Is it possible to create a master password?
My manager has asked me to investigate a series of Identity Management solutions, he has a requirement that it must be possible to create a master password. Is this the case with Forefront Identity Manager?
Thanks.
May 21st, 2010 10:23pm
Master password for what? To perform what operation?
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 21st, 2010 11:59pm
Recover passwords if, for example, an administrator leaves the organization or is on vacation and access to his passwords is needed for some critical function.
May 22nd, 2010 12:06am
I don't think you can do password recovery in any system. All production systems I have come across have the password hashed.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 22nd, 2010 1:36am
As Anthony explained, most systems hash passwords - this is a one-way transformation of the data that cannot be reversed. I am not aware of any systems that have a primary password and a "master" password. The correct way to do this is to have an administrator change the passwords in each system to a known system so the application can be accessed. If you establish password synchronization with FIM then this new password will only need to be set in Active Directory and then it will be pushed by FIM to all other systems that are enabled for password synchronization.
Please let us know what you decide to do!
-Jeremy
May 24th, 2010 6:34pm
Okay, let me see if I understand this correctly. It's not possible to configure a "master" password with FIM; however, if you need access to a privileged account which is accessible via FIM and the administrator who has access to said account is no longer with the organization, a different administrator can configure a new password for this account using FIM or AD (if password synchronization is enabled). Also, is it possible to log who performs this action? Is it possible to restrict which administrators are capable of performing this action?
Thanks.
May 25th, 2010 4:16pm
Hi Mat,
FIM uses AD as the source of password changes. So, if you wanted to change someone's password and have the new password sent to all of the systems that FIM is connected to, then the change would be made in AD. Access is granted to this by setting correct permissions in AD. The activity can be logged in AD.
Alternately, you can change a user's password in the FIM portal using the helpdesk password reset scenario. This is the same scenario that is used when a user forgets their password and has not registered for self-service password reset or does not have access to a domain-joined computer with the password reset client. In this scenario, an administrator can reset the password via the FIM portal. Permissions are granted via MPR in FIM and are logged in the request log. Additional logging can be added via workflow.
-Jeremy
May 25th, 2010 7:03pm
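The two points made in this thread (hashed passwords cannot be recovered, only reset, and a helpdesk reset should be restricted to named administrators and logged) as an added example; this is illustrative code, not FIM or AD code, with a constructed in-memory store, a `reset_admins` set standing in for an MPR, and a `helpdesk_reset` function that are all assumptions:

```python
import datetime
import hashlib
import hmac
import os


class PasswordStore:
    """Constructed in-memory directory: username -> (salt, PBKDF2 digest)."""

    ITERATIONS = 200_000

    def __init__(self):
        self._records = {}
        self.audit_log = []        # one entry per reset attempt, allowed or not
        self.reset_admins = set()  # principals allowed to perform helpdesk resets (assumed MPR stand-in)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # One-way: PBKDF2-HMAC-SHA256. Nothing stored can be turned back into the password,
        # which is why "recovery" is impossible and only a reset can restore access.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PasswordStore.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def helpdesk_reset(self, actor: str, user: str, new_password: str) -> bool:
        # Restricted to listed administrators; every attempt is logged, denied ones included.
        allowed = actor in self.reset_admins
        self.audit_log.append({
            "actor": actor,
            "target": user,
            "allowed": allowed,
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        })
        if not allowed or user not in self._records:
            return False
        self.set_password(user, new_password)  # replaces the hash; the old password is gone
        return True
```

A denied attempt still produces an audit entry, so the log answers "who tried" as well as "who succeeded".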