HOW to configure MIM 2016 Password Reset to enforce AD Password Policy?

  • Question

  • I am looking at the article

    "FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies"

    It seems I need to set a Registry Key. [FIM] documentation says:

    Registry Key
    SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
    Registry Value Name          Values    Class    Created by    Explain
    ADMAEnforcePasswordPolicy    dword     HKLM     Admin         1 - true, everything else is false

    Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.


    This setting is only supported on FIM build version 4.0.3561.2 and later versions.


    This is only supported where the domain controller is as follows:
    · Windows Server 2008 R2 with KB2386717
    · Windows Server 2008 R2 SP1
    · Windows Server 2008 with KB2386717

    Our Windows 2008 domain controllers are patched. ldp.exe works over SSL. I have MIM version 4.3.2266.0.

    BUT I cannot locate that registry key in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters

    What must I do for MIM 2016 to enforce the AD Password Policy? Testers complain that SSPR works but allows old passwords.

    Friday, September 2, 2016 10:48 AM

All replies

  • OK. If I have to manually create this key PerMAInstance\<ma name>, must I enclose the <ma name> in quotes if it contains a blank?

    My AD MA is named:   SW AD MA

    Friday, September 2, 2016 10:53 AM
  • Hi,

    Please confirm whether the policy is first set in AD.

    To achieve the requirement, create the required folders (PerMAInstance\SW AD MA) and DWORD (ADMAEnforcePasswordPolicy) with hexadecimal value = 1.



    • Proposed as answer by Antony Petson Tuesday, July 16, 2019 12:01 PM
    Tuesday, July 16, 2019 12:01 PM
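
The steps from the reply above as a PowerShell script, added here as an example and not part of the thread. The key is named as in the reply, with the space and no quote characters (only the PowerShell string is quoted); the `$MaName` parameter is an assumption, and its default `SW AD MA` is the MA name from the question.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the server that hosts the FIM/MIM Synchronization Service.
param(
    # MA name exactly as it appears in the Synchronization Service (value from the question).
    [string]$MaName = 'SW AD MA'
)

$ErrorActionPreference = 'Stop'
$parameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$valueName  = 'ADMAEnforcePasswordPolicy'

# Stop if the service's Parameters key is absent, so nothing is created on the wrong machine.
if (-not (Test-Path -LiteralPath $parameters)) {
    throw "Not found: $parameters. Run this on the synchronization server."
}

# Create PerMAInstance and then the per-MA key only when missing, so that
# existing per-MA values are left untouched.
$path = $parameters
foreach ($segment in 'PerMAInstance', $MaName) {
    $path = "$path\$segment"
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path | Out-Null
    }
}

# Write the DWORD; -Force overwrites a value of the same name,
# for example one created earlier with the wrong type.
New-ItemProperty -LiteralPath $path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read back and check both the type and the data: per the quoted documentation,
# only 1 counts as true and everything else is false.
$key  = Get-Item -LiteralPath $path
$kind = $key.GetValueKind($valueName)
$data = $key.GetValue($valueName)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $data -ne 1) {
    throw "Unexpected result at ${path}: $valueName = $data ($kind)"
}
"{0}\{1} = {2} ({3})" -f $key.Name, $valueName, $data, $kind
```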