FIM 2010 R2 Self-Service Password Reset: minimum permissions for the service account
As you may know, the best practice for Active Directory account permissions is least privilege: grant only the rights the account actually needs. To give the FIM SSPR service account the minimum it needs to reset passwords, set the permissions in your Active Directory as follows.
Open Active Directory Users and Computers with advanced features.
Right-click the parent OU on which you want to enable Self-Service Password Reset and select “Properties” (child OUs inherit these permissions)
Click the “Security” tab
Click the “Advanced” button
Click the “Add” button
Select the principal as the FIM service account being used for password reset.
From this point, select the following options:
Set “Applies to:” to “Descendant user objects”, then:
- In the “Object” part tick “Change password” and “Reset password” (these are extended rights and are listed in the Object part, not under Properties)
- In the “Properties” part tick “Read lockoutTime”, “Write lockoutTime”, “Read userAccountControl”, and “Write userAccountControl”
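The same delegation can be scripted and, more importantly, verified, so that the ACL on the OU can be diffed against what is expected. The following PowerShell is an added example written for this post, not code from the original page or from the FIM product; the OU distinguished name and the account name `CONTOSO\svc-fim-pwreset` are placeholders. It looks up the schema and extended-right GUIDs from the forest rather than hardcoding them, grants exactly the four entries listed above (inheriting to descendant user objects only), and reads the ACL back.

```powershell
# Added example (not part of the original post). Assumptions: the OU DN and the
# service account below are placeholders; the ActiveDirectory module and the
# AD: PSDrive (RSAT) are available on the machine running this.
Import-Module ActiveDirectory

$TargetOU    = "OU=Employees,DC=contoso,DC=com"   # assumption: parent OU for SSPR
$ServiceAcct = "CONTOSO\svc-fim-pwreset"          # assumption: FIM account doing the reset

# Resolve the service account to a SID so the ACE is bound to the object, not the name
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAcct)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# GUID of an attribute or class, read from the schema partition
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# GUID of a control access right (e.g. "Reset Password"), read from CN=Extended-Rights
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$displayName' not found" }
    return [guid]$obj.rightsGuid
}

# "Applies to: Descendant user objects" = inherit to descendants, limited to the user class
$userClassGuid = Get-SchemaGuid 'user'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @()

# "Object" part: the two extended rights
foreach ($right in 'Change Password', 'Reset Password') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow,
        (Get-ExtendedRightGuid $right),
        $inherit,
        $userClassGuid)
}

# "Properties" part: read + write on lockoutTime and userAccountControl only
$rpwp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
foreach ($attr in 'lockoutTime', 'userAccountControl') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rpwp, $allow, (Get-SchemaGuid $attr), $inherit, $userClassGuid)
}

# Apply: add the four ACEs to the OU's DACL without touching existing entries
$aclPath = "AD:\$TargetOU"
$acl = Get-Acl -Path $aclPath
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $aclPath -AclObject $acl

# Verify: the service account should now hold exactly these entries on the OU.
# Anything broader (GenericAll, WriteDacl, unscoped WriteProperty) is over-delegation.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAcct } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType
```

The verification step at the end is the part worth keeping in a runbook: an SSPR delegation that was once set by hand tends to drift towards “Full control” on the OU, and listing the ACEs for the account is a quick way to confirm it still holds only the Change/Reset Password extended rights and the two scoped property rights on descendant user objects.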