Using FIM or MIM Synchronization Service for password reset: initialisation problem

  • Question

  • We have determined that we can do this by flowing to the unicodePwd attribute in a suitably configured
    Active Directory Domain Services Management Agent.
    We know too that we can set an initial password using a Metaverse Extension.

    Our problem: we have a mature AD and do not wish to change any passwords on existing accounts when we initialise
    our system.

    We will import our AD structure and parallel information which is stored in a SQL database.
    The latter will include an 'initial password' which will not match the username's actual password in all likelihood.
    We synchronize the two sources and, with suitable projection rules, join the related objects, with the objective of flowing
    any changes from the SQL database to the AD Management Agent. Currently though, when we 'turn on' a flow of the
    password, every password is reset.  Can we avoid this?

    Any advice will be gratefully received.  Thank you.

    Tuesday, October 13, 2015 4:07 PM

All replies

  • You can, but it will not be an elegant solution.  Plus you will have a piece of configuration sitting there all the time when it was meant to perform a one time task.

    If I am understanding this correctly, you want to synchronize passwords from a SQL table to AD.

    You don't want to use FIM SSPR, and you don't want to reset anyone's passwords initially.  SQL Table will have the Password Authority going forward.

    If that is the case, one way is to use a timestamp and sync only accounts updated after today. So, in a step-by-step scenario:

    1. Extend MV Schema, create a new attribute called PassChanged (Boolean).

    2. Create an import flow -> PassChanged. Set as constant True for everyone. Import all passwords to MV as well through a direct flow.

    3. Change the flow above. Create an advanced import rule in SQL MA for Password --> PassChanged:

       If (SQL Password is not the same as MV Password)
           Set PassChanged = True.

    4. Create advanced flow to unicodePwd in AD MA. Here you check for the PassChanged Boolean. If true, set unicodePwd in AD; if not, leave it alone.

    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Thursday, October 15, 2015 11:33 AM
    Tuesday, October 13, 2015 5:57 PM
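The gating logic described in the reply above, written out as a FIM/MIM Synchronization Service rules extension. This is an added example, not code from the thread or from Microsoft; it assumes the SQL MA exposes the password as an attribute named `password`, that the metaverse holds `password` (string) and `PassChanged` (Boolean), that the AD MA attribute is `unicodePwd`, and that the two advanced flow rules are named `cd.password-to-passchanged` and `cd.passchanged-to-unicodepwd`. It also folds the initial seeding of `PassChanged` into the import rule (the first time a password is seen for an object it is recorded without being flagged) rather than using a separate constant flow; that choice, and the assumption that the seed value is false so existing AD passwords are left alone, are mine.

```csharp
// Added example (not from the thread): rules extension gating unicodePwd export
// on a PassChanged flag. Attribute and flow rule names are assumptions.
using System;
using Microsoft.MetadirectoryServices;

namespace PasswordGate
{
    public class MAExtension : IMASynchronization
    {
        const string ImportRule = "cd.password-to-passchanged";   // configured on the SQL MA
        const string ExportRule = "cd.passchanged-to-unicodepwd"; // configured on the AD MA

        public void Initialize() { }
        public void Terminate() { }

        // Import rule on the SQL MA: compare the incoming SQL password with the copy
        // already held in the metaverse and raise PassChanged only on a real change.
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            if (FlowRuleName != ImportRule)
                throw new EntryPointNotImplementedException();

            if (!csentry["password"].IsPresent)
                throw new DeclineMappingException(); // nothing to compare; leave the MV untouched

            string incoming = csentry["password"].Value;
            string current = mventry["password"].IsPresent ? mventry["password"].Value : null;

            if (current == null)
            {
                // First import (the initialisation the question is about): record the
                // SQL password but do not flag it, so the existing AD password survives.
                mventry["password"].Value = incoming;
                mventry["PassChanged"].BooleanValue = false;
                return;
            }

            if (!string.Equals(incoming, current, StringComparison.Ordinal))
            {
                // SQL is the password authority going forward: record and flag the change.
                mventry["password"].Value = incoming;
                mventry["PassChanged"].BooleanValue = true;
            }
        }

        // Export rule on the AD MA: only flagged objects get unicodePwd set.
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            if (FlowRuleName != ExportRule)
                throw new EntryPointNotImplementedException();

            bool changed = mventry["PassChanged"].IsPresent && mventry["PassChanged"].BooleanValue;
            if (!changed || !mventry["password"].IsPresent)
                throw new DeclineMappingException(); // leave the AD password alone

            // AD only accepts unicodePwd over a secure (LDAPS) connection, so the AD MA
            // must be configured accordingly for this export to succeed.
            csentry["unicodePwd"].Value = mventry["password"].Value;
        }

        // Remaining IMASynchronization members are not used by this extension.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                      out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

Because the metaverse copy is only updated inside the import rule, a full import followed by a full sync on the SQL MA seeds every object without flagging it, and only later changes in SQL set `PassChanged`. The flag stays true once a change has been seen, so a full export re-sends the current SQL password only for those flagged accounts, which matches the reply's point that SQL holds the password authority from then on. Note that this design keeps a clear-text copy of each SQL password in the metaverse, which is exactly what the reply's "import all passwords to MV" step implies.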
  • Thanks Nosh, I am grateful.  Apologies for the late reply.  I think in step 2 we would set to [false] since the aim is to inhibit flow... I am even tempted to think the import logic alone will suffice.
    Thursday, October 15, 2015 7:57 AM
  • Hi Terry, No that would not suffice because you are synchronizing old passwords. Unless your SQL passwords are current, in which case you don't need any of this.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, October 15, 2015 11:32 AM