Two things have to be in place for a user to be displayed on the Search Results page when the search operation is performed:
If either of these is missing or incomplete, then the list of returned users will be filtered accordingly or an error message will be returned.
Installing and Configuring CLM 2007 on a Server: http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx
A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1: http://support.microsoft.com/kb/969742
I have never got this to work for FIM CM 2010 without having to give the Users managing the FIM CM direct read against the users participating.
Authenticated users doesn't seem to propagate through and I don't understand why.
This works for Authenticated Users by default in a freshly installed domain - in the case where it requires direct permissions then the default ACLs in AD have been modified.
One suspicion that I had was that this might be related to domains that have been upgraded all the way from NT 4 (if the ACLs haven't simply been modified at some point) - but I didn't investigate this beyond confirming it works this way for a vanilla W2k8 R2 domain.
Just to clarify.
My issue is that when I search for users in FIM CM I currently have to give the logged in user specific Read permissions against the AD users I wish to manage.
Are you stating that this should be picked up through Authenticated Users?
I have installed fresh W2k8 R2 domains as test environments but I still seem to get this issue. I must be doing something potentially incorrect when I create the domain?
This should flow down via Authenticated Users being a member of the Pre-Windows 2000 Compatible Access group as this group by default has the required permissions - perhaps your user isn't properly authenticated and doesn't get the group SID for the constructed AU group?
At any rate, I ran the forest setup with the defaults (a click-next installation) and it worked out of the box for a non-admin user.
In your testing, are your domain controller and FIM installation on the same server? If so, then Auth Users will work via the nesting in PreWindows 2000 Compat Access.
Good point, I typically use FIM and DC on the same server in test scenarios.