FIM Powershell – Workflow

FIM Portal – Installing and configuring Codeplex PowerShell

This post describes the installation and configuration of the FIM PowerShell Workflow Activity (v2.1) found on Codeplex. It took me some time to get it to work and I would like to share this. All credits for the PowerShell extensions go to the original authors.

Required:

Powershellwftest.zip download from http://www.anykeyonline.nl/blogdownloads/powershellwftest.zip

Download others from www.codeplex.com

FIM Powershell Workflow Activity (v2.1 used) http://fimpowershellwf.codeplex.com/

  • Activity Library
  • Installation Script
  • Sample Scripts

FIM Powershell Module (v2.1 used) http://fimpowershellmodule.codeplex.com/

Set the PowerShell execution policy: Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Downloaded Files:

ExampleScripts.zip
FimExtensions.FimActivityLibrary.zip
Install-FIMPowerShellWF.zip
FIMPowerShellModuleV2-1.zip

Steps

Create the following folder structure on the FIM Portal server:

C:\Codeplex\FimPowerShellModule – Extract “FIMPowerShellModuleV2-1.zip” in this folder. Make sure the files from the ZIP end up directly in this folder, not in a second subfolder.

C:\Codeplex\FimExtensions.FimActivityLibrary – Extract ExampleScripts.zip, Install-FIMPowerShellWF.zip and FimExtensions.FimActivityLibrary.zip into this folder. Extract only the files, no subfolders.

C:\Codeplex\Powershellwftest – Extract “PowershellWFtest.zip” in this folder. Make sure the files from the ZIP end up directly in this folder, not in a second subfolder.

C:\Codeplex\Powershellwftest\LOG – Just create this folder.

Right-click every extracted file and click “UNBLOCK”.
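The staging steps above can also be scripted. This is an added example, not part of the original post or the Codeplex projects. It assumes the four ZIP files were saved to a hypothetical `C:\Temp\FimDownloads` folder and that PowerShell 5.0 or later is available for `Expand-Archive`. The hash log file name is also an assumption.

```powershell
# Added example: stage the downloads, log their hashes, and unblock every file.
$Downloads = 'C:\Temp\FimDownloads'   # hypothetical download location (assumption)
$Root      = 'C:\Codeplex'
$HashLog   = Join-Path $Root 'download-hashes.csv'   # hypothetical log file

# Target folder -> archives that belong in it (names from "Downloaded Files")
$Layout = [ordered]@{
    'FimPowerShellModule'              = @('FIMPowerShellModuleV2-1.zip')
    'FimExtensions.FimActivityLibrary' = @('ExampleScripts.zip',
                                           'Install-FIMPowerShellWF.zip',
                                           'FimExtensions.FimActivityLibrary.zip')
    'Powershellwftest'                 = @('Powershellwftest.zip')
}

foreach ($folder in $Layout.Keys) {
    $target = Join-Path $Root $folder
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    foreach ($zip in $Layout[$folder]) {
        $zipPath = Join-Path $Downloads $zip
        # Record exactly which archive was installed so it can be identified later.
        Get-FileHash -Path $zipPath -Algorithm SHA256 |
            Select-Object Path, Hash |
            Export-Csv -Path $HashLog -Append -NoTypeInformation
        Expand-Archive -Path $zipPath -DestinationPath $target -Force
    }

    # The post asks for files directly in the folder, with no second subfolder.
    $nested = Get-ChildItem -Path $target -Directory | Where-Object Name -ne 'LOG'
    if ($nested) {
        Write-Warning "$target contains subfolder(s): $($nested.Name -join ', '). Move the files up one level."
    }

    # Scripted equivalent of right-click > Unblock on every extracted file.
    Get-ChildItem -Path $target -File -Recurse | Unblock-File
}

New-Item -ItemType Directory -Path (Join-Path $Root 'Powershellwftest\LOG') -Force | Out-Null

# Verify: list any file that still carries the "downloaded from the Internet" mark.
Get-ChildItem -Path $Root -File -Recurse | Where-Object {
    Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
} | Select-Object -ExpandProperty FullName
```

An empty result from the last command means every file is unblocked.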

FIM Portal: Before FIM PowerShell WF

Installing FIM PowerShell WF

  • Open elevated Powershell
  • First we need to load the FIMPowerShellModule
  • Use the CD command to change to the folder c:\codeplex\FIMPowerShellModule
    • CD c:\codeplex\FIMPowerShellModule
  • Import the module:
    • Import-Module .\FimPowerShellModule.psm1
  • Use the CD command to change to the folder c:\codeplex\FimExtensions.FimActivityLibrary
    • CD c:\codeplex\FimExtensions.FimActivityLibrary
  • Install the DLL with the command:
    • .\Install-FimPowerShellWF.ps1
  • If the Service account “FIMSERVICE” is not yet imported into FIMPortal use this script to accomplish this.
    • .\Create-FimServiceAccountAsFimPerson.ps1 (Script might error on Export-FIMConfig, don’t worry about that, just check in FIMPortal if the service account is visible in the Users section)
  • After this you have to run the last script: Update-FimServiceConfigFile.ps1
    • .\Update-FimServiceConfigFile.ps1
  • After this run IISRESET to make the Workflow visible in FIM Portal.

After this the sa_fimservice account should be a member of the default set: Administrators. If not, make it a member.

Use PowerShell workflow to test PowerShell activity.

Creating Set/WF/MPR for the PowerShellWFTest


First create the Set.


Create the set as “Criteria based”. In the first setting, make sure the criterion is true for nobody. My example tests if “Account Name” = “ksdfjoisdufiohsdf”. Press View Members to make sure nobody is targeted. We are going to use this mechanism to trigger the workflow when we want to test it.

Next, Next, Submit.


Then create the Workflow. Next.


In the Activity Picker select the PowerShell Activity and change the default Powershell script. In this example we run a PS1 file from our Codeplex folder. Press Save, then Press NEXT, SUBMIT.

Next create the MPR:

Select the Set we just created and choose Transition In.

Select the workflow we just created before: _WF: PowerShellWFTest. Next, Submit.

Testing the powershell script. The powershell script is written to test if the script has fired and if any useful information flows from FIM Portal into the Powershell script.

The next section explains how to fire the PowerShell script.

First open the SET again and go to the “Criteria-based Members”. In this screen you have to change the non-existing Account Name to an existing Account Name.

Press the Account Name and change it into an existing one. For example “Administrator”.

Press the “View Members” button to verify only one account is listed. It is not recommended to run this script on multiple members at once while still in the testing phase.

Press OK when changed to Administrator.

Wait a few moments and start Windows Explorer on the FIM Server. Browse to the c:\codeplex\powershellwftest folder and see if “pswf-test-00.txt” has been created. This file does not contain any useful information; its existence only tells you that “powershellwftest.ps1” actually fired.

If all goes well there should also be a file called “pswf-test-04.txt”, which should contain the useful information.

As you can read from the “powershellwftest.ps1” this line contains in order: AccountName, DisplayName, FirstName and LastName.

In the “powershellwftest.ps1” file I have added an example application for this script. It will allow you to reset a password for a user with the FIM Portal.

As you can see in the script, this resets the user's password using the standard dsquery and dsmod commands. You have to make sure the FIMService account (which fires the PowerShell script) has the permissions to run the dsquery and dsmod commands. When doing LAB tests you could make the user Domain Admin temporarily to check if it works. Never do this in a production environment!!

When you have changed the permissions of FIMService you have to restart the FIMService.

After granting the sa_fimservice user new permissions, for example to do a password reset as in the example file, restart the FIM Service.
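For anything beyond a lab, the password-reset permission can be delegated on a single OU instead of using Domain Admin membership. The following is an added example, not part of the original post or the example script. The domain name `CONTOSO` and the OU `OU=FIMTestUsers,DC=contoso,DC=com` are hypothetical placeholders, and it assumes the AD DS command-line tools (dsacls, dsquery, dsget) are installed.

```powershell
# Added example: grant only "Reset Password" on user objects in one OU.
$Account  = 'sa_fimservice'                       # service account named in the post
$Trustee  = "CONTOSO\$Account"                    # hypothetical domain (assumption)
$TargetOU = 'OU=FIMTestUsers,DC=contoso,DC=com'   # hypothetical OU (assumption)

# /I:S  = apply to sub-objects only, not to the OU object itself
# CA    = control access (extended) right; restricted here to user objects
& dsacls.exe $TargetOU /I:S /G "${Trustee}:CA;Reset Password;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Review what the account now holds on the OU.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Account

# Confirm a temporary Domain Admins membership from lab testing is gone.
# dsquery returns the DN wrapped in quotes, so strip them before reuse.
$dn = (& dsquery.exe user -samid $Account | Select-Object -First 1).Trim('"')
$privileged = & dsget.exe user $dn -memberof -expand |
    Select-String -Pattern 'CN=(Domain Admins|Enterprise Admins|Administrators),'

if ($privileged) {
    Write-Warning "$Account is still a member of: $($privileged.Line -join '; ')"
} else {
    Write-Output "$Account holds no built-in admin group membership."
}

# As the post says, restart the FIM Service after changing permissions.
```

If the reset script also forces a password change at next logon, write access to pwdLastSet would be needed in addition; that depends on the script and is not covered here.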

End post.
