Monday, June 14, 2010 8:00 AM
WMI permissions required for a FIM2010 self-password reset scenario
A recent post from Brad Turner reminded me of something I wanted to blog about since I setup my Forefront Identity Manager (FIM) lab for self-password reset for users. So here it is – WMI permissions …
… If you want to enable the self-password reset scenario for users (which is one of scenarios you definitely want to enable when you deploy FIM) there is a number things to do – enabling MPRs, set permissions in AD, configure sync engine settings and also configure WMI permissions. All steps required are outlined in this TechNet document. One of the steps is setting up permissions on the WMI space on the FIM synchronization service machine.
The instructions tell you to set up some permissions on the ROOT\CIMV2 namespace and all the child namespaces for the FIM 2010 service account. The reasons behind these changes is the actual password reset on the object is being performed through WMI calls to the FIM synchronization service, which enables lookups for MV objects and CS objects and the password reset call. Actually, the same scenario is possible for ILM 2007 or even MIIS 2003 with not so magical code and I’ve used it in the past to deploy similar solutions for customers … but this is just on the side note.
There is nothing wrong with these instructions, but well … I tend to think in problems when instructions tell me to delegate “all rights” on an entire tree of objects, when it is not completely necessary.
This comes from my experience and if you want to stick to the completely supported way it probably means that this has to be done by the TechNet or ask Microsoft representative about support. However I don’t think that it will break the scenario – in my case it works great and it worked for ILM 2007 … but well, I got a reason to write a disclaimer ;).
If you take a look at the WMI tree on the FIM synchronization service you will notice that there is a specific namespace: ROOT\MicrosoftIdentityIntegrationServer. It is enough to set permissions outlined in the TechNet document only on this namespace to make FIM self-password reset scenario work, when it comes to WMI permissions.
It should be also easy to fix it in Brad Turner's script (great work Brad).