One of the missing features of the FIM Self Service Password Reset functionality was the enforcement of some of the domain password policy settings. In particular, the password history was not enforced. Users could use SSPR to get around the “maximum password age” policy setting and keep using the same password over and over again. Now we don’t want that, huh!
As announced on the FIM TechNet forums: FIM 2010 Self-Service Password Reset Now Supports All Domain Password Policies we can now actually configure FIM to enforce the password history. There are several requirements though, check KB2443871 (FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies):
For the PDC domain controller
- Hotfix KB2386717: The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based computer
- Windows 2008 R2
- Certificate to enable LDAP over SSL
These are only required for the PDC emulator. But I would definitely make sure all my DCs, or at least those at the main site where the FIM solution resides, meet these requirements. After all, the PDC emulator FSMO role can be transferred for various reasons.
For the FIM solution components
- FIM Update ? (KB2417774): the KB article is not there yet, but the hotfix can be downloaded at http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2417774
There seems to be an error in the explanation as mentioned by Steve on the forums:
Please note that there is an error in the document. The registry value name required for enabling this functionality is incorrect.
Incorrect Version: ADMAEnforcePasswordPolicyHistory
Correct Version: ADMAEnforcePasswordPolicy
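Before flipping the switch, it helps to verify the requirements above and the registry value name in one go. The script below is an added example, not part of the original post or of the FIM hotfix; it assumes it runs on the FIM Synchronization Service server with the ActiveDirectory PowerShell module available, and the registry key path `$FimRegKey` is a placeholder, since the post does not state where the value lives.

```powershell
# Added example (not from the original post): pre-flight check for the SSPR
# password-history enforcement requirements. $FimRegKey is a PLACEHOLDER path;
# replace it with the key named in the hotfix documentation.
param([string]$FimRegKey = 'HKLM:\PLACEHOLDER\FIMSynchronizationService\Parameters')

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# 1. PDC must run Windows Server 2008 R2 (NT version 6.1)
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pdc
if ($os.Version -like '6.1.*') { Write-Host "OK   OS is $($os.Caption)" }
else { Write-Warning "PDC runs $($os.Caption) ($($os.Version)), not 2008 R2" }

# 2. Hotfix KB2386717 (history / minimum age enforcement on password reset)
$fix = Get-HotFix -Id KB2386717 -ComputerName $pdc -ErrorAction SilentlyContinue
if ($fix) { Write-Host "OK   KB2386717 installed on $pdc" }
else { Write-Warning "KB2386717 not found on $pdc" }

# 3. LDAP over SSL: connect to TCP 636 and let SslStream validate the
#    server certificate (chain and host name) against this machine's trust.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($pdc, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($pdc)
    Write-Host "OK   LDAPS on $pdc, certificate validated"
} catch { Write-Warning "LDAPS check failed on ${pdc}: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 4. Registry value on the FIM server: the correct name is
#    ADMAEnforcePasswordPolicy; the name printed in the KB article is wrong.
$props = Get-ItemProperty -Path $FimRegKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['ADMAEnforcePasswordPolicyHistory']) {
    Write-Warning "Found ADMAEnforcePasswordPolicyHistory: wrong name, will be ignored"
}
if ($props -and $props.ADMAEnforcePasswordPolicy -eq 1) {
    Write-Host "OK   ADMAEnforcePasswordPolicy = 1 under $FimRegKey"
} else {
    Write-Warning "ADMAEnforcePasswordPolicy not set to 1 under $FimRegKey"
}
```

Run it after installing the FIM hotfix; a warning on step 4 with the “History” name means the value was created from the typo in the document and will not enable enforcement.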
Besides the SSPR enhancement, FIM Update ? (Build 4.0.3561.2) will be a very good one. I can confirm from tests in my FIM environments it fixes the following items:
- FIM MA Attribute precedence issue: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/1256bf10-3b91-4358-aa2f-32894964e1dc
- Attribute recall issue: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/941b44f2-de41-4ec3-9686-f78f1178ac69
- Synchronization Service CPU usage: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/0456bce2-7f5f-45eb-aa0a-c1945d2b7065
I think most people know that hotfixes should be installed in a test environment first. Do not let a manager force you to install and configure the enforcement of the password history ASAP. Knowing that FIM Update 2 will fix the behavior of the FIM MA, it could alter how your implementation behaves. Especially the precedence change could “break” stuff for you. Test, test, test!
I’m referencing Build 4.0.3561.2 as FIM Update ?, but odds are it will be FIM Update 2, just like KB978864 was FIM Update 1.
Thomas, I want my old password!, Vuylsteke