FIM 2010 Self-Service Password Reset Minimum Account Permissions

June 17, 2012

We are just implementing FIM Password Reset at a client’s site and needed to set the minimum permissions required to enable password reset. We used the following steps:

  1. Open Active Directory Users and Computers snap-in
  2. In “View”, click “Advanced Features”
  3. Right-click on the parent OU that you want to enable self service password reset for and select “Properties” (child OUs will inherit these permissions)
  4. Click the “Security” tab
  5. Click the “Advanced” button
  6. Click the “Add” button
  7. Enter the FIM account that is being used for password reset (the FIM service account)

From this point you need to select the following options:

  • In the “Object” tab set “Apply to:” to “Descendant user objects”, then tick “Change password” and “Reset password”
  • In the “Properties” tab set “Apply to:” to “Descendant user objects”, then tick “Change password” and “Reset password”, then tick “Read lockoutTime”, “Write lockoutTime”, “Read userAccountControl” and “Write userAccountControl”

NOTE: When selecting the “Properties” tab it does keep the previously selected “Apply to” setting – so you won’t be able to see the properties.
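The same delegation can be applied and then reviewed from PowerShell. This is an added example, not part of the original post: the OU and account names are placeholders, and it assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's ACL.

```powershell
# Added example: command-line equivalent of the GUI steps above, plus a review.
# $OU and $Account are placeholders (assumptions), not values from the post.
param(
    [string]$OU      = 'OU=Staff,DC=example,DC=com',  # placeholder parent OU
    [string]$Account = 'EXAMPLE\svc-fim'              # placeholder FIM service account
)

# dsacls permission specs, each scoped to user objects:
#   CA = control access (extended right), RP/WP = read/write property
$grants = @(
    'CA;Change Password;user',
    'CA;Reset Password;user',
    'RPWP;lockoutTime;user',
    'RPWP;userAccountControl;user'
)

foreach ($g in $grants) {
    # /I:S = apply to sub-objects only, matching "Descendant user objects"
    & dsacls.exe $OU /I:S /G "${Account}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g' on $OU" }
}

# Review: read back the explicit ACEs that name the account on this OU.
Import-Module ActiveDirectory
$aces = (Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }

# Least-privilege check: only these three right types are expected, and every
# ACE should be tied to one specific right or attribute (non-empty ObjectType).
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, ReadProperty, WriteProperty'
$tooBroad = $aces | Where-Object {
    (([int]$_.ActiveDirectoryRights) -band (-bnot $allowed)) -ne 0 -or
    $_.ObjectType -eq [guid]::Empty
}

$aces | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
if ($tooBroad) {
    Write-Warning "$Account holds rights on $OU beyond the password reset minimum:"
    $tooBroad | Format-List ActiveDirectoryRights, ObjectType, InheritanceType
}
```

An ACE with an empty `ObjectType` covers all properties or all extended rights, so the warning also catches a grant that was made without selecting the individual items listed above.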
