Friday, July 10, 2020

FIM/MIM XPath queries

Here are a few XPath queries I've built and collected along the way. It's intriguing how powerful and yet still ultimately rather crappy and limiting FIM XPath can be. And if you want a good explanation of why – try using SQL Profiler to see the resultant T-SQL when the FIM service translates what seems like even a simple XPath query with a few conditions (especially if you're using a negative condition).

You can test any of these with the FIMAutomation snap-in, with two simple commands to export the results, then return the displayname from each ($URI points to your resource management service, typically on port 5725):

$objects = Export-FIMConfig -uri $URI -onlyBaseResources -customConfig $filter
$objects.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'DisplayName'} | select value



Query for failed ERE's matching the specified sync rule
$filter = "/ExpectedRuleEntry[DisplayName='AD: SyncRule1' and StatusError = 'ma-extension-error']"

Find groups that have been modified in the last 10 days
$filter = "/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]"

People with Attribute1 set to Null
$filter = "/Person[(not(starts-with(Attribute1, '%')))]"

All people that are an owner of one or more groups
$filter = "/Person[ObjectID = /Group/Owner]"

Find groups owned by the specified person
$filter = "/Group[DisplayedOwner=/Person[DisplayName='User1']]"

Find groups that have no Owner or displayedOwner
$filter = "/Group[not(Owner = /Person) and not(DisplayedOwner = /Person)]"

Find all people that have an accountName set
$filter = "/Person[AccountName != '&Invalid&']"

Find all anonymous password resets in the last day
$filter = "/Request[Creator = /Resource[ObjectID = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'] and RequestStatus = 'Completed' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P1D'))]"

Groups in a set that don't have the required ERE
$filter = "/Group[ObjectID = /Set[DisplayName = 'All Security Groups Internal Global Static Owner Approved']/ComputedMember and not(ExpectedRulesList = /ExpectedRuleEntry)]"

SSPR registered internal enabled people
$filter = "/Person[AccountType = 'Person' and AccountStatus = 'Enabled' and Domain = 'CORP' and not(AuthNLockoutRegistrationID = /GateRegistration)]"

People created in the last 8 hours
$filter = "/Person[CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find if the specified person is a member of a group
$filter = "/Person[ObjectID = /Group[DisplayName = 'Group1']/ComputedMember and AccountName = 'User1']"

Find distribution groups owned by the specified person
$filter = "/Group[Type='Distribution' and Owner=/Person[AccountName='User1']]"

How many people have filled out the QA gate in the last 8 hours
$filter = "/GateRegistration[GateID = 'authenticationGateActivity3' and CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find MA data
$filter = "/ma-data"

People with the specified SKU (multi-valued reference)
$filter = "/Person[Office365ServicePlans = /Office365License[SKU ='E3']]"

People with the specified Office 365 plan
$filter = "/Person[Office365ServicePlans = /Office365License[DisplayName ='E3 Office Pro Plus']]"

MPRs referencing a set of requestsors
$filter = "/ManagementPolicyRule[PrincipalSet=/Set[DisplayName='All Service Desk Users']]"

CORP user unabled without CORP outbound ERE
$filter = "/Person[AccountStatus = 'Enabled' and Domain = 'CORP' and not(ExpectedRulesList = /ExpectedRuleEntry[DisplayName = 'AD: CORP Outbound User'])]"

Security Groups that have one or more deleted owners
$filter = "/Group[Type = 'Security' and Owner = /Person[AccountStatus = 'Deleted']]"

Security Groups that have no owner
$filter = "/Group[Type = 'Security' and not(Owner = /Person)]"

People without an account name (null string attribute check)
$filter = "/Person[not(AccountName != '&NotPresent&') and not(DisplayName = 'Built-in Synchronization Account')]"

People without a display name (null string attribute check)
$filter = "/Person[not(DisplayName != '&NotPresent&')]"

Enabled People without a primary domain
$filter = "/Person[AccountStatus = 'Enabled' and not(Domain != '&NotPresent&')]"

Internal Enabled People without a specific attribute set
$filter = "/Person[Domain = 'CORP' and AccountStatus = 'Enabled' and not(Attribute1 != '&NotPresent&')]"

People synchronised to office 365 but without any licenses
$filter = "/Person[SyncTo365 = True and not(Office365ServicePlans = /Office365License)]"

People locked out for SSPR
$filter = "/Person[ObjectID = /Set[DisplayName = 'All People with Internal Accounts enabled']/ComputedMember and (AuthNWFLockedOut = '9c3aca59-a85c-437f-bb67-9ce5a70521d7')]"

Orphaned ERE's that don't have a parent
$filter = "/ExpectedRuleEntry[not(ResourceParent = /Set[DisplayName = 'All Objects']/ComputedMember)]"


Note that a few of these reference a custom object type of Office 365 license (see this post).

Wayne's World of IT (WWoIT). 

3 comments:

Tucson Rubberized coatings said...

Thank you so much for sharing such an informative blog with us.

The #1 Roof Coating Tucson Company
Roofing Company
Wall Coating
Driveways / Parking Lots
Water Sealers

Olivia Wilson said...

Great post! You are sharing amazing information through your blog. I found your excellent writing skills. Our team of professionals is highly experienced in providing taxation law assignment help, visit today!

Matthias said...

Great post. Thanks for the excellent example list. Saved me a lot of time.

Post a Comment