MIM 2016: pwreset miis password set call failed with access-denied

This happens in SSPR during a password reset: after I have answered the questions correctly, I get this error when I click to reset the password. It is a hard error to track down. We do know that there are 2 possible causes for it:

  1. The MIM AD MA account does not have the rights to amend the password of the AD user.
  2. The MIM Service account does not have the rights to request a password change for this user from the MIM AD MA account because it is not in the MIMSyncBrowse or MIMSyncPasswordSet groups.

Here is my setup

My MIM AD MA account is a Domain Admin, so insufficient AD rights are not the issue.

The MIM Service account is in the AD MIMSyncBrowse and MIMSyncPasswordSet groups.

What I did to troubleshoot

I turned up domain audit logging to show more detail on password reset activity and saw NO attempt from the MIM AD MA account to perform a password reset. So the request is obviously not reaching the DC at all.

What is DCOM

DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces in which client program objects can request services from server program objects on other computers in a network. When you install MIM, it grants the MIM groups access to the server's DCOM services so that MIM can communicate with other servers, such as other MIM servers or DCs.

Solution

I checked the DCOM service security settings (see this). I saw that the 4 MIMSync groups had been added in the Security tab, and one of them was a group called TLKMIMServer\TLKDomainMIMSyncPasswordSet. That was it! I had fat-fingered the MIMSyncPasswordSet group name during installation, so MIM created a local group with that name instead of using the domain group. I had three options:

  1. Go to the different places like the DCOM and WMI services remove this foreign group and add the correct AD group.
  2. Use the Local group created by MIM by placing the MIM Service account into that group.
  3. Reinstall the MIM sync and specify the correct AD group.

I chose option 3 and the problem was resolved.
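A quick way to check for this condition before reinstalling, as an added example that is not part of the original post: run it on the MIM Sync server as an administrator. It assumes the MIM Sync groups follow the MIMSync* naming convention used above (adjust the pattern to your own names), and it lists any local group with such a name together with the principals in the machine-wide DCOM access and launch ACLs, so a mistyped domain group that became a local group stands out as COMPUTERNAME\Group instead of DOMAIN\Group.

```powershell
# Added diagnostic (not from the original post). Requires PowerShell 5.1+ on the MIM Sync server.
$pattern = 'MIMSync*'   # assumed naming convention for the MIM Sync groups; adjust as needed

# 1) Local groups whose name matches the MIM Sync convention. The installer is expected to be
#    given DOMAIN groups; a LOCAL group with such a name is a sign the name was mistyped at
#    install time and the installer created a local group instead of resolving the domain one.
Write-Host "Local groups matching $pattern on $env:COMPUTERNAME (normally there should be none):"
Get-LocalGroup | Where-Object Name -like $pattern | ForEach-Object {
    $members = Get-LocalGroupMember -Group $_.Name | Select-Object -ExpandProperty Name
    [pscustomobject]@{ LocalGroup = $_.Name; Members = ($members -join ', ') }
} | Format-Table -AutoSize

# 2) Principals in the machine-wide DCOM access and launch restriction ACLs, stored as binary
#    security descriptors under HKLM\SOFTWARE\Microsoft\Ole. A local group resolves to
#    COMPUTERNAME\Group, a domain group to DOMAIN\Group; an orphaned SID stays as S-1-5-...
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($valueName in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $raw = $ole.$valueName
    if (-not $raw) { Write-Host "`n$valueName is not set (defaults apply)"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($raw, 0)
    Write-Host "`n$valueName ACEs:"
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # SID could not be resolved to a name
        $flag = if ($name -like "$env:COMPUTERNAME\$pattern") { '<-- LOCAL group, check this' } else { '' }
        '{0,-14} {1,-50} {2}' -f $ace.AceType, $name, $flag
    }
}
```

If a flagged local group appears, compare its members with the intended domain group before choosing between fixing the ACLs in place, populating the local group, or reinstalling MIM Sync with the correct group names.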