Account Lockout Self Service and Password reset
Why does FIM 2010 only provide password reset self-service and not support account lockout self-service? Other products support both. I do understand how the use of various gates can be used to address the limitation, but I don't understand why account lockout is not provided OOB; I suspect it's security related??
April 30th, 2010 11:18pm

Hi Paul, Can you please explain your scenario a bit more? If an AD account is locked out, what behavior would you like to see? How do you envision the user interacting with the service during this condition? I recently showed a demo at The Experts Conference where the FIM server detected that a user's account was locked out, called the user on their mobile phone, and then asked them if they wanted to have their password reset. -Jeremy
May 1st, 2010 12:02am

When you say "Lockout", do you mean "Lockout from the Authentication WF using the Lockout Gate (which is a FIM specific feature)" or "Lockout in AD"? If you perform an SSPR, it's automatically unlocked in AD.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 1st, 2010 12:44am

Anthony, I should have specified 'lockout in AD' rather than 'lockout as part of the Auth WF (using lockout gate)'. Really like the WF and the tip:

An attacker might launch a denial-of-service attack on password reset by purposely failing password reset challenges for multiple users, causing many users to be locked out of password reset. To mitigate this type of attack, you should place the lockout gate after a Question and Answer gate. By configuring the activities in this way, the attacker would need to pass at least one gate before they could try and lock out other users. You could then place an additional Question and Answer gate after the lockout gate for additional security. The sequence would then be as follows:

Password gate
Question and Answer gate
Lockout gate
Question and Answer gate

However, by 'If you perform an SSPR, it's automatically unlocked in AD' do you mean that if a user locks their account in AD they can perform an SSPR which resets their password AND unlocks their account, or does an admin / help desk need to unlock the account, either through FIM or directly in AD? The AD MA should be configured with rights for account lockout and password reset, but can account lockout be performed by the end user? Thanks, Paul
May 1st, 2010 2:09am
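The deployment-guide tip quoted in the post above reasons about gate ordering in words. The following is an added example, not FIM code and not from anyone in this thread: a small Python model of an authentication workflow that shows why a Question and Answer gate in front of the Lockout gate defeats the denial-of-service attack while still locking out a caller who guesses at the later gate. One assumption is labelled in the code and is not stated in the thread: the model treats the Lockout gate as counting only failures at gates placed after it, which is the reading the guide's tip implies; verify it against the "how does lockout gate work" post on the FIM Password Reset Blog for your version. The Password gate from the guide's sequence is not modelled, and the user names and registered answers are constructed.

```python
# Added example (not FIM code): a model of gate ordering in a FIM 2010
# authentication workflow, used to show why the deployment-guide tip puts a
# Question and Answer gate in front of the Lockout gate.
#
# Assumption (labelled, not stated in the thread): the Lockout gate counts a
# failed attempt toward a user's threshold only when the failure happens at a
# gate placed AFTER the Lockout gate; a failure at an earlier gate is rejected
# but not counted.
from dataclasses import dataclass, field


@dataclass
class QAGate:
    """Question and Answer gate: the attempt must supply the registered answer."""
    question: str


@dataclass
class LockoutGate:
    """Lockout gate: denies locked-out users; failures after it are counted."""
    threshold: int


@dataclass
class Store:
    """Registered answers, failure counters and lockout list (FIM Service state)."""
    registered: dict                       # user -> {question: answer}
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)


def run_workflow(gates, user, attempt, store):
    """Run one reset attempt through the gates; return 'reset', 'denied' or 'locked'."""
    counting = False          # becomes True once the Lockout gate has been passed
    threshold = None
    for gate in gates:
        if isinstance(gate, LockoutGate):
            if user in store.locked:
                return "locked"
            counting, threshold = True, gate.threshold
            continue
        answers = store.registered.get(user, {})
        if attempt.get(gate.question) != answers.get(gate.question):
            if counting:
                store.failures[user] = store.failures.get(user, 0) + 1
                if store.failures[user] >= threshold:
                    store.locked.add(user)
            return "denied"
    store.failures[user] = 0  # a successful reset clears the counter
    return "reset"


def lockout_dos(gates, store, victims, attempts=5):
    """Attacker who knows only usernames submits bogus answers for every victim.
    Returns the set of users left locked out of password reset."""
    for user in victims:
        for _ in range(attempts):
            run_workflow(gates, user, {"q1": "wrong", "q2": "wrong"}, store)
    return set(store.locked)


def fresh_store():
    # Constructed registration data for three users.
    return Store(registered={
        "alice": {"q1": "rex", "q2": "paris"},
        "bob":   {"q1": "fido", "q2": "rome"},
        "carol": {"q1": "tom", "q2": "oslo"},
    })


# Layout A: Lockout gate first. Every bogus attempt is counted, so the
# attacker locks all three users out of SSPR knowing only their names.
LAYOUT_A = [LockoutGate(3), QAGate("q1"), QAGate("q2")]
# Layout B (the deployment-guide ordering): the attacker fails q1 before
# reaching the Lockout gate, so nothing is counted and nobody is locked out.
LAYOUT_B = [QAGate("q1"), LockoutGate(3), QAGate("q2")]


def demo():
    locked_a = lockout_dos(LAYOUT_A, fresh_store(), ["alice", "bob", "carol"])
    locked_b = lockout_dos(LAYOUT_B, fresh_store(), ["alice", "bob", "carol"])
    # Layout B still protects q2 from guessing: a caller who knows alice's q1
    # answer but not q2 is locked out after three wrong q2 answers, and even
    # the right answers are then refused at the Lockout gate.
    store = fresh_store()
    for _ in range(3):
        run_workflow(LAYOUT_B, "alice", {"q1": "rex", "q2": "guess"}, store)
    alice_after = run_workflow(LAYOUT_B, "alice", {"q1": "rex", "q2": "paris"}, store)
    return locked_a, locked_b, alice_after


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that with Layout B the attacker can only lock out users whose first answer they already know, which is the "must pass at least one gate" condition in the tip; the lockout counter still applies to everything after that gate.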

Jeremy, thanks. I have added some more context below, but you do raise another point which we are looking at, which is building an alerting capability to add notifications (email) which would inform a user on events such as:

Q/A profile set / updated
Account locked/unlocked
Password reset

It appears as if you have some of that notification built to alert admins at any rate. Paul
May 1st, 2010 2:14am

>> if a user locks their account in AD they can perform an SSPR which resets their password AND unlocks their account

Yes... If I am drunk and have forgotten my password, after a few attempts my account is locked in AD. 2 hrs later, I remember my password but I can't log on because my account is still locked in AD. I can perform an SSPR and my AD account will be unlocked. We don't provide a pure "AD Unlock" feature, but SSPR does unlock the user in AD.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 1st, 2010 3:02am

And you might want to check out my latest blog post regarding "how does lockout gate work", which explains the tips in the deployment guide. http://blogs.technet.com/aho/archive/2010/04/29/how-does-lockout-gate-work.aspx
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 1st, 2010 3:04am

Hi Paul, For notification, you should be able to do everything you want using built-in functionality. Using the sync engine, you can monitor the userAccountControl attribute in Active Directory. You can write an advanced inbound attribute flow from ad.userAccountControl->mv.userAccountLockedOut (a custom boolean attribute you can add to the metaverse schema in the synchronization engine and associate with the person object class). Then write an outbound attribute flow from mv.userAccountLockedOut to fimService.userAccountLockedOut (a custom boolean attribute associated with the user object in the FIM Service). Next you can create a set in the FIM Portal called lockedOutUsers that includes all users whose userAccountLockedOut attribute is true. Finally you can create a transition-in MPR in the FIM Portal based on users who transition into the lockedOutUsers set. Just add an email notification activity to the Action phase in the workflow settings for this MPR. It sounds like Anthony has the other part of your question answered. Good Luck! -jeremy
May 1st, 2010 3:27am
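The post above proposes deriving mv.userAccountLockedOut from userAccountControl. Before building that flow, a practitioner should check one caveat that the thread does not mention: Active Directory does not persist the UF_LOCKOUT bit (0x10) in userAccountControl, and exposes it only through the constructed attribute msDS-User-Account-Control-Computed, which is not what an import reads. The durable signal is lockoutTime, a FILETIME that is set when the account is locked and stays non-zero after the lockout expires (until the next successful logon or an explicit unlock), so the flag has to be computed from lockoutTime and the domain's lockoutDuration. The following is an added example, not FIM, Microsoft or the poster's own code: Python that implements that computation as the logic a rules-extension import flow for the proposed mv.userAccountLockedOut attribute would need. The attribute names follow the post, the function names are hypothetical, and the sample timestamps and policy values are constructed.

```python
# Added example (not FIM or Microsoft code): computing a "locked out" flag for
# an AD user from attributes the AD management agent can actually import.
#
# lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC. 0 means never
# locked or explicitly unlocked; a non-zero value persists after the lockout
# window has passed, so the domain's lockoutDuration must be applied.
# lockoutDuration is stored on the domain object as a NEGATIVE number of ticks;
# the most negative 64-bit value means "locked until an administrator unlocks".
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                 # FILETIME ticks (100 ns) per second
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_FOREVER = -0x8000000000000000         # lockoutDuration meaning "never expires"
UF_LOCKOUT = 0x10                             # defined for userAccountControl, never set by AD


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks (integer maths, no float loss)."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time: int, lockout_duration: int, now: int) -> bool:
    """True if the account is locked at 'now'. All arguments are FILETIME ticks;
    lockout_duration is the raw (negative) domain value."""
    if lockout_time == 0:
        return False                          # never locked, or explicitly unlocked
    if lockout_duration == LOCKOUT_FOREVER:
        return True                           # only an admin unlock clears it
    return now < lockout_time + (-lockout_duration)


def flow_user_account_locked_out(csentry: dict, domain: dict, now: int) -> bool:
    """Hypothetical import flow: the value for mv.userAccountLockedOut.
    userAccountControl is deliberately ignored: AD never sets UF_LOCKOUT in it,
    so a flow based on that attribute would never observe a lockout."""
    return is_locked_out(csentry.get("lockoutTime", 0), domain["lockoutDuration"], now)


def demo():
    # Constructed values: a 30-minute lockout policy and a user locked at
    # 2010-05-01 00:00 UTC. userAccountControl stays NORMAL_ACCOUNT (0x200)
    # throughout, which is why it cannot be used as the signal.
    domain = {"lockoutDuration": -30 * 60 * TICKS_PER_SECOND}
    locked_at = datetime_to_filetime(datetime(2010, 5, 1, tzinfo=timezone.utc))
    user = {"userAccountControl": 0x200, "lockoutTime": locked_at}
    ten_minutes_later = locked_at + 10 * 60 * TICKS_PER_SECOND
    two_hours_later = locked_at + 2 * 3600 * TICKS_PER_SECOND
    return (
        flow_user_account_locked_out(user, domain, ten_minutes_later),   # still locked
        flow_user_account_locked_out(user, domain, two_hours_later),     # expired, lockoutTime still set
        flow_user_account_locked_out({"lockoutTime": 0}, domain, ten_minutes_later),  # never locked
        flow_user_account_locked_out(user, {"lockoutDuration": LOCKOUT_FOREVER}, two_hours_later),
    )


if __name__ == "__main__":
    print(demo())
```

Two operational notes follow from this: the flag is only as fresh as the last import of the AD MA, so the latency of the lockedOutUsers transition-in MPR equals the management agent run schedule; and because lockoutTime is not cleared when the window expires, a flow that merely tests lockoutTime != 0 would keep users in the set, and keep the notification firing, long after they can log on again.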

Anthony, When you are sober I am sure you can remember the answers you input when you registered for the authentication challenge. Why couldn't we use the preset questions/answers to unlock the account in AD? It is a major inconvenience to have to reset the password in order to unlock an account. I hope this will be supported in the very near future. Thanks, Sam
May 21st, 2010 7:35am

What's your scenario? How would your account be locked out in AD in the first place? If you log on with an incorrect password 10 times and get locked out in AD, shouldn't I be safe to assume that the user has already forgotten the password?
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 22nd, 2010 12:05am

Hi Anthony, In our environment AD accounts get locked after three unsuccessful attempts. Let's say that you have one desktop where you have network drives and one laptop. You are logged in on both. You change your password on your laptop because it is expiring soon. Then you go for lunch. Most likely when you come back from lunch you will be locked out of your desktop and your laptop because your AD account is locked out due to the network drive. In this scenario you want to be able to unlock your account without having to reset your password, since you just reset it. There are also clients that are not smart enough to detect password changes and will try to authenticate against AD using the stored password, leading to the account lockout. We currently use a third party password management software and I can tell you that the AD account unlock is very useful. Every day we have many users unlocking their account using the challenge questions. I will not replace that software with FIM password management until that feature is implemented. Thanks, Sam
May 22nd, 2010 1:28am

What's the third party password management user experience like? I guess they would also provide a custom UI at the logon screen, the user goes through a challenge/response and at the end, the account is unlocked?
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 22nd, 2010 10:46am

>> What's the third party password management user experience like? I guess they would also provide a custom UI at the logon screen, the user goes through a challenge/response and at the end, the account is unlocked?

Yes, the product has an extended GINA so that you have a link on the Windows login screen. When the user clicks on that link it brings up a locked-down web browser that opens a web interface where you can use a challenge/response to unlock your account. Anthony, are you working for MS? It would be truly useful if FIM 2010 had that feature. Thanks, Sam
May 24th, 2010 3:59am

That's a valid scenario. Please file a design change request in Connect with the feature you want.
May 24th, 2010 9:25am

Those are very true-to-life scenarios, among many others. I was also looking to implement any self-service application that provides not only a password change feature but also an account unlock without having to change the password. I thought Microsoft would have this as an option from the start. Without an option like this, I'll still have most of the users calling the helpdesk because they do not want to change the password. We will be adding the cost of managing this application instead of reducing the costs associated with helpdesk operations. Sam, which software are you using? Alexis
May 31st, 2010 12:26am
