FIM SSPR: Fun Facts

Published on Friday, September 24, 2010

How does FIM SSPR handle multi-domain environments?

The FIM Password Reset Activity (Action Activity) will:

  1. Try to find the CS object by matching domain + username
  2. Use WMI to make a SetPassword call

The WQL from the verbose trace is:
WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='domain' AND Account='fdagg001')
or (FullyQualifiedDomain='domain' AND Account='fdagg001')
or (Domain='domain' AND UserPrincipalName='fdagg001')
or (FullyQualifiedDomain='domain' AND UserPrincipalName='fdagg001')
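
To check which connector space object this lookup resolves to for a given user, the same query can be run read-only against the Synchronization Service's WMI provider. This is an added example, not code from the original post or from FIM itself; the function name Find-SsprCsObject is hypothetical, and it assumes the root\MicrosoftIdentityIntegrationServer namespace and an account allowed to query it.

```powershell
# Added example: read-only lookup, run on the FIM Synchronization Service host.
# The function name and parameter names are hypothetical.
function Find-SsprCsObject {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Account
    )

    # Escape backslash and single quote so the values stay inside the WQL string literals.
    $esc = { param($s) $s.Replace('\', '\\').Replace("'", "\'") }
    $d = & $esc $Domain
    $a = & $esc $Account

    # Same four clauses as the verbose trace: the supplied domain is tried as
    # Domain and as FullyQualifiedDomain, the supplied name as Account and as UPN.
    $wql = "SELECT * FROM MIIS_CSObject WHERE " +
           "(Domain='$d' AND Account='$a') OR " +
           "(FullyQualifiedDomain='$d' AND Account='$a') OR " +
           "(Domain='$d' AND UserPrincipalName='$a') OR " +
           "(FullyQualifiedDomain='$d' AND UserPrincipalName='$a')"

    $hits = @(Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Query $wql)

    # Zero matches: the lookup has no object to act on for this user.
    # More than one: several connector space objects satisfy the lookup and need review.
    switch ($hits.Count) {
        0       { Write-Warning "No connector space object matches $Domain\$Account." }
        1       { Write-Verbose "Exactly one connector space object matches." }
        default { Write-Warning "$($hits.Count) connector space objects match $Domain\$Account." }
    }

    # Show which management agent and DN each match belongs to.
    $hits | Select-Object MaName, Domain, FullyQualifiedDomain, Account, UserPrincipalName, Dn
}

# Sample values copied from the trace above.
Find-SsprCsObject -Domain 'domain' -Account 'fdagg001'
```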


What happens when a user resets his password?

In fact, this action is very similar to an administrator right-clicking your account in ADUC and choosing Reset Password.


A FIM SSPR reset will:

  1. Reset your password
  2. “Uncheck” User must change at next logon
  3. “Check” unlock the user’s account

The last one is especially interesting: whenever a user locks his AD account, he can unlock himself! So the SSPR feature can be used for more than just forgotten passwords. Maybe this is obvious, but I had no idea.
