationServer" -computer ".")
 13: # Clear the Run History
 14: Write-Host "Clearing the Run History prior to (UTC)" $ClearRunsDate
 15: Write-Host "Result: " $miiserver[0].ClearRuns($ClearRunsDate).ReturnValue
 16: #--------------------------------------------------------------------------------------------------------------------
 17:  trap 
 18:  { 
 19:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
 20:  }
 21: #--------------------------------------------------------------------------------------------------------------------
 23: # Clear the Password History
 24: Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate
 25: Write-Host "Result: " $miiserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue
 26: #--------------------------------------------------------------------------------------------------------------------
 27:  trap 
 28:  { 
 29:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
 30:  }
 31: #--------------------------------------------------------------------------------------------------------------------

This script is calling the WMI provider and invoking the functions. The API calls for handing the dates formatted as UTC. I have these scripts posted separately in the ILM ScriptBox in the ILM Forum.

Tuesday, September 08, 2009

Acceptance Testing Confessional

Our daily morning team meetings for the project I'm currently on have become less team meeting and more confessional now that we're getting close to go-live. This is what a typical morning sounds like now:

Tester 1: Bless me PM for I have tested. I found 4 bugs today.

PM: Very good, hand your results to the developer.

Tester 2: Bless me PM for I have tested. I found 2 bugs today.

PM: Very good, hand your results to the developer.

You get the idea, it was much funnier when I made the observation this morning.

Thursday, September 03, 2009

Issues with SQL Server in a Windows 2008 Domain

Oh boy, where to start, we have been having various issues with SQL applications failing with different security related error messages and we did not see a connection until just today. The two prominent issues we saw were:

  • Could not apply patches to an ILM 2007 FP1 installation running on SQL Server 2008 with the servers in a Windows 2008 domain/forest, the errors we got were:
  • Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

    MSI (s) (6C!80) [16:34:17:656]: Product: Microsoft Identity Integration Server -- Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

  • SQL Server Reporting Services report subscriptions were failing to run in the SQL Agent with the following errors:

SQL Server Scheduled Job '52840C4F-5D9F-4CAA-96BE-4C587F655571' (0xBB61E338688B8C459E28A61A6761669D) - Status: Failed - Invoked on: 2009-09-03 17:40:03 - Message: The job failed.  Unable to determine if the owner (DEV\svc.ssrs.ilm) of job 52840C4F-5D9F-4CAA-96BE-4C587F655571 has server access (reason: Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5. [SQLSTATE 42000] (Error 15404)).

Subsequently, it was this troubleshooting technique using xp_logininfo found by Jaime Martinez that led us to the eventual solution posted by Matticus:

  • Find the account that you're getting the error on and open up a new query in SQL Management Studio and then run the xp_logininfo command against it – in our case it looked like this:

xp_logininfo 'DEV\svc.ssrs.ilm'

  • This command generated the following new error:
  • Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
    Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5.

As it turns out there is a new built-in security group in Windows Server 2008 domains called BUILTIN\Windows Authorization Access Group. The description on this group reads, "Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects". This somehow causes issues when certain operations require enumeration of a person's group memberships (the computed tokenGroupsGlobalAndUniversal attribute).


Add the domain service account for your SQL Server (your SQL Server service account) to the BUILTIN\Windows Authorization Access Group group. You don't need to restart anything, it just starts working from that point forward. What was bizarre is that this also fixed my problem with applying the patches to ILM!

Tuesday, September 01, 2009

Office 2010 Technical Preview: Unable to Read or Save to SharePoint

I've been running the Office 2010 Technical Preview for a few weeks now and I really like it…once again. For a time there I was really cursing it due to some issues when reading or writing changes to documents (in this case Office 2007 documents, including OneNote notebooks) stored in our Microsoft Office SharePoint Server 2007 document libraries. I first noticed the issue when attempting to modify a shared OneNote 2007 notebook which, again, is hosted in MOSS 2007 – changes could not be replicated back to the document library and OneNote 2010 would return the following error:

This section contains changes that could not be synced because the
section file was not found. The section may have been moved or
deleted. If OneNote finds the section file later, it will sync the
changes. Alternatively, you can move this section to a new location.
Click here for more information.

I would get a similar problem when using Word 2010 to check out and edit a document hosted in a MOSS 2007 document library; however, in this case it manifested in the Office Synchronization Center failing to upload the modified document. You get a nasty red bar in the Pending Uploads section.

If you're part of the Technical Preview then you can track down these threads and the solutions in microsoft.connect.o2010techprev._general and search for "sharepoint". This problem has affected people in the following conditions it seems:

  • MOSS 2007 or WSS 3.0 document libraries
  • Opening files in a document library
  • Opening local files
  • Saving files to a document library

Mark Knight of Microsoft posted the workaround as follows:

1. In your LAN settings, check "Use a proxy server for your LAN" (you can
keep "Automatically detect" checked)
2. Assuming you do not require proxy to reach any servers, you can specify
http://fake in the Address field to give it a fake proxy
3. Click Advanced
4. In the Exceptions field, type the wildcard * to manually bypass the fake
proxy for all servers you are trying to reach.
5. OK out of the dialogs to accept the settings and retry opening files from

The only thing I did differently was in step 2 I used instead of http://fake since I don't seemingly random hosts. At least in my case, using the above workaround has resolved my issues. If you continue to have issues I would encourage you to post to the newsgroup.

Newer Posts Older Posts Home