PowerShell to create a SID file for FIM 2010

The situation:

I want to add an account to the FIM portal manually, and make that account a FIM Administrator.

Of course, for this to work, the FIM portal needs to have the account name, domain, and objectSID of my new FIM administrator. Account name and domain are not a problem, but how do you get the SID in there? Yes, the account exists in AD, but it is stuck off in an OU that will never be discovered, so I can’t just flow it through an AD MA. If you look at the existing administrator object in Advanced view, you see the objectSID and can even export it to a file. There’s a browse button too, so to import a SID you just need to point to a 28-byte binary file that holds the SID. But how do you create this file?

Turns out to be dead simple in Server 2008 R2. The following few lines will do it (assuming you’ve already imported the ActiveDirectory module).

# Import-Module ActiveDirectory   (already done, per the note above)
$b = New-Object byte[] 28            # 8-byte header + 5 four-byte sub-authorities = 28 bytes for a domain user SID
$u = Get-ADUser squeebo              # $u.SID is a System.Security.Principal.SecurityIdentifier
$u.SID.GetBinaryForm($b,0)           # copy the SID's binary form into $b starting at offset 0
$b | Set-Content ($u.SamAccountName + '.dat') -Encoding byte   # write raw bytes, not text
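The same procedure as two functions, added here as an example rather than taken from the original post: one sizes the buffer from the SID itself (so it also works for SIDs that are not exactly 28 bytes) and writes the file, the other reads the file back, checks the SID header, and confirms it round-trips to the expected SID string before you browse to it in the portal. It assumes the ActiveDirectory module is loaded and that the account name is whatever you pass in.

```powershell
function Export-SidFile {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$Path
    )
    $user = Get-ADUser -Identity $SamAccountName
    $sid  = $user.SID    # System.Security.Principal.SecurityIdentifier
    if (-not $Path) { $Path = Join-Path $PWD.Path ($user.SamAccountName + '.dat') }

    # Size the buffer from the SID instead of assuming 28 bytes
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    [System.IO.File]::WriteAllBytes($Path, $bytes)   # raw bytes, never a text encoding
    return $Path
}

function Test-SidFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedSid   # e.g. 'S-1-5-21-...-1105'
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Binary SID layout: byte 0 = revision (1), byte 1 = sub-authority count,
    # bytes 2-7 = identifier authority, then 4 bytes per sub-authority.
    if ($bytes.Length -lt 8 -or $bytes[0] -ne 1) {
        throw "Not a binary SID (bad revision or too short): $Path"
    }
    $expectedLength = 8 + 4 * [int]$bytes[1]
    if ($bytes.Length -ne $expectedLength) {
        throw "Length $($bytes.Length) does not match sub-authority count: $Path"
    }
    $parsed = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    return ($parsed.Value -eq $ExpectedSid)
}

# Usage (account name is a placeholder, not a real account):
# $file = Export-SidFile -SamAccountName 'squeebo'
# Test-SidFile -Path $file -ExpectedSid (Get-ADUser squeebo).SID.Value   # expect True
```

A False result means the file does not hold the SID you think it does, which is worth knowing before the portal quietly grants administrator rights to the wrong principal.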

I’ve been discovering lots of little things like this as I’ve been using FIM more, and I’ll blog about them as soon as I can organize my thoughts a bit. Most of them are a little more complicated than this, and were the result of a lot of iterations and head-scratching, so I need to distill them down before I post.