Introduction to Distribution Group Management

Applies To: Forefront Identity Manager 2010

In a typical enterprise environment, managing Distribution Groups (DGs) represents a common task that has an impact on operational costs. Because end users do not have tools to manage DGs themselves, to create, update, or delete a DG, end users need to contact a department that has appropriate rights and tools to manage DGs. Other considerations include costs of the operational staff; the required interactions with another department, which has an impact on the productivity of the end users; and compliance with organizational policies. To address these issues, Microsoft Forefront™ Identity Manager 2010 (FIM 2010) includes a key functionality to reduce help desk calls and improve productivity by empowering end users to perform tasks in a framework with delegated self-service.

One aspect of this empowerment is the ability for an end user to fully manage groups themselves by using the FIM 2010 Portal. The following concepts play an important role in this management:

  • Manually managed and criteria-based membership

  • Owner approval

  • Displayed owner

Manually managed and criteria-based membership: Today, the most common way to specify members of a group is to manually select them from a list. This is referred to as manually managed membership. In FIM 2010 by default, you can also define memberships based on the object properties. This implementation is also known as criteria-based membership. With criteria-based membership, the members of a group are determined based on a set of specified conditions. For example, you can specify that all users that have a specific title or are part of a specific department are added to a group. Criteria-based membership represents a convenient way to let the system add and remove the right members from a group based on the changing properties of users and other resources in FIM 2010.

Owner approval: In FIM 2010, a group with manually managed membership can be open for anyone to join, or it can require the owner’s approval. For a group that requires owner approval to join, others can submit a request for membership in a group, which has to be approved by one of the owners. This increases the usability of a group while still maintaining the membership in a controlled manner.

Owner and displayed owner: In FIM 2010, the owners of a group have the rights to make changes to the group; to delete it; and, if the group requires owner approval for joining, to approve requests to join the group. You can load-balance the management of distribution lists by assigning multiple owners, and, more importantly, you can ensure continuity in the management of the group if one of the owners leaves the organization or otherwise happens to no longer be an owner. However, because some external systems only support ownership of a group as single-valued, each group must have one of the owners designated as the Displayed owner so that ownership can be indicated correctly in those connected data sources that require Owner to be single-valued.

What This Document Covers

This document demonstrates and highlights the option to enable nonadministrators to manage DGs and shows how the joining of a DG based on owner approval works.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of DGs in Active Directory® Domain Services (AD DS).

While it is not required, we highly recommend that you familiarize yourself with the concept of inbound synchronization rules and how they work, as outlined in the Introduction to Inbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=165858).

Audience

This document is intended for information technology (IT) pros who are interested in learning about the new DG features in FIM 2010.

Time requirements

The completion time for the procedures in this document is approximately 120 minutes.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Microsoft Forefront Identity Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkId=163230).

Scenario Description

Reducing help desk calls and improving productivity by empowering IT pros to perform administrative tasks is a key concept in FIM 2010. In FIM 2010, you can enable nonadministrators to manage their own DGs. Besides the basic management tasks, such as the creation of a DG, you can enable the users in your organization to implement membership management. This includes approving or rejecting requests from others to join a managed DG.

Fabrikam, a fictitious corporation, is in the process of evaluating these new features based on a common scenario. Fabrikam’s goal is to empower full-time employees to manage their own DGs. To evaluate the new features, Fabrikam decided to set up a lab environment with a simplified implementation of the corporate network. In this lab environment, Fabrikam verifies whether an attempt by contractors to create a DG is rejected and whether full-time employees can manage DGs based on owner-approved membership.

Testing environment

The scenario that is described in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration shows the forest configuration.

[Illustration: forest configuration]

So that the procedures in this document can be performed, the domain controller has been configured with the following software components:

  • Windows Server® 2008 64-Bit Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • Microsoft SQL Server® 2008 64-Bit Enterprise SP1

  • Windows® SharePoint® Services 3.0 (SP1), 64-bit

  • Windows PowerShell™ 1.0

  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide.

Scenario Roadmap

The scenario roadmap in this document consists of three main building blocks:

  1. Configuring the scenario – In this section, you create all required scenario components, including the required sample users, management agents, run profiles, and an inbound synchronization rule.

  2. Initializing the scenario – In this section, you deploy your initial configuration inside FIM 2010.

  3. Testing the scenario – In this section, you verify that the scenario works according to the scenario specification.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  1. Configuring the connected data sources

  2. Configuring the FIM 2010 R2 Synchronization Service

  3. Configuring the FIM 2010 R2 Service

The following sections provide detailed instructions for each configuration building block.

Configuring the connected data source

To configure the connected data source, you must create a new organizational unit (OU) and three sample users in your Active Directory environment. Because the scenario is designed to be completed on a single computer, the sample users should be members of the Server Operators security group, which has the right to log on to a domain controller. As an alternative, you can also add a workstation to your environment, which eliminates the need for the membership update.

Creating the OU

For the scenario in this document, you create an OU that receives the newly created sample objects.

To create the OU

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. In the console tree, right-click fabrikam.com, click New, and then click Organizational Unit.

  3. In Name, type FIMObjects.

  4. To create the OU, click OK.

Creating the Active Directory sample users

For the scenario in this document, you must create some sample users in AD DS. The following table lists the initial attributes to set when you create the sample users.

First name  Last name  Full name       User logon name
Britta      Simon      Britta Simon    bsimon
Terry       Adams      Terry Adams     tadams
Jimmy       Bischoff   Jimmy Bischoff  jbischoff

To create the Active Directory sample users

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. Expand the console tree, and then select the newly created FIMObjects OU.

  3. To open the New Object – User dialog box, on the Action menu, click New, and then click User.

  4. Enter the data shown in the previous table for the current user, and then click Next.

  5. In the Password and the Confirm password text boxes, type P@$$w0rd.

  6. Clear the User must change password at next logon check box, and then click Next.

  7. To create the user, click Finish.

Repeat these steps for the remaining users.

At this point, you have created three new users in the FIMObjects OU. For each user, you must set additional attributes.

The following table lists the required attributes.

Name            Employee ID  Employee type
Britta Simon    10           Full-time employee
Terry Adams     11           Full-time employee
Jimmy Bischoff  12           Contractor

To set the additional attributes

  1. In the FIMObjects OU, select the name of the user in the previous table.

  2. To display the properties dialog box for the selected user, on the Action menu, click Properties.

  3. Click the Attribute Editor tab.

  4. Set each attribute shown for the current row in the previous table.

Repeat these steps for all sample users.

Assigning group membership

This task is required to grant your sample users the right to interactively log on to your server running FIM 2010 R2.

To assign group membership

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. In the console tree, select the Builtin container of the Fabrikam.com domain.

  3. In the list of objects, select the Server Operators security group.

  4. To open the Server Operators Properties dialog box, on the Action menu, click Properties.

  5. Select the Members tab, and then click Add.

  6. In the Object Names text box, type Britta Simon;Terry Adams;Jimmy Bischoff.

  7. Click OK to update the group membership.
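
The three procedures above (creating the OU, creating the sample users with their additional attributes, and assigning Server Operators membership) scripted with ADSI from Windows PowerShell 1.0, as an added example that is not part of the original document. It assumes an elevated domain administrator session on FabrikamDC1, the distinguished name DC=fabrikam,DC=com, and the UPN suffix @fabrikam.com.

```powershell
# Added example, not from the original document. Intended for the lab on FabrikamDC1.
# Assumptions: elevated domain administrator session; domain DN DC=fabrikam,DC=com;
# UPN suffix @fabrikam.com.
$domainDN = 'DC=fabrikam,DC=com'
$ouDN     = "OU=FIMObjects,$domainDN"

# Single quotes stop PowerShell from expanding "$$" inside the lab password.
$password = 'P@$$w0rd'

# Sample users with the attributes from the two tables above.
$users = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    Id = '10'; Type = 'Full-time employee' },
    @{ First = 'Terry';  Last = 'Adams';    Logon = 'tadams';    Id = '11'; Type = 'Full-time employee' },
    @{ First = 'Jimmy';  Last = 'Bischoff'; Logon = 'jbischoff'; Id = '12'; Type = 'Contractor' }
)

# Create the FIMObjects OU unless it is already there.
if (-not ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ouDN"))) {
    $root  = [ADSI]"LDAP://$domainDN"
    $newOu = $root.Create('organizationalUnit', 'OU=FIMObjects')
    $newOu.SetInfo()
}

$ou        = [ADSI]"LDAP://$ouDN"
$operators = [ADSI]"LDAP://CN=Server Operators,CN=Builtin,$domainDN"

foreach ($entry in $users) {
    $fullName = $entry['First'] + ' ' + $entry['Last']
    $userPath = "LDAP://CN=$fullName,$ouDN"

    # Skip users that already exist so the script can be re-run safely.
    if ([System.DirectoryServices.DirectoryEntry]::Exists($userPath)) {
        Write-Host "Skipping existing user: $fullName"
        continue
    }

    # Create the account with the attributes the Fabrikam ADMA imports later.
    $user = $ou.Create('user', "CN=$fullName")
    $user.Put('sAMAccountName',    $entry['Logon'])
    $user.Put('userPrincipalName', $entry['Logon'] + '@fabrikam.com')
    $user.Put('givenName',         $entry['First'])
    $user.Put('sn',                $entry['Last'])
    $user.Put('displayName',       $fullName)
    $user.Put('employeeID',        $entry['Id'])
    $user.Put('employeeType',      $entry['Type'])
    $user.SetInfo()

    # The password must be set before the account is enabled.
    $user.psbase.Invoke('SetPassword', $password)

    # 512 = NORMAL_ACCOUNT: enables the account and clears the PASSWD_NOTREQD
    # flag that accounts created through ADSI start with.
    $user.Put('userAccountControl', 512)
    $user.SetInfo()

    # Server Operators membership grants the interactive logon right on the DC.
    $operators.psbase.Invoke('Add', $userPath)
    Write-Host "Created $fullName and added the account to Server Operators"
}
```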

Configuring the FIM Synchronization Service

This section contains the instructions for configuring the FIM 2010 R2 Synchronization Service. Your sample users must be synchronized into FIM 2010 R2 because, for security purposes, FIM 2010 needs a user’s domain as well as the user’s security identifier (SID) to make access decisions. The implementation of the synchronization scenario in this document is simplified and designed to enable only the scenario that is outlined in this document.

The configuration of the FIM 2010 R2 Synchronization Service consists of the following tasks:

  1. Enabling synchronization rule provisioning

  2. Creating the Fabrikam Active Directory Management Agent (ADMA)

  3. Creating the Fabrikam FIMMA

  4. Creating run profiles

Enabling synchronization rule provisioning

To enable the configured synchronization rules during a synchronization run, you must enable synchronization rule provisioning in the Synchronization Service Manager.

To enable synchronization rule provisioning

  1. Open the Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Creating management agents

The objective of the synchronization scenario is to publish the three Active Directory sample users into the FIM 2010 data store. To accomplish this, two management agents are required:

  1. Fabrikam ADMA

  2. Fabrikam FIMMA

Creating the Fabrikam ADMA

The Fabrikam ADMA is a management agent for AD DS. To create this management agent, you use the Create Management Agent Wizard.

To create the Fabrikam ADMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Active Directory Domain Services

    • Name: Fabrikam ADMA

  4. On the Connect to Active Directory Forest page, provide the following settings, and then click Next:

    • Forest name: fabrikam.com

    • User name: administrator

    • Password: the administrator’s password

    • Domain: fabrikam

  5. On the Configure Directory Partitions page, perform the following steps, and then click Next:

    1. In the Select directory partitions list, select DC=Fabrikam, DC=com.

    2. To open the Select Containers dialog box, click Containers.

    3. To clear all selected nodes, click the DC=Fabrikam,DC=com node.

    4. Click the FIMObjects node.

    5. To close the Select Containers dialog box, click OK.

  6. On the Configure Provisioning Hierarchy page, click Next.

  7. On the Select Object Types page, perform the following steps, and then click Next:

    1. In the Object types list, select user.

  8. On the Select Attributes page, provide the following settings, and then click Next:

    1. Select Show All.

    2. In the Attributes list, select the following attributes:

      • displayname

      • employeeID

      • employeeType

      • givenName

      • objectSid

      • sAMAccountName

      • sn

  9. On the Configure Connector Filter page, click Next.

  10. On the Configure Join and Projection Rules page, click Next.

  11. On the Configure Attribute Flow page, click Next.

  12. On the Configure Deprovisioning page, click Next.

  13. On the Configure Extensions page, click Finish.

Creating the Fabrikam FIMMA

The Fabrikam FIMMA is a management agent for the FIM Service. To create this management agent, you use the Create Management Agent Wizard.

Important

To create the FIM 2010 R2 management agent, you need a separate user account that is used to run it.

To create a user account for the Fabrikam FIMMA

  1. Open Active Directory Users and Computers.

  2. In the console tree, select the Users container.

  3. To open the New Object – User dialog box, on the Action menu, click New, and then click User.

  4. In the First name text box, type fimma.

  5. In the User logon name text box, type fimma, and then click Next.

  6. In the Password and the Confirm password text boxes, type a password of your choice.

  7. Clear the User must change password at next logon check box.

  8. Select Password never expires, and then click Next.

  9. To create the user account, click Finish.

To create the Fabrikam FIMMA

  1. In FIM 2010, open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: FIM 2010 R2 Service Management Agent

    • Name: Fabrikam FIMMA

  4. On the Connect to Database page, provide the following settings, and then click Next:

    • Server: .

    • Database: FIMService

    • FIM Service base address: https://localhost:5725

    • Authentication mode: Windows Integrated Authentication

    • User name: fimma

    • Password: <the account’s password>

    • Domain: fabrikam

  5. On the Selected Object Types page, verify that the following object types are selected, and then click Next:

    • ExpectedRuleEntry

    • DetectedRuleEntry

    • SynchronizationRule

    • Person

  6. On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Object Type Mappings page, add the following mapping, and then click Next:

    1. In the Data Source Object Type list, select Person.

    2. To open the Mapping dialog box, click Add Mapping.

    3. In the Metaverse object type list, select person.

    4. To close the Mapping dialog box, click OK.

  9. On the Configure Attribute Flow page, apply the attribute flow mappings in the following table, and then click Next.

    Flow direction  Data source attribute  Metaverse attribute
    Export          AccountName            accountName
    Export          DisplayName            displayName
    Export          Domain                 domain
    Export          EmployeeID             employeeID
    Export          EmployeeType           employeeType
    Export          FirstName              firstName
    Export          LastName               lastName
    Export          ObjectSID              objectSid

    1. In Data source object type, select Person.

    2. In Metaverse object type, select person.

    3. In Mapping Type, select Direct.

    4. For each row in the previous table, complete the following steps:

      1. Select the Flow direction shown for that row in the table.

      2. Select the Data source attribute shown for that row in the table.

      3. Select the metaverse attribute shown for that row in the table.

      4. To apply the flow mapping, click New.

  10. On the Configure Deprovisioning page, click Next.

  11. To create the management agent, on the Configure Extensions page, click Finish.

Configuring run profiles

The following section provides instructions for creating run profiles. For the scenario in this document, you create run profiles for the Fabrikam ADMA and the Fabrikam FIMMA.

Creating run profiles for the Fabrikam ADMA

The following table lists the run profiles that you create for the Fabrikam ADMA.

Profile   Run profile name       Step type
Profile1  Full import            Full import (Stage only)
Profile2  Full synchronization   Full synchronization
Profile3  Delta import           Delta import (Stage only)
Profile4  Delta synchronization  Delta synchronization

To create run profiles for the Fabrikam ADMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the Management Agents list, click Fabrikam ADMA.

  3. To open the Configure Run Profiles dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile Wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam FIMMA

The following table lists the run profiles that you create for the Fabrikam FIMMA.

Profile   Run profile name       Step type
Profile1  Full Import            Full Import (Stage Only)
Profile2  Full Synchronization   Full Synchronization
Profile3  Delta Import           Delta Import (Stage Only)
Profile4  Delta Synchronization  Delta Synchronization
Profile5  Export                 Export

To create run profiles for the Fabrikam FIMMA

  1. In FIM 2010, open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the management agent list, select Fabrikam FIMMA.

  3. To open the Configure Run Profiles dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile Wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, click the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Configuring the FIM Service

This section contains the instructions for configuring the FIM 2010 R2 Service.

The configuration of the FIM 2010 R2 Service consists of the following tasks:

  1. Enabling required Management Policy Rules

  2. Creating the Fabrikam inbound synchronization rule

  3. Enabling full-time employees to manage DGs

Enabling required Management Policy Rules

For the scenario in this document, you enable some of the preconfigured Management Policy Rules (MPRs) in FIM 2010.

To enable the required MPRs

  1. To open the FIM Portal, start Windows Internet Explorer®, and then navigate to https://localhost/identitymanagement/default.aspx.

  2. To open the Management Policy Rules page, on the FIM portal home page, in the navigation bar, click Management Policy Rules.

  3. In the Search for text box, type Synchronization account, and then click the Search for button.

  4. For each MPR that is listed as disabled, perform the following steps:

    1. To open the Configuration dialog box, click the Display Name of the disabled MPR.

    2. Clear the Policy is disabled check box.

    3. Click OK.

    4. On the Summary page, click Submit.

Creating the Active Directory inbound synchronization rule

To configure the Active Directory inbound synchronization rule, you use the related wizard pages.

To create the Active Directory inbound synchronization rule

  1. To open the Administration page, in the FIM Portal navigation bar, click Administration.

  2. To open the Synchronization Rules page, click Synchronization Rules.

  3. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory inbound synchronization rule

    • Data Flow Direction: Inbound

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: user

  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): employeeID

    2. Create Resource In FIM: Selected

  7. On the Inbound Attribute Flow tab, provide the information in the following table, and then click Finish.

    Source          Destination
    displayName     displayName
    employeeID      employeeID
    employeeType    employeeType
    givenName       firstName
    objectSid       objectSid
    sAMAccountName  accountName
    sn              lastName

    1. For each row in the previous table, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To open the Flow Definition dialog box, click New Attribute Flow.

    3. On the Source tab, in the attributes list, select String, and then type FABRIKAM in the text box.

    4. On the Destination tab, select domain in the attributes list.

    5. To apply the attribute flow configuration, click OK.

  8. On the Summary tab, click Submit.

Enabling full-time employees to manage DGs

To enable full-time employees to create DGs, you must modify some of the built-in MPRs. The following table provides an overview of the required changes.

Step  Display name                                                                                      Action
1     DL management: Owners can read attributes of group resources.                                     Enable MPR
2     DL management: Owners can update and delete groups that they own.                                 1. Enable MPR
                                                                                                        2. Remove the MembershipLocked attribute from the list of the specific resources attributes on the Target Resources tab.
3     DL management: Users can add or remove any members of groups subject to owner approval.           Enable MPR
4     DL management: Users can add or remove any members of groups that do not require owner approval.  Enable MPR
5     DL management: Users can create group resources.                                                  1. Enable MPR
                                                                                                        2. Set Requestor to All Full Time Employees.
6     DL management: Users can read selected attributes of group resources.                             Enable MPR

To enable full-time employees to manage DGs

  1. On the FIM 2010 home page, on the navigation bar, click Management Policy Rules.

  2. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  3. For each row in the previous table, perform the following steps:

    1. Type the Display Name of the MPR shown for that row in the table into the Search for text box, and then click Search.

    2. To open the Management Policy Rule dialog box, in the search results list, click the Display Name of the MPR shown for that row in the table.

    3. Apply the changes listed in the Action box for that row in the table.

    4. On the Summary page, click Submit.

Initializing the Testing Environment

Before you can test your configuration with test data, you must initialize your configuration. The following steps are part of this process:

  • Initializing the Fabrikam FIMMA

  • Initializing the Fabrikam ADMA

Initializing the Fabrikam FIMMA

To initialize the Fabrikam FIMMA, you must run a complete synchronization cycle on this management agent. The complete cycle consists of the run profile runs in the following table.

Step  Run profile name
1     Full import
2     Full synchronization
3     Export
4     Delta import

To initialize the Fabrikam FIMMA

  1. Open Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. For each row in the table immediately preceding this procedure, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  5. To start the run profile, click OK.

Initializing the Fabrikam ADMA

To initialize the ADMA, you must run a full import and a full synchronization on it. In this sequence, the sample users are brought into the metaverse and also staged in the connector space of the FIMMA. To complete the initialization of the Fabrikam ADMA, you must also run an export and a confirming import on the Fabrikam FIMMA.

Step  Management agent  Run profile name
1     Fabrikam ADMA     Full import
2     Fabrikam ADMA     Full synchronization
3     Fabrikam FIMMA    Export
4     Fabrikam FIMMA    Delta import

Important

After running the export run profile on the Fabrikam FIMMA, you should wait a minute or two before running the confirming delta import.

To initialize the Fabrikam ADMA

  1. Open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. For each row in the previous table, complete the following steps:

    1. In the Management Agents list, select the management agent shown for that row in the table.

    2. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    3. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

Tip

You should verify at this point whether all sample users have been successfully populated in the FIM Portal.

Testing the Configuration

To test the configuration, you perform the following steps:

  1. Create a DG in the context of a full-time employee

  2. Create a DG in the context of a contractor

  3. Manage owner approval-based membership

Creating a DG in the context of a full-time employee

In this section, you create a new DG in the context of Britta Simon. Because Britta is a full-time employee, her request to create a new DG is accepted.

To create a DG in the context of a full-time employee

  1. On your computer, log on as Britta Simon.

  2. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  3. To open the Create Distribution Group dialog box, on the home page, click Create a new DG.

  4. On the General tab, provide the following information, and then click Next:

    1. Display Name: Britta’s DG

    2. E-mail Alias: bdg

    3. Member Selection: Manual

  5. On the Members tab, click Next.

  6. On the Owners tab, perform the following steps, and then click Finish.

    1. In Join Restriction, verify that Owner approval is required is selected.

  7. On the Summary tab, click Submit.

Important

The creation attempt is accepted and the new DG is created.

You can now log off.

Creating a DG in the context of a contractor

In this section, you try to create a new DG in the context of Jimmy Bischoff. Because Jimmy is a contractor—and not a full-time employee—his request to create a new DG is declined.

To create a DG in the context of a contractor

  1. On your computer, log on as Jimmy Bischoff.

  2. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  3. To open the Create Distribution Group dialog box, on the home page, click Create a new DG.

  4. On the General tab, provide the following information, and then click Finish:

    1. Display Name: Jimmy’s Distribution Group

    2. E-mail Alias: jdg

    3. Member Selection: Manual

  5. On the Summary tab, click Submit.

Important

The creation attempt is declined and the Status of your request is Access denied.

You can now log off.

Managing owner approval-based membership

The objective of this section is to test the owner approval-based membership in a DG. To test this feature, your third sample user, Terry Adams, requests membership in Britta Simon’s DG. To become a member in Britta’s DG, Britta has to approve Terry’s request. Finally, Terry verifies that his join request has been approved by Britta.

To manage owner approval-based membership

  1. On your computer, log on as Terry Adams.

  2. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  3. To open the Distribution Groups page, on the home page, click Join DG.

  4. In the Search for box, type Britta’s DG, and then click the button.

  5. To open the Join Group dialog box, in the Distribution Groups list, select Britta’s DG, and then on the toolbar, click Join.

  6. To submit your request, click Submit.

    Note

    The status of your request is now Pending Approval.

  7. To close the Join Group dialog box, click OK.

  8. Log off your computer.

  9. On your computer, log on as Britta Simon.

    Note

    Britta has to approve the request before Terry can join Britta’s DG.

  10. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  11. To open the Approve Requests page, on the home page, click Approve Requests.

    Note

    There is one pending request for Britta’s DG.

  12. To open the Approve Request dialog box, select the request, and then, on the toolbar, click Approve.

  13. To approve the request, click Submit.

    Note

    The status of the request is now Completed.

  14. To close the Approve Request dialog box, click OK.

  15. Log off your computer.

  16. On your computer, log on as Terry Adams.

  17. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  18. To open the My Distribution Group Memberships page, click See my DG memberships.

  19. Verify that Britta’s DG is listed.

At this point, you have successfully completed an owner approval cycle.