How to run FIM 2010 PowerShell Cmdlets from a remote machine?


Hi There,

I am Syam Pinnaka, Dev in Identity and Access Management (IAM) team at Microsoft. In this blog post let's see an interesting learning that I came across in my current project.

Did you ever wonder how to run the Forefront Identity Manager (FIM) 2010 PowerShell Cmdlet(s) from a remote machine, i.e. from a machine other than the one on which the FIM Service is installed? It's absolutely possible; continue reading this blog post to learn how.

FIM 2010 provides PowerShell Cmdlets as a mechanism to work with FIM 2010 resources. The mechanics of working with FIM Cmdlets is a good discussion subject, but I will limit this blog post to “How to work with Cmdlets from a remote machine?”. As part of the FIM 2010 service installation, FIM installs a PowerShell addin assembly, which is what is required to run the FIM 2010 Cmdlets from any machine. In addition to the addin assembly file, some registry changes are required to register the FIM addin. Registration is required for Windows PowerShell to correctly identify the FIM addin and load it into its runspace. Once the addin is loaded, any FIM 2010 Cmdlet can be executed by specifying the correct target server (-uri) and other valid import/export parameters.

Here are the steps to get this working on a remote machine.

  1. Locate “Microsoft.ResourceManagement.ObjectModel.dll” and copy it onto the remote machine. This assembly can be found in the FIM 2010 service install location on the machine where the FIM 2010 service is installed.

  2. Register the above assembly using InstallUtil.exe. Note: Based on your computer architecture, you will need to use the correct InstallUtil.exe version.

  3. Create the following registry entries either manually or using a script.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\FIMAutomation]
    "PowerShellVersion"="2.0"
    "Vendor"="Microsoft"
    "Description"="Registers the CmdLets and Providers in this assembly"
    "VendorIndirect"="FIMAutomation,Microsoft"
    "DescriptionIndirect"="ConfigMigration,Registers the CmdLets and Providers in this assembly"
    "Version"="4.0.3576.2"
    "ApplicationBase"="D:\\FIM_SharedAssemblies"
    "AssemblyName"="Microsoft.ResourceManagement.Automation, Version=4.0.3576.2, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    "ModuleName"="D:\\FIM_SharedAssemblies\\Microsoft.ResourceManagement.Automation.dll"
    
  4. Alternatively, the above entries can be exported as a .reg file from the FIM 2010 service machine and imported into the remote machine.

  5. Modify the "ApplicationBase" and "ModuleName" values to point to the correct location on the remote machine.

  6. That’s it.

To test whether the FIM addin is working as desired, open a Windows PowerShell console, load the FIM addin by executing “add-PSSnapin ‘FIMAutomation’” and run a FIM Cmdlet. Note that, in addition to the normal parameters, the server “uri” parameter value has to be specified explicitly so that the Cmdlet points to the FIM 2010 Service machine. If everything works fine, you will see the result set returned from the executed Cmdlet.
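One way to script that test, as an added example that is not code from the original post: it checks that the registration from steps 3 to 5 matches the file actually copied to this machine before loading the snap-in. The function name `Test-FimSnapInRegistration`, the host name in `$FimServiceUri` and the choice of `Export-FIMConfig` with an `/ObjectTypeDescription` query as the test Cmdlet are assumptions made for illustration.

```powershell
# Added example. ASSUMPTION: placeholder host; replace with your FIM Service machine.
$FimServiceUri = 'http://fimserver.example.local:5725/ResourceManagementService'
$SnapInKey     = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\FIMAutomation'

# Hypothetical helper: validates the snap-in registration against the file on disk.
function Test-FimSnapInRegistration {
    param([string]$KeyPath = $SnapInKey)

    if (-not (Test-Path $KeyPath)) {
        throw "Snap-in key not found: $KeyPath (registry entries from step 3 are missing)."
    }
    $reg = Get-ItemProperty -Path $KeyPath

    # Step 5: both values must point at locations that exist on THIS machine.
    if (-not (Test-Path $reg.ApplicationBase -PathType Container)) {
        throw "ApplicationBase does not exist: $($reg.ApplicationBase)"
    }
    if (-not (Test-Path $reg.ModuleName -PathType Leaf)) {
        throw "ModuleName does not exist: $($reg.ModuleName)"
    }

    # The strong name (name, version, public key token) of the copied file must
    # equal the registered AssemblyName, otherwise a different binary would load.
    $onDisk = [System.Reflection.AssemblyName]::GetAssemblyName($reg.ModuleName).FullName
    if ($onDisk -ne $reg.AssemblyName) {
        throw "Assembly identity mismatch. Registry: $($reg.AssemblyName) File: $onDisk"
    }

    # A copied binary that is unsigned or altered reports a Status other than Valid.
    $sig = Get-AuthenticodeSignature -FilePath $reg.ModuleName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode status of $($reg.ModuleName): $($sig.Status)"
    }
    return $true
}

Test-FimSnapInRegistration | Out-Null

# Load the snap-in only if this session does not have it yet.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# -Uri directs the Cmdlet at the remote FIM Service instead of the local machine.
$objects = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources `
                            -CustomConfig '/ObjectTypeDescription'
"Returned $(@($objects).Count) object(s) from $FimServiceUri"
```

Run it from the same PowerShell bitness (32-bit or 64-bit) that InstallUtil.exe was used for in step 2, since each reads its own view of the registry.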

Even though this is not complicated, nothing beats the convenience of running the scripts from my local machine and thus avoiding the need to log in to the FIM Service machine all the time. Hopefully you will find this tip useful as well.

Happy coding!