Symptoms

You are using the FIM self-service password reset client, and are in the process of resetting your password. You have successfully answered the challenge questions. When you click the Reset button on the Enter Your New Password page, a dialog returns the error:

“An error occurred when attempting to reset password, please try again.”
On the server running the FIM service, a corresponding Applications and Service Event log error with description:

“PWReset Activity's MIIS Password Set call failed with ma-access-denied” is written to the FIM event log.

Cause

The return code "ma-access-denied" indicates that the relevant Active Directory Management Agent (AD MA) does not have the right to set the password on a specific target user object.


This article discusses the specific scenario where Forefront Identity Manager is unable to reset passwords on a group of user objects whose Security Descriptor attribute is managed by the domain to match the AdminSDHolder object’s Security Descriptor.

Please see the More Information section of this article for additional information about the AdminSDHolder.

Resolution

Generally, the resolution to this problem is to either:

1. Grant sufficient permissions to the Active Directory Management Agent account to be able to reset passwords on these user objects

2. Remove the user objects whose security descriptor is managed by the AdminSDHolder from the set of users enabled for Self-Service Password Reset in FIM
Detailed Options to Resolve this Problem


• Decide these accounts are too important and don’t allow them to use FIM to reset their passwords by taking those users out of the password reset users set
• Remove users who will be managing their password reset options through FIM from the groups listed below
• If the users who will be managing password reset using FIM are in one of the following groups and in no other, consider removing one or more of these groups from the management of the AdminSDHolder (http://support.microsoft.com/kb/817433)
o Account Operators
o Server Operators
o Print Operators
o Backup Operators

• Grant Change Password and Reset Password rights to the Active Directory MA account on the AdminSDHolder object
                  
o This will allow the Active Directory MA account to reset the password of every user who is a member of the groups listed below under “AdminSDHolder Secured Groups”
   o To grant these permissions on the AdminSDHolder object, the DSACLS command must be used.  Please see examples under “Granting Permissions on the AdminSDHolder Object” in the More Information section

More Information

In order to secure the Administrative accounts in the Active Directory, there is a process that automatically runs against members of the following groups to set the security descriptor to match that of the AdminSDHolder object in the Active Directory. 

• Administrators

• Account Operators

• Server Operators

• Print Operators

• Backup Operators

• Domain Admins

• Schema Admins
• Enterprise Admins
• Cert Publishers

How and why this process is in place is important to understand prior to making any changes to the permissions on these objects via a change in the Security Descriptor of the AdminSDHolder object.  There are many good articles published on the TechNet website.  Simply search for “AdminSDHolder” from http://technet.microsoft.com.   

Granting Permissions on the AdminSDHolder Object

Important: When making a change to the AdminSDHolder security descriptor, please realize this change is applied on every object whose security descriptor is managed by the Active Directory to match the AdminSDHolder.  This includes, among others, members of the Domain Admins and Enterprise Admins security groups.  To delegate Change Password and Reset Password rights to AdminSDHolder, use DSACLS at a command line as follows:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Reset Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "mydomain\svc_fimadma:CA;Change Password"
Note: Please modify the distinguishedName and AD MA account in the commands above to match your system.

Additional Documentation Links:

AdminSDHolder, Protected Groups and SDPROP
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/kb/817433

Security tab of the adminSDHolder object does not display all properties
http://support.microsoft.com/kb/301188

How Security Principals Work
http://technet.microsoft.com/en-us/library/cc779144(WS.10).aspx
गुण

आलेख ID: 2028194 - पिछली समीक्षा: 02/02/2011 - संशोधन: 1

प्रतिक्रिया