When somebody tries to guess a user’s secret answers used for/in SSPR, FIM will lockout the user permanently in FIM if the thresholds are exceeded. You will never know WHO was sitting behind a certain computer and doing this. BUT… would it be possible to log from which computer this was being done (e.g. computer name or IP Address)???? If YES, which log would you need to check? (the FIM Event Log?)Jorge de Almeida Pinto [MVP-DS / AD DS TechNet Forums Moderator] [Sr. Technical Consultant @ Oxford Computer Group] (http://blogs.dirteam.com/blogs/jorge/default.aspx) (http://www.oxfordcomputergroup.com/)

Hey Jorge, That's an excellent question. Would be cool if the anonymous user was associated with the incoming IP address for the attempt in the request logs... Thanks B

i don't think FIM does that for you (as reporting/auditing isn't really a feature in FIM) a SSPR request is just like any other request. You can enable WCF tracing but you probably will have a hard time looking at the log

Hi, Thanks for the answer on this! To make it more complete, info about enabling WCF on the FIM service server(s): FIM 2010 uses Windows Communication Foundation (WCF) performance counters to monitor service usage. Monitoring service usage with WCF performance counters is an optional step to enable when diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see this MSDN article http://go.microsoft.com/fwlink/?LinkId=164848. Cheers, JorgeJorge de Almeida Pinto [MVP-DS / AD DS TechNet Forums Moderator] [Sr. Technical Consultant @ Oxford Computer Group] (http://blogs.dirteam.com/blogs/jorge/default.aspx) (http://www.oxfordcomputergroup.com/)