Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-03-30) Querying The FIM Service Using PowerShell

Posted by Jorge on 2015-03-30


Have you ever needed to query the FIM service for objects based upon an XPath definition, display the information on screen and, if needed, also export it to CSV? Look no further, here's a PowerShell script doing just that for you!

In the blog post "(2012-11-11) Finding All Users Within FIM That Have (Not) Registered For SSPR" I demonstrate how to query the FIM service using the FIM Portal for users that have registered for SSPR and for users that have not registered for SSPR. This is all done through search scopes. I was once asked: "can you export that information?". By default it is not possible to export that information through the FIM Portal. However, nothing and nobody stops you from using PowerShell to achieve your goal!

Again using that blog post as an example, let's do this through PowerShell. From that blog post I'm using the specified search scope filters to find both lists of users.

Finding Users That Have Registered For SSPR:

  • Search Scope Filter (XPath) In That Blog Post (Old Test Environment) -> "/Person[AuthNWFRegistered = /Set[ObjectID = 'f6a599be-a292-40a7-8720-6bb445e47ad8']/ComputedMember]"
  • Search Scope Filter (XPath) In My Current Test Environment -> "/Person[AuthNWFRegistered = /Set[ObjectID = '214ab7c5-afd8-4d57-bfe8-9c5b73ddc7e9']/ComputedMember]"

.\Query-For-FIM-Service-Using-XPath.ps1 -xPath "/Person[AuthNWFRegistered = /Set[ObjectID = '214ab7c5-afd8-4d57-bfe8-9c5b73ddc7e9']/ComputedMember]" -baseonly -exporttocsv -csvfilepath D:\TEMP\UsersThatHaveRegisteredForSSPR.CSV -attributelist IDtype,DisplayName,FirstName,LastName,EmployeeID,Email

Figure 1a: Output To Screen

Figure 1b: Output To CSV

Finding Users That Have NOT Registered For SSPR:

  • Search Scope Filter (XPath) In That Blog Post (Old Test Environment) -> "/Person[not(AuthNWFRegistered = /Set[ObjectID = 'f6a599be-a292-40a7-8720-6bb445e47ad8']/ComputedMember)]"
  • Search Scope Filter (XPath) In My Current Test Environment -> "/Person[not(AuthNWFRegistered = /Set[ObjectID = '214ab7c5-afd8-4d57-bfe8-9c5b73ddc7e9']/ComputedMember)]"

.\Query-For-FIM-Service-Using-XPath.ps1 -xPath "/Person[not(AuthNWFRegistered = /Set[ObjectID = '214ab7c5-afd8-4d57-bfe8-9c5b73ddc7e9']/ComputedMember)]" -baseonly -exporttocsv -csvfilepath D:\TEMP\UsersThatHaveNOTRegisteredForSSPR.CSV -attributelist IDtype,DisplayName,FirstName,LastName,EmployeeID,Email

Figure 2a: Output To Screen

Figure 2b: Output To CSV

And this is the PowerShell script….

# Abstract: This PoSH Script Exports Objects From The FIM Based Upon An XPath Definition, Converts It To PSObjects And Displays On Screen And Optionally Exports To CSV
# Written by: Jorge de Almeida Pinto [MVP-DS]
# Blog: https://jorgequestforknowledge.wordpress.com/
#
# 2015-03-30: Initial version of the script
#
# Additional Information
# * http://www.integrationtrench.com/2011/07/convert-fim-exportobject-to-powershell.html
# * http://www.integrationtrench.com/2011/09/cant-use-xpath-contains-function-to.html

# Example Syntaxes:
# * <PoSH Script File> -xPath "/Person[AccountName='JohnDoe']" -baseonly
# * <PoSH Script File> -xPath "/Person[AccountName='JohnDoe']" -baseonly -attributelist ObjectID,AccountName
# * <PoSH Script File> -xPath "/Person[AccountName='JohnDoe']" -baseonly -exporttocsv -csvfilepath D:\TEMP\TEST.CSV
# * <PoSH Script File> -xPath "/Person[AccountName='JohnDoe']" -baseonly -attributelist ObjectID,AccountName -exporttocsv -csvfilepath D:\TEMP\TEST.CSV

Param (
    # XPath Definition As Accepted By The FIM Service (e.g. "/Person[Account = 'JohnDoe']")
    [Parameter(Mandatory=$true)]
    [string]$xPath,

    # Comma-Separated List Of Attributes To Display/Export. When Nothing is Specified All Attributes Are Displayed/Exported
    [Parameter(Mandatory=$false)]
    [string[]]$attributelist,

    # The Full Path To The CSV File When Exporting To A CSV
    [Parameter(Mandatory=$false)]
    [string]$csvfilepath,

    # Export Only Based Objects (Recommended), Otherwise Also Export All Referred Objects
    [Parameter(Mandatory=$false)]
    [switch]$baseonly,

    # Also Export To CSV
    [Parameter(Mandatory=$false)]
    [switch]$exporttocsv
)

Clear-Host
Write-Host " ****************************************************" -ForeGroundColor Yellow
Write-Host " ** Jorge de Almeida Pinto [MVP-DS] **" -ForeGroundColor Yellow
Write-Host " ** BLOG: 'Jorge's Quest For Knowledge' **" -ForeGroundColor Yellow
Write-Host " ** https://jorgequestforknowledge.wordpress.com/ **" -ForeGroundColor Yellow
Write-Host " ** March 2015 **" -ForeGroundColor Yellow
Write-Host " ****************************************************" -ForeGroundColor Yellow

# MSFT PowerShell CMDlets For FIM 2010 R2
[array] $SnapInListToLoad = "FIMAutomation"
foreach ($SnapIn In $SnapInListToLoad) {
    If(@(Get-PSSnapin | Where-Object {$_.Name -eq $SnapIn} ).count -eq 0) {
        If(@(Get-PSSnapin -Registered | Where-Object {$_.Name -eq $SnapIn} ).count -ne 0) {
            Add-PSSnapin $SnapIn
            Write-Host ""
            Write-Host "Snap-In '$SnapIn' has been loaded..." -ForeGroundColor Green
            Write-Host ""
        } Else {
            Write-Host ""
            Write-Host "Snap-In '$SnapIn' is not available to load..." -ForeGroundColor Red
            Write-Host ""
        }
    } Else {
        Write-Host ""
        Write-Host "Snap-In '$SnapIn' already loaded..." -ForeGroundColor Yellow
        Write-Host ""
    }
}

# Taken From http://www.integrationtrench.com/2011/07/convert-fim-exportobject-to-powershell.html
Function Convert-FimExportToPSObject {
    Param (
        [parameter(Mandatory=$true, ValueFromPipeline = $true)]
        [Microsoft.ResourceManagement.Automation.ObjectModel.ExportObject]
        $ExportObject
    )
    Process {
        $psObject = New-Object PSObject
        $ExportObject.ResourceManagementObject.ResourceManagementAttributes | %{
            If ($_.Value -ne $null) {
                $value = $_.Value
            } Elseif ($_.Values -ne $null) {
                $value = $_.Values
            } Else {
                $value = $null
            }
            $psObject | Add-Member -MemberType NoteProperty -Name $_.AttributeName -Value $value
        }
        Write-Output $psObject
    }
}

# If The BaseOnly Parameter Has Been Specified Then Only Export The Base Resources As Defined By The XPath Definition
# Otherwise ALSO Export Referred Objects In Linked Attributes
If ($baseonly) {
    $ObjectsInFIM = Export-FIMConfig -CustomConfig $xPath -OnlyBaseResources
} Else {
    $ObjectsInFIM = Export-FIMConfig -CustomConfig $xPath
}

# If Additional Filtering Is Required Which Is Not Possible Through The Xpath Then Use:
# http://www.integrationtrench.com/2011/09/cant-use-xpath-contains-function-to.html
# Example: $ObjectsInFIM | Convert-FimExportToPSObject | ?{$_.Filter -like "*myAttribute*"}
# Example: $ObjectsInFIM | Convert-FimExportToPSObject | ?{$_.XOML -like "*myValue*"}
# !!! ==> ADJUST THE POWERSHELL MANUALLY TO BE ABLE TO USE THIS <== !!!

# If The ExportCsv Parameter Has Been Specified Then ALSO Export To The CSV File Defined
# Otherwise Just Show Information On Screen
If ($exporttocsv) {
    $ObjectsInFIM | Convert-FimExportToPSObject | Select $attributelist | Export-CSV $csvfilepath -NoTypeInformation
}
$ObjectsInFIM | Convert-FimExportToPSObject | FT $attributelist -Autosize

# Count The Number Of Objects
$NumberOfObjectsInFIM = ($ObjectsInFIM | Measure-Object).Count
Write-Host "Number Of Objects......: $NumberOfObjectsInFIM"
Write-Host ""

Or get the PowerShell script from HERE

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————


2 Responses to “(2015-03-30) Querying The FIM Service Using PowerShell”

  1. Mark said

    Works a treat, except I only get ‘DisplayName’, The other values under FirstName, LastName, Email are coming up as black.

    • Jorge said

      This can mean 2 things…
      Or there is no data in those attributes (not likely)
      Or the account that is running the script does not have the permissions to retrieve the specified data from the targeted objects (more likely)

      For the last, you need to have a request MPR that grants permissions to the running account to retrieve the specified data from the targeted objects.

      A simple test to see if the account has the permissions or not is to log on to Windows with that account, open the FIM/MIM portal, open one of the targeted objects and see what data is displayed to you.
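For the blank-column case raised in the comments above, the following is an added example (not part of Jorge's script or the original post): it counts, per requested attribute, how many converted objects actually carry a value, so a column that is empty for every object stands out from one that is empty for only a few. The function name Get-FimAttributeCoverage and the sample objects are assumptions constructed for illustration; an attribute that is never returned only suggests a naming or read-permission (MPR) problem, it does not prove one.

```powershell
# Added example: per-attribute coverage report for objects shaped like the output of
# Convert-FimExportToPSObject. Function name and sample data are hypothetical.
Function Get-FimAttributeCoverage {
    Param (
        [Parameter(Mandatory=$true)] [object[]]$InputObject,
        [Parameter(Mandatory=$true)] [string[]]$AttributeList
    )
    $total = $InputObject.Count
    ForEach ($attribute In $AttributeList) {
        # Count objects where the property exists AND holds a non-empty value
        $returned = @($InputObject | Where-Object {
            $property = $_.PSObject.Properties[$attribute]
            ($null -ne $property) -and ($null -ne $property.Value) -and ("$($property.Value)" -ne '')
        }).Count

        If ($returned -eq $total) {
            $assessment = 'Returned for every object'
        } ElseIf ($returned -eq 0) {
            $assessment = 'Never returned: check attribute name and read permissions (MPR)'
        } Else {
            $assessment = 'Partly returned: probably empty on some objects'
        }

        New-Object PSObject -Property @{
            Attribute  = $attribute
            Returned   = $returned
            Missing    = $total - $returned
            Assessment = $assessment
        } | Select-Object Attribute, Returned, Missing, Assessment
    }
}

# Constructed sample data standing in for: $ObjectsInFIM | Convert-FimExportToPSObject
$sample = @(
    (New-Object PSObject -Property @{ DisplayName = 'Alice Example'; EmployeeID = '1001' }),
    (New-Object PSObject -Property @{ DisplayName = 'Bob Example' }),
    (New-Object PSObject -Property @{ DisplayName = 'Carol Example'; EmployeeID = '1003' })
)

Get-FimAttributeCoverage -InputObject $sample -AttributeList DisplayName,EmployeeID,Email |
    Format-Table -AutoSize
```

Against a live FIM service, pass `@($ObjectsInFIM | Convert-FimExportToPSObject)` as `-InputObject` and the same names given to `-attributelist`.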
