Managing Primary Group using FIM 2010

When working with educational customers a typical AD group is Students. This group, however, might contain hundreds of thousands of users, making it hard to manage. One solution is to make the Students group the primary group for the students. In this post I will show you one way of managing this using FIM 2010 R2.

The Primary Group in AD is stored in the attribute primaryGroupID as an integer. The value is the RID (Relative Identifier) of the group in AD. When you create a new user in AD this value becomes 513, which corresponds to the Domain Users group. We cannot set this to any other value during provisioning, so we need to change it after provisioning is completed. If you look at the group in AD you will find that the value we are looking for is the last part of the objectSID.
A thing to remember about the primary group is that once a group is configured as a user's primary group, the user is no longer listed in that group's members attribute. But if you then change the primaryGroupID, the user becomes a listed member of the previous primary group.

Now let’s see how we handle this in FIM.
We already have the Students group, defined using some membership criteria.
The group needs to be created and provisioned to AD before we can record the primaryGroupID for this particular group. In the picture below you can see that my group got the ID 1204.
You can also get the value using PowerShell.

# Look up the group and take the last sub-authority of its SID, which is the RID
$group = Get-ADGroup "Students"
$groupSid = $group.SID
[int]$GroupID = $groupSid.Value.Substring($groupSid.Value.LastIndexOf("-") + 1)

We need to add primaryGroupID to the attributes selected in the AD MA.
Import the current value into a new MV attribute called, for example, primaryGroupID (Number).
If you are using dynamic groups, as I always try to do, you also need to add the attribute to the FIM Service schema, allow Sync to manage it, and allow it in filters.

Once the primaryGroupID is set in Active Directory the user will no longer show up in the members attribute, so FIM will try to add them again and fail with an error that the object already exists.
We therefore need to modify the criteria so that the group no longer contains the users which have been configured to have it as their primary group.
The outbound synchronization rule could then look something like this:
where “1204” is the primaryGroupID of the new group.

Once the account is created and the new primaryGroupID has been set, we can run this clean-up activity to remove the users from the Domain Users group, if that is desired.

# Users whose primary group is no longer Domain Users (513) can be removed from it;
# -Confirm:$false avoids a confirmation prompt for every single user
Get-ADUser -SearchBase "OU=Students,DC=ad,DC=company,DC=com" -Filter {primaryGroupID -ne 513} |
    ForEach-Object { Remove-ADGroupMember -Identity "Domain Users" -Members $_ -Confirm:$false }
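As an added example (not code from the original post), here is the per-user change end to end in PowerShell: look up the RID, add the group membership that AD requires before primaryGroupID may point at the group, set the attribute, and verify the result, plus a report of users not yet converted. The user name, group name and OU are placeholders for the post's scenario.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# the user name, group name and OU below are placeholders for the post's scenario.
Import-Module ActiveDirectory

function Get-GroupRid {
    param([Parameter(Mandatory)][string]$GroupName)
    # The RID is the last sub-authority of the group's SID (S-1-5-21-...-1204 -> 1204)
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    return [int]$sid.Substring($sid.LastIndexOf('-') + 1)
}

function Set-UserPrimaryGroup {
    param(
        [Parameter(Mandatory)][string]$UserSam,
        [Parameter(Mandatory)][string]$GroupName
    )
    $group = Get-ADGroup -Identity $GroupName
    $rid   = Get-GroupRid -GroupName $GroupName
    $user  = Get-ADUser -Identity $UserSam -Properties primaryGroupID, memberOf
    # AD only accepts a primaryGroupID that points at a group the user is already
    # a member of, so add the membership first when it is missing.
    if ($user.memberOf -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    if ($user.primaryGroupID -ne $rid) {
        Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
    }

    # Verify: the user now carries the new RID and, as the post describes, the
    # group has dropped out of memberOf because primary membership is implicit.
    $after = Get-ADUser -Identity $UserSam -Properties primaryGroupID, memberOf
    [pscustomobject]@{
        User           = $UserSam
        PrimaryGroupID = $after.primaryGroupID
        Converted      = ($after.primaryGroupID -eq $rid) -and
                         ($after.memberOf -notcontains $group.DistinguishedName)
    }
}

# Report students whose primary group has not yet been switched to the group.
function Get-UnconvertedStudents {
    param([string]$SearchBase = 'OU=Students,DC=ad,DC=company,DC=com', [string]$GroupName = 'Students')
    $rid = Get-GroupRid -GroupName $GroupName
    Get-ADUser -SearchBase $SearchBase -Filter "primaryGroupID -ne $rid" -Properties primaryGroupID |
        Select-Object SamAccountName, primaryGroupID
}

Set-UserPrimaryGroup -UserSam 'student01' -GroupName 'Students'   # placeholder user
```

Run Get-UnconvertedStudents before the Domain Users clean-up above; any account it lists still has 513 as its primary group and would fail the removal.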
