A user of Forefront Identity Manager 2010 Self-Service Password Reset successfully authenticates the question and answer (Q&A) gate, inputs a new password and fails to successfully reset with the generic error “An error occurred when attempting to reset password, please try again”.
Upon inspection of the Forefront Identity Manager log in Event Viewer the following error has been recorded:
Textually, that’s an event ID 3 from Microsoft.ResourceManagement with a description of “PWReset Activity’s MIIS Password Set call failed with ma-access-denied”.
As the error suggests the issue is that the AD MA account does not have permissions to reset the password of the user in question.
Microsoft help and support knowledgebase article kb2028194 also describes this issue but instead focuses on “protected users”, i.e. those whose security descriptor (SD) is managed by the Active Directory Domain Services (AD DS) adminSDHolder object. This is probably because the SSPR deployment guide does state what permissions are required.
The purpose of this post is to provide instructions on what permissions are required and how to deploy them. I’ve already posted this information in the form of a CMD script at the bottom of this post. In this post I’ll provide a PowerShell script to set the permissions.
The discussion of protected users is outside of the scope of this blog post. The aforementioned KB describes this quite well. In my experience I’ve kept them out of the scope of FIM 65% of the time and modified adminSDHolder the other 35% of the time. Here’s an example script.
```powershell
# SsprPermissions.ps1 v1.0 Paul Williams (firstname.lastname@example.org) Microsoft Services Feb. 2012
# Simple script that grants an account (ideally a domain local group) the necessary permissions
# for the AD MA to perform a password set operation.
PARAM (
    # Container whose descendant user objects are in scope of SSPR.
    [Parameter(Mandatory = $false)] [String]$Target  = "OU=People,DC=corp,DC=contoso,DC=com",
    # Account (or group containing the account) that the AD MA runs as.
    [Parameter(Mandatory = $false)] [String]$Trustee = "CORP\FimSyncAdmaResetPasswordAccess"
);

Write-Host "`nSsprPermissions.ps1 v1.0 Paul Williams (email@example.com) Microsoft Services Feb. 2012`n";
Write-Host "`nTarget: $Target`nTrustee: $Trustee`n";
Write-Host "Granting the following permissions...";

# /I:S applies the ACE to sub-objects only; the trailing ";user" limits it to descendant user objects.
Write-Host '"Reset Password" Control Access Right (CAR) on descendant user objects';
dsacls $Target /I:S /G "${Trustee}:CA;Reset Password;user" | Out-Null;
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting Reset Password (exit code $LASTEXITCODE)"; }

Write-Host "Write Property (WP) lockoutTime on descendant user objects";
dsacls $Target /I:S /G "${Trustee}:WP;lockoutTime;user" | Out-Null;
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting WP lockoutTime (exit code $LASTEXITCODE)"; }

Write-Host "`nScript complete.`n`n";
```
In summary, the AD MA account needs the following permissions on the users in scope of the SSPR solution:
- Reset Password extended right. This controls the ability to actually set (not change) a password.
- Write Property lockoutTime. This attribute is written to unlock the account.
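Before testing a reset in the portal it is worth confirming that both ACEs actually landed, with the right inheritance, on the container. The following audit script is an added example; it is not from the original post or from FIM. It reads the OU's security descriptor through System.DirectoryServices, so it runs on a FIM-era server without the ActiveDirectory module, and looks for Allow ACEs for the trustee carrying the Reset Password control access right (GUID 00299570-246d-11d0-a768-00aa006e0529) and Write Property on lockoutTime (GUID 28630ebf-41d5-11d1-a9c1-0000f80367c1) that apply to descendant user objects. The OU and group names are the same placeholders the post's script uses; the function and variable names are my own. A broader grant (all extended rights, all properties, or all descendant object types) is accepted as satisfying the check, while an ACE that applies only to the OU itself is reported as missing, because SSPR needs the right on the user objects.

```powershell
# Test-SsprPermissions.ps1 (added example): reports whether $Trustee holds the two ACEs
# SSPR needs on descendant user objects under $Target. Read-only; changes nothing.
PARAM (
    [String]$Target  = "OU=People,DC=corp,DC=contoso,DC=com",      # placeholder OU
    [String]$Trustee = "CORP\FimSyncAdmaResetPasswordAccess"        # placeholder group
);

# Well-known GUIDs; these are fixed across all AD forests.
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password control access right
$LockoutTimeAttr    = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"   # lockoutTime attribute
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class

# Compare on SID so an unresolvable trustee elsewhere in the ACL cannot break the enumeration.
$sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier]);

$ou    = [ADSI]("LDAP://" + $Target);
$rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]);

function Test-Ace {
    PARAM (
        $Rules,
        [System.Security.Principal.SecurityIdentifier]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [Guid]$ObjectType
    )
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (-not $r.IdentityReference.Equals($Identity)) { continue }
        # The ACE must include the requested right (ExtendedRight or WriteProperty).
        if (($r.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        # ObjectType names the specific right/attribute; an empty GUID means "all of them".
        if ($r.ObjectType -ne $ObjectType -and $r.ObjectType -ne [Guid]::Empty) { continue }
        # Must flow to child objects (dsacls /I:S yields Descendents), not just the OU itself.
        if ($r.InheritanceType -eq 'None') { continue }
        # InheritedObjectType limits the ACE to a class; empty means every descendant class.
        if ($r.InheritedObjectType -ne $UserClass -and $r.InheritedObjectType -ne [Guid]::Empty) { continue }
        return $true
    }
    return $false
}

$hasReset   = Test-Ace -Rules $rules -Identity $sid -Right ExtendedRight -ObjectType $ResetPasswordRight;
$hasLockout = Test-Ace -Rules $rules -Identity $sid -Right WriteProperty -ObjectType $LockoutTimeAttr;

Write-Host "Target : $Target";
Write-Host "Trustee: $Trustee ($sid)";
Write-Host ("Reset Password CAR on descendant users : {0}" -f $hasReset);
Write-Host ("WP lockoutTime on descendant users     : {0}" -f $hasLockout);

# Non-zero exit lets a deployment runbook fail fast when either ACE is absent.
if (-not ($hasReset -and $hasLockout)) { exit 1 }
exit 0
```

Run it as any account that can read the OU's security descriptor; if either line reports False, the ma-access-denied error above is expected and the grant script needs to be re-run against the correct container, or the inheritance on the user objects checked for blocking (including the adminSDHolder case the KB covers).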