How can we force a single user to re-register to Self service password reset?
In my scenario, I am trying to figure out how I can force a user to re-register if he forgets his answers for his pwd reset questions? I tried to force it by checking the re-register check box on Password reset set, but it enforces it on every user.
Thanks
September 9th, 2010 5:45pm
Side question: how do you know if a user has forgotten the answers?
September 9th, 2010 8:43pm
Short answer: there is no way to do that.
That said, when a user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 failed attempts, he's locked out and calls helpdesk.
At this point, helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When the user next logs on to the system, he would be prompted to re-register.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 10th, 2010 12:27am
I don't have my FIM environment nearby, but I do have some course book lying around:
As an admin, log on to the portal
Choose administration -> unlock users
Search for your user, click it
Click "password reset authN workflow" and select "require re-registration"
OK and submit
Let the user log on, it should be asked to re-register
This seems quite similar to what you said, although it's unclear to me whether you selected "require re-registration" on the workflow in the workflow section or for your specific user.
http://setspn.blogspot.com
September 20th, 2010 9:42pm
That's a big NO. That will un-register EVERYONE for that workflow, not just one user.
Is the course book from OCG? If yes, I have already talked to Hugh about that. If not, please notify your source.
"Per user un-registration" is a feature that we've cut very very early on (before RC).
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 21st, 2010 12:36am
Ahah, lucky you are awake and watching us! I guess it's because in the portal everything is all linked up. So when clicking the workflow on the user, you're actually opening the workflow that applies to all.
The source is indeed the OCG book. Gonna get my pen and correct that.
Well, if that way is a no go, I'd suggest assisting the user by phone and performing one of the following:
start - run - cmd - "MsPwdRegistration -all"
Go to the FIM portal and let the user click the link to register his questions again
Of course if you have to do this for a lot of users...
http://setspn.blogspot.com
September 21st, 2010 12:42am
We envision the scenario as the following
>>That said, when a user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 failed attempts, he's locked out and calls helpdesk.
>>At this point, helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When the user next logs on to the system, he would be prompted to re-register.
If you see a core scenario that requires per user un-registration, do contact PSS and let us know.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 21st, 2010 1:34am
I tested the scenario as you describe it:
User enters wrong answers too many times, is locked out from SSPR and "helpdesk" resets PW in AD. At successful logon the user is notified that someone tried to answer too many times and he can re-register his answers.
Makes perfect sense.
http://setspn.blogspot.com
September 22nd, 2010 9:52am
Is it possible to search for the GateRegistration objects for that user (in my environment I find three) and delete the registration objects?
-Jeremy
November 5th, 2010 3:51pm
Registration status flag is stored under User.AuthNWFRegistered. Modifying that directly is NOT supported.
The FIM Password Reset Blog http://blogs.technet.com/aho/
November 5th, 2010 6:20pm
Remove the workflow IDs from User.AuthNWFRegistered. His registration data will still be in the system but it will mark that user as unregistered.
There's no portal UI to do this, but you can do this manually (through PowerShell or webservice calls, or if you have admin access in the portal and go to the extended attributes and clear that attribute).
ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
November 18th, 2010 3:52am
If one were to do that using PowerShell it might look like this:
###
### Load the FIM snap-in that provides Export-FIMConfig and Import-FIMConfig
###
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

###
### Get the User object
###
$xPathFilter = "/Person[AccountName='HoofHearted']"
$queryResult = Export-FIMConfig -OnlyBaseResources -CustomConfig $xPathFilter

### Display the object
$queryResult | foreach{$_.ResourceManagementObject.ResourceManagementAttributes | ft -AutoSize}

###
### Get the object ID and the AuthNWFRegistered attributes
###
$objectId = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'ObjectID'}
$AuthNWFRegistered = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'AuthNWFRegistered'}

###
### Create a new ImportObject for the User
###
$update = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$update.ObjectType = "Person"
$update.SourceObjectIdentifier = $objectId.Value
$update.TargetObjectIdentifier = $objectId.Value
$update.State = 1 ## Put

###
### AuthNWFRegistered is multivalued
###
foreach($AuthNWFRegisteredValue in $AuthNWFRegistered.Values)
{
    ###
    ### Create an ImportChange for each value in AuthNWFRegistered
    ###
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = 2 ## Delete
    $importChange.AttributeName = "AuthNWFRegistered"
    $importChange.AttributeValue = $AuthNWFRegisteredValue
    $importChange.FullyResolved = 2
    $importChange.Locale = "Invariant"
    $update.Changes += $importChange
}

###
### Finally, import the change to FIM
###
Import-FIMConfig $update
CraigMartin Edgile, Inc. http://identitytrench.com
January 7th, 2011 9:17pm
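A read-only check to run before and after the script above, added here as an example (it is not part of the thread or of FIM itself): it lists which workflows an account is currently marked as registered for through AuthNWFRegistered, and returns nothing when the attribute is absent or empty. The function names Get-FimAttribute and Get-SsprRegistration are hypothetical, and the code assumes the FIMAutomation snap-in on a host that reaches the default FIM Service endpoint.

```powershell
# Added example: read-only report, makes no change to the FIM Service.
# Assumption: FIMAutomation snap-in installed, default local FIM Service endpoint.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

function Get-FimAttribute($resource, [string]$name) {
    # Return the attribute entry with the given name, or nothing if it is absent
    $resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
}

function Get-SsprRegistration([string]$AccountName) {   # hypothetical helper name
    # The account name is placed inside an XPath string literal, so reject quotes
    if ($AccountName -match "'") { throw "Account name must not contain a quote" }

    $users = @(Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$AccountName']")
    if ($users.Count -ne 1) {
        throw "Expected exactly one Person for '$AccountName', found $($users.Count)"
    }

    $registered = Get-FimAttribute $users[0] 'AuthNWFRegistered'
    # Attribute absent or empty: the user is already unregistered, nothing to report
    if ($registered -eq $null -or @($registered.Values).Count -eq 0) { return }

    foreach ($wfRef in $registered.Values) {
        # Reference values may carry a urn:uuid: prefix; XPath wants the bare GUID
        $wfId = $wfRef -replace '^urn:uuid:', ''
        $wf = @(Export-FIMConfig -OnlyBaseResources -CustomConfig "/WorkflowDefinition[ObjectID='$wfId']")
        $wfName = if ($wf.Count -eq 1) { (Get-FimAttribute $wf[0] 'DisplayName').Value } else { '<not found>' }
        New-Object PSObject -Property @{
            AccountName = $AccountName
            WorkflowId  = $wfId
            Workflow    = $wfName
        }
    }
}

# Same sample account as in the script above
Get-SsprRegistration 'HoofHearted' | Format-Table -AutoSize
```

An empty result before running the removal script means there are no AuthNWFRegistered values to delete for that user; an empty result afterwards confirms the user is now marked as unregistered.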