One of the things that sometimes gets overlooked when implementing the FIM Self Service Password Reset portal is enforcement of the password history setting in the domain Group Policy. Without this configured correctly, users can reset their password through the portal to a password they have used previously, bypassing the policy.
The portal can be configured to enforce this setting, so that the Group Policy cannot be circumvented, as long as the following statements are true:
- LDAP over SSL is available/configured
- PDC domain controller is Windows 2008 R2
- KB2386717 is installed on the PDC domain controller
- FIM update KB2417774 is installed
Although these settings are only required on the PDC emulator, it is recommended to make sure each domain controller (at least those in the same site as the FIM Synchronization Service) is configured the same way. Once these settings have been confirmed, the last thing to do is to create the following registry key for each MA that requires password history enforcement:
Reg Key – HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<MA name>
Reg Value – ADMAEnforcePasswordPolicy = 1 (DWORD)
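The following PowerShell script is an added example, not part of the original post, that walks through the prerequisite checks above and then creates the per-MA registry value on the FIM Synchronization Service server. The MA name parameter, the assumption that the script runs on the Synchronization Service server with WMI/RPC access to the PDC emulator, and the optional Active Directory module check are all assumptions; replace the MA name with the exact name shown in the Synchronization Service Manager.

```powershell
# Added example (not the post's own code): verify prerequisites and set
# ADMAEnforcePasswordPolicy for one AD management agent.
# Run on the FIM Synchronization Service server as an administrator.
param(
    [Parameter(Mandatory = $true)][string]$MAName   # assumption: name of your AD MA
)

# 1. Locate the PDC emulator for the current domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc = $domain.PdcRoleOwner.Name
Write-Host "PDC emulator: $pdc"

# 2. Confirm the PDC OS version and that KB2386717 is installed
#    (assumes WMI/RPC access to the PDC from this server).
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pdc
Write-Host "PDC OS: $($os.Caption) (build $($os.Version))"
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $pdc |
    Where-Object { $_.HotFixID -eq 'KB2386717' }
if (-not $hotfix) { Write-Warning "KB2386717 not found on $pdc" }

# 3. Confirm LDAP over SSL is reachable on the PDC (TCP 636).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($pdc, 636)
    Write-Host "LDAPS (636) reachable on $pdc"
} catch {
    Write-Warning "Cannot reach LDAPS (636) on $pdc"
} finally {
    $tcp.Close()
}

# 4. Optional: show the domain's password history length so you know what
#    the portal should now enforce (requires the ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $policy = Get-ADDefaultDomainPasswordPolicy
    Write-Host "Domain PasswordHistoryCount: $($policy.PasswordHistoryCount)"
    if ($policy.PasswordHistoryCount -eq 0) {
        Write-Warning "Password history is not set in the domain policy; nothing to enforce."
    }
}

# 5. Create the per-MA key and the ADMAEnforcePasswordPolicy DWORD value.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\$MAName"
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'ADMAEnforcePasswordPolicy' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 6. Read the value back to confirm it was written.
$written = (Get-ItemProperty -Path $keyPath).ADMAEnforcePasswordPolicy
if ($written -eq 1) {
    Write-Host "ADMAEnforcePasswordPolicy = 1 set for MA '$MAName'"
} else {
    Write-Warning "Failed to set ADMAEnforcePasswordPolicy for MA '$MAName'"
}
```

Usage: `.\Set-MAPasswordHistory.ps1 -MAName "ADMA"` (the script and MA names are placeholders). The key name under PerMAInstance must match the MA name exactly, so copying it from the Synchronization Service Manager rather than typing it avoids a silent mismatch where the value is created but never read.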
You can then test this by ensuring that the password history Group Policy is set and then attempting a password reset through the portal using a password you know has been used previously. You should get a message something like:
Password history policies should now be enforced!