AD security group as FIM Portal administrator
Hi Gurus
I have a question. I want to add an AD security group in FIM so that the users of the group become FIM portal administrators. I believe to do that I need to sync the group using a management agent, and then add that group to the SharePoint administrator group.
Is this correct? If it's not then where can I find a procedure to make the members of the security group which is in an OU to be the administrators of the FIM portal? I don't want to sync the whole OU but only one group within the OU as there are other groups
within the OU which I do not want to have admin rights to the portal.
Is there a way I can achieve what I am trying to do? I haven't found any documentation to do it. As I am very new to this I apologize if the question sounds silly.
Any help will be greatly appreciated. Thanks in advance.
Regards,
Hi Paul, Dave and Steve
Thank you all for all your valuable inputs. I have successfully resolved the issue. This is what I did.
I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the ADMA following the synchronization order specified by Microsoft, the number of objects was doubling. There were about 180 objects to begin
with and it doubled. I checked a number of solutions online which asked me to delete the object from the connector. However considering the number of objects that would have been a lot of work. So I decided to delete the users from the FIM portal and manually
run the sync again. I got this script from Carol Wapshere:
http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2
The good thing about the script is that a few users can be added to the Administrator set in the portal and the script will not delete it. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in
order, added the users to the Admin set and it all worked fine. I know it is a bit of a sledgehammer approach but I believed that might be the best under current circumstances.
Thank you all again for taking your time out and answering my question. You have been great help!!
Regards,
Similar Messages
-
We have a requirement where we have to send a consolidated email to the new group owner which lists all the groups that are tagged to him/her.
This requirement is needed so that the new group owner can be notified of the groups that he/she owns. Group owner information can be updated in AD which would then sync with FIM, Bulk updates for groups in FIM.
So first we would have to basically track the group owner change in FIM, retrieve the owner information, then list all the groups listed under him, consolidate an email and trigger the notification.
Can someone help me and let me know how this can be achieved?
Thanks in advance!!
Hello,
you cannot do this with only OOB functions. You will need a custom activity to enumerate all groups a specific person owns.
The first part is easy: create an MPR which triggers a workflow activity on owner attribute changes.
The custom activity should then search for all groups the new owner owns in addition.
Pass that information through the WorkflowDictionary to a notification activity.
If you are not familiar with developing workflow activities you could use the PowerShell Activity, for example.
/Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com -
BHOLD attestation setup if FIM Portal is already used for Group Membership
Background - We had a FIM 2010 deployment in production. A few months ago, we upgraded it to FIM R2. There are already about 4000 criteria-based groups and request-based groups in the FIM portal. The FIM portal is used as the authoritative source for group membership.
Problem Statement - The requirement is to attest the existing and ongoing request-based group membership of users using the BHOLD User Attestation module. We want to continue using the FIM portal (not the BHOLD UI) as the end-user interface for requesting group membership.
Hence, for the metaverse group object's member attribute, the FIM Portal should have higher precedence than the BHOLD MA.
From the available documentation of BHOLD, I understand that BHOLD is more suitable in cases where the FIM Portal is not already the group-membership-deciding system. However, in our already existing deployment, group membership is given by the FIM portal. In fact this should be the case with all the FIM deployments before BHOLD's release.
Please suggest on how to attest the group memberships.
Mayank Vaish
I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove
users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem
like overkill.
However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and
also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required,
in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.
Cheers,
Dave -
FIM 2010 R2: Creating Security Groups in portal : OU
Hi,
We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?
Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?
Or perhaps someone has tried some other ideas for this scenario ?
Thanks
Hi,
Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that, for example.
Add a reference attribute to resource type "group" that will hold the reference to an OU resource type, and a string attribute for the OU container.
After the above steps from @Sylvain, create MPRs which trigger a workflow on modification of that reference attribute (creation of a group will also modify this attribute, so only this MPR is needed).
The workflow should then set the string OU attribute of the group (//target/ouStringAttr) with the DN string of the selected OU resource type, like that: //target/ouRefAttr/DisplayName
You can then use this ouStringAttr in your outbound sync rule.
Besides the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating the ERE), but I find the above solution a bit easier to implement.
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com -
If an organisation wants a user (let's say Paul Walker) to act as a sub-administrator, who can see the Security Groups or My SGs or My SGs Membership in his Navigation Resource Bar in the FIM Portal, and the Search Scope as well, to view that data.
Found a Solution.
Hello,
NavigationBar, HomepageResources and SearchScopes are also displayed via Permission MPRs.
You have to deal with UsageKeywords also. You can get an overview of how this works if you take a look on how this is done with the BasicUI Keyword to display the default elements.
As an example you can do the following:
1. Add the Usage SubAdminUI to the Navigation, Homepage and Searchscope elements you need.
2. Create a set for each of the 3 having a dynamic filter UsageKeyword = "SubAdminUI"
3. Create a set to combine the 3 sets to one using filter ResourceID in "Name of the Sets"
4. Create a Set "SubAdminUI Users" and add the Admin Users to them. (dynamic or static)
5. Create a permission MPR and grant SubAdminUI Users read to the objects in the set created in step 3
6. Perform an iisreset to clear the cache
You should now see the portal elements as the SubAdmin. Next you need to make sure that the SubAdmin can read and edit group resources. Create permission MPRs for this as well. How to do this depends on whether you use the owner attribute of the groups or not.
Regards
Peter
Peter Stapf - Doeres AG - My blog:
JustIDM.wordpress.com -
Hi There,
I have a requirement as the Office 365 Administrator with the following:
Anyone, know if there is a command in Power Shell (Script) for Office 365 to add an additional Global Administrator as an Owner to a particular
Security Group or all Security Groups or to a Security Group that contains a certain word or phrase.
1. Add a Global Administrator to ALL Security Groups:
2. Add a Global Administrator to a Specific Security Group:
3. Add a Global Administrator to ALL Security Groups that contain a specific Word / Phrase:
Any suggestions would be helpful. This has become a necessity for my organisation.
Thank You in advance.
Shenil
#Add a Global Administrator to ALL Security Groups:
# The role object ID below is the Company Administrator (Global Administrator) role; confirm it with Get-MsolRole
$GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
#$GlobalAdminID
# Mail-enabled security groups report RecipientTypeDetails = MailUniversalSecurityGroup. GroupType is a flag string
# such as "Universal, SecurityEnabled", so comparing it with -eq "Security" matches nothing.
# -ResultSize Unlimited avoids the default 1000-object cap; Identity is unique where DisplayName is not.
foreach($id in $GlobalAdminID.EmailAddress) {
    Get-DistributionGroup -ResultSize Unlimited | ? {$_.RecipientTypeDetails -eq "MailUniversalSecurityGroup"} | %{Add-DistributionGroupMember -Identity $_.Identity -Member $id }
}
#Add a Global Administrator to a Specific Security Group:
$GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
# Only EmailAddress was selected above, so iterating over .ObjectId would yield nothing
foreach($id in $GlobalAdminID.EmailAddress) {
    Get-DistributionGroup -ResultSize Unlimited | ? {$_.RecipientTypeDetails -eq "MailUniversalSecurityGroup" -and $_.DisplayName -eq 'Name1'} | %{Add-DistributionGroupMember -Identity $_.Identity -Member $id }
}
#Add a Global Administrator to ALL Security Groups that contain a specific Word / Phrase:
$GlobalAdminID = Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" | Select EmailAddress
foreach($id in $GlobalAdminID.EmailAddress) {
    Get-DistributionGroup -ResultSize Unlimited | ? {$_.RecipientTypeDetails -eq "MailUniversalSecurityGroup" -and $_.DisplayName -like '*Some Phrase*'} | %{Add-DistributionGroupMember -Identity $_.Identity -Member $id }
}
Note: I didn't test this - Please test or use -WhatIf
Change RoleObjectID as applicable
Get-MsolRole will give the Company Administrator GUID; that's the Global Admin ID
Regards Chen V [MCTS SharePoint 2010] -
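Chen V's script for the Office 365 question above adds the administrators as group members, while the question asked for them as owners. The following is an added example, not code from the thread: it adds every Global Administrator to the ManagedBy (owner) list of the selected mail-enabled security groups, supports -WhatIf so the change can be previewed, and takes the three selection modes from the question as a single optional name pattern. It assumes a remote PowerShell session to Exchange Online (Get-DistributionGroup, Set-DistributionGroup) and the MSOnline module (Get-MsolRoleMember); the role GUID is the one from the post and should be confirmed with Get-MsolRole; the '*Finance*' pattern is a placeholder.

```powershell
# Added example (not from the thread). Requires an Exchange Online remote session and the
# MSOnline module. The role GUID is assumed to be Company Administrator (Global Administrator);
# confirm with: Get-MsolRole | Where-Object Name -eq 'Company Administrator'
function Add-GlobalAdminsAsGroupOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional -like pattern on DisplayName, e.g. '*Finance*'. Omit to target every
        # mail-enabled security group; use an exact name for a single group.
        [string]$NamePattern,
        [string]$RoleObjectId = '62e90394-69f5-4237-9190-012177145e10',
        # Only security-enabled groups are principals; plain distribution lists are skipped.
        [string]$RecipientTypeDetails = 'MailUniversalSecurityGroup'
    )
    # User members only: the role can also contain service principals, which cannot own groups.
    $admins = Get-MsolRoleMember -RoleObjectId $RoleObjectId |
              Where-Object { $_.RoleMemberType -eq 'User' } |
              Select-Object -ExpandProperty EmailAddress
    if (-not $admins) { throw "No user members found for role $RoleObjectId" }

    # -ResultSize Unlimited avoids the default 1000-object cap on large tenants.
    $groups = Get-DistributionGroup -ResultSize Unlimited |
              Where-Object { $_.RecipientTypeDetails -eq $RecipientTypeDetails }
    if ($NamePattern) { $groups = $groups | Where-Object { $_.DisplayName -like $NamePattern } }

    foreach ($g in $groups) {
        foreach ($upn in $admins) {
            if ($PSCmdlet.ShouldProcess($g.PrimarySmtpAddress, "add owner $upn")) {
                # @{Add=...} appends to ManagedBy; passing a plain value would replace the
                # existing owners. BypassSecurityGroupManagerCheck lets an admin who is not
                # already an owner make the change.
                Set-DistributionGroup -Identity $g.Identity -ManagedBy @{Add=$upn} `
                                      -BypassSecurityGroupManagerCheck
            }
        }
    }
}

# Preview first (no changes are made), then run without -WhatIf:
Add-GlobalAdminsAsGroupOwner -NamePattern '*Finance*' -WhatIf
```

Run the preview against a narrow pattern before widening it to all groups: every owner added here can change membership of that group without any further approval, so the owner list is a privilege boundary, not a contact field.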
FIM 2010 R2: Security group management by non-administrators
Hi All,
We have a small set of users (belonging to a particular department) who should be able to login to the portal and manage a select set of groups - the users should be able to add and remove members from these said groups. In most of the cases, the groups
already exist in Active Directory and we bring them into FIM Portal.
I have done the following so far:
a) Created a set of users based on their departments - works fine
b) Created a set of groups that the users in (a) should be managing - works fine
c) Created 3 MPRs (resembling the MPRs that already exist for Group Management by administrators). 1 of these MPRs allows the set of users to read the attributes of the groups in the set in (b). The second allows the set of users to create and delete groups
in the set. The third allows the set of users to "add a value to a multi-valued attribute", "remove a value from a multi-valued attribute", and "modify a single-valued attribute". In the list of attributes, I have included most
of the attributes including "Manually-managed membership". All these 3 MPRs have the grant permission box checked.
I (as a member of the set of users in (a)), can login to the portal, view the groups in set (b), modify the description, add an owner, remove an owner etc. When I try to add or remove a member from a group where I am one of the owners, everything is fine.
BUT, when I try to add or remove a member from a group where I am not listed as an owner, it gives me an "Access denied" error with these details: "The request included members which the requestor is not authorized to add and/or remove from
this group"
I am a member of the set in (a) and can remove/add members from the groups that I am the owner of. My questions are:
A) What else do I need to do to add/remove members from a group that I am not the owner of but this group still belongs to the set (b).
B) Why does the Portal force me to add an owner to every group that of set (b) that I click to view/edit. Isn't there a way around that i.e. not having to put any owner and still be able to add/remove members. For all the groups in set (b), the Join Instruction
is set to "None" (i.e. any user can become a member of the group).
I hope someone can shed some light on this. I have seen similar questions on the forum from a few years ago but they hadn't been answered (completely).
Thanks
Hello,
this is because there are two MPRs which trigger a Group Validation Workflow (Requestor Validation).
These 2 MPRs are responsible:
- Group management workflow: Validate requestor on add member to open group
- Group management workflow: Validate requestor on remove member
The MPR triggers this workflow for "All Non-Administrators".
So you should edit the "All Non-Administrators" Set and add the following to it:
ResourceID not in (your set in a).
So the Requestor Validation workflow will no longer be triggered for your users in Set (A).
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com -
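Two of the threads on this page come down to the same operation: changing an attribute of a built-in FIM set through the FIM Service. The first thread ends with "added the users to the Admin set", and Peter's answer above has you add an exclusion to the "All Non-Administrators" set's filter. The script below is an added example, not code from either thread or from Microsoft: it wraps Export-FIMConfig / Import-FIMConfig from the FIMAutomation snap-in in a small helper and then performs both changes, backing up the original filter first. Assumed for the example: it runs on the FIM Service host as a member of the FIM Administrators set, the set "Dept Group Managers" is the department-based set from question (a) in this thread, and the account names are placeholders.

```powershell
# Added example (not from either thread). Uses the FIMAutomation snap-in installed with the
# FIM Service: Export-FIMConfig / Import-FIMConfig plus the ImportObject / ImportChange classes.
# 'Administrators' and 'All Non-Administrators' are the out-of-box set names; 'Dept Group
# Managers' and the account names are assumed placeholders.
Add-PSSnapin FIMAutomation -ErrorAction Stop
$Uri = 'http://localhost:5725/ResourceManagementService'

function Get-FimResource {
    # Export exactly one resource by XPath (with all its attributes) or fail loudly.
    param([Parameter(Mandatory)][string]$XPath)
    $r = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)
    if ($r.Count -ne 1) { throw "Expected one resource for '$XPath', got $($r.Count)" }
    $r[0].ResourceManagementObject
}

function Get-FimAttributeValue {
    param([Parameter(Mandatory)]$Resource, [Parameter(Mandatory)][string]$Name)
    ($Resource.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $Name }).Value
}

function Set-FimAttribute {
    # One attribute change submitted as a Put request: Replace for single-valued attributes,
    # Add/Delete for multi-valued ones. It is authorized by the same MPRs as a portal edit.
    param(
        [Parameter(Mandatory)]$Resource,
        [Parameter(Mandatory)][string]$AttributeName,
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('Replace','Add','Delete')][string]$Operation = 'Replace'
    )
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType             = $Resource.ObjectType
    $io.TargetObjectIdentifier = $Resource.ObjectIdentifier
    $io.SourceObjectIdentifier = $Resource.ObjectIdentifier
    $io.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $ch = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $ch.Operation      = [Enum]::Parse([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $ch.AttributeName  = $AttributeName
    $ch.AttributeValue = $Value
    $ch.FullyResolved  = $true
    $ch.Locale         = 'Invariant'
    $io.Changes = @($ch)
    $io | Import-FIMConfig -Uri $Uri
}

# (1) First thread: make named people FIM portal administrators by adding them to the
#     out-of-box 'Administrators' set. ExplicitMember is the set's manually managed membership.
$adminSet = Get-FimResource "/Set[DisplayName='Administrators']"
foreach ($acct in @('jdoe', 'asmith')) {   # assumed AccountNames
    $person = Get-FimResource "/Person[AccountName='$acct']"
    Set-FimAttribute -Resource $adminSet -AttributeName 'ExplicitMember' -Value $person.ObjectIdentifier -Operation Add
}

# (2) This thread: stop the 'Validate requestor' MPRs from firing for the delegated managers by
#     excluding their set from 'All Non-Administrators'. Keep a copy of the current filter; the
#     exclusion also switches off the owner check for every group those users touch, so keep
#     the manager set small and criteria-based on the department attribute.
$nonAdmins = Get-FimResource "/Set[DisplayName='All Non-Administrators']"
$mgrSet    = Get-FimResource "/Set[DisplayName='Dept Group Managers']"
$oldFilter = Get-FimAttributeValue -Resource $nonAdmins -Name 'Filter'
$oldFilter | Out-File "$env:TEMP\AllNonAdministrators.Filter.bak.xml"

[xml]$fx = $oldFilter                       # <Filter Dialect="...XPathFilterDialect" ...>/Person[...]</Filter>
$xpath = $fx.DocumentElement.InnerText.Trim()
if (-not ($xpath -match '^(/Person\[)(.*)(\])$')) { throw "Unexpected filter shape: $xpath" }
$mgrGuid  = $mgrSet.ObjectIdentifier -replace '^urn:uuid:', ''   # set filters use the bare GUID
$newXpath = "$($Matches[1])($($Matches[2])) and not(ObjectID = /Set[ObjectID = '$mgrGuid']/ComputedMember)$($Matches[3])"
$fx.DocumentElement.InnerText = $newXpath
Set-FimAttribute -Resource $nonAdmins -AttributeName 'Filter' -Value $fx.OuterXml -Operation Replace

# Verify by re-exporting the set and checking that the new predicate is present.
(Get-FimAttributeValue -Resource (Get-FimResource "/Set[DisplayName='All Non-Administrators']") -Name 'Filter') -match [regex]::Escape($mgrGuid)
```

The change to the filter is a Replace of the whole Filter XML, so the script edits only the inner XPath and leaves the Dialect and namespace attributes as exported. If a later portal edit of the set reverts the exclusion, the backup file in $env:TEMP holds the value to compare against.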
Security groups naming convention in FIM 2010 R2
Hi,
I am using five security groups for installing the FIM Synchronization Service Manager; it automatically picks these groups when the FIM Synchronization Service Manager is installed:
FIMSyncAdmins,
FIMSyncJoiners,
FIMSynchOperators,
FIMSyncBrowse,
FIMSyncPasswordSet
Everything is working fine, but now for naming convention reasons the client wants to change these security groups' names.
So I want to know whether the five security groups' names should be the same as above, or whether we can change these security groups' names to follow the naming convention.
For this, what steps should be followed in a running environment?
Regards
Anil Kumar
Anil,
I believe you should not think of renaming any of these mentioned groups. If you make any change to any of these groups, there is a possibility that you end up with doing installation of FIM again.
For details of these groups please refer to the link :
http://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
Regards,
Manuj Khurana -
Hi,
While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created exactly as mentioned in the FIM documents?
FIMSyncAdmins
FIMSyncOperators
FIMSyncJoiners
FIMSyncBrowse
FIMSyncPasswordSet
Can we add prefix or suffix any word in the above groups to follow the naming convention.
Like FIMGroup-FIMSyncAdmins-abc. Will it impact if rename the 5 security groups name before installation of FIM?
Can we rename the security groups after installation and again run the FIM setup to replicate the new security groups?
Thanks
Harry
Hello Harry,
Of course you can rename these groups before installing FIM, with no impact.
And yes you can rename them after installation: you MUST run the install again. Ensure that you back up the FIM encryption key before doing any actions!
Regards,
Sylvain -
New security group then added into either built in administrator or domain admin group
I have a Windows 2012 R2 DC, so I need to create an administrator group. Please let me know: if we create a new security group and add it into either the built-in Administrators or Domain Admins group, will it work? I have tried but it is not working. Are there any other alternative methods to get admin access?
Controlling local group membership could be done by GPOs:
Using Group Policy Restricted Groups: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Using a startup script that adds a domain group as member of a local group: http://technet.microsoft.com/en-us/library/bb490706.aspx
If you have manually added a domain security group to local Administrators group of a computer and you still see that the members are not admins then you can do the following:
Logoff and logon again and see if that helps
If you are using a universal group then you may be having a problem with the membership. More details here: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html. You can try converting the group to a global one for testing.
Adding a user to Domain Admins group will make you, by default, a local administrator on domain-joined Windows Systems. This is because, domain admins are, by default, members of local Administrators group. However, you should make the membership of Domain
Admins group very limited and only for users who do global domain administration.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
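As an added example for the Windows 2012 R2 question above (not part of Ahmed's answer), the following script does the manual variant of what he describes end to end: it creates a global security group, nests it into the local Administrators group of a member server instead of into Domain Admins, and verifies the transitive membership from AD. It assumes the ActiveDirectory module (RSAT) is available, that the script runs with local admin rights on the target server, and that the group, OU, domain and user names are placeholders. The GPO Restricted Groups route he links to is the way to apply the same nesting to many servers.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT), rights to
# create groups in the target OU, and local admin on the server where step 2 runs.
Import-Module ActiveDirectory

$Domain    = 'CORP'                               # NetBIOS domain name, assumed
$GroupName = 'SRV-LocalAdmins'                    # assumed
$OU        = 'OU=Admin Groups,DC=corp,DC=example' # assumed
$Member    = 'jdoe'                               # assumed test user

# 1. Create a GLOBAL security group. Universal groups need the global catalog to resolve their
#    membership at logon (the issue the answer links to); global groups do not.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
                -GroupCategory Security -Path $OU `
                -Description 'Delegated server administrators; nested into local Administrators'
}
Add-ADGroupMember -Identity $GroupName -Members $Member

# 2. Nest the domain group into this server's LOCAL Administrators group. This is the
#    least-privilege alternative to Domain Admins: members are admins here, not on the DCs.
#    The ADSI WinNT provider is used because 2012 R2 has no Add-LocalGroupMember cmdlet.
function Add-DomainGroupToLocalAdministrators {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Group)
    $local = [ADSI]"WinNT://./Administrators,group"
    $names = @($local.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($names -notcontains $Group) {          # idempotent: skip if already nested
        $local.Add("WinNT://$Domain/$Group,group")
    }
}
Add-DomainGroupToLocalAdministrators -Domain $Domain -Group $GroupName

# 3. Verify from AD that the user is a transitive member of the domain group.
function Test-TransitiveMember {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$SamAccountName)
    @(Get-ADGroupMember -Identity $Group -Recursive).SamAccountName -contains $SamAccountName
}
Test-TransitiveMember -Group $GroupName -SamAccountName $Member   # True once step 1 has run

# 4. The access token is built at logon. The user must log off and on again (or the server be
#    rebooted) before 'whoami /groups' on that server shows BUILTIN\Administrators and the new
#    group with the "Group used for deny only" flag absent.
```

If step 3 returns True but the user is still not an administrator after a fresh logon, the remaining suspects are the ones in the answer: the group scope (convert to global for testing) and a Restricted Groups policy on the server that rewrites local Administrators membership at each policy refresh.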
Members of group do not appear to Group Owner in FIM portal
In my distribution groups I have added some members via owner approval, and that member appears as added to me when I view that group from the FIM admin portal, but when I look at the same DG from the owner's FIM portal then the user does not appear! Strange!
Any suggestion please why this is happening?
Some MPRs are not enabled or they have non-default configuration.
Check if you have the following MPRs enabled:
Distribution list management: Users can read selected attributes of group resources
Distribution list management: Owners can read attributes of group resources
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. -
FIM Portal - FIM service could not be contacted. Please contact your administrator.
Hello,
I have an issue with FIM where I can access the fim portal in it's entirety on the fim server itself using my domain admin credentials, but if I try to connect in from another server I can get the FIM homepage, but clicking through various menus I receive
a "service could not be contacted error".
I've setup fim as shown below:
http://technet.microsoft.com/en-us/library/ff512685(v=ws.10).aspx
vm-fim08-01 --- fim service + portal (uses SharePoint foundation 2010)
DNS Alias "fimportal" for vm-fim08-01
SharePoint - 80 application account: service.spportal
FIM service account - service.fim
vm-fim-sync -- fim sync service + sql 2008 R2
vm-fim-sql08 -- contains SQL 2008 R2 DB for fim service
SPNs configured as shown below (setspn -l):
service.fim
FIMService/fimportal
FIMService/fimportal.domaina.local
mssqlsvc/vm-fim-sql-01:1433
service.spportal
HTTP/fimportal.domaina.local
HTTP/fimportal
Delegation setup as shown in the pics on the two service accounts only.
http://fimportal/IdentityManagement/default.aspx from the
fim portal server (vm-fim08-01) works OK without a login prompt for full portal access (I don't received the service could not be contacted message). Using the fqdn fimportal.domaina.local from the same server this time asks for a login prompt,
I enter my current Windows credentials, get the home page, but I soon receive "The FIM service could not be contacted".
Using a different server with the fqdn I'm prompted for a login (using the alias logs me in immediately). Either way, whenever I use a different server other than the fim portal server I soon receive "The FIM service could not be contacted".
On the fim portal server's application event logs I see
The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be
due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service."
I'm pretty sure this is down to an authentication failure, but changing delegation settings have not helped (I've tried setting my service accounts and computer accounts to delegate for any service, but it didn't help). I've checked my SPNs which
look right to me. Any advice is much appreciated.
Thanks in advance
You did set up an alias for the DNS name. Kerberos delegation needs A records. If you use an alias you get the type of errors you describe.
Locally this works as the Kerberos ticket is available on the local server. If you access the portal from another computer the FIM service has to request a ticket with delegation; that service needs A records as it uses the hostname in the request. -
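The answer above points at the DNS record type and delegation. As an added check (not from the thread), the script below gathers the evidence from a domain-joined client rather than from the portal host: whether the portal name resolves through a CNAME or directly to an A record, which SPNs each service account holds and whether any SPN is registered twice, and whether the client actually received a Kerberos service ticket for HTTP/fimportal after a request, or fell back to NTLM. The host and account names are the ones from the question; everything else is assumed.

```powershell
# Added diagnostic (not from the thread). Run on a domain-joined client, not on the portal
# server, as the user who sees "The FIM service could not be contacted". Needs Windows 8 /
# Server 2012 or later for Resolve-DnsName and Invoke-WebRequest.
$PortalName = 'fimportal.domaina.local'          # from the question
$Accounts   = @('service.fim', 'service.spportal') # from the question

function Get-DnsRecordKind {
    # 'CNAME' if the name is an alias, 'A' if it resolves directly. The answer above ties the
    # delegation failure to the alias case.
    param([Parameter(Mandatory)][string]$Name)
    $rr = Resolve-DnsName -Name $Name -ErrorAction Stop
    if ($rr | Where-Object { $_.Type -eq 'CNAME' }) { 'CNAME' } else { 'A' }
}

function Get-RegisteredSpns {
    # setspn -L prints a header line followed by one indented SPN per line.
    param([Parameter(Mandatory)][string]$Account)
    setspn -L $Account | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

# 1. Record type of the portal name.
"{0} resolves via: {1}" -f $PortalName, (Get-DnsRecordKind $PortalName)

# 2. SPNs per account. HTTP/<name> belongs on the SharePoint app-pool account and
#    FIMService/<name> on the FIM Service account, and each SPN may exist on one account only.
foreach ($a in $Accounts) { "--- SPNs on $a"; Get-RegisteredSpns $a }
"--- duplicate SPN scan (any hit here breaks Kerberos silently)"
setspn -X

# 3. Make one authenticated request, then look for a service ticket for the portal in the
#    client's ticket cache. No HTTP/<name> ticket means the browser used NTLM, and NTLM
#    credentials cannot be delegated on to the FIM Service, which is exactly the symptom.
Invoke-WebRequest -Uri "http://$PortalName/IdentityManagement/default.aspx" `
                  -UseDefaultCredentials -UseBasicParsing | Out-Null
"--- Kerberos tickets matching the portal name"
klist | Select-String -Pattern "HTTP/$PortalName"
```

Run it once with the short alias "fimportal" and once with the FQDN, since the question reports different behaviour for the two names; the ticket the cache shows (or does not show) for each name tells you which SPN the client asked for.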
I have just installed the FIM portal into my test environment. The synchronisation service was already working perfectly (can provision users from a .csv file).
The FIM Service and Portal are installed on a server (we'll call it SPF1), and the FIM sync service on another server (SYNC1)
Whenever I try to log on to the fim portal with my standard user account (it has never worked), I get the following error:
Unable to process your request.
Please contact your help desk or system administrator.
Error processing your request: The server was unwilling to perform the requested operation.
Reason: The requester of this operation is invalid.
Correlation Id: 7da76fce-5c9a-4596-90f7-8d7243c21de8
Details: The requestor's identity was not found.
>Go to Forefront Identity Manager home page
(The web page header does show the FIM logo, so the portal itself is there).
In the ForeFront logs on SPF1, I get the following:
Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 1/13/2015 5:48:08 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SPF1.testdomain.internal
Description:
GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft.ResourceManagement" />
<EventID Qualifiers="0">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
<EventRecordID>523</EventRecordID>
<Channel>Forefront Identity Manager</Channel>
<Computer>SPF1.testdomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)</Data>
</EventData>
</Event>
Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 1/13/2015 5:48:08 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SPF1.testdomain.internal
Description:
Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft.ResourceManagement" />
<EventID Qualifiers="0">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
<EventRecordID>522</EventRecordID>
<Channel>Forefront Identity Manager</Channel>
<Computer>SPF1.testdomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
</EventData>
</Event>
Further, I note that it has trouble connecting to the web exchange connector. I wonder if this is because I used an alias (for easy migration in the future) for which the certificate does not match the name for? I'm connecting to "mail.testdomain.internal",
although that's actually a NLB group between two CAS/HUB servers.
Log Name: Application
Source: Microsoft.ResourceManagement.ServiceHealthSource
Date: 1/13/2015 7:43:49 PM
Event ID: 12
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: SPF1.testdomain.internal
Description:
The Forefront Identity Manager Service cannot connect to the Exchange Web Service.
The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the failure may be due to incorrect Exchange Web Service configuration.
Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the
Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft.ResourceManagement.ServiceHealthSource" />
<EventID Qualifiers="0">12</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-14T03:43:49.000000000Z" />
<EventRecordID>7581</EventRecordID>
<Channel>Application</Channel>
<Computer>SPF1.testdomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>The Forefront Identity Manager Service cannot connect to the Exchange Web Service.
The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the failure may be due to incorrect Exchange Web Service configuration.
Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the
Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.</Data>
</EventData>
</Event>
I'm not really sure where to start investigating at this point. The only other thing to note is that after installing the portal, I didn't see a new management agent in the synchronization service (I thought one was supposed to appear, though I could be mistaken).
I eventually figured this out - it was that the portal management agent hadn't been created yet; I had to create it.
-
Grant access to help desk users to add members to distribution and security groups
Hello,
I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members
in the FIM Portal and flow it down to ADS.
This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limitied rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as
well as MPR "Security group management: Users can read selected attributes of group resources".
The help desk users can update users in the Portal with no issue. The can search groups with no issue but when they try to add members to a group they get the error "Access Denied".
Any help is greatly appreciated.
Thanks!
I'm having a very similar problem - I have users with delegated rights to modify group membership only. A user can add someone to a group and it works fine, but when the same user tries to remove a user from a group (even if this is the same user which was added a minute ago) he gets Access Denied:
"The request included members which the requestor is not authorized to add and/or remove from this group."
It is caused by default MPR:
Group management workflow: Validate requestor on remove member
Question is how this activity validates this request - any insight? -
Can users in AD DS be in a group for FIM password registration?
Hi guys,
Just a quick question. I've set up FIM to create users in AD and they can all log on and have the password registration portal appear as normal. Great! The question is, I have several hundred users in my AD and instead of importing them all into FIM (because
I don't need to manage them all in there) can I simply add them to a group and then have any member of that group have to register their security questions? Or will it simply ask them every time they log on? If it can be done does anyone know how?
Thanks guys!
To provide them the ability to reset their own password, each user has to have responses to the questions stored somewhere. So you have to import them into FIM (at least their AccountName, ObjectSID and Domain) to store their Password Reset answers in one of the FIM attributes.
Once they would be created in FIM Portal and you have "FIM Rich Client" on workstations in environment, users would be asked to register for password reset.
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.