I have deployed FIM 2010 R2 with Self service password reset feature. It is working currently users can register and reset their password. I have following questions

1- If a user has not registered for SSPR , can he still be able to reset the password using reset portal?

2- Is it mandatory to register for SSPR for resetting the password?

3- Can there be a mechanism wherein help desk users log in to the portal and reset the account for a user  and send the password through email to users manager?

4- Basically we do not want users to call help desk and helpdesk reset the password in AD. Help desk must use fim portal.

for resetting the password

Hi,

So at first :

1) If a user is not registered for SSPR he/she can not reset password.

2) Registration for password reset is must to use Password Reset.

3) You need a little custom activities to perform to reset user password using Admin account at portal but yes FIM provide the functionallity to send E-mail notification to users personal Email address using Workflow activity.

So, if you don't want to users to call your help desk for password reset. You can do one thing.

1) When user is provisioned very first time send an E-mail which consists username,Password, E-mail ID and anything whichever you want to send to user.

2) In the same E-mail put a link for Password Registration and ask users that they have to register themselves for password Reset at very first and Yes, if you have installed Add-in extensions on all machines thn if you login at very first time "Password Registration pop-up will come".

I hope hope this will give you an idea to achieve what you are seeking for.

Thanks~

Giriraj

FIM is a great product and does a lot of great things- but- we decided against it for the self service password reset portion because just like you experienced it will not allow users to reset their AD password unless they first enroll.  We went with Password Reset PRO from www.sysoptools.com because it is more well thought through for real-world use cases, and it works alongside FIM's other features just fine:

1. allows non-enrolled users to enroll with an expired password or temporary (must change on next logon) password, and then directs them to reset their password after enrollment (awesome!)

2. has three different access modes to choose from and does not use the old-school "question / answer" enrollment, which just does not work.

3. is totally customizable and uses a two-tier secure architecture for extranet deployment (no credentials in the web application and does not reside on a domain member server)

4. uses AD natively without modifications, no database installs, and runs alongside FIM jsut fine- allowing full use of other FIM features.

5. it is not expensive

6. it was rediculously easy to install.

7. it is accesible from all web-capable mobile devices and phones and seems to work with all browsers.

8. can be load balanced and has recovery / DR built in

Hope this helps.