0 comments

FIM SSPR: Fun Facts

Published on Friday, September 24, 2010 in ,

How does FIM SSPR handles multi-domain environments?

The FIM's Password Reset Activity (Action Activity) will:

  1. Try to find the CS object by matching domain + username
  2. Use WMI to make a SetPassword call

WQL from verbose trace is:
WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='domain' AND Account='fdagg001')
or (FullyQualifiedDomain='domain' AND Account='fdagg001')
or (Domain='domain' AND UserPrincipalName='fdagg001')
or (FullyQualifiedDomain='domain' AND UserPrincipalName='fdagg001')

Source:http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/28fcfc43-54f6-4f8e-9602-21663d11a250

What happens when a user resets his password?

In fact this action is very similar to an administrator right-clicking your account in ADUC and choosing reset password:

image

A FIM SSPR reset will:

  1. Reset your password
  2. “Uncheck” User must change at next logon
  3. “Check” unlock the user’s account

Especially the last one is very interesting, whenever a user locks his AD, he can unlock himself! So the SSPR feature can be used for more than just forgotten passwords. Maybe this is obvious, but I had no idea.

Related Posts

Posted by Thomas at 5:36 PM
Labels: ,

No Response to "FIM SSPR: Fun Facts"

Add Your Comment

Subscribe to: Post Comments (Atom)