“/../ FIM 2010 Self-Service Password Reset now supports all domain password policies. It was a joint effort between the Windows Active Directory and FIM development teams to provide this new functionality. ”
Steve added a pretty important note on the announcement:
“Please note that there is an error in the document. The registry value name required for enabling this functionality is incorrect.
Incorrect Version: ADMAEnforcePasswordPolicyHistory
Correct Version: ADMAEnforcePasswordPolicy”
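Because the published document names the registry value wrongly, a quick audit of the FIM Synchronization Service host is worth having. The PowerShell below is an added example, not code from the original post, from Steve, or from the KB article: it checks whether the correctly named value is present, flags the misspelled name from the document, and reports the result. The registry key path is a placeholder (take the real path from KB 2443871), and treating a DWORD value of 1 as "enabled" is an assumption.

```powershell
# Added example (not from the original post or the KB): audits the FIM 2010
# AD MA registry setting for domain password policy enforcement and flags the
# misspelled value name that appeared in the original document.
# ASSUMPTION: $ParametersKey is a placeholder; use the key path given in
# KB 2443871 (http://support.microsoft.com/KB/2443871).
$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\<FIM-sync-service-key-from-KB-2443871>\Parameters'

$CorrectName   = 'ADMAEnforcePasswordPolicy'          # name per Steve's correction
$IncorrectName = 'ADMAEnforcePasswordPolicyHistory'   # misspelling in the document

function Test-AdmaPasswordPolicySetting {
    param([string]$Key = $ParametersKey)

    if (-not (Test-Path $Key)) {
        return [pscustomobject]@{ Status = 'KeyMissing'; Detail = $Key }
    }

    $props     = Get-ItemProperty -Path $Key
    $correct   = $props.PSObject.Properties[$CorrectName]
    $incorrect = $props.PSObject.Properties[$IncorrectName]

    # The misspelled value is silently ignored by the MA, so its presence
    # without the correct one means the policy is NOT being enforced.
    if ($incorrect -and -not $correct) {
        return [pscustomobject]@{ Status = 'WrongName'
                                  Detail = "Found $IncorrectName; rename it to $CorrectName" }
    }
    if (-not $correct) {
        return [pscustomobject]@{ Status = 'NotSet'
                                  Detail = "$CorrectName is absent; policy enforcement not enabled" }
    }
    # ASSUMPTION: a DWORD of 1 enables enforcement, anything else does not.
    if ($correct.Value -ne 1) {
        return [pscustomobject]@{ Status = 'Disabled'
                                  Detail = "$CorrectName = $($correct.Value)" }
    }
    return [pscustomobject]@{ Status = 'Enabled'; Detail = "$CorrectName = 1" }
}

Test-AdmaPasswordPolicySetting | Format-List
```

Run it on the synchronization server after applying the hotfix; a `WrongName` result is exactly the misconfiguration the note above warns about, and it leaves self-service resets able to bypass the domain password policy.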
In short (as displayed in the KB summary):
// Password reset in the Active Directory has historically been done by proxy by helpdesk personnel or user administrators. In this scenario, it is important to buffer those working by proxy from the end-user’s password history to preserve security.
With the release of Microsoft Forefront Identity Manager (FIM) 2010, Microsoft offers an application that enables end-users to reset their passwords without calling helpdesk. In this scenario, it is important to enforce all password policies so that users do not use the Self-Service Password Reset functionality in FIM to bypass organizational policies.
Until this change, all Windows APIs available to reset passwords in the domain did not enforce all domain password policies. This document describes how to install and configure Self-Service Password Reset in FIM 2010 to enforce all password policies configured in the domain.
Password Operations in the Active Directory Management Agent in FIM 2010
// Since MIIS 2003, the Active Directory management agent uses the Kerberos APIs for both Change Password and Reset Password operations. With the change described in this document, a new way of resetting passwords is added to the Active Directory management agent. You can use LDAP APIs over an LDAP SSL connection.
Details of this change can be found in http://support.microsoft.com/KB/2443871.