Had to do this a little differently than all of the blog posts I’d seen because using an Internal virtual switch and trying to allow it to share my local network resulted in an IP address conflict.

The fix was to create an External virtual switch with “Allow management operating system to share this network adapter” checked. Creating this takes a minute and Internet connectivity is dropped for a second while it applies changes.

Then, in the VM settings, select this new switch as the network adapter.

The VM might need to be turned off when making this setting change, but it worked for me while the VM was running.

There is a great write up on how to use the enumerate Resources Activity to update items in FIM here: http://www.fimspecialist.com/fim-portal/custom-workflow-examples/custom-workflow-example-enumerate-resources-activity/

I only had to do one thing differently to get it working in my environment. In the designer.cs file, I commented out the line:

this.Activities.Add(this.sequenceActivity1);

and instead add the activity on the enumerateResourcesActivity:

this.enumerateResourcesActivity1.Activities.Add(this.sequenceActivity1);

Unrelated to the post that explains updating objects with enumerateResourcesActivity, I got a rather misleading error when executing the update: “CompositeActivity cannot transition to ‘Closed’ status when there are active child context still exist for child activity.”

Apart from the confusing grammar, I assumed something was wrong with the sequence I was using to update the object. It turned out to be much simpler: I had a typo in one of the attribute names I was updating. I think this error is thrown if the update fails and the activity doesn’t get to close.

A web part I developed needed to access Active Directory. A lot of posts say to just set the site’s trust level to Full, but that is a security risk.

The solution I found was to use a wss_custom trust level.

First, I copied the wss_minimal.config file in the CONFIG file of the 14-hive and named it wss_custom.config.

I then modified it as described in this post: http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.security/2004-10/0240.html

I added this to <SecurityClasses>:

< SecurityClass Name=”DirectoryServicesPermission”  Description=”System.DirectoryServices.DirectoryServicesPermission,  System.DirectoryServices, Version=1.0.5000.0, Culture=neutral,  PublicKeyToken=b03f5f7f11d50a3a”/>

Then I added the “DirectoryServicesPermission” to the “NamedPermissionSet” of “ASP.NET”:
<PermissionSet class=”NamedPermissionSet” version=”1″  Name=”ASP.Net”>
<IPermission class=”DirectoryServicesPermission” version=”1″  Unrestricted=”true”/> 
</PermissionSet>

[Note: I didn’t remove the other entries in those two sections.]

In the web.config file, I added this to the <securityPolicy> settings:

<trustLevel name=”WSS_Custom” policyFile=”C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config\wss_custom.config” />

Next, I changed the trust level in the web.config file to WSS_Custom.

<trust level=”WSS_Custom” originUrl=”” />

[In addition to the post referenced above, this post helped me understand the steps to use a customized Code Access Security policy: http://blog.tylerholmes.com/2008/11/creating-custom-cas-policy-file-for.html]

In my web part C# code, I used PrincipalContext with a user with appropriate AD permissions:

PrincipalContext cxt = new PrincipalContext(ContextType.Domain, sDomain, sUser, sPwd);

using (UserPrincipal user = UserPrincipal.FindByIdentity(cxt, sAccountName))

{

DirectoryEntry entry = user.GetUnderlyingObject() as DirectoryEntry;

DirectorySearcher searcher = new DirectorySearcher(entry);

searcher.PropertiesToLoad.Add(“proxyAddresses”);

searcher.Filter = “(&(objectClass=user)(|(sAMAccountName=” + sAccountName + “)))”;

SearchResult result = searcher.FindOne();

if (result == null)

{

litResult.Text += “Error: User not found.”;

}

else

{

//do something

}

}

entry.Close();

entry.Dispose();

searcher.Dispose();

cxt.Dispose();

This article is extremely useful when trying to get the EnumerateResourcesActivity to work in the FIM workflows: http://c–shark.blogspot.com/2009/04/how-to-use-enumerateresourcesactivity.html

I don’t use the activity too often and forget that the designer code behind needs to be modified to add a code activity (which isn’t add via the UI) to the EnumerateResourcesActivity.

Just a sample script. I forgot that the message body needed to be converted to a string format and, as this script was being called by a back end process, it took me a while to figure out what the error was.

Code:

Add-Type -Path ‘F:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll’

#Create the EWS service object
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList Exchange2010_SP1

#Set the credentials for Exchange Online
#$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials -ArgumentList `
#$Credential.UserName, $Credential.GetNetworkCredential().Password
$service.UseDefaultCredentials = $true
$service.AutoDiscoverUrl(“sender@domain.com”)

#Determine the EWS endpoint using autodiscover
#$service.AutodiscoverUrl($Credential.UserName, {$true})

#Get the email body
$body = Get-Content “C:\Files\EmailTemplate.htm”
$body = $body -replace “Placeholder”, $Placeholder

#Have to convert the object to a string to use in the mail body.
[string]$msgBody = $body

#Create the email message and set the Subject and Body
$message = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage -ArgumentList $service
$message.Body.BodyType = ‘HTML’
$message.From = “sender@domain.com”
$message.Subject = “A message for you”
$message.Body = $msgBody

$message.ToRecipients.Add($CreatorEmail)

#Send the message and save a copy in the users Sent Items folder (Alt is message.Send which will not save a copy.)
$message.SendAndSaveCopy()

Had to futz around with this for a little while to get a line break in the Telephone Info field in Active Directory. Environment.NewLine wasn’t working for me. Using “/r/n” did the trick though.

I needed a query to figure out which users in the metaverse were not connected to AD. With help from Carol Wapshere’s post on querying the metaverse (http://www.wapshere.com/missmiis/sql-query-find-metaverse-objects-with-n-connectors), I came up with this:

select EmployeeID from mms_metaverse where object_type =‘person’ and object_id not in

(select mv_object_id from dbo.mms_connectorspace cs

join dbo.mms_management_agent ma on

cs.ma_id = ma.ma_id

join dbo.mms_csmv_link mv on

mv.cs_object_id = cs.object_id

where ma.ma_name =‘ADMA’and object_type =‘user’)

I was working in a dev environment and noticed that the “All Users” search scope was no longer appearing in the drop down list.

This perplexed me because I had not changed any search scopes or permissions in a long time. All I had been doing was merrily cleaning up some attributes the schema no longer needed.

Turns out one of the attributes I deleted was referenced in the search scope in the list of attributes to search and the results to display. Removing the now no longer existent attribute allowed the search scope to be displayed again after a service restart.