Here are a few XPath queries I've built and collected along the way. It's intriguing how powerful and yet still ultimately rather crappy and limiting FIM XPath can be. And if you want a good explanation of why – try using SQL Profiler to see the resultant T-SQL when the FIM service translates what seems like even a simple XPath query with a few conditions (especially if you're using a negative condition).
You can test any of these with the FIMAutomation snap-in using two simple commands: one to export the results, and one to return the DisplayName of each ($URI points to your Resource Management Service endpoint, typically on port 5725):
$objects = Export-FIMConfig -uri $URI -onlyBaseResources -customConfig $filter
$objects.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'DisplayName'} | select value
Query for failed EREs matching the specified sync rule
$filter = "/ExpectedRuleEntry[DisplayName='AD: SyncRule1' and StatusError = 'ma-extension-error']"
Find groups that have been modified in the last 10 days
$filter = "/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]"
People with Attribute1 set to Null
$filter = "/Person[(not(starts-with(Attribute1, '%')))]"
All people that are an owner of one or more groups
$filter = "/Person[ObjectID = /Group/Owner]"
Find groups owned by the specified person
$filter = "/Group[DisplayedOwner=/Person[DisplayName='User1']]"
Find groups that have no Owner or displayedOwner
$filter = "/Group[not(Owner = /Person) and not(DisplayedOwner = /Person)]"
Find all people that have an accountName set
$filter = "/Person[AccountName != '&Invalid&']"
Find all anonymous password resets in the last day
$filter = "/Request[Creator = /Resource[ObjectID = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'] and RequestStatus = 'Completed' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P1D'))]"
Groups in a set that don't have the required ERE
$filter = "/Group[ObjectID = /Set[DisplayName = 'All Security Groups Internal Global Static Owner Approved']/ComputedMember and not(ExpectedRulesList = /ExpectedRuleEntry)]"
SSPR registered internal enabled people
$filter = "/Person[AccountType = 'Person' and AccountStatus = 'Enabled' and Domain = 'CORP' and not(AuthNLockoutRegistrationID = /GateRegistration)]"
People created in the last 8 hours
$filter = "/Person[CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"
Find if the specified person is a member of a group
$filter = "/Person[ObjectID = /Group[DisplayName = 'Group1']/ComputedMember and AccountName = 'User1']"
Find distribution groups owned by the specified person
$filter = "/Group[Type='Distribution' and Owner=/Person[AccountName='User1']]"
How many people have filled out the QA gate in the last 8 hours
$filter = "/GateRegistration[GateID = 'authenticationGateActivity3' and CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"
Find MA data
$filter = "/ma-data"
People with the specified SKU (multi-valued reference)
$filter = "/Person[Office365ServicePlans = /Office365License[SKU ='E3']]"
People with the specified Office 365 plan
$filter = "/Person[Office365ServicePlans = /Office365License[DisplayName ='E3 Office Pro Plus']]"
MPRs referencing a set of requestors
$filter = "/ManagementPolicyRule[PrincipalSet=/Set[DisplayName='All Service Desk Users']]"
CORP user enabled without CORP outbound ERE
$filter = "/Person[AccountStatus = 'Enabled' and Domain = 'CORP' and not(ExpectedRulesList = /ExpectedRuleEntry[DisplayName = 'AD: CORP Outbound User'])]"
Security Groups that have one or more deleted owners
$filter = "/Group[Type = 'Security' and Owner = /Person[AccountStatus = 'Deleted']]"
Security Groups that have no owner
$filter = "/Group[Type = 'Security' and not(Owner = /Person)]"
People without an account name (null string attribute check)
$filter = "/Person[not(AccountName != '&NotPresent&') and not(DisplayName = 'Built-in Synchronization Account')]"
People without a display name (null string attribute check)
$filter = "/Person[not(DisplayName != '&NotPresent&')]"
Enabled People without a primary domain
$filter = "/Person[AccountStatus = 'Enabled' and not(Domain != '&NotPresent&')]"
Internal Enabled People without a specific attribute set
$filter = "/Person[Domain = 'CORP' and AccountStatus = 'Enabled' and not(Attribute1 != '&NotPresent&')]"
People synchronised to Office 365 but without any licenses
$filter = "/Person[SyncTo365 = True and not(Office365ServicePlans = /Office365License)]"
People locked out for SSPR
$filter = "/Person[ObjectID = /Set[DisplayName = 'All People with Internal Accounts enabled']/ComputedMember and (AuthNWFLockedOut = '9c3aca59-a85c-437f-bb67-9ce5a70521d7')]"
Orphaned EREs that don't have a parent
$filter = "/ExpectedRuleEntry[not(ResourceParent = /Set[DisplayName = 'All Objects']/ComputedMember)]"
Note that a few of these reference a custom object type of Office 365 license (see this post).
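The two-command test harness at the top of the post and the hygiene queries in the list above can be wrapped into one reusable script. The following is an added example, not code from the original post: it loads the FIMAutomation snap-in, runs a filter through Export-FIMConfig, flattens each hit to ObjectType/DisplayName/ObjectID, quotes caller-supplied values before they are embedded in a filter (so a display name or account name taken from a ticket or a form cannot break out of the XPath string literal), and runs a handful of the audit queries from the post as a batch. The endpoint URL, the function names, and the choice of queries in the batch are my assumptions; the attribute and object names are the ones used in the filters above.

```powershell
# Added example (not from the original post). Assumes the FIMAutomation snap-in
# is installed on this host and that $URI is the Resource Management Service
# endpoint; the hostname below is a placeholder.
$URI = 'http://fimservice:5725/ResourceManagementService'

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Quote a value for use inside an XPath string literal. XPath 1.0 has no escape
# sequence for quotes, so a value containing a single quote is rejected rather
# than allowed to terminate the literal and append its own predicate (the XPath
# equivalent of SQL injection). Extend this if your data legitimately contains
# apostrophes; do not just concatenate the raw value.
function ConvertTo-FimXPathLiteral {
    param([Parameter(Mandatory = $true)][string]$Value)
    if ($Value -match "'") {
        throw "Value contains a single quote and cannot be embedded safely in an XPath literal: $Value"
    }
    return "'" + $Value + "'"
}

# Run one filter and return a flat object per matching resource.
function Invoke-FimXPathQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Filter,
        [string]$Uri = $URI
    )
    $exported = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter
    # Export-FIMConfig returns nothing (not an empty array) when no resource
    # matches, so guard before enumerating.
    if ($null -eq $exported) { return @() }
    foreach ($item in @($exported)) {
        $rmo   = $item.ResourceManagementObject
        $attrs = $rmo.ResourceManagementAttributes
        $displayName = ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' } |
                        Select-Object -First 1).Value
        New-Object PSObject -Property @{
            ObjectType  = $rmo.ObjectType
            ObjectID    = $rmo.ObjectIdentifier
            DisplayName = $displayName
        }
    }
}

# The "is this person a member of that group" query from the post, with the
# group and account names passed in as parameters instead of pasted into the
# string. Returns $true when at least one Person matches.
function Test-FimGroupMember {
    param(
        [Parameter(Mandatory = $true)][string]$GroupDisplayName,
        [Parameter(Mandatory = $true)][string]$AccountName
    )
    $group   = ConvertTo-FimXPathLiteral $GroupDisplayName
    $account = ConvertTo-FimXPathLiteral $AccountName
    $filter  = "/Person[ObjectID = /Group[DisplayName = $group]/ComputedMember and AccountName = $account]"
    return (@(Invoke-FimXPathQuery -Filter $filter).Count -gt 0)
}

# A few of the hygiene queries from the post, run as one batch so the counts
# can be tracked from run to run (for example from a scheduled task). The
# selection is mine; add or remove entries to suit your environment.
$auditQueries = @{
    'Security groups with no owner'            = "/Group[Type = 'Security' and not(Owner = /Person)]"
    'Security groups with a deleted owner'     = "/Group[Type = 'Security' and Owner = /Person[AccountStatus = 'Deleted']]"
    'Enabled CORP users without outbound ERE'  = "/Person[AccountStatus = 'Enabled' and Domain = 'CORP' and not(ExpectedRulesList = /ExpectedRuleEntry[DisplayName = 'AD: CORP Outbound User'])]"
    'EREs in ma-extension-error for SyncRule1' = "/ExpectedRuleEntry[DisplayName='AD: SyncRule1' and StatusError = 'ma-extension-error']"
}

$auditResults = @{}   # check name -> array of matching resources, kept for drill-down
$summary = foreach ($name in $auditQueries.Keys) {
    $hits = @(Invoke-FimXPathQuery -Filter $auditQueries[$name])
    $auditResults[$name] = $hits
    New-Object PSObject -Property @{ Check = $name; Count = $hits.Count }
}
$summary | Sort-Object Check | Format-Table Check, Count -AutoSize

# Example membership check (group and account names are placeholders):
# Test-FimGroupMember -GroupDisplayName 'Group1' -AccountName 'User1'
```

Invoke-FimXPathQuery enumerates the export with an explicit foreach rather than the dotted member access used in the post, so it behaves the same on PowerShell 2.0 (where `$objects.ResourceManagementObject` does not enumerate an array) and later. The quoting helper is deliberately strict: the filter is executed server-side with the privileges of the account running the snap-in, so any value that originates outside the script should pass through it before being concatenated into a filter.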
Wayne's World of IT (WWoIT).
Great post. Thanks for the excellent example list. Saved me a lot of time.