Programmatically Unlock Users

  • Question

  • Hi,

    Is it possible to write a script (preferably in PowerShell) that can unlock a FIM user? What I am after is:

     - User X is locked out of the FIM portal due to, say, 9 incorrect logon attempts.
     - The script "unlock user testuser.lockedout" is run, and user testuser.lockedout is then unlocked by the account triggering the workflow.

     I haven't seen any examples of this done before and would love to hear some opinions on whether it's possible, or ideas for getting it going.

    Thanks in advance

    Monday, December 1, 2014 11:21 AM

All replies

  • Hello,

    Yes, you can do this; I've done exactly this in one of my environments, not automatically but for the helpdesk.

    You can use a PowerShell Activity, e.g. https://fimpowershellwf.codeplex.com/

    This activity will run as FIMService or impersonate the user if you want.

    I've granted the FIMService account rights to reset passwords. Just let the account lockout flow into the portal and put a trigger with an MPR on it.

    As it could take some time for this information to sync into the portal, I also catch the account-locked event through an event subscription on all writable DCs and let this information flow into the portal in nearly "real time"; it takes around 20 seconds.

    You could also wait some time, since the next release of FIM (MIM 2015) will have a Self-Service Account Unlock feature, as you can see in the presentations from TechEd Europe 2014 on Channel 9.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, December 1, 2014 11:39 AM
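The following is an added example, not code from Peter's post or from the fimpowershellwf project. It shows the two pieces Peter's design needs in PowerShell: a helper that a PowerShell Activity (or a helpdesk operator at a prompt) can call to unlock one AD account, and a poller that pulls the "account was locked out" event (Security log event ID 4740) from every writable DC, which is the "near real time" signal he feeds into the portal. It assumes the ActiveDirectory module is available, that the account running it (FIMService in Peter's setup) has been delegated write access to the lockoutTime attribute (that is all Unlock-ADAccount needs; reset-password rights are not required for an unlock), and that it can read the Security log on the DCs. The audit-log path and function names are made up for the example.

```powershell
# Added example (not from the thread). Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

function Unlock-FimManagedUser {
    # Unlock one AD account, record who asked for it, and report whether anything changed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Query and write on the PDC emulator: it sees every lockout, so a stale replica
        # cannot make us believe the account is already unlocked.
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [string]$Requestor = "$env:USERDOMAIN\$env:USERNAME",
        [string]$AuditLog = 'C:\FIM\Logs\unlock-audit.csv'   # assumed path
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $Server `
                       -Properties LockedOut, lockoutTime, badPwdCount
    if (-not $user.LockedOut) {
        Write-Verbose "$SamAccountName is not locked out on $Server; nothing to do"
        return $false
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Unlock on $Server")) {
        Unlock-ADAccount -Identity $user -Server $Server
        [pscustomobject]@{
            Time      = (Get-Date).ToString('o')
            User      = $user.SamAccountName
            Requestor = $Requestor
            Server    = $Server
            BadPwd    = $user.badPwdCount
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    }
    return $true
}

function Get-RecentLockouts {
    # Collect 4740 events from all writable DCs for the last $Minutes minutes.
    param([int]$Minutes = 5)
    $since = (Get-Date).AddMinutes(-$Minutes)
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since }
        } catch {
            # Get-WinEvent throws "No events were found" when nothing matches; that is not an error here.
            continue
        }
        foreach ($e in $events) {
            # Read fields by name from the event XML rather than by positional index.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc.HostName
                User   = $data['TargetUserName']
                Source = $data['TargetDomainName']   # "Caller Computer Name" in the 4740 event
            }
        }
    }
}

# Helpdesk usage, matching the command line in the question. Drop -WhatIf to actually unlock.
Unlock-FimManagedUser -SamAccountName 'testuser.lockedout' -WhatIf -Verbose
# What the event-driven path would see; feed each row to the portal (or straight to the unlock).
Get-RecentLockouts -Minutes 5 | Format-Table -AutoSize
```

The Source column matters for the helpdesk: a lockout whose caller computer is the user's own workstation is a forgotten password, while one coming from a server or an unknown host is worth a second look before anyone unlocks it.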
  • Thanks for the input Peter. Reading your link, would I be right in thinking I'd need to install and set up the CodePlex module, then write the necessary PowerShell code in a workflow to clear the "Lockout gate registration resource" for the appropriate user?

    Once done, presumably it would be possible to trigger the script from a command line using a similar syntax to my original post?

    You mentioned the trigger on the account lockout MPR - can you clarify a little more what the trigger does?

    Much appreciated

    Monday, December 1, 2014 12:15 PM
  • Hi

    Another way to achieve the same thing is also to use a PowerShell workflow, but instead of resetting the account directly I use the WMI interface of FIM Synchronization. The workflow in my case is triggered by a helpdesk user.

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms697760(v=vs.100).aspx

    You don't need a second account with additional permissions, and you get the FIM PWD Reset history. This is exactly the way FIM PCNS and the Self-Service Password Reset Portal do it.

    Henry

    Wednesday, December 3, 2014 9:29 PM
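An added example of the WMI route Henry describes; it is not his code. The FIM Synchronization Service exposes connector-space objects through the WMI namespace root\MicrosoftIdentityIntegrationServer as MIIS_CSObject instances, which carry Domain and Account properties for objects from the AD management agent and a SetPassword method that pushes a new password through the MA. The example assumes it runs on the sync server (or with remote WMI access to it), that the caller is in the FIMSyncPasswordSet group that gates SetPassword, that the AD MA has password management enabled, and that it is configured to unlock the account when a password is set (check the MA's password-management options; without that setting this resets the password but does not clear the lockout). Treating any return string other than "success" as a failure is an assumption about the method's return value; the function name is made up.

```powershell
# Added example (not from the thread). Run where the FIM Synchronization Service WMI provider is reachable.
function Set-FimSyncPassword {
    # Set a user's password through the FIM Sync WMI provider, so the AD MA does the
    # write (and the unlock, if so configured) and the sync service keeps the history.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,        # Domain value of the AD MA cs object
        [Parameter(Mandatory)][string]$Account,       # sAMAccountName
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$ComputerName = $env:COMPUTERNAME     # the sync server
    )
    # Escape single quotes so a crafted account name cannot rewrite the WQL filter.
    $esc = { param($s) $s -replace "'", "''" }
    $filter = "Domain='{0}' AND Account='{1}'" -f (& $esc $Domain), (& $esc $Account)

    $cs = @(Get-WmiObject -ComputerName $ComputerName `
                          -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                          -Class 'MIIS_CSObject' -Filter $filter)
    if ($cs.Count -eq 0) { throw "No connector space object for $Domain\$Account" }
    if ($cs.Count -gt 1) { throw "Filter matched $($cs.Count) objects for $Domain\$Account; refusing to guess" }

    if (-not $PSCmdlet.ShouldProcess("$Domain\$Account", 'SetPassword via FIM Sync')) { return $null }

    # SetPassword takes plain text; materialise it as late as possible and drop it right after.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    try {
        $result = $cs[0].SetPassword($plain)
    } finally {
        $plain = $null
    }
    # Assumption: the provider reports "success" on success and an error text otherwise.
    if ($result -ne 'success') { throw "SetPassword failed for $Domain\$Account: $result" }
    return $result
}

# Helpdesk usage: the operator supplies the temporary password interactively, never on the command line.
$pwd = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-FimSyncPassword -Domain 'CONTOSO' -Account 'testuser.lockedout' -NewPassword $pwd -WhatIf
```

The trade-off against the direct AD approach is that this path always sets a new password: the helpdesk operator learns the temporary value and the user must change it afterwards, but no service or helpdesk account needs its own AD rights, and every reset lands in the sync service's password history.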