SSPR - Password reset fails for AD MA without Domain Admins membership in one domain, works OK in others
ADMA account from domainA is set up with permissions specified at
http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx
Same ADMA account is used in domainB and domainC with identical permissions in the two sibling domains.
Problem: While password change over /passwordportal works correctly in domainB and domainC, in domainA it generates a ma-access-denied error in the FIM event log, the password entry screen shows an error '...contact the administrator', and the Reset button grays out. If the ADMA account is made a member of Domain Admins, SSPR works correctly.
Thanks - AB
June 4th, 2010 8:48am
Could be an issue with the AdminSDHolder permissions in the domains where the ADMA account is not a domain admin. Try doing a password reset on someone that is in no way special (not in domain admins, account operators etc).
David Lundell www.ilmBestPractices.com
June 4th, 2010 9:39am
Do you have the call stack as well?
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 4th, 2010 1:25pm
Thanks for this suggestion David,
Will test with different types of users.
AB
June 4th, 2010 5:55pm
As David indicates, you are probably being squashed by AdminSDHolder. Delegating Password Reset permissions to this object is not easy as you cannot do it through the GUI or through the Delegation Wizard. There is a KB article that talks about this here:
http://support.microsoft.com/kb/2028194
...however, it currently does not tell you how to fix it (working on that). To fix it, you'll need to use DSACLS to add the two permissions to the service account you are using for the AD MA. If you are using a group to delegate to (as you should) then substitute that.
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Reset Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Change Password"
Here are some other articles to review:
http://support.microsoft.com/kb/301188
http://support.microsoft.com/kb/232199/
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
June 4th, 2010 7:34pm
And to close the loop - the minimum rights you need to unlock the account:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;userAccountControl;"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;lockoutTime;"
You will also need to delegate other permissions "to this object only" for FIM to update these same objects when Sync is trying to update them. To delegate Read/Write All Properties:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:RPWP;;"
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
June 4th, 2010 8:56pm
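An added audit script (not from the thread, not Microsoft's code) that lists which principals currently hold, on AdminSDHolder, the rights Brad's dsacls lines grant (Reset Password, Change Password, write to userAccountControl and lockoutTime, and the "all properties" ACE), so the delegation can be verified before and after. It assumes the ActiveDirectory PowerShell module on a domain-joined machine and resolves the right/attribute GUIDs from the forest instead of hard-coding them:

```powershell
# Audit of the AdminSDHolder ACL for the rights delegated in this thread.
# Assumption: ActiveDirectory module present; caller can read AdminSDHolder,
# the Extended-Rights container and the schema (any domain user can).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$adminSd = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"

# Map GUID -> friendly name for the extended rights and attributes of interest
$ofInterest = @{}

# "CA;Reset Password" / "CA;Change Password" in dsacls are control-access
# rights; their GUIDs live in the Extended-Rights container.
foreach ($name in 'Reset Password', 'Change Password') {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    $ofInterest[[guid]$r.rightsGuid] = $name
}

# "RPWP;userAccountControl;" / "RPWP;lockoutTime;" target attributes; their
# GUIDs are the schemaIDGUID of the attributeSchema object.
foreach ($attr in 'userAccountControl', 'lockoutTime') {
    $s = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $ofInterest[[guid]$s.schemaIDGUID] = $attr
}

# "RPWP;;" (no object type) shows up as an empty ObjectType GUID in the ACE.
$ofInterest[[guid]::Empty] = 'ALL properties'

$acl = Get-Acl -Path "AD:\$adminSd"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $ofInterest.ContainsKey($_.ObjectType) } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                  @{ n = 'Right';     e = { $ofInterest[$_.ObjectType] } },
                  @{ n = 'ADRights';  e = { $_.ActiveDirectoryRights } },
                  @{ n = 'Inherited'; e = { $_.IsInherited } } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Because SDProp periodically stamps the AdminSDHolder ACL onto every protected (adminCount=1) account, any principal listed here can reset or unlock Domain Admins and other protected accounts, so the service account or group shown should be treated as a tier-0 credential and the output reviewed for entries beyond the ones deliberately delegated.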
Thanks Brad,
You and David are spot on! By changing the AdminSDHolder related permission the password could be reset. Thanks for the detailed info on dsacls.
Cheers,
AB
June 5th, 2010 12:25am