Is there more detail as to how often registration to password reset is checked. In the Introduction to password reset document, it talks about modifying HKCU. In my lab I have the password reset working. After installing the Add-ins and extensions, the FIM password window shows at the bottom left of the task bar. It stay for quite a while even after I have registered. The path stated in the document does not exist in my registry, however, it is located in the HKLM. I know users will start to complain about that when it slows down their boot up process. So I would like to cache the password registration for 90 days and set the maxoffset to 10 days. Can someone help me understand the registry setting for this please? You help is greatly appreciated. Nathalie

i believe the documentation is accurate. Using Group Policy to update how often registration is checked By default, the FIM client checks the end user’s registration status every time he or she logs on to Windows. The frequency setting for how often registration is checked is located in the registry. If you are deploying password reset broadly in your organization, we recommend that you configure FIM 2010 to check periodically, not every time that the user logs on to Windows. There are two potential locations for the registry key: HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions The location under Policies takes precedence. However, the second key, in the second listing above, must be created. It can be an empty key. The settings are as indicated in the following table. Name Type Data description Registry location CacheInterval Int Registration status cache duration in days HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions MaxOffset Int Maximum random offset in days to be added or subtracted to cache interval HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions CacheInterval specifies the amount of time in days before the FIM client checks the user’s registration status again. MaxOffset adds or subtracts a random number of days to CacheInterval . The offset exists so that all FIM clients are not checking registration status on the same day. We recommend that you create these settings in the Policies folder. The FIM Password Reset Blog http://blogs.technet.com/aho/

i believe the documentation is still correct Using Group Policy to update how often registration is checked By default, the FIM client checks the end user’s registration status every time he or she logs on to Windows. The frequency setting for how often registration is checked is located in the registry. If you are deploying password reset broadly in your organization, we recommend that you configure FIM 2010 to check periodically, not every time that the user logs on to Windows. There are two potential locations for the registry key: HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions The location under Policies takes precedence. However, the second key, in the second listing above, must be created. It can be an empty key. The settings are as indicated in the following table. Name Type Data description Registry location CacheInterval Int Registration status cache duration in days HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions MaxOffset Int Maximum random offset in days to be added or subtracted to cache interval HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions CacheInterval specifies the amount of time in days before the FIM client checks the user’s registration status again. MaxOffset adds or subtracts a random number of days to CacheInterval . The offset exists so that all FIM clients are not checking registration status on the same day. We recommend that you create these settings in the Policies folder. The FIM Password Reset Blog http://blogs.technet.com/aho/

When I look at the registry for the client workstation I only have up to the available path HKCU\Software\Microsoft\. I do see however, HKLM\software\microsoft\forefront identity manager\2010\extensions. Do I need to create the Keys in the HKCU path? Will these settings actually remove the FIM Password pop up at the bottom of the taskbar until the cacheinterval is expired? If not...is there a way to do so, so that users will not see that pop up everytime they logon to their computer? Thanks, Nathalie

u need to create that HKCU path urself. If there is cached info, then user won't see it at the taskbar. Currently there is a known bug that if user cancels out registration, the registration time is still written in registry.The FIM Password Reset Blog http://blogs.technet.com/aho/

Here is what I did according to the document. I created the "key" CacheInterval and set the data to 10 days. I also created the "key" MaxOffset and set the data to 2 days. Please let me know if this is correct. When I reboot my machine, I still see the FIM Password popup on my taskbar, which to me seems like this is not working correctly. Thanks, Nathalie

those should be names,value under the Extension key alternatively, you can use the Group Policy Template we ship with FIM The FIM Password Reset Blog http://blogs.technet.com/aho/

I'm sorry. I must be missing something here. The documentation doesn't state anything about adding a value to the Extensions key in the registry. And if it is a value that needs to be added, it doesn't state what type of value, string value, Dword, Qword, multiple string value, or expandable string value. I think that information is critical to making this adjustment successful. Is the group policy template available with FIM 2010 RTM? Where can I find it? Can you also provide more information for this registry setting that needs to be made in order for the caching of the password registration to work? Is the value a Dword value? Thank you for your help, Nathalie

1. create the key HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions 2. under that key, create DWORD CacheInterval and MaxOffset 3. try to complete registration once and u should see an addition value LastQueryTime (a QWORD generated by code) The FIM Password Reset Blog http://blogs.technet.com/aho/

Thank you for the detailed setting for the registry. Unfortunately this is not working. I do see the Qword added after I registered a new user(on Vista machine). When I log off and back on the Fim Password window still shows up on the taskbar. On a window XP machine the same thing happens. However the registry is different, no QWord. How does this affect users when the cacheinterval is set after the user has registered? Will they need to registered before the caching starts. Nathalie

what if u try to re-register by C:\Windows\System32\MsPwdRegistration.exe -allThe FIM Password Reset Blog http://blogs.technet.com/aho/

I am able to register. However the window still shows up on the task bar. On the vista side the qword is created after I register. Still not sure what the problem is and why this is not working as it should. Any other suggestions? Nathalie

if u execute MsPwdRegistration.exe (without the -all flag) does the LastServerQuery time update itself?

sorry, i can't repro it inhouse, here is what i have Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Forefront Identity Manager\2010\Extensions] "LastServerQuery"=hex(b):09,bc,cc,4b,00,00,00,00 "CacheInterval"=dword:00000010 "MaxOffset"=dword:00000005 then everytime i launch MsPwdRegistration.exe (no -all flag), it's not going against the server and nothing is shown in task bar. Here is what i would try Launch MsPwdRegistration.exe complete the registration sequence once make sure the LastServerQuery entry is updated next time it shouldn't show up in the task bar The FIM Password Reset Blog http://blogs.technet.com/aho/

This is what I have: Two machines, Vista sp1 and Windows XP sp3. RTM version of Add-ins and extensions on both. I have tried your steps above(with the -all) on both boxes. The vista box has an entry for lastserverquery but the xp box does not. When I launch the MsPwdRegistion.exe (without the -all flag), the FIM Password popup is at the taskbar on both boxes. When I tried to click it nothing happens. In 5-10secs it disappears. I have tried moving my Xp box into an OU that is blocking all GPOs just to verify that a GPO is not effecting the results of the registry or window popup. Unfortunately this does not change anything. In that case that this works the way you describe it, when the cacheInterval is past the day you specified what is suppose to happen exactly? Regards, Nathalie

>>In that case that this works the way you describe it, when the cacheInterval is past the day you specified what is suppose to happen exactly? if it's still in the cache interval... mspwdregistration.exe will just quietly exit. u won't notice that in the task bar if it's outside the cache interval (the cache is not valid anymore)... mspwdregistration.exe will query the server again for updated registration status (i.e. need to register or not). if not, then it will exit; if yes, u will see the registration UI... in either case, when it queries the server for status, u will see something in the task bar... do u have live meeting?The FIM Password Reset Blog http://blogs.technet.com/aho/

Hi Anthony, I have webex. Please send me your contact info to my email account registered on this forum. I am available after 1pm CST today. Thanks, Nathalie

i can only do live meeting. i can send you the invite if u don't have live meeting server running, u will need to download the client The FIM Password Reset Blog http://blogs.technet.com/aho/

Taken offline and resolved Nathalie will post the findings once everything is confirmed and testedThe FIM Password Reset Blog http://blogs.technet.com/aho/

Anthony, Thanks again for working with me on this issue. I had a GPO in my environment that restricts users from modifying the registry. I created a logon script that adds the keys and values to the HKCU via GPO. It worked perfectly. The FIM Password pop disappeared from the taskbar as expected. Thank you so much for your help. Regards, Nathalie

Here is the logon script I used: const HKEY_CURRENT_USER = &H80000001 strComputer = "." Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\"&_ strComputer & "\root\default:StdRegProv") 'Create Keys KeyPath = "software\microsoft\forefront identity manager\2010\Extensions" Return = objReg.CreateKey(HKEY_CURRENT_USER, KeyPath) 'Create Values KeyPath = "software\Microsoft\Forefront Identity Manager\2010\Extensions" strValueName = "CacheInterval" dwValue = 10 objReg.SetDWORDValue HKEY_CURRENT_USER,KeyPath,strValueName,dwValue strValueName = "MaxOffset" dwValue = 2 objReg.SetDWORDValue HKEY_CURRENT_USER,KeyPath,strValueName,dwValue If (Return = 0) And (Err.Number = 0) Then 'Wscript.Echo "HKEY_CURRENT_USER\software\microsoft\forefront identity manager created" Else Wscript.Echo "CreateKey failed. Error = " & Err.Number End If

Anthony, Thanks again for working with me on this issue. I had a GPO in my environment that restricts users from modifying the registry. I created a logon script that adds the keys and values to the HKCU via GPO. It worked perfectly. The FIM Password pop disappeared from the taskbar as expected. Thank you so much for your help. Regards, Nathalie Natg89 - can you please expand on the offending GPO setting? I'd like to rule this out against an issue we're having with registration. We have intermittent password registration failures and even with successful registrations I don't see these keys being created.Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com