Thursday 23 February 2012

Recovery of a group from the AD recycle bin.

Useful link on recovery of a group from the AD recycle bin: http://darshanaj.wordpress.com/2011/11/29/active-directory-recycle-bin/

It worked and I was able to recover the group that had been deleted in AD.
Note - Recovering a group that was deleted in FIM requires a few changes to the group's attributes in ADSI Edit after the group is recovered, as shown in the snapshot. I will cover the recovery of FIM-managed groups some time in the future.

Monday 20 February 2012

MPR configuration for FIM Portal Access

Using PowerShell to check your MPR configuration for FIM Portal access.


FIM Portal

Create a Search Scope for Groups in FIM portal.

How to display a new attribute in the FIM Portal from the "Search within" tab. The steps below show the All Groups search scope in the "Search within" tab of the FIM Portal.

Click Administration --> Click Search Scope --> Click New

On the General page, type:
Display Name: All Groups
Description: All Groups
Usage Keyword (on separate lines):
BasicUI
Global
GlobalSearchResult
Group
Order: 94

Click Next

On the Search Definition page, type:
Attribute Searched: DisplayName
Filter: /Group

Click Next

On the Results tab, from the Resource Type drop-down list select Group, and then in Attribute type: DisplayName, Email

Click Finish and Submit.

Perform an IISRESET.
Browse the FIM home page.


Saturday 18 February 2012

Groups Errors in FIM.

From the user's side, if they create a group in FIM and it is not provisioned in AD, there is no indication of whether the group creation was successful until the user gets the feeling that the group is not working at all, or someone from IT gets in to investigate.

In my experience, a user created a group with universal scope and a domain local group as a member; the group failed to sync, and when the user wanted to delete the group in FIM it errored out with "ObjectSIDString is either null or empty, cannot delete the group at this time".

To delete the group I had to go to the advanced view of the group in FIM, locate the field for “ObjectSIDString Group binding”, type any number in it (for example 1234), click OK and submit the change.

The group got deleted at last.

Wednesday 8 February 2012

Fine-Grained Password Policies

In day-to-day life at my work, if there is a need to extend the password of a system account, I enrol the system account in the security group in AD or in FIM, and the requestor then needs to reset the password of the account.

I gathered information on FGPPs and present here in detail what they are and how they work.

An Active Directory domain could only have one password and account lockout policy per domain for domain accounts.
FGPPs allow organizations to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different password and account lockout restrictions to different sets of groups and users in a domain.

To learn more about how it works, refer to

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

Windows Server 2008 R2 - Enabling the Recycle Bin feature is an irreversible action.

Active Directory Recycle Bin provides a very quick way to recover Active Directory objects that have been deleted, without needing to reboot a domain controller, perform authoritative restore operations, or wait for replication. Once enabled, any object can be quickly restored using a simple PowerShell command.
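As an added example (not from the original post or the linked article), this is how the group recovery described in the 23 February post and the "simple PowerShell command" mentioned above look with the Active Directory module. It assumes the Recycle Bin is already enabled and RSAT is installed; the group name is a placeholder.

```powershell
# Added example: locate a deleted group in the AD Recycle Bin and restore it.
# Assumes the AD Recycle Bin is enabled and the ActiveDirectory module is present.
Import-Module ActiveDirectory

$groupName = 'Example-Group'   # placeholder: name of the group that was deleted

# Deleted objects are only returned when -IncludeDeletedObjects is given.
# Their Name is rewritten to "<name>\0ADEL:<guid>", so match on msDS-LastKnownRDN.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "group"' `
    -IncludeDeletedObjects `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged, isRecycled |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $groupName }

if (-not $deleted) {
    Write-Warning "No deleted group named '$groupName' found in the Recycle Bin."
    return
}

foreach ($obj in $deleted) {
    Write-Host ("Found {0} (deleted around {1}, original parent {2})" -f `
        $obj.'msDS-LastKnownRDN', $obj.whenChanged, $obj.lastKnownParent)

    # Past the deleted-object lifetime the object becomes "recycled"; at that
    # point only the tombstone stub remains and Restore-ADObject cannot bring it back.
    if ($obj.isRecycled) {
        Write-Warning "Object is already recycled; it cannot be restored."
        continue
    }

    # The original parent container must exist. If the OU was deleted too,
    # restore the OU first (or pass -TargetPath to restore the group elsewhere).
    try {
        Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Original parent $($obj.lastKnownParent) is missing; restore it first."
        continue
    }

    Restore-ADObject -Identity $obj.ObjectGUID -Confirm:$false

    # Verify the restore and confirm the SID survived: group memberships and
    # ACL entries reference the SID, so a recreated group with a new SID would not do.
    Get-ADGroup -Identity $obj.ObjectGUID -Properties objectSid, whenChanged |
        Select-Object Name, DistinguishedName, GroupScope, objectSid
}
```

For a group that FIM manages, the ADSI Edit attribute changes mentioned in the 23 February post still have to follow the restore.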
