How can we force a single user to re-register to Self service password reset?
In my scenario, I am trying to figure out how I can force a user to re-register if he forgets his answers for his pwd reset questions. I tried to force it by checking the re-register check box on Password reset set, but it enforces it on every user. Thanks
September 9th, 2010 5:45pm

Side question: how do you know if a user has forgotten the answers?
September 9th, 2010 8:43pm

Short answer: there is no way to do that. That said, when a user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 failed attempts, he's locked out and calls helpdesk. At this point, helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When the user next logs on to the system, he would be prompted to re-register.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 10th, 2010 12:27am

I don't have my FIM environment nearby, but I do have some course book lying around:
- As an admin, log on to the portal
- Choose administration -> unlock users
- Search for your user, click it
- Click "password reset authN workflow" and select "require re-registration"
- OK and submit
- Let the user log on, it should be asked to re-register
This seems quite similar to what you said, although it's unclear to me whether you selected "require re-registration" on the workflow in the workflow section or for your specific user.
http://setspn.blogspot.com
September 20th, 2010 9:42pm

That's a big NO. That will un-register EVERYONE for that workflow, not just one user. Is the course book from OCG? If yes, I have already talked to Hugh about that. If not, please notify your source. "Per user un-registration" is a feature that we cut very very early on (before RC).
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 21st, 2010 12:36am

Ahah, lucky you are awake and watching us! I guess it's because in the portal everything is all linked up. So when clicking the workflow on the user, you're actually opening the workflow that applies for all. The source is indeed the OCG book. Gonna get my pen and correct that. Well, if that way is a no go, I'd suggest assisting the user by phone and performing one of the following:
- start - run - cmd - "MsPwdRegistration -all"
- Go to the FIM portal and let the user click the link to register his questions again
Of course if you have to do this for a lot of users...
http://setspn.blogspot.com
September 21st, 2010 12:42am

We envision the scenario as the following:
>>That said, when user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 fail attempts, he's locked out and call helpdesk.
>>At this point, helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When user next logon to the system, he would be prompted to re-register
If you see a core scenario that requires per user un-registration, do contact PSS and let us know.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 21st, 2010 1:34am

I tested the scenario as you describe it: User enters wrong answers too many times, is locked out from SSPR and "helpdesk" resets PW in AD. At successful logon the user is notified that someone tried to answer too many times and he can re-register his answers. Makes perfect sense.
http://setspn.blogspot.com
September 22nd, 2010 9:52am

Is it possible to search for the GateRegistration objects for that user (in my environment I find three) and delete the registration objects? -Jeremy
November 5th, 2010 3:51pm

Registration status flag is stored under User.AuthNWFRegistered. Modifying that directly is NOT supported.
The FIM Password Reset Blog http://blogs.technet.com/aho/
November 5th, 2010 6:20pm

Remove the workflow IDs from User.AuthNWFRegistered. His registration data will still be in the system but it will mark that user as unregistered. There's no portal UI to do this, but you can do this manually (through Powershell or webservice calls, or if you have admin access in the portal and go to the extended attributes and clear that attribute).
ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
November 18th, 2010 3:52am

If one were to do that using PowerShell it might look like this:

```powershell
###
### Load the FIM cmdlets (Export-FIMConfig / Import-FIMConfig)
###
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

###
### Get the User object
###
$xPathFilter = "/Person[AccountName='HoofHearted']"
$queryResult = Export-FIMConfig -OnlyBaseResources -CustomConfig $xPathFilter

### Display the object
$queryResult | foreach{$_.resourcemanagementobject.ResourceManagementAttributes | ft -AutoSize}

###
### Get the object ID and the AuthNWFRegistered attributes
###
$objectId = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'ObjectID'}
$AuthNWFRegistered = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'AuthNWFRegistered'}

###
### Create a new ImportObject for the User
###
$update = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$update.ObjectType = "Person"
$update.SourceObjectIdentifier = $objectId.Value
$update.TargetObjectIdentifier = $objectId.Value
$update.State = 1 ## Put

###
### AuthNWFRegistered is multivalued
###
foreach($AuthNWFRegisteredValue in $AuthNWFRegistered.Values)
{
    ###
    ### Create an ImportChange for each value in AuthNWFRegistered
    ###
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = 2 ## Delete
    $importChange.AttributeName = "AuthNWFRegistered"
    $importChange.AttributeValue = $AuthNWFRegisteredValue
    $importChange.FullyResolved = 2
    $importChange.Locale = "Invariant"
    $update.Changes += $importChange
}

###
### Finally, import the change to FIM
###
Import-FIMConfig $update
```

CraigMartin Edgile, Inc. http://identitytrench.com
January 7th, 2011 9:17pm
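
Because AuthNWFRegistered is multivalued and editing it directly is described above as unsupported, a read-only check of what the attribute currently holds is worth running before any change. The following is an added example, not part of the original posts: it assumes the FIMAutomation snap-in is installed and the FIM Service is reachable at the cmdlets' default URI, reuses the sample account name from the post above, and `Get-FimAttribute` is a hypothetical helper defined here.

```powershell
# Added example (read-only): list the AuthN workflows a user is currently
# registered for, resolved to display names, before anything is cleared.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimAttribute($exportObject, [string]$name) {
    # Hypothetical helper: return the named attribute from an
    # Export-FIMConfig result, or $null if the attribute is absent
    $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
}

$accountName = 'HoofHearted'   # sample account name used in the post above
$user = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$accountName']"

# Refuse to continue on zero or ambiguous matches
if (-not $user)            { throw "No Person resource found for '$accountName'" }
if (@($user).Count -gt 1)  { throw "AccountName '$accountName' matched more than one Person" }

$registered = Get-FimAttribute $user 'AuthNWFRegistered'
if (-not $registered -or -not $registered.Values) {
    Write-Output "$accountName has no AuthNWFRegistered values; nothing to clear."
    return
}

foreach ($wfRef in $registered.Values) {
    # Reference values come back as urn:uuid:<guid>; the XPath filter takes the bare GUID
    $guid = $wfRef -replace '^urn:uuid:', ''
    $wf = Export-FIMConfig -OnlyBaseResources -CustomConfig "/WorkflowDefinition[ObjectID='$guid']"
    $displayName = (Get-FimAttribute $wf 'DisplayName').Value

    # One row per registered workflow
    New-Object PSObject -Property @{ WorkflowId = $guid; DisplayName = $displayName }
}
```

The script only calls Export-FIMConfig, so it changes nothing in FIM; its output can be kept with the helpdesk ticket as a record of the registration state before a change.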

This topic is archived. No further replies will be accepted.
