New accounts being set as disabled in AD?
Is your default password compliant with the AD password policy?

Kind regards, Peter

Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)
[If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
February 18th, 2011 5:14pm

Also, as of this post on userAccountControl, did you check the time sync settings? The FIM server must be time synced with AD...

HTH, Peter

Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)
February 18th, 2011 5:19pm

Hi Peter, it would seem so, as I was able to reset a new user's password to the default password using mmc. GPO says x characters min and must meet password complexity requirements, but at this point I don't know how to check those complexity requirements. Looking into it now. I also tried removing the pwdLastSet=0 attribute flow but there was no change.
February 18th, 2011 5:28pm

Just FYI: Passwords must meet complexity requirements on Technet.

HTH, Peter

Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)
February 18th, 2011 5:45pm

The times are synchronised and after reading that document I can confirm the default password does meet complexity requirements. Hrm!
February 18th, 2011 6:06pm

Are you really sure that what FIM is generating/setting for the unicodePwd attribute is complex enough? Whenever I have accounts which end up with 514, mostly that's because the PW isn't complex enough. If I'm not mistaken you can easily check this: go to Active Directory Users & Computers, right-click such a provisioned disabled account and choose "enable". If it gives you an error regarding the password complexity you'll know what to look for.

http://setspn.blogspot.com
February 18th, 2011 6:09pm

A colleague of mine had exactly this scenario yesterday, and I went through all the above scenarios, including password complexity. In the end the problem was simply a missing permission for the management agent account to actually set the password. This problem has a habit of cropping up a lot because the error message that comes back isn't exactly helpful in pinpointing the cause. Perhaps this is your issue too?

Bob Bradley, www.unifysolutions.net (FIMBob?)
February 18th, 2011 6:18pm

When creating new accounts, I'm setting the following (and other) attributes and the user provisions successfully, but the uac comes back as 514, i.e. disabled:

userAccountControl = 512
unicodePwd = some default password
pwdLastSet = 0

My intention here is to allow them to log in with the default password but be required to enter a new password on first login. I'm guessing the pwdLastSet attribute is throwing this out? How do other people approach this situation?
February 18th, 2011 6:58pm

I had assigned what I thought was the correct permissions to the agent account in AD previously and tried a few more but couldn't get it to work. After setting the "Full control" permission to all descendent objects it worked. So there is a permission I'm missing, but I don't have the time to find the specific one. We're on an extremely tight deadline. This is far from ideal. I wish the required permissions for common ADMA actions were documented. Thanks Bob! This will do for now, or until the security team start complaining... Edit... JayAdair1 is me. For some reason I have two accounts depending on the browser I use, despite using the same email address.
February 21st, 2011 3:59pm

I understand your frustration, but where does the FIM documentation end and where does the External Datasource documentation begin? As for AD, it's explained in detail in the following documents:

Best Practices for Delegating Active Directory Administration
Best Practices for Delegating Active Directory Administration Appendices

Good luck!

http://setspn.blogspot.com
February 21st, 2011 4:02pm

Don't forget this very important resource: Management Agent Communication Ports, Rights, and Permissions ... maybe have a scour of this and see if it has the explicit permissions you're after.

Bob Bradley, www.unifysolutions.net (FIMBob?)
February 21st, 2011 4:22pm

Password complexity isn't the issue, as I can enable the accounts in AD manually. Thanks Bob, that sounds quite possible. I'll have a look. Hopefully there are recommended permissions in the FIM documentation. Will report back.
February 21st, 2011 4:52pm
