Is it possible to create a master password?
My manager has asked me to investigate a series of Identity Management solutions, he has a requirement that it must be possible to create a master password. Is this the case with Forefront Identity Manager? Thanks.
May 21st, 2010 10:23pm

Master password for what? To perform what operation? The FIM Password Reset Blog http://blogs.technet.com/aho/
May 21st, 2010 11:59pm

Recover passwords if, for example, an administrator leaves the organization or is on vacation and access to his passwords are needed for some critical function.
May 22nd, 2010 12:06am

I don't think you can do password recovery in any system. All production systems I have come across have the password hashed. The FIM Password Reset Blog http://blogs.technet.com/aho/
May 22nd, 2010 1:36am

As Anthony explained, most systems hash passwords - this is a one-way transformation of the data that cannot be reversed. I am not aware of any systems that have a primary password and a "master" password. The correct way to do this is to have an administrator change the passwords in each system to a known system so the application can be accessed. If you establish password synchronization with FIM then this new password will only need to be set in Active Directory and then it will be pushed by FIM to all other systems that are enabled for password synchronization. Please let us know what you decide to do! -Jeremy
May 24th, 2010 6:34pm

Okay, let me see if I understand this correctly. It's not possible to configure a "master" password with FIM, however, if you need access to a privileged account which is accessible via FIM and the administrator who has access to said account is no longer with the organization, a different administrator can configure a new password for this account using FIM or AD (if password synchronization is enabled). Also, is it possible to log who performs this action? Is it possible to restrict which administrators are capable of performing this action? Thanks.
May 25th, 2010 4:16pm

Hi Mat, FIM uses AD as the source of password changes. So, if you wanted to change someone's password and have the new password sent to all of the systems that FIM is connected to, then the change would be made in AD. Access is granted to this by setting correct permissions in AD. The activity can be logged in AD. Alternately, you can change a user's password in the FIM portal using the helpdesk password reset scenario. This is the same scenario that is used when a user forgets their password and has not registered for self-service password reset or does not have access to a domain-joined computer with the password reset client. In this scenario, an Administrator can reset the password via the FIM portal. Permissions are granted via MPR in FIM and are logged in the request log. Additional logging can be added via workflow. -Jeremy
May 25th, 2010 7:03pm
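The AD-side procedure Jeremy describes (reset the password in AD so FIM synchronizes it outward, rely on AD permissions to gate who may do it, and rely on AD auditing to record who did it) as an added PowerShell example; this is not code from the thread or from FIM. It assumes the RSAT ActiveDirectory module, that the operator holds the "Reset password" right on the target object, that "Audit User Account Management" is enabled on the domain controllers, and that the account name is a placeholder.

```powershell
# Added example, not part of the original thread. Resets a privileged account's
# password in AD (FIM password sync then pushes it to connected systems) and
# pulls the audit record for the reset. Assumes RSAT ActiveDirectory module,
# "Reset password" rights on the target, and user-account-management auditing.
Import-Module ActiveDirectory

$Target = 'svc-critical-app'   # placeholder sAMAccountName of the account to take over

# Generate a fresh secret from a CSPRNG instead of reusing a shared "known" value:
# the stored hash cannot be reversed, so a reset is the only way back in.
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # Modulo selection has a tiny bias over 70 symbols; acceptable for a one-off reset.
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Pin one DC so the reset and the audit query refer to the same Security log.
$dc = [string](Get-ADDomainController -Discover).HostName

$newSecure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
# -Reset performs an administrative reset (no old password needed), which is
# exactly the operation AD's "Reset password" ACE controls and audits.
Set-ADAccountPassword -Identity $Target -Reset -NewPassword $newSecure -Server $dc

# Event 4724 = "An attempt was made to reset an account's password". The Subject
# block names the operator, which is the "who did it" the question asks about.
$since = (Get-Date).AddMinutes(-5)
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } |
    Where-Object { $_.Message -match "Target Account:[\s\S]*?Account Name:\s+$([regex]::Escape($Target))" } |
    ForEach-Object {
        $operator = if ($_.Message -match "Subject:[\s\S]*?Account Name:\s+(\S+)") { $Matches[1] } else { '?' }
        [pscustomobject]@{ When = $_.TimeCreated; Operator = $operator; Target = $Target; DC = $dc }
    }
```

The returned object is the minimum you would forward to a SIEM; the FIM-portal path logs the same action in the FIM request log instead, as the reply notes.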
