FIM 2010 R2 Self-Service Password Reset: Minimum permissions for the service account

As you may know, the best practice for Active Directory account permissions is to grant only the minimum required. To set the minimum permissions required to enable password reset with FIM SSPR, set the following permissions in your Active Directory.

Open Active Directory Users and Computers with advanced features.
Right-click the parent OU for which you want to enable Self-Service Password Reset and select "Properties" (child OUs will inherit these permissions).
Click the "Security" tab.
Click the "Advanced" button.
Click the "Add" button.
Select the principal as the FIM service account being used for password reset.
From this point you need to select the following options:

Set "Applies to:" to "Descendant user objects", then:

  • In the "Object" part, tick "Change password" and "Reset password"
  • In the "Properties" part, tick "Change password" and "Reset password", then tick "Read lockoutTime", "Write lockoutTime", "Read userAccountControl", and "Write userAccountControl"
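
The same delegation can be scripted with `dsacls` so it is repeatable and reviewable. This is an added example, not part of the original post; the OU distinguished name and the service account name are placeholders to replace with your own.

```powershell
# Assumptions (placeholders, not from the original post): adjust both values.
$TargetOU   = 'OU=SSPR Users,DC=example,DC=com'   # hypothetical parent OU
$SvcAccount = 'EXAMPLE\svc-fim-sspr'              # hypothetical FIM service account

# dsacls permission strings: <rights>;<extended right or property>;<inherited object type>
#   CA = control access (extended right), RP = read property, WP = write property
$Grants = @(
    'CA;Change Password;user',
    'CA;Reset Password;user',
    'RPWP;lockoutTime;user',
    'RPWP;userAccountControl;user'
)

foreach ($grant in $Grants) {
    # /I:S applies the ACE to sub-objects only; combined with the "user" object type
    # this matches "Applies to: Descendant user objects" in the GUI.
    & dsacls.exe $TargetOU /I:S /G "${SvcAccount}:$grant" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$grant' (exit code $LASTEXITCODE)"
    }
}

# Review step: list the ACEs on the OU that name the service account, with the
# lines that follow each match, to confirm nothing broader was granted.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $SvcAccount -Context 0,2
```

Run it from an elevated session with an account allowed to modify permissions on the OU.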