sean-m · February 21, 2018 01:32
diff --git a/Repair_Owner_DisplayOwner_Mismatch.ps1 b/Repair_Owner_DisplayOwner_Mismatch.ps1
 #Requires -Version 4 -Modules FIM\FimPowerShellModule.psm1

 <#  
    Queries for Group objects that have the Owner attribute set but who's DisplayedOwner
    is not in the Owner list. This can occur you have a FIM/MIM Sync Rule that maps
    managedBy => DisplayedOwner and msExchCoManagedByLink => Owner. Those attributes will
    flow directly because they match up being single => single, multivalue => multivalue but
    there is the caveat that the managedBy value never has a reason to exist in the msExchCoManagedByLink
    value. Setting the FIM Group Owner list by combining the two source attributes doesn't appear to work
    via declarative rule or rule extension but allowing the properties to Sync directly and then resolving
    them after the fact works great. 
    
    Method for modifying Group from here: https://espace.cern.ch/idm/Lists/Posts/Post.aspx?ID=32
    
    -Sean McArdle, 02/2018
 #>
  
 # Load FIMAutomation SnapIn and FIMPowershellModule (http://fimpowershellmodule.codeplex.com)
 if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
 Import-Module FIM\FimPowerShellModule.psm1

 # XPath for Groups with missmatching Owner/DisplayedOwner attributes
 $ownerWithoutDisplayed = "/Group[Owner = /* and not(Owner = /Group/DisplayedOwner)]"

 # Convenience enums
 $ImportState = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]
 $ImportOperation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]

 # Groups with issues
 $groups = @(Export-FIMConfig -CustomConfig $ownerWithoutDisplayed -OnlyBaseResources | Convert-FimExportToPSObject)
 if (-not $groups) { 
    return  # Nothing wrong
 }


 foreach ($g in $groups) {

    if (-not $g.DisplayedOwner) { continue }

    # Add an owner to a group
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = "Group"
    $importObject.TargetObjectIdentifier = $g.ObjectID
    $importObject.SourceObjectIdentifier = $g.ObjectID
    $importObject.State = $ImportState::Put

    # Add an owner to a group
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = $ImportOperation::Add
    $importChange.AttributeName = "Owner"
    $importChange.AttributeValue = $g.DisplayedOwner
    $importChange.FullyResolved = 1
    $importChange.Locale = "Invariant" 

    $importObject.Changes = $importObject.Changes + $importChange

    $importObject | Import-FIMConfig
 }


 $groupsStillHosed = Export-FIMConfig -CustomConfig $ownerWithoutDisplayed -OnlyBaseResources | Convert-FimExportToPSObject
 if ($groupsStillHosed) {
    # Notify support
 }
	#Requires -Version 4 -Modules FIM\FimPowerShellModule.psm1

	<#
	Queries for Group objects that have the Owner attribute set but who's DisplayedOwner
	is not in the Owner list. This can occur you have a FIM/MIM Sync Rule that maps
	managedBy => DisplayedOwner and msExchCoManagedByLink => Owner. Those attributes will
	flow directly because they match up being single => single, multivalue => multivalue but
	there is the caveat that the managedBy value never has a reason to exist in the msExchCoManagedByLink
	value. Setting the FIM Group Owner list by combining the two source attributes doesn't appear to work
	via declarative rule or rule extension but allowing the properties to Sync directly and then resolving
	them after the fact works great.

	Method for modifying Group from here: https://espace.cern.ch/idm/Lists/Posts/Post.aspx?ID=32

	-Sean McArdle, 02/2018
	#>

	# Load FIMAutomation SnapIn and FIMPowershellModule (http://fimpowershellmodule.codeplex.com)
	if(@(get-pssnapin \| where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
	Import-Module FIM\FimPowerShellModule.psm1

	# XPath for Groups with missmatching Owner/DisplayedOwner attributes
	$ownerWithoutDisplayed = "/Group[Owner = /* and not(Owner = /Group/DisplayedOwner)]"

	# Convenience enums
	$ImportState = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]
	$ImportOperation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]

	# Groups with issues
	$groups = @(Export-FIMConfig -CustomConfig $ownerWithoutDisplayed -OnlyBaseResources \| Convert-FimExportToPSObject)
	if (-not $groups) {
	return # Nothing wrong
	}


	foreach ($g in $groups) {

	if (-not $g.DisplayedOwner) { continue }

	# Add an owner to a group
	$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
	$importObject.ObjectType = "Group"
	$importObject.TargetObjectIdentifier = $g.ObjectID
	$importObject.SourceObjectIdentifier = $g.ObjectID
	$importObject.State = $ImportState::Put

	# Add an owner to a group
	$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
	$importChange.Operation = $ImportOperation::Add
	$importChange.AttributeName = "Owner"
	$importChange.AttributeValue = $g.DisplayedOwner
	$importChange.FullyResolved = 1
	$importChange.Locale = "Invariant"

	$importObject.Changes = $importObject.Changes + $importChange

	$importObject \| Import-FIMConfig
	}


	$groupsStillHosed = Export-FIMConfig -CustomConfig $ownerWithoutDisplayed -OnlyBaseResources \| Convert-FimExportToPSObject
	if ($groupsStillHosed) {
	# Notify support
	}