About Using Forefront Identity Manager
Microsoft® Forefront® Identity Manager (FIM) provides an integrated and comprehensive self-service group management and password reset solution. FIM enables group management through a Microsoft Office SharePoint® Server 2007 portal and a Microsoft Office Outlook® 2007 Add-in.
Topics in this guide include:
  • Install the FIM Add-Ins and Extensions
  • Password Reset: Registration and Use
  • Create and Manage Groups
  • Use the Outlook Add-In

Customization note: This document contains step-by-step installation instructions that can be reused, customized, or deleted entirely if they do not apply to your organization’s installation scenarios. The text marked in red indicates either customization guidance or organization-specific variables. All of the red text in this document should either be deleted or replaced prior to distribution.

Before You Begin

• Users running Windows Vista® or Windows® XP can expedite their FIM installation by installing the Microsoft .NET Framework version 3.5 Service Pack 1 (SP1) first. Users running Windows 7 already have the minimum required .NET Framework.

If you do not install the FIM and .NET Framework software separately, the total FIM installation process may take approximately one hour.

You can install the .NET Framework from <install location> at <URL>.

• To install the Office Outlook Add-in, FIM requires the 32-bit version of Microsoft Office 2007 SP1 or newer. Currently, you cannot install the FIM client with the 64-bit versions of Microsoft Office.

Install the FIM Add-Ins and Extensions

You can install the FIM Add-ins and Extensions by using any of the following methods:

• Wait for the FIM 2010 Add-Ins and Extensions-IT Install Notification to appear on your desktop

• Install manually from the FIM portal

• Install manually from Control Panel

Customization note: The above bullets represent the installation methods currently included in this guide. Update this list based on the installation methods chosen by your organization.

Install via the FIM Add-Ins and Extensions Notification

As Information Technology (IT) deploys FIM throughout <name of organization>, you will receive a notification on your desktop. If you install the FIM Add-ins and Extensions when the notification appears, Microsoft System Center Configuration Manager installs the following software:

• An operating system extension (GINA) and Credential Manager filter extension to enable self-serve password reset

• An Office Outlook Add-in that enables group management

As the FIM deployment reaches your organization, an Installation Requested dialog box appears on your desktop.

Customization note: The following screen capture represents a customizable dialog box, with the Do Not Install option enabled. You may choose to replace this image with one specific to your organization.

To install FIM:

1. Click Install Now to install immediately.

By default, the installation is postponed if you do not take action on the Installation Requested dialog box within 30 minutes. It will reappear every 18 hours until you take action.

2. If you click Install Later, the Postpone Installation dialog box appears.
Customization note: The following screen capture represents a customizable dialog box. You may choose to replace this image with one specific to your organization.

You can set a time at which you would like the installation to occur or at which you will receive a reminder notification.

After the installation is complete, you need to restart your computer if you are installing FIM for the first time or if you are installing a major update.

If the Restart Recommended dialog box appears, you may choose the option to Restart Later to set an alternate time for your computer to restart.

Install Manually from the FIM Portal

1. Go to the FIM portal at portalURL.
Customization note: The following screen capture represents a customizable portal for example purposes. You may choose to replace this image with one specific to your organization.

2. On the <installation link location on portal page>, click Install the FIM Client.

3. In the File Download window, click Run. The Welcome dialog box appears.

4. Click OK to begin the installation.

The installation of FIM runs through a series of checks to ensure that prerequisites are met. The installer displays a dialog box that directs you to take specific action if any prerequisite is not met.

Important

You should install FIM over a wired network connection. Transfer rates over a wireless network can significantly increase the time that it takes to install the .NET Framework.

Install Manually from Control Panel

You can also install the FIM Add-ins and Extensions manually through Programs and Features in Control Panel. This option is available only after the Installation Requested dialog box appears on your system (see “Install Via the FIM Add-Ins and Extensions Notification” earlier in this document). You might want to install FIM using this installation method if you do not install when the installation notice is sent to you, but you decide to install at a later date.

To install FIM from Control Panel:

1. Click Start, click Control Panel, click Programs and Features, and then click Install a program from the network.

2. Select the FIM 2010 Add-ins and Extensions package from the list, and then click Install.

FIM verifies that you have the necessary system requirements. However, unlike installing from the portal, if you do not have all required software, the FIM installer exits the installation. You then must install all required software manually.

3. Restart your machine after the installation is complete.

Verify That Your Installation Was Successful

Once your system restarts, you can verify your FIM installation. If FIM is installed, you will see:

• A Groups menu on the Outlook 2007 toolbar or a Groups item on the Add-Ins tab of the Outlook 2010 ribbon. When you click Groups, the following menu appears.

• A link for the self-serve FIM password reset in your Windows logon screen, as shown in the following graphic.

Note

Each time that you log on to your computer, a lock icon appears on the taskbar for a brief period. This indicates that FIM is checking to see if you are registered for password reset. If you are, this icon disappears automatically. If not, the Password Reset Registration Wizard starts and guides you through the reset registration process.

Password Reset: Registration and Use

The self-serve password reset feature in FIM enables you to manage your network password without having to call your Helpdesk. To use this feature, you must complete a one-time registration.

When you register for the FIM password reset, you must answer at least <xx> of <xx> questions that FIM provides. FIM uses the questions that you answer as challenges to authenticate your identity when you request a password reset.

Important

• You must connect to your corporate network to do a password reset, since the password reset communicates with both the FIM infrastructure and the corporate Active Directory® Domain Services. You cannot do a password reset through the Internet.

Register for Password Reset

The first time you log on to Corpnet following your successful FIM installation, the Password Reset Registration Wizard appears. If you connect through a virtual private network (VPN), you can wait to register for password reset until you connect to Corpnet, or you can connect to Corpnet via VPN, and then access the FIM portal at portalURL.

If you have the FIM Add-ins and Extensions installed on your computer, you can go to the FIM portal and click the Register for Password Reset link, which invokes the locally installed Password Reset Registration Wizard.

Whether you are a VPN user registering for the first time, or a registered user wanting to change your existing answers, you can click the Register for Password Reset link.

To use the Password Reset Registration Wizard:

1. In the Welcome to FIM Registration window, click Next, and then select and answer <xx> of <xx> challenge questions.

2. Click Next. In the Registration Complete window, click Finish to finalize your registration.

Reset Your Password at Logon

After you complete your registration for the password reset functionality, you can use the Password Reset link in your Windows logon screen.

To reset your password:

1. Click the Reset Password link, and then answer at least three of the five challenge questions correctly.

2. Enter a new password in the window that appears, and then click Reset.

Reset Your Password at the FIM Portal

1. Go to the FIM portal at portalURL.

2. Under Register for Password Reset, click Go to the Password Reset Portal. The Reset My Password dialog box appears.

3. Enter your user name, click Reset Password, and then answer at least <xx> of the <xx> challenge questions correctly.

4. Enter a new password in the window that appears, and then click Reset.

Create and Manage Groups

FIM enables you to create distribution and security groups, add or remove group members from your groups, and delete group members in bulk.

Tip

At any time while managing groups, you can click in the top right corner of a tab to display a window that provides additional information on that tab.

Create a Distribution Group

A distribution group is an easy way to send one e-mail message to multiple people.

To create a distribution group:

1. Go to the FIM portal at portalURL.

2. Under Distribution Groups (DGs), click Create a new DG.

3. On the General tab:

a. In the Display Name box, enter the name that you want to appear in the FIM 2010 portal.

b. In the Email Alias box, enter the local portion of the e-mail address (does not include the at sign (@) or the domain).

c. Click Next.

4. On the Members tab, do one of the following:

• In the Members to Add box, type the user names or aliases of the people that you want to add to your group (separate names or aliases with semicolons), and then click Validate and resolve or press ENTER. Click Next when you are finished adding members.

–OR–

• To search for users, click Browse, enter the user display names or aliases (separate with semicolons), and then click Search or press ENTER. Select the check box next to the users that you want to add, click OK, and then click Next when you are finished adding members.

Note

To delete a member, click the name in the Members To Add box, and then press DELETE.

5. On the Owners tab:

a. To add or change a group owner, enter a person’s display name or alias, and then click Validate and resolve, or click Browse to search for a user.
Note
A group can have multiple owners but an organization’s e-mail system displays only one group owner. You must be an owner to make changes to a group.

b. To determine how users can join the group, select one of the Join Restriction option buttons, and then click Next.

6. On the E-mail Settings tab, choose from the available options, and then click Next.

7. On the Disclaimer tab, review the security information that details your legal responsibility regarding the dissemination of information within and outside of your organization, and then click Next.

8. On the Summary tab, review your group’s attributes.

9. Click Back to edit information on specific tabs, or click Submit to create the group.

Create a Security Group

You can use security groups to secure network resources. When you assign a group permission to use a resource, all of the group’s members can access it.

Important

Before you add members to a security group, you must determine whether those members can be added to a group in Active Directory Domain Services. If one or more members do not meet the Active Directory group membership requirements, FIM returns an Invalid member message.

For more information about Active Directory group membership requirements, see “Group scope” at

To create a security group:

1. Go to the FIM portal at portalURL.

2. Under Security Groups (SGs), click Create a new SG.

3. On the General tab:

a. In the Display Name box, enter the name that you want to appear in the FIM 2010 portal.

b. Select the EmailEnabled check box if you want to allow your security group to send and receive e-mail messages.

c. In the Domain box, enter the domain in which the group’s account resides.

d. In the Scope box, enter the access that you want to grant to your group’s resources within the organization. Domain Local secures resources local to your domain. Universal secures resources across the organization.

4. On the remaining tabs (Members, Owners, E-mail Settings, Disclaimer, and Summary), complete the same steps as those for creating a distribution group. For detailed information, see “Create a Distribution Group” earlier in this document.

Add or Remove Group Members

1. Go to the FIM portal at portalURL.

2. Do one of the following:

• Under Distribution Groups (DGs), click Manage my DGs.
–OR–

• Under Security Groups (SGs), click Manage my SGs.

3. Select the check box next to the name of the group that you want to manage, and then do one of the following:

• To remove a group member, click Remove Member, select the box next to the name of the group member that you want to remove, and then click Next.

• To add a group member, click Add Member, enter the name in the Members box, click Validate and resolve (or click Browse to search for a user), and then click Next.

4. In the next page, review the summary information, and then click Submit.

Do a Bulk Deletion of Group Members

1. Go to the FIM portal at portalURL.

2. Do one of the following:

• Under Distribution Groups (DGs), click Manage my DGs.
–OR–

• Under Security Groups (SGs), click Manage my SGs.

3. Select the check box next to the name of the group from which you want to remove members, and then click Remove Member.

4. Select the check box next to the name of each individual that you wish to remove from the group. To select all group members, select the check box next to MemberName.

5. Click Next.

6. In the Remove Members page, review the summary information, and then click Submit.

Use the Outlook Add-In

The FIM Add-ins and Extensions installs an Outlook Add-in that enables you to utilize a Groups menu within Outlook. You can use the Groups menu to:

• Join a group

• Leave a group

• Add members to a group

• Remove members from a group

• Utilize a link to your group’s management Web site

• Utilize a link to the group management Help menu

Use Outlook to Join a Group

1. On the Outlook toolbar, click Groups, and then click Join Group.

2. Click the Join button in the window that appears, select the global address list for the group that you want to join, and then click OK.

3. When the group name appears in the Join pane, click Send to send your join request.

Use Outlook to Leave a Group

1. On the Outlook toolbar, click Groups, and then click Leave Group.

2. In the message window that appears, select the group that you want to leave, and then click Leave.

3. In the window that appears with the group selected, click OK, and then click Send. Outlook notifies the group owner that you want to be removed from the group.

Use Outlook to Add Group Members

1. On the Outlook toolbar, click Groups, and then click Add Members to Groups.

2. In the message window that appears, click Add. A new window appears that includes the global address list.

3. Search for the person that you want to add, and then click Add, or double-click the person’s name.

4. Click OK. The name appears in the Add pane.

5. Click Join, search for or select the group name, and then click Groups.

6. Click OK. The group name appears in the Join pane.

7. Click Send to process the request.

Use Outlook to Remove Group Members

1. On the Outlook toolbar, click Groups, and then click Remove Members from Groups.

2. In the message window that appears, click Remove. A window appears displaying the global address list.

3. Search for the person that you want to remove, and then click Remove, or double-click the person’s name.

4. Click OK. The person’s name appears in the Remove pane.

5. Click Leave, search for or select the group name, and then click Groups.

6. Click OK. The group name appears in the Leave pane.

7. Click Send to process the request.