Issue

Self-Service Password Reset appears to be failing with error 3000 from the FIM Password Reset web portal, but the password change is actually successful.

FIM Service Trace

FIMService trace revealed the following error:

PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005

Cause

Read LockoutTime and Write LockoutTime permissions were not granted to the AD MA account for the OU containing the password reset users.

More information

Usually, if the AD MA account permissions are set incorrectly, we will see 'ma-access-denied' right after the WQL Select statement in the FIM Service trace. ma-access-denied is thrown if the 'Change Password' and 'Reset Password' permissions are not set for the AD MA account on all descendant user objects in the OU. In this case those two permissions were present, so the trace did not show ma-access-denied; the failure surfaced later, as 0x80004005 from the password set call, because the account could not read or write lockoutTime.

Minimum OU permissions needed for the AD MA account to reset passwords with FIM Self-Service Password Reset

Apply to: Descendant User Objects:

  • Object
    • Change Password
    • Reset Password
  • Properties
    • Read lockoutTime
    • Write lockoutTime
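The following PowerShell script is an added example, not part of the original article, showing one way to grant exactly these four rights to the AD MA account on an OU (inherited by descendant user objects only) and then list what the account holds, so a missing lockoutTime ACE is visible before the next reset attempt. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and the service account name are placeholders.

```powershell
# Added example: grant the AD MA account the minimum SSPR rights on one OU.
# Placeholders: replace $OU and $Account with your own values.
Import-Module ActiveDirectory

$OU      = "OU=SSPR Users,DC=contoso,DC=com"     # placeholder OU containing the SSPR users
$Account = "CONTOSO\svc-fim-adma"                 # placeholder AD MA service account
$Sid     = (New-Object System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
              [System.Security.Principal.SecurityIdentifier])

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$ConfigNC = $RootDse.configurationNamingContext

# Resolve GUIDs from this forest's schema and Extended-Rights container rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$UserClass   = Get-SchemaGuid 'user'
$LockoutTime = Get-SchemaGuid 'lockoutTime'
$Inherit     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # descendants only, not the OU itself
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$ExtRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ReadWrite   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$Acl = Get-Acl -Path "AD:\$OU"

# Object: Change Password and Reset Password (control-access rights), scoped to user objects.
foreach ($right in 'Change Password', 'Reset Password') {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Sid, $ExtRight, $Allow, (Get-RightsGuid $right), $Inherit, $UserClass))
}

# Properties: Read lockoutTime and Write lockoutTime, scoped to user objects.
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $Sid, $ReadWrite, $Allow, $LockoutTime, $Inherit, $UserClass))

Set-Acl -Path "AD:\$OU" -AclObject $Acl

# Verify: every ACE the account now holds on this OU. Expect two ExtendedRight entries and one
# ReadProperty, WriteProperty entry whose ObjectType is the lockoutTime GUID.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run the final verification pipeline on its own against an OU that is already failing with error 3000: if the lockoutTime entry is absent, that matches the cause described above.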