How does FIM SSPR handle multi-domain environments?
The FIM Password Reset Activity (an Action Activity) will:
- Try to find the CS object by matching domain + username
- Use WMI to make a SetPassword call
The WQL query from a verbose trace is:
WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='domain' AND Account='fdagg001')
or (FullyQualifiedDomain='domain' AND Account='fdagg001')
or (Domain='domain' AND UserPrincipalName='fdagg001')
or (FullyQualifiedDomain='domain' AND UserPrincipalName='fdagg001')
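As an added example (not code from the original post or from FIM itself), the following PowerShell script reproduces that connector-space lookup against the Synchronization Service WMI provider, so an administrator can see which MIIS_CSObject a reset for a given domain and account would land on and whether the match is ambiguous across domains. It assumes it runs on (or can reach) the FIM Synchronization Service server under an account permitted to query the provider; the namespace name and the MaName and DN property names are taken from the documented MIIS_CSObject class, and the script deliberately only reports the target rather than calling its SetPassword method.

```powershell
# Added example, not from the original post: reproduce the CS-object lookup the
# FIM Password Reset activity performs for "domain\account".
# Assumptions: runs against the FIM Sync server, the caller may query the sync
# WMI provider, namespace root\MicrosoftIdentityIntegrationServer is exposed by it.
param(
    [Parameter(Mandatory)][string]$Domain,    # NetBIOS or FQDN, as the user typed it
    [Parameter(Mandatory)][string]$Account,   # sAMAccountName or UPN, as the user typed it
    [string]$SyncServer = 'localhost'
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

# The values are embedded in a WQL string, so double any single quotes first.
$d = $Domain.Replace("'", "''")
$a = $Account.Replace("'", "''")

# Same four-way OR as the verbose trace: NetBIOS or FQDN domain, matched on Account or UPN.
$wql = "SELECT * FROM MIIS_CSObject WHERE (Domain='$d' AND Account='$a')" +
       " OR (FullyQualifiedDomain='$d' AND Account='$a')" +
       " OR (Domain='$d' AND UserPrincipalName='$a')" +
       " OR (FullyQualifiedDomain='$d' AND UserPrincipalName='$a')"

$hits = @(Get-WmiObject -ComputerName $SyncServer -Namespace $ns -Query $wql)

switch ($hits.Count) {
    0 { Write-Warning "No connector-space object for $Domain\$Account; a reset would fail." }
    1 {
        $cs = $hits[0]
        # This is the single object whose SetPassword method the activity would invoke.
        "Reset would target MA '$($cs.MaName)', object $($cs.DN)"
    }
    default {
        # Two domains (or two MAs) with the same account name: the reset target is ambiguous.
        Write-Warning "$($hits.Count) connector-space objects match; reset target is ambiguous."
        $hits |
            Select-Object MaName, Domain, FullyQualifiedDomain, Account, UserPrincipalName |
            Format-Table -AutoSize
    }
}
```

Run it as `.\Find-SsprTarget.ps1 -Domain CONTOSO -Account fdagg001` (script name assumed). The ambiguous branch is the one worth checking in a multi-domain forest: if the same account name exists in two connected domains and users type only the NetBIOS name, the activity's match is only as good as the uniqueness of domain plus account.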
What happens when a user resets his password?
In fact this action is very similar to an administrator right-clicking your account in ADUC (Active Directory Users and Computers) and choosing Reset Password:
A FIM SSPR reset will:
- Reset your password
- “Uncheck” User must change at next logon
- “Check” unlock the user’s account
Especially the last one is very interesting: whenever a user locks his AD account (for example after too many failed logon attempts), he can unlock himself through SSPR! So the SSPR feature can be used for more than just forgotten passwords. Maybe this is obvious, but I had no idea.
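Because an SSPR reset also unlocks the account, it is useful to be able to see those three effects in the domain controller's Security log and attribute them to the FIM service account. The following PowerShell script is an added example (not from the original post) that pulls the relevant events: 4724 (an attempt was made to reset an account's password), 4767 (a user account was unlocked) and 4738 (a user account was changed, which carries attribute changes such as Password Last Set). It assumes "Audit User Account Management" is enabled, that it runs on the DC, and that the service account name in the parameter is a placeholder you replace with the account the Password Reset activity uses against AD.

```powershell
# Added example, not from the original post: list the Security events that an SSPR
# reset leaves on a domain controller, filtered to the FIM service account.
# Assumptions: User Account Management auditing is on, script runs on the DC,
# $FimServiceAccount is a placeholder for the account FIM uses to reset passwords.
param(
    [string]$FimServiceAccount = 'svc-fimsync',   # placeholder, set for your environment
    [int]$Hours = 24
)

# 4724: password reset attempted; 4767: account unlocked; 4738: account changed
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724, 4767, 4738
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # SubjectUserName is who performed the action; TargetUserName is the account acted on.
    if ($data.SubjectUserName -ne $FimServiceAccount) { continue }

    $action = switch ($e.Id) {
        4724 { 'password reset' }
        4767 { 'account unlocked' }
        4738 { 'account changed' }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = $action
        Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"
        By      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    }
}
```

A single SSPR reset should show up as a 4724 and a 4738 for the target user, plus a 4767 when the account was locked out at the time. Seeing 4767 events from the FIM service account for a user who never reported a forgotten password is exactly the "self-unlock" use of the feature described above, and a reasonable thing to alert on if that is not what the SSPR deployment was meant to allow.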