AD security group as FIM Portal administrator

Hi Gurus,
I have a question. I want to add an AD security group in FIM so that the users of the group become FIM portal administrators. I believe that to do that I need to sync the group using a management agent and then add that group to the SharePoint administrator group.
Is this correct? If it's not, then where can I find a procedure to make the members of the security group, which is in an OU, the administrators of the FIM portal? I don't want to sync the whole OU but only one group within the OU, as there are other groups within the OU which I do not want to have admin rights to the portal.
Is there a way I can achieve what I am trying to do? I haven't found any documentation on it. As I am very new to this, I apologize if the question sounds silly.
Any help will be greatly appreciated. Thanks in advance.
Regards,

Hi Paul, Dave and Steve
Thank you all for your valuable inputs. I have successfully resolved the issue. This is what I did.
I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the ADMA, following the synchronization order specified by Microsoft, the number of objects was doubling. There were about 180 objects to begin with and it doubled. I checked a number of solutions online which asked me to delete the object from the connector. However, considering the number of objects, that would have been a lot of work. So I decided to delete the users from the FIM portal and manually run the sync again. I got this script from Carol Wapshere:
http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2
The good thing about the script is that a few users can be added to the Administrator set in the portal and the script will not delete them. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in order, added the users to the Admin set and it all worked fine. I know it is a bit of a sledgehammer approach but I believed that might be the best under the current circumstances.
Thank you all again for taking time out and answering my question. You have been a great help!!
Regards,

Similar Messages

  • How to track changes made to a group owner for Distribution/Security Group in FIM 2010 R2?

    We have a requirement where we have to send a consolidated email to the new group owner which lists all the groups that are tagged to him/her.
    This requirement is needed so that the new group owner can be notified of the groups that he/she owns. Group owner information can be updated in AD, which would then sync with FIM, or by bulk updates for groups in FIM.
    So first we would have to track the group owner change in FIM, retrieve the owner information, then list all the groups listed under him, consolidate an email and trigger the notification.
    Can someone help me and let me know how this can be achieved?
    Thanks in advance!!

    Hello,
    you cannot do this with only OOB functions. You will need a custom activity to enumerate all groups a specific person owns.
    The first part is easy: create an MPR which triggers a workflow activity on owner attribute changes.
    The custom activity should then search for all groups the new owner owns in addition.
    Pass that information through the WorkflowDictionary to a notification activity.
    If you are not familiar with developing workflow activities you could use the PowerShell Activity, for example.
    /Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com

  • BHOLD attestation setup if FIM Portal is already used for Group Membership

    Background - We had a FIM 2010 deployment in production. A few months ago, we upgraded it to FIM R2. There are already about 4000 criteria-based groups and request-based groups in the FIM portal. The FIM portal is used as the authoritative source for group membership.
    Problem Statement - The requirement is to attest the existing and ongoing request-based group membership of users using the BHOLD User Attestation module. We want to continue with the FIM portal (not the BHOLD UI) as the end-user interface for requesting group membership.
    Hence, for the metaverse group object's member attribute, the FIM Portal should have higher precedence than the BHOLD MA.
    From the available documentation of BHOLD, I understand that BHOLD is more suitable in cases where the FIM Portal is not already the system deciding group membership. However, in our already existing deployment, group membership is given by the FIM portal. In fact this should be the case with all the FIM deployments before BHOLD's release.
    Please suggest how to attest the group memberships.
    Mayank Vaish

    I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem like overkill.
    However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required, in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.
    Cheers,
    Dave

  • FIM 2010 R2: Creating Security Groups in portal : OU

    Hi,
    We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD, so is there a way to assign the OU in the portal?
    Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN?
    Or perhaps someone has tried some other ideas for this scenario?
    Thanks

    Hi,
    Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that, for example.
    Add a reference attribute to resource type "group" that will hold the reference to an OU resource type, and a string attribute for the OU container.
    After the above steps from @Sylvain, create MPRs which trigger a workflow on modification of that reference attribute (creation of a group will also modify this attribute, so only this MPR is needed).
    The workflow should then set the string OU attribute of the group (//target/ouStringAttr) with the DN string of the selected OU resource type, like that: //target/ouRefAttr/DisplayName
    You can then use this ouStringAttr in your outbound sync rule.
    Besides the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating an ERE), but I find the above solution a bit easier to implement.
    Regards
    Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com

  • Custom FIM Portal to provide special privilege to a specific user (e.g. Sub-Administrator) or a set of users

    If an organisation wants a user (let's say Paul Walker) to act as a Sub-Administrator, who can see the Security Groups or My SGs or My SGs Membership in the navigation resource bar in the FIM Portal and in the search scope as well, to view that data.
    Found a solution.

    Hello,
    NavigationBar, HomepageResources and SearchScopes are also displayed via permission MPRs.
    You have to deal with UsageKeywords also. You can get an overview of how this works if you take a look at how this is done with the BasicUI keyword to display the default elements.
    As an example you can do the following:
    1. Add the usage keyword SubAdminUI to the Navigation, Homepage and SearchScope elements you need.
    2. Create a set for each of the 3 having a dynamic filter UsageKeyword = "SubAdminUI"
    3. Create a set to combine the 3 sets into one using the filter ResourceID in "Name of the Sets"
    4. Create a set "SubAdminUI Users" and add the admin users to it (dynamic or static).
    5. Create a permission MPR and grant SubAdminUI Users read on the objects in the set created in step 3
    6. Perform an iisreset to clear the cache
    You should now see the portal elements as the SubAdmin. Next you need to make sure that the SubAdmin can read and edit group resources. Create permission MPRs for this as well. How to do this depends on whether you use the owner attribute of the groups or not.
    Regards
    Peter
    Peter Stapf - Doeres AG - My blog:
    JustIDM.wordpress.com

  • PowerShell Command / Script to add additional Global Administrator as an Owner to a Security Group In Office 365

    Hi There,
    I have a requirement as the Office 365 Administrator with the following:
    Anyone know if there is a command in PowerShell (script) for Office 365 to add an additional Global Administrator as an owner to a particular security group, or to all security groups, or to a security group that contains a certain word or phrase?
    1. Add a Global Administrator to ALL Security Groups:
    2. Add a Global Administrator to a Specific Security Group:
    3. Add a Global Administrator to ALL Security Groups that contain a specific Word / Phrase:
    Any suggestions would be helpful. This has become a necessity for my organisation.
    Thank You in advance.
    Shenil

    #Add a Global Administrator to ALL Security Groups:
    # The RoleObjectId below is the "Company Administrator" (Global Administrator) role; confirm it with Get-MsolRole.
    # Note: Add-DistributionGroupMember adds the admin as a *member*; group ownership is the ManagedBy attribute.
    $GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
    #$GlobalAdminID
    # Mail-enabled security groups report GroupType as "Universal, SecurityEnabled", so match the flag rather than -eq "Security".
    foreach ($id in $GlobalAdminID.EmailAddress) {
        Get-DistributionGroup | ? {$_.GroupType -like "*SecurityEnabled*"} | % {Add-DistributionGroupMember -Identity $_.Identity -Member $id}
    }
    #Add a Global Administrator to a Specific Security Group:
    $GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
    foreach ($id in $GlobalAdminID.EmailAddress) {
        Get-DistributionGroup | ? {$_.GroupType -like "*SecurityEnabled*" -and $_.DisplayName -eq 'Name1'} | % {Add-DistributionGroupMember -Identity $_.Identity -Member $id}
    }
    #Add a Global Administrator to ALL Security Groups that contain a specific Word / Phrase:
    $GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
    foreach ($id in $GlobalAdminID.EmailAddress) {
        Get-DistributionGroup | ? {$_.GroupType -like "*SecurityEnabled*" -and $_.DisplayName -like '*Some Phrase*'} | % {Add-DistributionGroupMember -Identity $_.Identity -Member $id}
    }
    Note: I didn't test this - please test or use -WhatIf
    Change RoleObjectId as applicable
    Get-MsolRole will give the company administrator GUID; that's the Global Admin ID
    Regards Chen V [MCTS SharePoint 2010]

  • FIM 2010 R2: Security group management by non-administrators

    Hi All,
    We have a small set of users (belonging to a particular department) who should be able to log in to the portal and manage a select set of groups - the users should be able to add and remove members from these said groups. In most of the cases, the groups already exist in Active Directory and we bring them into the FIM Portal.
    I have done the following so far:
    a) Created a set of users based on their departments - works fine
    b) Created a set of groups that the users in (a) should be managing - works fine
    c) Created 3 MPRs (resembling the MPRs that already exist for group management by administrators). One of these MPRs allows the set of users to read the attributes of the groups in the set in (b). The second allows the set of users to create and delete groups in the set. The third allows the set of users to "add a value to a multi-valued attribute", "remove a value from a multi-valued attribute", and "modify a single-valued attribute". In the list of attributes, I have included most of the attributes including "Manually-managed membership". All these 3 MPRs have the grant permission box checked.
    I (as a member of the set of users in (a)) can log in to the portal, view the groups in set (b), modify the description, add an owner, remove an owner etc. When I try to add or remove a member from a group where I am one of the owners, everything is fine.
    BUT, when I try to add or remove a member from a group where I am not listed as an owner, it gives me an "Access denied" error with these details: "The request included members which the requestor is not authorized to add and/or remove from this group"
    I am a member of the set in (a) and can remove/add members from the groups that I am the owner of. My questions are:
    A) What else do I need to do to add/remove members from a group that I am not the owner of but which still belongs to set (b)?
    B) Why does the portal force me to add an owner to every group of set (b) that I click to view/edit? Isn't there a way around that, i.e. not having to put any owner and still being able to add/remove members? For all the groups in set (b), the Join Instruction is set to "None" (i.e. any user can become a member of the group).
    I hope someone can shed some light on this. I have seen similar questions on the forum from a few years ago but they hadn't been answered (completely).
    Thanks

    Hello,
    this is because there are two MPRs which trigger a group validation workflow (Requestor Validation).
    These 2 MPRs are responsible:
    - Group management workflow: Validate requestor on add member to open group
    - Group management workflow: Validate requestor on remove member
    The MPR triggers this workflow for "All Non-Administrators".
    So you should edit the "All Non-Administrators" set and add the following to it:
    ResourceID not in (your set in a).
    So the Requestor Validation workflow will no longer be triggered for your users in set (a).
    Regards
    Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com

  • Security groups naming convention in FIM 2010 R2

    Hi,
    I am using five security groups for installing FIM Synchronization Service Manager; it automatically picks these groups when FIM Synchronization Service Manager is installed:
    FIMSyncAdmins,
    FIMSyncJoiners,
    FIMSynchOperators,
    FIMSyncBrowse,
    FIMSyncPasswordSet
    Everything is working fine, but now, for naming convention reasons, the client wants to change these security groups' names.
    So I want to know whether the five security groups' names should be the same as the names above, or whether we can change these security groups' names to follow a naming convention.
    For this, what steps should be followed in a running environment?
    Regards
    Anil Kumar

    Anil,
    I believe you should not think of renaming any of these mentioned groups. If you make any change to any of these groups, there is a possibility that you end up having to do the installation of FIM again.
    For details of these groups please refer to the link:
    http://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
    Regards,
    Manuj Khurana

  • Rename of FIM Security Groups

    Hi,
    While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created exactly as mentioned in the FIM documents?
    FIMSyncAdmins
    FIMSyncOperators
    FIMSyncJoiners
    FIMSyncBrowse
    FIMSyncPasswordSet
    Can we add a prefix or suffix to the above group names to follow our naming convention,
    like FIMGroup-FIMSyncAdmins-abc? Will it have any impact if we rename the 5 security groups before installation of FIM?
    Can we rename the security groups after installation and run the FIM setup again to pick up the new security groups?
    Thanks
    Harry

    Hello Harry,
    Of course you can rename these groups before installing FIM, with no impact.
    And yes, you can rename them after installation: you MUST run the install again. Ensure that you back up the FIM encryption key before doing any actions!
    Regards,
    Sylvain

  • New security group then added into either built-in Administrators or Domain Admins group

    I have a Windows 2012 R2 DC, so I need to create an administrator group. Please let me know: if we create a new security group and then add it into either the built-in Administrators or the Domain Admins group, will it work? I have tried, but it is not working. Are there any other alternative methods to get admin access?

    Controlling local group membership can be done by GPOs:
    Using Group Policy Restricted Groups: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Using a startup script that adds a domain group as a member of a local group: http://technet.microsoft.com/en-us/library/bb490706.aspx
    If you have manually added a domain security group to the local Administrators group of a computer and you still see that the members are not admins then you can do the following:
    Log off and log on again and see if that helps.
    If you are using a universal group then you may be having a problem with the membership. More details here: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html. You can try converting the group to a global one for testing.
    Adding a user to the Domain Admins group will make you, by default, a local administrator on domain-joined Windows systems. This is because domain admins are, by default, members of the local Administrators group. However, you should keep the membership of the Domain Admins group very limited and only for users who do global domain administration.
    Ahmed MALEK
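An added audit script (not from this thread) for the checks the answer above describes: whether a domain group is actually in the local Administrators group, whether the current logon token already carries it (a re-logon is needed before it shows up), whether the group is Universal (which the answer flags as a possible membership problem), and how large Domain Admins is. It assumes Windows Server 2016 / Windows 10 or later for Get-LocalGroupMember, the RSAT ActiveDirectory module, and the group name 'CONTOSO\ServerAdmins' is a placeholder.

```powershell
# Added audit example, not from the thread. Assumptions: Microsoft.PowerShell.LocalAccounts
# (Server 2016 / Windows 10+), RSAT ActiveDirectory module, placeholder group 'CONTOSO\ServerAdmins'.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LocalAdminDelegation {
    param(
        [Parameter(Mandatory)] [string] $DomainGroup,                 # 'DOMAIN\GroupName' (placeholder value below)
        [string[]] $AllowedLocalAdmins = @('BUILTIN\Administrator')   # other principals expected in local Administrators
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the domain group a direct member of the local Administrators group?
    $localAdmins = Get-LocalGroupMember -Group 'Administrators'
    $groupPresent = [bool]($localAdmins | Where-Object { $_.Name -eq $DomainGroup })
    if (-not $groupPresent) { $findings.Add("$DomainGroup is not a member of local Administrators") }

    # 2. Any local admin that is neither the delegated group nor on the allow list is worth a look.
    $expected = @($DomainGroup) + $AllowedLocalAdmins + @("$env:USERDOMAIN\Domain Admins")
    foreach ($m in $localAdmins) {
        if ($expected -notcontains $m.Name) { $findings.Add("Unexpected local admin: $($m.Name) ($($m.PrincipalSource))") }
    }

    # 3. Does the *current* token contain the group? Membership changes only apply after a new logon,
    #    which is the "log off and log on again" step from the answer.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $inToken = [bool]($tokenGroups | Where-Object { $_.'Group Name' -eq $DomainGroup })
    if ($groupPresent -and -not $inToken) { $findings.Add("Group is in local Administrators but not in the current token; log off and on again") }

    # 4. Group scope: the answer suggests converting a Universal group to Global for testing.
    $samName = ($DomainGroup -split '\\')[-1]
    $adGroup = Get-ADGroup -Identity $samName -ErrorAction SilentlyContinue
    if ($adGroup -and $adGroup.GroupScope -eq 'Universal') { $findings.Add("$DomainGroup is a Universal group; try Global scope for testing") }

    # 5. Domain Admins should stay small; report the recursive member count so it can be reviewed.
    $daCount = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Group             = $DomainGroup
        InLocalAdmins     = $groupPresent
        InCurrentToken    = $inToken
        GroupScope        = if ($adGroup) { [string]$adGroup.GroupScope } else { 'not found' }
        DomainAdminsCount = $daCount
        Findings          = $findings.ToArray()
    }
}

# Placeholder group name; replace with the real delegated group.
Test-LocalAdminDelegation -DomainGroup 'CONTOSO\ServerAdmins' | Format-List
```

Run it on the member server where admin access is failing; an empty Findings list with InLocalAdmins and InCurrentToken both true means the delegation is in place and the token already reflects it.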

  • Members of group do not appear to group owner in FIM portal

    In my distribution groups I have added some members via owner approval, and that member appears as added when I view that group from the FIM admin portal, but when I look at the same DG from the owner's FIM portal the user does not appear! Strange!
    Any suggestion please on why this is happening?

    Some MPRs are not enabled or they have non-default configuration.
    Check if you have the following MPRs enabled:
    Distribution list management: Users can read selected attributes of group resources
    Distribution list management: Owners can read attributes of group resources

  • FIM Portal - FIM service could not be contacted. Please contact your administrator.

    Hello,
    I have an issue with FIM where I can access the FIM portal in its entirety on the FIM server itself using my domain admin credentials, but if I try to connect from another server I can get the FIM homepage, but clicking through various menus I receive a "service could not be contacted" error.
    I've set up FIM as shown below:
    http://technet.microsoft.com/en-us/library/ff512685(v=ws.10).aspx
    vm-fim08-01 --- fim service + portal (uses SharePoint foundation 2010)
    DNS Alias "fimportal" for vm-fim08-01
    SharePoint - 80 application account: service.spportal
    FIM service account - service.fim
    vm-fim-sync -- fim sync service + sql 2008 R2
    vm-fim-sql08 -- contains SQL 2008 R2 DB for fim service
    SPNs configured as shown below (setspn -l):
    service.fim
    FIMService/fimportal
    FIMService/fimportal.domaina.local
    mssqlsvc/vm-fim-sql-01:1433
    service.spportal
    HTTP/fimportal.domaina.local
    HTTP/fimportal
    Delegation is set up as shown in the pics on the two service accounts only.
    http://fimportal/IdentityManagement/default.aspx from the FIM portal server (vm-fim08-01) works OK without a login prompt for full portal access (I don't receive the "service could not be contacted" message). Using the FQDN fimportal.domaina.local from the same server, this time it asks for a login prompt; I enter my current Windows credentials, get the home page, but I soon receive "The FIM service could not be contacted".
    Using a different server with the FQDN I'm prompted for a login (using the alias logs me in immediately). Either way, whenever I use a different server other than the FIM portal server I soon receive "The FIM service could not be contacted".
    On the FIM portal server's application event logs I see:
    The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly. The cause may be
    due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service."
    I'm pretty sure this is down to an authentication failure, but changing delegation settings has not helped (I've tried setting my service accounts and computer accounts to delegate for any service, but it didn't help). I've checked my SPNs, which look right to me. Any advice is much appreciated.
    Thanks in advance

    You did set up an alias for the DNS name. Kerberos delegation needs A records. If you use an alias you get the type of errors you describe.
    Locally this works as the Kerberos ticket is available on the local server. If you access the portal from another computer the FIM service has to request a ticket with delegation; that service needs A records as it uses the hostname in the request.
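An added diagnostic (not from this thread) that checks the two prerequisites the answer names: the portal name must resolve through an A record rather than a CNAME alias, and the FIMService and HTTP SPNs must be registered once each, on the right service accounts. It uses the host names and accounts quoted in the question (fimportal, domaina.local, service.fim, service.spportal) as defaults; they are placeholders for your own environment. It assumes the DnsClient and ActiveDirectory modules are available.

```powershell
# Added diagnostic, not from the thread. Assumptions: DnsClient (Resolve-DnsName) and RSAT
# ActiveDirectory modules; the default names below come from the question and are placeholders.
Import-Module DnsClient, ActiveDirectory -ErrorAction Stop

function Test-FimPortalKerberos {
    param(
        [string] $PortalName        = 'fimportal',
        [string] $DomainSuffix      = 'domaina.local',
        [string] $FimServiceAccount = 'service.fim',       # owns FIMService/* SPNs
        [string] $SharePointAccount = 'service.spportal'   # owns HTTP/* SPNs for the portal web app
    )
    $fqdn = "$PortalName.$DomainSuffix"
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. DNS: the answer says delegation needs A records, so flag any CNAME for the portal name.
    foreach ($name in @($PortalName, $fqdn)) {
        $records = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
        $cname = $records | Where-Object { $_.Type -eq 'CNAME' }
        if ($cname) {
            $findings.Add("$name is a CNAME to $($cname.NameHost); replace it with an A record")
        } elseif (-not ($records | Where-Object { $_.Type -eq 'A' })) {
            $findings.Add("$name does not resolve to an A record")
        }
    }

    # 2. SPNs: each expected SPN must exist exactly once, on the expected account.
    #    A missing or duplicated SPN both break Kerberos and fall back to the login prompt / NTLM.
    $expected = [ordered]@{
        "FIMService/$PortalName" = $FimServiceAccount
        "FIMService/$fqdn"       = $FimServiceAccount
        "HTTP/$PortalName"       = $SharePointAccount
        "HTTP/$fqdn"             = $SharePointAccount
    }
    foreach ($spn in $expected.Keys) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                    Select-Object -ExpandProperty sAMAccountName)
        if ($owners.Count -eq 0) {
            $findings.Add("$spn is not registered on any account")
        } elseif ($owners.Count -gt 1) {
            $findings.Add("$spn is duplicated on: $($owners -join ', ')")
        } elseif ($owners[0] -ne $expected[$spn]) {
            $findings.Add("$spn is registered on $($owners[0]), expected $($expected[$spn])")
        }
    }

    [pscustomobject]@{
        Portal   = $fqdn
        Ok       = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-FimPortalKerberos | Format-List
```

Run it from a domain-joined machine other than the portal server, since that is where the failure reproduces. If DNS comes back clean and the SPNs are correct, the remaining suspects are the delegation settings on the two service accounts and the client's ticket cache (klist purge, then retry).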

  • Error when loading FIM portal in new installation: The requestor's identity was not found.

    I have just installed the FIM portal into my test environment.  The synchronisation service was already working perfectly (it can provision users from a .csv file).
    The FIM Service and Portal are installed on one server (we'll call it SPF1), and the FIM sync service on another server (SYNC1).
    Whenever I try to log on to the FIM portal with my standard user account (it has never worked), I get the following error:
    Unable to process your request.
    Please contact your help desk or system administrator.
    Error processing your request: The server was unwilling to perform the requested operation.
    Reason: The requester of this operation is invalid.
    Correlation Id: 7da76fce-5c9a-4596-90f7-8d7243c21de8
    Details: The requestor's identity was not found.
    >Go to Forefront Identity Manager home page
    (The web page header does show the FIM logo, so the portal itself is there).
    In the ForeFront logs on SPF1, I get the following:
    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          1/13/2015 5:48:08 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SPF1.testdomain.internal
    Description:
    GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft.ResourceManagement" />
        <EventID Qualifiers="0">3</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
        <EventRecordID>523</EventRecordID>
        <Channel>Forefront Identity Manager</Channel>
        <Computer>SPF1.testdomain.internal</Computer>
        <Security />
      </System>
      <EventData>
        <Data>GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)</Data>
      </EventData>
    </Event>
    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          1/13/2015 5:48:08 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SPF1.testdomain.internal
    Description:
    Requestor: Internal Service
    Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft.ResourceManagement" />
        <EventID Qualifiers="0">3</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
        <EventRecordID>522</EventRecordID>
        <Channel>Forefront Identity Manager</Channel>
        <Computer>SPF1.testdomain.internal</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Requestor: Internal Service
    Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
      </EventData>
    </Event>
    Further, I note that it has trouble connecting to the Exchange web service connector.  I wonder if this is because I used an alias (for easy migration in the future) whose name does not match the certificate?  I'm connecting to "mail.testdomain.internal", although that's actually an NLB group between two CAS/HUB servers.
    Log Name:      Application
    Source:        Microsoft.ResourceManagement.ServiceHealthSource
    Date:          1/13/2015 7:43:49 PM
    Event ID:      12
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:     SPF1.testdomain.internal
    Description:
    The Forefront Identity Manager Service cannot connect to the Exchange Web Service.
    The connection failure may be due to a network failure, firewall configuration error, or other connection issue.  Additionally, the failure may be due to incorrect Exchange Web Service configuration.
    Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer.  Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly.  Last, ensure that the
    Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft.ResourceManagement.ServiceHealthSource" />
        <EventID Qualifiers="0">12</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-01-14T03:43:49.000000000Z" />
        <EventRecordID>7581</EventRecordID>
        <Channel>Application</Channel>
        <Computer>SPF1.testdomain.internal</Computer>
        <Security />
      </System>
      <EventData>
        <Data>The Forefront Identity Manager Service cannot connect to the Exchange Web Service.
    The connection failure may be due to a network failure, firewall configuration error, or other connection issue.  Additionally, the failure may be due to incorrect Exchange Web Service configuration.
    Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer.  Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly.  Last, ensure that the
    Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.</Data>
      </EventData>
    </Event>
    I'm not really sure where to start investigating at this point.  The only other thing to note is that after installing the portal, I didn't see a new management agent in the synchronization service (I thought one was supposed to appear, though I could be mistaken).

    I eventually figured this out - it was that the portal management agent hadn't been created yet, I had to create it.
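An added diagnostic (not from this thread) for the symptom in the events above: it lists the management agents the Synchronization Service knows about, so a missing FIM Service MA is visible at once, and it pulls the recent "GetCurrentUserFromSecurityIdentifier: No such user" events (Event ID 3, provider Microsoft.ResourceManagement, log "Forefront Identity Manager", as quoted in the post) so you can see which accounts are hitting the portal without a matching FIM Service user. It assumes the WMI namespace root\MicrosoftIdentityIntegrationServer and class MIIS_ManagementAgent, which the sync service exposes, and that the caller has WMI and event log rights on SYNC1 and SPF1 (server names from the post, used as placeholders). The pattern used to recognise the FIM Service MA by its type string is an assumption.

```powershell
# Added diagnostic, not from the thread. Assumptions: MIIS_ManagementAgent WMI class on the sync
# server; remote WMI/event-log rights; SYNC1 and SPF1 are placeholder names taken from the post.

function Get-FimManagementAgents {
    param([string] $SyncServer = 'SYNC1')
    # Every MA configured in the Synchronization Service, with its type string.
    Get-WmiObject -ComputerName $SyncServer -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                  -Class MIIS_ManagementAgent | Select-Object Name, Type, Guid
}

function Get-RequestorNotFoundEvents {
    param([string] $ServiceServer = 'SPF1', [int] $Hours = 24)
    $filter = @{
        LogName      = 'Forefront Identity Manager'
        ProviderName = 'Microsoft.ResourceManagement'
        Id           = 3
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Message format from the post: "GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\user, S-1-5-21-..."
    $pattern = 'GetCurrentUserFromSecurityIdentifier: No such user ([^,]+), (S-1-5-[\d-]+)'
    Get-WinEvent -ComputerName $ServiceServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $pattern)
            if ($m.Success) {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = $m.Groups[1].Value; Sid = $m.Groups[2].Value }
            }
        }
}

function Test-FimPortalIdentity {
    param([string] $SyncServer = 'SYNC1', [string] $ServiceServer = 'SPF1')
    $agents = @(Get-FimManagementAgents -SyncServer $SyncServer)
    # Assumption: the FIM Service MA type string contains "Identity Manager"; adjust if yours differs.
    $fimMa  = $agents | Where-Object { $_.Type -like '*Identity Manager*' }
    $events = @(Get-RequestorNotFoundEvents -ServiceServer $ServiceServer)

    [pscustomobject]@{
        ManagementAgents     = ($agents | ForEach-Object { "$($_.Name) [$($_.Type)]" })
        FimServiceMaPresent  = [bool]$fimMa
        UnknownRequestors    = ($events | Select-Object -ExpandProperty Account -Unique)
        UnknownRequestorHits = $events.Count
    }
}

Test-FimPortalIdentity | Format-List
```

If FimServiceMaPresent is false, the accounts listed under UnknownRequestors have no FIM Service object carrying their SID, which is exactly the state the post ended in until the portal MA was created and the users synced in.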

  • Grant access to help desk users to add members to distribution and security groups

    Hello,
    I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users.  We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to AD DS.
    This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins.  We have added the help desk team to the Security Group Users and Group Users sets as well as the MPR "Security group management: Users can read selected attributes of group resources".
    The help desk users can update users in the Portal with no issue.  They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied".
    Any help is greatly appreciated.
    Thanks!

    I'm having a very similar problem - I have users with the delegated right to modify group membership only. A user can add someone to a group and it works fine, but when the same user is trying to remove a user from a group (even if this is the same user which was added a minute ago) he gets Access Denied:
    "The request included members which the requestor is not authorized to add and/or remove from this group."
    It is caused by the default MPR:
    Group management workflow: Validate requestor on remove member
    Question is how this activity validates this request - any insight?

  • Can users in AD DS be in a group for FIM password registration?

    Hi guys,
    Just a quick question. I've set up FIM to create users in AD and they can all log on and have the password registration portal appear as normal. Great! The question is, I have several hundred users in my AD and instead of importing them all into FIM (because I don't need to manage them all in there), can I simply add them to a group and then have any member of that group have to register their security questions? Or will it simply ask them every time they log on? If it can be done, does anyone know how?
    Thanks guys!

    To give them the ability to reset their own password, each user has to have responses to the questions stored somewhere. So you have to import them into FIM (at least their AccountName, ObjectSID and Domain) to store their password reset answers in one of the FIM attributes.
    Once they have been created in the FIM Portal and you have the "FIM Rich Client" on the workstations in the environment, users will be asked to register for password reset.
