PWReset Activity’s MIIS Password Set call failed with ma-access-denied

A user of Forefront Identity Manager 2010 Self-Service Password Reset (SSPR) successfully passes the question and answer (Q&A) gate, enters a new password, and the reset fails with the generic error “An error occurred when attempting to reset password, please try again”.

Upon inspection of the Forefront Identity Manager log in Event Viewer the following error has been recorded:

[Screenshot of the Event Viewer entry; its text is transcribed below]

Textually, that’s event ID 3 from source Microsoft.ResourceManagement with the description “PWReset Activity’s MIIS Password Set call failed with ma-access-denied”.

As the error suggests, the problem is that the Active Directory management agent (AD MA) account does not have permission to reset the password of the user in question.

Microsoft Knowledge Base article KB2028194 also describes this issue but focuses on “protected users”, i.e. those whose security descriptor (SD) is managed by the Active Directory Domain Services (AD DS) adminSDHolder object, presumably because the SSPR deployment guide already states what permissions are required.

The purpose of this post is to state exactly which permissions are required and how to deploy them.  I’ve already posted this information in the form of a CMD script at the bottom of this post; here I’ll provide a PowerShell script that sets the permissions.

The discussion of protected users is outside the scope of this post; the aforementioned KB describes it quite well.  In my experience I’ve kept them out of the scope of FIM 65% of the time and modified adminSDHolder the other 35% of the time.  Here’s an example script.

# SsprPermissions.ps1 v1.0 Paul Williams (pawill@microsoft.com) Microsoft Services Feb. 2012
# Simple script that grants an account (ideally a domain local group) the necessary permissions
# for the AD MA to perform a password set operation.
#
# dsacls syntax used below: /I:S applies the ACE to sub-objects only (inherit-only), and
# /G "trustee:right;object-or-property;inherited-object-type" grants that right on descendant
# objects of the given class (here: user).

PARAM
(
    [Parameter(Mandatory = $false)]
    [String]$Target = "OU=People,DC=corp,DC=contoso,DC=com",
    
    [Parameter(Mandatory = $false)]
    [String]$Trustee = "CORP\FimSyncAdmaResetPasswordAccess"
);

# Runs dsacls through the call operator so the DN and the grant string are each passed as a
# single argument (Invoke-Expression re-parses the command line and mangles the embedded
# quotes), and fails loudly instead of discarding the tool's output on a non-zero exit code.
function Grant-Ace([String]$Grant)
{
    $output = & dsacls $Target /I:S /G $Grant 2>&1;
    if ($LASTEXITCODE -ne 0)
    {
        throw "dsacls failed (exit code $LASTEXITCODE) granting '$Grant' on '$Target':`n$output";
    }
}

Write-Host "`nSsprPermissions.ps1 v1.0 Paul Williams (pawill@microsoft.com) Microsoft Services Feb. 2012`n";
Write-Host "`nTarget:  $Target`nTrustee: $Trustee`n";
Write-Host "Granting the following permissions...";

Write-Host '"Reset Password" Control Access Right (CA) on descendant user objects';
Grant-Ace "${Trustee}:CA;Reset Password;user";

Write-Host "Write Property (WP) lockoutTime on descendant user objects";
Grant-Ace "${Trustee}:WP;lockoutTime;user";

Write-Host "`nScript complete.`n`n";

In summary, the AD MA account needs the following permissions on the user objects in scope of the SSPR solution:

  • Reset Password extended right (control access right).  This governs the ability to set a password administratively (as opposed to changing it, which requires the old password).
  • Write Property on lockoutTime.  SSPR writes this attribute (to 0) to unlock the account.
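Before (or after) running the dsacls script it is worth confirming what the trustee actually holds on the OU, because dsacls reports success even when an equivalent ACE already existed, and an ACE scoped to "this object only" or to a different inherited class will not help the AD MA.  The following verification script is an added example and not part of the original post or the FIM product.  It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3.0 or later are available on the machine, reuses the post's placeholder Target and Trustee values as defaults, and resolves the three GUIDs it needs (the user class, the lockoutTime attribute and the Reset Password control access right) from the forest schema and configuration partitions rather than hard-coding them.

```powershell
# Test-SsprPermissions.ps1 -- added verification example, not part of the original post.
# Reads the ACL of the target OU through the ActiveDirectory module's AD: drive and reports
# whether the trustee already holds the two ACEs SSPR needs on descendant user objects:
# the "Reset Password" control access right and Write Property on lockoutTime.
# Assumes RSAT / the ActiveDirectory module; Target and Trustee defaults are placeholders.
PARAM
(
    [Parameter(Mandatory = $false)]
    [String]$Target = "OU=People,DC=corp,DC=contoso,DC=com",

    [Parameter(Mandatory = $false)]
    [String]$Trustee = "CORP\FimSyncAdmaResetPasswordAccess"
);

Import-Module ActiveDirectory;
Add-Type -AssemblyName System.DirectoryServices;

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName in the schema partition.
function Get-SchemaGuid([String]$LdapDisplayName)
{
    $schemaNC = (Get-ADRootDSE).schemaNamingContext;
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID;
    return New-Object Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID);
}

# rightsGuid of a control access right, looked up by displayName under CN=Extended-Rights.
function Get-ExtendedRightGuid([String]$DisplayName)
{
    $configNC = (Get-ADRootDSE).configurationNamingContext;
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid;
    return [Guid]$obj.rightsGuid;
}

# True if any Allow ACE in $Aces grants $Right for $ObjectGuid (or for all objects) and is
# inherited by descendant user objects (either explicitly, or by applying to all descendants).
function Test-Ace
{
    PARAM ($Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [Guid]$ObjectGuid, [Guid]$UserClassGuid)
    foreach ($ace in $Aces)
    {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue; }
        if (-not $ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) { continue; }
        if ($ace.InheritedObjectType -ne [Guid]::Empty -and $ace.InheritedObjectType -ne $UserClassGuid) { continue; }

        # GenericAll covers every right; otherwise the specific right must be present and
        # either unscoped (ObjectType empty) or scoped to exactly the GUID we are looking for.
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true; }
        if ($ace.ActiveDirectoryRights.HasFlag($Right) -and
            ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $ObjectGuid)) { return $true; }
    }
    return $false;
}

$userClassGuid     = Get-SchemaGuid 'user';
$lockoutTimeGuid   = Get-SchemaGuid 'lockoutTime';
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password';

# Only the ACEs whose identity resolves to the trustee (an unresolvable identity shows as a SID string).
$acl  = Get-Acl -Path "AD:\$Target";
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Trustee };

[PSCustomObject][ordered]@{
    Target           = $Target;
    Trustee          = $Trustee;
    AceCount         = @($aces).Count;
    ResetPassword    = Test-Ace $aces ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPasswordGuid $userClassGuid;
    WriteLockoutTime = Test-Ace $aces ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $lockoutTimeGuid $userClassGuid;
};
```

Both ResetPassword and WriteLockoutTime should report True after the dsacls script has run; a False with a non-zero AceCount usually means the ACE exists but is scoped to the wrong inherited class or is not inherited at all, which dsacls will not tell you.  Note that the check looks only at the OU's own ACL, so a user whose security descriptor is overwritten by adminSDHolder (the protected users discussed above) can still fail even when the script reports True.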

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, FIM 2010, Self Service Password Reset, Troubleshooting.

One Response to PWReset Activity’s MIIS Password Set call failed with ma-access-denied

  1. Hi Paul!

    If you want to also grant the ability to force a password change at next logon, you’ll also need to grant ReadProperty and WriteProperty to pwdLastSet.

    Have a good day sir!
    Robert Williams
