SSPR - Password reset fails for AD MA without Domain Admins membership in one domain, works OK in others
ADMA account from domainA is set up with permissions specified at http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx. Same ADMA account is used in domainB and domainC with identical permissions in the two sibling domains. Problem: While password change over /passwordportal works correctly in domainB and domainC, in domainA it generates a ma-access-denied error in the FIM event log, and the password entry screen shows an error '...contact the administrator' and the Reset button grays out. If the ADMA account is made a member of Domain Admins, SSPR works correctly.
Thanks - AB
June 4th, 2010 8:48am

Could be an issue with the AdminSDHolder permissions in the domains where the ADMA account is not a domain admin. Try doing a password reset on someone that is in no way special (not in Domain Admins, Account Operators, etc.).
David Lundell www.ilmBestPractices.com
June 4th, 2010 9:39am

Do you have the call stack as well?
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 4th, 2010 1:25pm

Thanks for this suggestion David. Will test with different types of users. AB
June 4th, 2010 5:55pm

As David indicates, you are probably being squashed by AdminSDHolder. Delegating Password Reset permissions to this object is not easy as you cannot do it through the GUI or through the Delegation Wizard. There is a KB article that talks about this here: http://support.microsoft.com/kb/2028194 ...however, it currently does not tell you how to fix it (working on that). To fix it, you'll need to use DSACLS to add the two permissions to the service account you are using for the AD MA. If you are using a group to delegate to (as you should) then substitute that.

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Reset Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Change Password"

Here are some other articles to review:
http://support.microsoft.com/kb/301188
http://support.microsoft.com/kb/232199/

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
June 4th, 2010 7:34pm

And to close the loop - the minimum rights you need to unlock the account:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;userAccountControl;"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;lockoutTime;"

You will also need to delegate other permissions "to this object only" for FIM to update these same objects when Sync is trying to update them. To delegate Read/Write All Properties:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;;"

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
June 4th, 2010 8:56pm
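
A defender-side check for the situation David and Brad describe, added here as an example; it is not code from the thread, from FIM or from Microsoft. It first tells you whether the target user is really a protected account (adminCount = 1, the case David suggests testing against), then reads the AdminSDHolder ACL and reports whether the AD MA account holds the four rights Brad's dsacls lines grant, without modifying anything. It assumes the RSAT ActiveDirectory module is installed; the account name (the thread's placeholder mydomain\svc_fimadma) and the user are parameters, and if you delegate to a group as Brad recommends, pass the group name instead, since the script only looks at ACEs naming the principal you give it.

```powershell
# Added example (not from the thread, FIM, or Microsoft): audit the AdminSDHolder
# delegation that the dsacls commands above grant, without touching the ACL.
# Assumes the RSAT ActiveDirectory module. $Account is the AD MA account or the
# group you delegated to, e.g. 'mydomain\svc_fimadma' (the thread's placeholder);
# $User is the sAMAccountName of the user whose reset was denied.
param(
    [Parameter(Mandatory)][string]$Account,
    [Parameter(Mandatory)][string]$User
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Step 1 (David's check): SDProp stamps adminCount=1 on members of protected groups
# and keeps overwriting their ACL from AdminSDHolder, so an OU-level delegation
# stops applying to them. A user with adminCount unset is not affected.
$target    = Get-ADUser -Identity $User -Properties adminCount
$protected = ($target.adminCount -eq 1)
if ($protected) {
    "$User has adminCount=1: its ACL is rewritten from AdminSDHolder"
} else {
    "$User is not a protected account: the AdminSDHolder ACL below does not apply to it"
}

# Step 2: resolve the GUIDs dsacls writes into the ACEs from the forest itself
# instead of hard-coding them.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid |
         Select-Object -First 1
    [guid]$o.rightsGuid
}
function Get-AttributeGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID |
         Select-Object -First 1
    [guid]::new([byte[]]$o.schemaIDGUID)
}

# The four rights the thread's dsacls lines grant: CA = control access (extended
# right), RPWP = read/write property on one attribute.
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]
$required = @(
    @{ Name = 'Reset Password (CA)';       Flag = $AdRights::ExtendedRight; Guid = Get-ExtendedRightGuid 'Reset Password' }
    @{ Name = 'Change Password (CA)';      Flag = $AdRights::ExtendedRight; Guid = Get-ExtendedRightGuid 'Change Password' }
    @{ Name = 'userAccountControl (RPWP)'; Flag = $AdRights::WriteProperty; Guid = Get-AttributeGuid 'userAccountControl' }
    @{ Name = 'lockoutTime (RPWP)';        Flag = $AdRights::WriteProperty; Guid = Get-AttributeGuid 'lockoutTime' }
)

# Step 3: read the ACL of AdminSDHolder and keep only Allow ACEs for $Account.
$acl  = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
$aces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account
})

# An ACE satisfies a requirement when it carries the flag (or GenericAll) and its
# ObjectType is either the specific GUID or empty (= all rights / all properties).
function Test-Ace($Ace, $Flag, [guid]$Guid) {
    $r = $Ace.ActiveDirectoryRights
    $hasFlag = (($r -band $Flag) -eq $Flag) -or (($r -band $AdRights::GenericAll) -eq $AdRights::GenericAll)
    $hasFlag -and (($Ace.ObjectType -eq $Guid) -or ($Ace.ObjectType -eq [guid]::Empty))
}

foreach ($req in $required) {
    $granted = @($aces | Where-Object { Test-Ace $_ $req.Flag $req.Guid }).Count -gt 0
    '{0,-28} {1}' -f $req.Name, $(if ($granted) { 'GRANTED' } else { 'MISSING' })
}
```

Run it once per domain with the same account; in the thread's case it would report all four rights missing in domainA and present in domainB and domainC. Note that an ACE added to AdminSDHolder is only copied onto protected users the next time SDProp runs (every 60 minutes by default), so a reset attempted immediately after the dsacls commands can still fail for a protected user even though this audit already shows GRANTED.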

Thanks Brad, You and David are spot on! By changing the AdminSDHolder related permission the password could be reset. Thanks for the detailed info on dsacls. Cheers, AB
June 5th, 2010 12:25am

This topic is archived. No further replies will be accepted.