In our FIM environment we want to retrieve the list of pending exports. This is typically accomplished with a “csexport.exe MAName /f:x” command. On my dev environment as a user with FIMSyncAdmins rights, the export is produced as expected.
When I ran the same command as a scheduled task, I would receive this error message in our log file:
Microsoft Identity Integration Server Connector Space Export Utility v4.1.3419.0
(c) 2012 Microsoft Corporation. All rights reserved
Failed to export connector space.
Error: <error>The Synchronization Service Manager service has stopped.</error>
It’s an odd message in that the Sync service was absolutely running.
After making sure there was nothing wrong with the PowerShell script that was driving the command, I eventually tried elevating the service account to include local admin rights, and at that point it succeeded.
From there I took a leap of faith that the Sync service really was running, but that under a non-admin scheduled task the process couldn't see that it was running for some reason. Recalling the Service Control Manager hardening introduced in Windows Server 2003 SP1, my guess was that the scheduled task couldn't query the SCM for the service's status.
Sure enough, reviewing the default ACLs on the service confirmed it:
C:\Windows>sc sdshow FIMSynchronizationService
As an Interactive User (IU) you get read access to the service. But a scheduled task running under a service account is not an interactive logon, so its token doesn't carry the IU SID and the read ACE never applies. The solution is to grant the FIMSyncAdmins group read access to the service explicitly.
With a small PowerShell script to determine the local group's SID, we can update the SDDL for the service:
C:\Windows>sc sdset FIMSynchronizationService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;
[SC] SetServiceObjectSecurity SUCCESS
And now CSExport works from a scheduled task.
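The fix described above, written out as an added example script (not the original post's script): it resolves the local group's SID, reads the service's current SDDL, appends a read-only ACE for that SID to the DACL, and writes it back. It assumes the service and group names shown, and an elevated PowerShell session, since sc sdset requires WRITE_DAC on the service.

```powershell
# Added example: grant a local group read access to a service's SCM security descriptor.
# Assumed names (adjust for your environment); must be run from an elevated prompt.
$ServiceName = 'FIMSynchronizationService'
$GroupName   = 'FIMSyncAdmins'   # local group the scheduled task account belongs to

# Resolve the group's SID so the ACE names it unambiguously
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# sc.exe sdshow prints a blank line followed by the SDDL string; keep the SDDL only
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DO]:' }).Trim()
if (-not $sddl) { throw "Could not read the SDDL for $ServiceName" }

# Service read rights, the same mask the default Interactive User ACE carries:
# CC QueryConfig, LC QueryStatus, SW EnumerateDependents, LO Interrogate,
# CR UserDefinedControl, RC ReadControl. No start/stop/change-config rights.
$ace = "(A;;CCLCSWLOCRRC;;;$sid)"

if ($sddl -like "*;;;$sid)*") {
    Write-Host "$GroupName ($sid) already has an ACE on $ServiceName; nothing to do"
    return
}

# Append the ACE to the end of the DACL, i.e. before the SACL ('S:') when present
$dacl, $sacl = $sddl -split '(?=S:)', 2
$newSddl = $dacl + $ace + $sacl

Write-Host "Before: $sddl"
Write-Host "After:  $newSddl"

& sc.exe sdset $ServiceName $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }

# Read it back to confirm the new ACE is in place
& sc.exe sdshow $ServiceName
```

The script is idempotent: rerunning it after the ACE exists changes nothing, and the before/after lines give you a record of exactly what was changed on the service.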