How can we force a single user to re-register to Self service password reset?

    Question

  • In my scenario, I'm trying to figure out how I can force a user to re-register if he forgets his answers for his pwd reset questions. I tried to force it by checking the re-register check box on Password reset set, but it enforces it on every user.

    Thanks

    Thursday, September 09, 2010 2:45 PM

Answers

  • Short answer, there is no way to do that.

    That said, when a user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 failed attempts, he's locked out and calls the helpdesk.

    At this point, the helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When the user next logs on to the system, he would be prompted to re-register.


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Thursday, September 09, 2010 9:27 PM

All replies

  • side question: how do u know if a user has forgotten the answers?
    Thursday, September 09, 2010 5:43 PM
  • I don't have my FIM environment nearby, but I do have some course book laying around:

    1. As an admin log on to the portal
    2. Choose administration -> unlock users
    3. Search for your user, click it
    4. Click "password reset authN workflow" and select "require re-registration"
    5. OK and submit
    6. Let the user log on, it should be asked to re-register

    This seems quite similar to what you said, although it's unclear to me whether you selected "require re-registration" on the workflow in the workflow section or for your specific user.


    http://setspn.blogspot.com
    Monday, September 20, 2010 6:42 PM
  • That's a big NO. That will un-register EVERYONE for that workflow, not just one user.

    Is the course book from OCG? If yes, I have already talked to Hugh about that. If not, please notify your source.

    "Per user un-registration" is a feature that we've cut very very early on (before RC).


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Monday, September 20, 2010 9:36 PM
  • Ahah, lucky you are awake and watching us! I guess it's because in the portal everything is all linked up. So when clicking the workflow on the user, you're actually opening the workflow that applies to all.

    The source is indeed the OCG book. Gonna get my pen and correct that.

    Well, if that way is a no go, I'd suggest assisting the user by phone and performing one of the following:

    • start - run - cmd - "MsPwdRegistration -all"
    • Go to the FIM portal and let the user click the link to register his questions again

    Of course, if you have to do this for a lot of users...


    http://setspn.blogspot.com
    Monday, September 20, 2010 9:42 PM
  • We envision the scenario as the following

    >>That said, when user has forgotten his answers, it will probably be the case when he tries to reset his pwd. After 3 fail attempts, he's locked out and call helpdesk.

    >>At this point, helpdesk should just reset the user's pwd WITHOUT unlocking the user from FIM SSPR. When user next logon to the system, he would be prompted to re-register

    If you see a core scenario that requires per user un-registration, do contact PSS and let us know


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Monday, September 20, 2010 10:34 PM
  • I tested the scenario as you describe it:

    User enters wrong answers too many times, is locked out from SSPR and "helpdesk" resets the PW in AD. At successful logon the user is notified that someone tried to answer too many times and he can re-register his answers.

    Makes perfect sense.


    http://setspn.blogspot.com
    Wednesday, September 22, 2010 6:52 AM
  • Is it possible to search for the GateRegistration objects for that user (in my environment I find three) and delete the registration objects?

    -Jeremy

    Friday, November 05, 2010 7:41 PM
  • Registration status flag is stored under User.AuthNWFRegistered. Modifying that directly is NOT supported.
    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Friday, November 05, 2010 10:04 PM
  • Remove the workflow IDs from User.AuthNWFRegistered. His registration data will still be in the system but it will mark that user as unregistered.

    There's no portal UI to do this, but you can do this manually (through Powershell or webservice calls, or if you have admin access in the portal and go to the extended attributes and clear that attribute).


    ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
    • Proposed as answer by Ikrima Elhassan Thursday, November 18, 2010 8:33 AM
    Thursday, November 18, 2010 8:33 AM
  • If one were to do that using PowerShell it might look like this:

    ### Load the FIM Service cmdlets (Export-FIMConfig / Import-FIMConfig)
    if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

    ###
    ### Get the User object
    ###

    $xPathFilter = "/Person[AccountName='HoofHearted']"
    $queryResult = Export-FIMConfig -OnlyBaseResources -CustomConfig $xPathFilter

    ### Display the object
    $queryResult | foreach{$_.ResourceManagementObject.ResourceManagementAttributes | ft -AutoSize}

    ###
    ### Get the object ID and the AuthNWFRegistered attributes
    ###

    $objectId = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'ObjectID'}
    $AuthNWFRegistered = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where{$_.AttributeName -eq 'AuthNWFRegistered'}

    ###
    ### Create a new ImportObject for the User (State = Put, i.e. modify the existing object)
    ###

    $update = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $update.ObjectType = "Person"
    $update.SourceObjectIdentifier = $objectId.Value
    $update.TargetObjectIdentifier = $objectId.Value
    $update.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

    ###
    ### AuthNWFRegistered is multivalued: one ImportChange per registered workflow ID
    ###

    foreach($AuthNWFRegisteredValue in $AuthNWFRegistered.Values)
    {
        ### Create an ImportChange that deletes this value from AuthNWFRegistered
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $importChange.AttributeName = "AuthNWFRegistered"
        $importChange.AttributeValue = $AuthNWFRegisteredValue
        $importChange.FullyResolved = $true
        $importChange.Locale = "Invariant"

        $update.Changes += $importChange
    }

    ###
    ### Finally, import the change to FIM (the ImportObject is piped into Import-FIMConfig)
    ###

    $update | Import-FIMConfig


    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Friday, January 07, 2011 12:01 AM
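As an added example (not code from the thread or from FIM itself), the same Export-FIMConfig / Import-FIMConfig pattern wrapped in a function that takes one or many account names, shows what it is about to change before doing it (-WhatIf), and reads the attribute back afterwards to confirm the user now appears unregistered. It addresses the "lots of users" case raised earlier in the thread and follows the unsupported direct-attribute approach the thread describes. The function names, parameter names and the sample account names are assumptions for illustration.

```powershell
# Added example, not from the original thread. Assumes the FIMAutomation snap-in
# and permission to read and modify Person objects in the FIM Service.
if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

function Get-FimPersonExport {
    # Exports exactly one Person by AccountName; fails loudly on zero or many matches
    param([Parameter(Mandatory)][string]$AccountName)
    if ($AccountName -match "['\[\]]") { throw "Unsupported characters in account name: $AccountName" }
    $xpath  = "/Person[AccountName='$AccountName']"
    $result = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath)
    if ($result.Count -ne 1) { throw "Expected exactly one Person for '$AccountName', found $($result.Count)" }
    return $result[0]
}

function Get-FimAttribute {
    # Picks one attribute (by name) out of an exported object
    param($ExportObject, [string]$Name)
    $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
}

function Clear-FimSsprRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$AccountName)
    process {
        foreach ($name in $AccountName) {
            $person   = Get-FimPersonExport -AccountName $name
            $objectId = (Get-FimAttribute $person 'ObjectID').Value
            $regAttr  = Get-FimAttribute $person 'AuthNWFRegistered'

            # Nothing to do if the multivalued attribute is already empty
            if (-not $regAttr -or -not $regAttr.Values) {
                Write-Verbose "$name has no AuthNWFRegistered values; already unregistered"
                continue
            }
            $count = @($regAttr.Values).Count
            Write-Verbose "$name is registered for $count workflow(s)"

            if (-not $PSCmdlet.ShouldProcess($name, "Remove $count AuthNWFRegistered value(s)")) { continue }

            $update = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $update.ObjectType             = 'Person'
            $update.SourceObjectIdentifier = $objectId
            $update.TargetObjectIdentifier = $objectId
            $update.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

            # One Delete change per workflow ID currently stored in AuthNWFRegistered
            foreach ($wfId in $regAttr.Values) {
                $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
                $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
                $change.AttributeName  = 'AuthNWFRegistered'
                $change.AttributeValue = $wfId
                $change.FullyResolved  = $true
                $change.Locale         = 'Invariant'
                $update.Changes += $change
            }
            $update | Import-FIMConfig

            # Read back and confirm the attribute is now empty, so the user will be
            # prompted to re-register at next logon as the thread describes
            $after = Get-FimAttribute (Get-FimPersonExport -AccountName $name) 'AuthNWFRegistered'
            if ($after -and $after.Values) { throw "AuthNWFRegistered on $name is still populated after import" }

            [pscustomobject]@{ AccountName = $name; RemovedWorkflowIds = @($regAttr.Values) }
        }
    }
}

# Usage (account names below are constructed for illustration):
# Clear-FimSsprRegistration -AccountName 'HoofHearted' -WhatIf -Verbose
# 'jdoe', 'asmith' | Clear-FimSsprRegistration -Verbose
```

Run it once with -WhatIf to see which accounts would be touched and how many workflow IDs each carries; the returned objects give an audit trail of what was removed per account.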