Password reset by Administrator
I would like to use the ILM2 password portal to let the administrator reset users' passwords without using challenges and Q&A gates. The customer does not want the users to register for password resets, nor let them reset their passwords on their own. The idea is to let the administrator reset the user's password from the ILM portal, just as the administrator does using the AD Users and Computers MMC. Is this feasible in ILM2? I followed the procedure in http://technet.microsoft.com/en-us/library/cc561138(WS.10).aspx and I did not include a Q&A gate in the password_reset_workflow; however, I got an error "we cannot reset the password at this time", and the event viewer indicated that the cause was that user authentication is missing. So is there a way to do this?
MM
September 8th, 2009 10:46am

That's not possible. The password reset functionality is designed to be a self-service password reset solution. If you don't use the authN, I believe you can achieve this by calling into the MIIS directory using WMI. May I ask why you don't like the idea of resetting the password in the AD Users and Computers MMC?
September 8th, 2009 1:42pm

I like the idea, but our customer wants to move all user and group administration tasks from the AD MMC to the ILM portal, and later he would sync to AD using outbound synchronization rules. The idea is to remove all delegations from AD and use the ILM portal with the workflows and permissions. What do you mean by "if you don't use the authN, I believe you can achieve this by calling into the MIIS directory using WMI"?
Thanks
MM
September 8th, 2009 1:49pm

The password reset activity (running as the ILMService a/c) is just performing a WMI call to MIIS to reset your password. I believe you can do a similar thing yourself. But if you are going this route, you will be completely bypassing ILM, i.e. you can't grant a certain set of users permission to reset someone's password. BTW, I see something being able to reset your password without your knowledge (instead of the system generating the pwd and emailing it to the manager) as a huge security issue...
September 8th, 2009 9:28pm

WMI stands for Windows Management Instrumentation, which is a programming interface used to automate various things within the Windows environment. The synchronization engine exposes a WMI interface, which means that you can write a program to cause the synchronization engine to do various things. The most common example is when you automate synchronization jobs (Management Agent run profiles). When you click on the "Script" button in Identity Manager under "Configure Run Profiles", the sample script code that is written for you uses WMI.

In addition to kicking off synchronization jobs, WMI can also be used to request that the synchronization engine set a user's password. This is documented in the Developer's Reference, which gets installed under "Program Files, Microsoft Identity Integration Server" when you install the synchronization engine. Search for "GetPassword". The article you want is titled "setpassword method of the miis_csobject class". The documentation has a code sample.

Note, however, that the code required to actually implement this is not trivial. Password sets are performed on connector space objects, and it is up to the programmer to work out how to locate the correct objects and their relationships to the user as represented in the metaverse. This task will require a software developer who is familiar with the MIIS / ILM / FIM architecture. Since you want to do this from the FIM portal, you will need to have your programmer either develop a custom workflow step that makes the appropriate WMI calls, or develop some other user interface extension to the portal.

As was posted elsewhere in the thread, you will want to consider carefully whether you really want to do this or not. Implementing a method to reset someone's password arbitrarily, without an audit log or any sort of secondary credential (such as security questions), could have serious (negative) security impacts.
September 9th, 2009 5:32pm
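As an added example (not code from the thread, from the poster above, or from Microsoft's Developer Reference), the PowerShell below walks the path just described: it finds the connector space object for a user by management agent name and DN through the sync engine's WMI provider (namespace root\MicrosoftIdentityIntegrationServer, classes MIIS_ManagementAgent and MIIS_CSObject), calls SetPassword on it, and writes its own audit line, since nothing in ILM records a direct WMI call. It assumes the script runs on the sync server as a member of the MIISAdmins group, that password management is enabled on the MA, and that SetPassword reports the string "success" on success as the Developer Reference describes; the MA name, DN, and log path are placeholders. It deliberately generates the password itself and returns it only as a SecureString so the operator never sees the value, which is the concern raised earlier in the thread.

```powershell
# Added example for the thread above, not the original poster's code.
# Assumptions (not stated on the page): run locally on the ILM/MIIS sync server as a
# member of MIISAdmins; password management is enabled on the MA; MIIS_CSObject can be
# located by MaName + DN; SetPassword returns the status string "success" on success.
# $MaName, $Dn and $AuditLog are hypothetical placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)] [string]$MaName,   # e.g. "AD MA" (hypothetical MA name)
    [Parameter(Mandatory = $true)] [string]$Dn,       # CS object DN in that MA (hypothetical)
    [string]$Computer = ".",
    [string]$AuditLog = "$env:ProgramData\ilm-setpassword.log"
)

$ns = "root\MicrosoftIdentityIntegrationServer"

# WQL string literals use backslash escaping; a DN containing an apostrophe would
# otherwise break the filter (or let a caller smuggle in extra WQL).
function Escape-Wql([string]$s) { return $s.Replace("\", "\\").Replace("'", "\'") }

# 1. Resolve the management agent first so a typo fails early and clearly.
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -ComputerName $Computer `
        -Filter ("Name='{0}'" -f (Escape-Wql $MaName))
if (-not $ma) { throw "Management agent '$MaName' not found on $Computer" }

# 2. Locate the connector space object. The provider only answers queries on a few key
#    combinations (MaName + DN is one of them); an unconstrained SELECT is not accepted.
$cs = Get-WmiObject -Namespace $ns -Class MIIS_CSObject -ComputerName $Computer `
        -Filter ("MaName='{0}' AND DN='{1}'" -f (Escape-Wql $MaName), (Escape-Wql $Dn))
if (-not $cs) { throw "No connector space object '$Dn' in MA '$MaName'" }

# 3. Generate the new password here so the operator never chooses or sees it.
#    16 chars with at least 3 non-alphanumerics; adjust to the connected directory's policy.
Add-Type -AssemblyName System.Web
$newPassword = [System.Web.Security.Membership]::GeneratePassword(16, 3)

# 4. Ask the sync engine to push the password to the connected directory.
#    Note: this bypasses ILM portal permissions and workflow entirely, as the thread warns;
#    whoever can run this can reset any password the MA can reach.
$result = $cs.SetPassword($newPassword)
$status = $result.ReturnValue

# 5. Record who did what, to which object, and the outcome. Never log the password itself.
$entry = "{0:o} user={1} op=SetPassword ma='{2}' dn='{3}' status='{4}'" -f `
    (Get-Date), [Environment]::UserName, $MaName, $Dn, $status
Add-Content -Path $AuditLog -Value $entry

if ($status -ne "success") {
    throw "SetPassword on '$Dn' failed with status '$status' (see $AuditLog)"
}

# 6. Hand the secret back only as a SecureString so the caller can deliver it out of band
#    (for example to the user's manager), matching the thread's suggestion.
$secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
Remove-Variable newPassword
[pscustomobject]@{ MA = $MaName; DN = $Dn; Status = $status; Password = $secure }
```

Usage note: save the block as Set-IlmCsPassword.ps1 and call it with the MA name and the user's DN in that MA; whether a given user has an object in the MA at all is something the metaverse join, not this script, decides, which is the non-trivial part the post above points to. Before wiring anything like this into a portal workflow, delegate the right to run it as narrowly as the MIISAdmins group allows and ship the audit file somewhere the operator cannot edit.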

In ILM, what is the alternative to reset a password if the user even forgets the answers to the challenge questions that he supplied when registering for password reset? You may find this a weird question, but with users you can never know what happens. I am thinking that in one way or another we might need administrator intervention to reset the password in case the user does not remember what he answered for the challenge questions :)
Thanks again
MM
September 10th, 2009 10:27am

At that point, it would result in a helpdesk call and a fallback to your existing procedures to reset the password without ILM.
September 12th, 2009 11:19pm
