Forefront Identity Manager 2010 Installation & Configuration

Working with Distribution Lists

Anthony Marsiglia & Kristopher Tackett

Microsoft Premier Field Engineering

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Working with Distribution Lists

Now, we will configure a slightly more complex group management solution centered around Distribution Groups (and their relationship to Distribution Lists in Exchange). In this scenario, we will create a custom attribute in the portal and metaverse, edit an RCDC and create attribute flows that will allow us to tie Distribution Lists (DLs) in Exchange to Distribution Groups (DGs) in the portal. By doing so, we will be able to bring them into the portal and control send-to permissions for those DLs by way of a resource picker.

To begin, navigate to the FIM portal:

From the portal home screen, at the bottom of the left-hand menu, click on “Administration”.

From the Administration screen, select “Schema Management”

In the top navigation menu, select “All Attributes”.

This will display the Attributes screen. From here, click on “New”

This will open the create attribute dialogue. Enter a “System Name”, “Display Name” and select a “Data Type”. Here, we will be using a “Reference” attribute. Also, be sure to check the box for “Multivalued”, then click “Next” to continue.

You may step through the remaining tabs (such as “Localization”) by clicking “Finish”. This will take you directly to the “Summary” tab. Click “Submit”.

From the top navigation menu, select “All Bindings”

This will display the Bindings screen. Click “New”

This will open the Create Binding dialogue. Enter a “Resource Type” (here, a group), and click the green check button to resolve it. Next, type in the name of the attribute we just created and, again, click the green check button to resolve it.

Place a check in the box next to the newly created attribute, then click “OK”

Here we see both values resolved and validated. Click “Next” to continue.

At this stage, as before, you may click “Finish” to skip directly to the “Summary” page. Click “Submit” to finish.

Now, we must add our newly created custom attribute to the associated management policy rule. From the left-hand menu, click on “Management Policy Rules”.

This will display the Management Policy Rules screen.

In the search box in the top menu, enter “sync” and click on the magnifying glass.

The management policy rule we wish to edit is: “Synchronization: Synchronization account controls group resources it synchronizes.” Click on it to open it.

Once open, click on the “Target Resources” tab.

Under “Resource Attributes”, click on the browse button to the right of the text box.

Enter the name of the newly created attribute and click on the magnifying glass. Place a check in the box next to it and click “OK”. When finished, click “Submit”.

Now we must make the associated Active Directory attribute available to FIM. From the sync engine, right click on the AD management agent and select “Properties”

Under the “Select Attributes” tab, check the box next to “Show All”, then select the attribute “authOrig”. Click “OK” to continue.

Next, choose the tab for “Metaverse Designer”. Highlight the group object type.

Under “Actions”, select “Add Attribute”

This will open the “Add Attribute” dialogue. Click on “New attribute…”

Enter an “Attribute Name:”, and select an “Attribute Type:”. Also be sure to check the box for “Multi-valued”, then click “OK”.

Now it will be necessary to refresh the schemas. Right click on the FIM management agent and select “Refresh Schema…”

Click “OK”

Enter a password and click “OK”. Once the new schema is committed, click “Close”.

Now, right click on the FIM management agent and select “Properties”. Click on the tab for “Configure Attribute Flow”, and expand the section for group. Select the attribute on each side (source and metaverse), choose “import” under “flow direction” and click “New”. Change “Flow Direction” to “export” and click “New” again. When finished, click “OK”.

Finally, we must add flows to our existing group synchronization rules. From the left-hand menu, click on “Administration”.

From the Administration screen, select “Synchronization Rules”.

Find your outbound group synchronization rule (to AD) and click to open it. Then, select the “Outbound Attribute Flow” tab.

Click on “New attribute flow”. In the “source” tab, select the newly created attribute.

In the “Destination” tab, select “authOrig”. Click “OK”, then “Submit”.

Similarly, these attributes will be reversed for the inbound group synchronization rule. Here, the “Source” attribute will be “authOrig”.

And the destination will be our newly created attribute.

To make the resource picker for the new attribute available, we need to edit two specific RCDCs:

Here is the code I am using for both. In my lab, I inserted this code directly below the section for “EmailAddress”, though you may put it elsewhere if you so desire.

<my:Control my:Name="AuthorizedDGSenders" my:TypeName="UocIdentityPicker" my:Caption="{Binding Source=schema, Path=AuthorizedDGSenders.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=AuthorizedDGSenders}">
  <my:Properties>
    <my:Property my:Name="Mode" my:Value="MultipleResult"/>
    <my:Property my:Name="ObjectTypes" my:Value="Person"/>
    <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName, AccountName, Department"/>
    <my:Property my:Name="AttributesToSearch" my:Value="DisplayName, AccountName"/>
    <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=AuthorizedDGSenders, Mode=TwoWay}"/>
    <my:Property my:Name="UsageKeywords" my:Value="Person"/>
    <my:Property my:Name="ResultObjectType" my:Value="Person"/>
  </my:Properties>
</my:Control>
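As an added check (this script is not part of the original guide), the following PowerShell loads the picker fragment above and verifies two things before you paste it into an exported RCDC: that the XML is well-formed, and that my:Name, the Caption and RightsLevel bindings, and the Value property all point at the same attribute, which is the usual copy-and-rename mistake. The namespace URI assigned to the “my” prefix is an assumption based on what FIM RCDC files declare; the well-formedness and name checks do not depend on the exact URI.

```powershell
# Added example, not from the original guide: validate an RCDC picker fragment.
$fragment = @'
<my:Control my:Name="AuthorizedDGSenders" my:TypeName="UocIdentityPicker" my:Caption="{Binding Source=schema, Path=AuthorizedDGSenders.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=AuthorizedDGSenders}">
  <my:Properties>
    <my:Property my:Name="Mode" my:Value="MultipleResult"/>
    <my:Property my:Name="ObjectTypes" my:Value="Person"/>
    <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName, AccountName, Department"/>
    <my:Property my:Name="AttributesToSearch" my:Value="DisplayName, AccountName"/>
    <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=AuthorizedDGSenders, Mode=TwoWay}"/>
    <my:Property my:Name="UsageKeywords" my:Value="Person"/>
    <my:Property my:Name="ResultObjectType" my:Value="Person"/>
  </my:Properties>
</my:Control>
'@

function Test-RcdcPickerFragment {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [Parameter(Mandatory)][string]$ExpectedAttribute
    )
    # Assumed: the namespace RCDC files bind to the "my" prefix.
    $ns = 'http://schemas.microsoft.com/2006/11/ResourceManagement'
    $problems = @()

    # Wrap the fragment in a root that declares the prefix, then parse it.
    try {
        [xml]$doc = "<root xmlns:my=`"$ns`">$Xml</root>"
    } catch {
        return [pscustomobject]@{ WellFormed = $false; Passed = $false; Problems = @($_.Exception.Message) }
    }

    $control = $doc.DocumentElement.FirstChild
    # GetAttribute with the namespace resolves the my:* attributes unambiguously.
    $name = $control.GetAttribute('Name', $ns)
    if ($name -ne $ExpectedAttribute) {
        $problems += "my:Name is '$name', expected '$ExpectedAttribute'"
    }

    # Caption and RightsLevel are {Binding ... Path=X} expressions; X must be our attribute.
    foreach ($attr in 'Caption', 'RightsLevel') {
        $binding = $control.GetAttribute($attr, $ns)
        if ($binding -match 'Path=([^,.}\s]+)' -and $Matches[1] -ne $ExpectedAttribute) {
            $problems += "$attr binds to '$($Matches[1])', expected '$ExpectedAttribute'"
        }
    }

    # Collect the my:Property name/value pairs.
    $props = @{}
    foreach ($p in $control.GetElementsByTagName('Property', $ns)) {
        $props[$p.GetAttribute('Name', $ns)] = $p.GetAttribute('Value', $ns)
    }
    if ($props['Mode'] -ne 'MultipleResult') {
        $problems += "Mode is '$($props['Mode'])'; a multivalued attribute needs MultipleResult"
    }
    if ($props['Value'] -notmatch "Path=$([regex]::Escape($ExpectedAttribute))\b") {
        $problems += "Value property does not bind to '$ExpectedAttribute'"
    }
    if ($props['Value'] -notmatch 'Mode=TwoWay') {
        $problems += "Value binding is not TwoWay as in the guide's fragment"
    }

    [pscustomobject]@{
        WellFormed = $true
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: run against the fragment with the attribute name created in the portal.
Test-RcdcPickerFragment -Xml $fragment -ExpectedAttribute 'AuthorizedDGSenders'
```

If you reuse the fragment for a second attribute, run the check again with the new name; a mismatch between my:Name and the Path bindings is reported rather than silently producing an empty picker.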

It is also worth noting that this solution is contingent upon having inbound and outbound group synchronization rules in place in your environment.

Once complete, an existing (configured) DG should look like this:

And the Create dialogue for a new DG should look like this:

To understand how this works: we are driving a built-in feature of Exchange by directly manipulating an AD attribute.

Under the “Mail Flow Settings” of the “Properties” of a Distribution Group:

Here we see the “Message Delivery Restrictions”. In this case, only the four listed users are authorized to send email to this DG.

If a non-authorized user attempts to send mail to the list, the message is rejected and the sender receives the following non-delivery report:
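Because the restriction lives in an AD attribute that the portal now writes, it is worth verifying the result from the other side. The following PowerShell audit is an added example (not from the original guide): for each distribution group under a container it reads the AD attribute the flow populates (authOrig), reads the Exchange view of the same restriction (AcceptMessagesOnlyFrom), flags groups that are still open to any sender, and flags groups where the two views disagree (for example, a sync that has not yet exported). It assumes the ActiveDirectory module and an Exchange Management Shell session are loaded; the SearchBase value is a placeholder to replace.

```powershell
# Added example, not from the original guide: audit authOrig against Exchange.
param(
    [string]$SearchBase = 'OU=Distribution Groups,DC=contoso,DC=com'  # placeholder container
)

Import-Module ActiveDirectory

function Get-DGSenderRestriction {
    param([Parameter(Mandatory)][string]$GroupIdentity)

    # authOrig is multivalued and holds the DNs of the authorized senders.
    $adGroup = Get-ADGroup -Identity $GroupIdentity -Properties authOrig, mail
    $adSenders = @()
    foreach ($dn in $adGroup.authOrig) {
        $sender = Get-ADObject -Identity $dn -Properties mail
        if ($sender.mail) { $adSenders += $sender.mail.ToLower() }
    }

    # Exchange surfaces the same restriction as AcceptMessagesOnlyFrom.
    $exGroup = Get-DistributionGroup -Identity $GroupIdentity
    $exSenders = @()
    foreach ($entry in $exGroup.AcceptMessagesOnlyFrom) {
        $recipient = Get-Recipient -Identity $entry.DistinguishedName
        $exSenders += $recipient.PrimarySmtpAddress.ToString().ToLower()
    }

    # Compare as sorted, de-duplicated sets so ordering differences do not count.
    $adSet = ($adSenders | Sort-Object -Unique) -join ';'
    $exSet = ($exSenders | Sort-Object -Unique) -join ';'

    [pscustomobject]@{
        Group             = $adGroup.Name
        Mail              = $adGroup.mail
        AuthOrigCount     = $adSenders.Count
        ExchangeCount     = $exSenders.Count
        OpenToAnySender   = ($adSenders.Count -eq 0 -and $exSenders.Count -eq 0)
        ViewsAgree        = ($adSet -eq $exSet)
        AuthorizedSenders = $adSet
    }
}

# Walk every distribution group in the container; open or out-of-sync groups
# are the ones to look at first.
$report = Get-ADGroup -Filter "GroupCategory -eq 'Distribution'" -SearchBase $SearchBase |
    ForEach-Object { Get-DGSenderRestriction -GroupIdentity $_.DistinguishedName }

$report | Sort-Object OpenToAnySender, ViewsAgree -Descending |
    Format-Table Group, Mail, AuthOrigCount, ExchangeCount, OpenToAnySender, ViewsAgree -AutoSize
```

A group reported with OpenToAnySender set to True has no delivery restriction at all, which is the state before anyone is picked in the portal; a group with ViewsAgree set to False usually means the outbound sync rule has not exported yet or the AD export failed, and the FIM management agent run history is the place to check next.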
