Requests submitted through FIM PowerShell Module fail; same requests work fine through Portal UI

May 15, 2014 at 1:36 PM
Edited May 15, 2014 at 5:52 PM
We've been using FIM to manage DLs and Shared mailboxes for 2 years now. I work in the Messaging team - a separate team actually supports the FIM backend infrastructure so I don't have access to see all of the Server logs, etc. Previously we've been able to successfully create and update SharedMailbox objects using the FIM cmdlets but all of a sudden it's stopped working. We can still read data from FIM using Export-FIMConfig but any attempt to change or create objects fails as follows.

Example command:
New-FimImportObject -uri $uri -ObjectType SharedMailbox -State Put -AnchorPairs @{Email = "test@test.com"} -Changes @(New-FimImportChange -uri $uri -Operation Replace -AttributeName 'DisplayName' -AttributeValue "Test2") -ApplyNow
This results in the following errors:
Import-FIMConfig : Failure when making web service call.
SourceObjectID = 00000000-0000-0000-0000-000000000000
Error = The web service client has encountered the following class of error: ManagementPolicyRule
Details: Failed Attributes: DisplayName
Additional Text Details: No policy grants the Requestor permission to complete all changes.
Correlation Identifier: 00a890d7-9f1c-434e-abb1-9d4cc9df24b6
Failure Message:
Request Identifier:
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\FimPowerShellModule\FimPowerShellModule.psm1:289 char:49 + $importObject | Import-FIMConfig <<<< -Uri $Uri + CategoryInfo : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException + FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig
We've tried multiple requests updating different objects and attributes and they all fail with the same error as above. The strange thing is that when I look at the request through the FIM UI in 'My Requests' it shows as status "Denied" and the summary is:Update to Resource: '' request as if I am trying to update a 'resource' rather than a 'SharedMailbox' and the name of the SharedMailbox is missing from the request details.

If I submit exactly the same request - to modify the same attribute of the same SharedMailbox - through the FIM Portal UI it works fine.

We've asked our FIM team to investigate but so far they haven't been able to determine what is causing the problem so I thought I'd post here in case anybody can help. It seems to be a permissions issue but, if that's the case, how come it works when we submit the request through the UI but fails when we use the cmdlets?

Note: The above error occurs using the 27699 changeset version of the FIM PowerShell Module. If we use the 2.1 release version (20464) the error does not occur and the request is processed successfully.

Many Thanks,
Stuart
May 16, 2014 at 9:41 AM
This issue seems to be resolved in build 28017. I downloaded and installed build 28017 and now the issue is not occurring. Very strange!
Marked as answer by stukey on 5/16/2014 at 1:41 AM