How to: Search for Password Change Requests from a Connected Data Source

  • Article

When users change their passwords at a connected data source, the password change is first imported into the Forefront Identity Manager Synchronization Service (FIM Synchronization Service) connector space for that data source. The password is then synchronized with the metaverse and exported to the other connected data sources. The MIIS_PasswordChangeHistorySource Class class contains the password change history from the originating connected data source.

The following examples show how to search for password change requests from the originating connected data source.

Search by User

The following Microsoft Visual Basic Scripting Edition (VBScript) example shows how to retrieve the password change history for a specified user from the data source that requested the change.

Option Explicit

On Error Resume Next

Const PktPrivacy = 6    ' Authentication level

Dim Service             ' Service object
Dim queryString         ' SQL Query string
Dim userName            ' sAMAccountName of the user
Dim domainName          ' User domain
Dim errorString         ' Error string
Dim statusString        ' Status string
Dim CSUsers             ' Connector space user collection
Dim User                ' Connector space user
Dim changeHistories     ' Change history collection
Dim changeHistory       ' Change history member

userName = "jeffsmith"
domainName ="fabrikam"

Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")
If err.number<>0 then 
    errorString = "Could not retrieve service object: "
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If

queryString = "Select * From MIIS_CSObject WHERE Domain = "
queryString = queryString & "'" & domainName & "' "
queryString = queryString & "and account = '" & userName & "'"
Set CSUsers = Service.ExecQuery(queryString)

If err.number <> 0 then
    errorString = "Could not find the user: "
    errorString = errorString & err.Description
    ErrorHandler(errorString)
End If

If CSUsers.Count = 0 then 
    statusString = "No users with that sAMAccountName."
    ErrorHandler(statusString)
End If 

For each User in CSUsers

    queryString = "Select * from MIIS_PasswordChangeHistorySource WHERE " &_
    queryString = queryString & "CsGuid = '"
    queryString = queryString & User.Guid & "'"
    Set changeHistories = Service.ExecQuery(queryString)
    
    If err.number <> 0 then
        errorString = "Could not retrieve password change history: " 
        errorString = errorString & Err.Description
        ErrorHandler(errorString)
    End If

    If changeHistories.Count = 0 then
        statusString = "There are no password change histories for the " 
        statusString = statusString & "user " & User.Account & "."
        WScript.Echo statusString
      Else
        For Each changeHistory in changeHistories
            statusString = "Change History for this user "
            statusString = statusString & userName &":"
            WScript.Echo statusString
            WScript.Echo changeHistory.eventDetails
        Next
    End If
Next
Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub

Search by Time

The following VBScript example shows how to retrieve the password change history for any change request made after September 16, 2004.

Option Explicit

On Error Resume Next

Const PktPrivacy = 6    ' Authentication level
Dim Service             ' Service object
Dim queryString         ' SQL Query string
Dim errorString         ' Error string
Dim timePeriod          ' Time string
Dim changeHistories     ' Change history collection
Dim changeHistory       ' Change history member

Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")
If err.number<>0 then 
    errorString = "Could not retrieve service object: "
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If

timePeriod = "2004-09-16"
queryString = "Select * From MIIS_PasswordChangeHistorySource WHERE MIISReceiveTime > '"
queryString = queryString & timePeriod & "'"
    
Set changeHistories = Service.ExecQuery(queryString)

If err.number <> 0 then
    errorString = "Could not retrieve password change history: " 
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If

If changeHistories.Count = 0 then
    WScript.Echo "There are no password changes requested after "
    WScript.Echo timePeriod & "."
    WScript.Quit(0)
End If

For Each changeHistory in changeHistories
    WScript.Echo changeHistory.eventDetails
Next

Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub

Search by Management Agent

The following VBScript example shows how to retrieve the password change history from the originating connected data source for a specified management agent.

Option Explicit

On Error Resume Next

Const PktPrivacy = 6    ' Authentication level
Dim Service             ' Service object
Dim queryString         ' SQL Query string
Dim errorString         ' Error string
Dim statusString        ' Status string
Dim ManagementAgentSet  ' Management agent collection
Dim ManagementAgent     ' Management agent member
Dim changeHistories     ' Change history collection
Dim changeHistory       ' Change history member

Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")

If err.number<>0 then 
    errorString = "Could not retrieve service object: "
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If

queryString = "Select * From MIIS_ManagementAgent"

Set ManagementAgentSet = Service.ExecQuery(queryString)

If err.number <> 0 then
    errorString = "Could not retrieve management agent collection: " 
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If 

If ManagementAgentSet.Count = 0 then
    statusString = "There are no management agents on this server."
    ErrorHandler(statusString)
End If

For Each ManagementAgent in ManagementAgentSet
    queryString = "Select * From MIIS_PasswordChangeHistorySource WHERE MaGuid = '"
    queryString = queryString & ManagementAgent.Guid & "'"
    
    Set changeHistories = Service.ExecQuery(queryString)

    If err.number <> 0 then
        errorString = "Could not retrieve password change history: " 
        errorString = errorString & Err.Description
        ErrorHandler(errorString)
    End If

    If changeHistories.Count = 0 then
        statusString = "There are no password change histories for the " 
        statusString = statusString & ManagementAgent.Name
        statusString = statusString & " management agent."
        WScript.Echo statusString
    Else

        For Each changeHistory in changeHistories
            statusString = "Change History for the "
            statusString = statusString & ManagementAgent.Name
            statusString = statusString & " management agent."
            WScript.Echo statusString
            WScript.Echo changeHistory.eventDetails
        Next
    End If
Next

Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub

Search by Reference GUID

The following VBScript example shows how to retrieve the password change history for a specified reference GUID from the originating server. In this example, the reference GUID is supplied. You can obtain the reference GUID from the MIIS_PasswordChangeHistoryTarget Class class or the MIIS_PasswordChangeQueue Class class. You can pass the value to this script to track the password change history from the originating connected data source to the target data sources.

Option Explicit

On Error Resume Next

Const PktPrivacy = 6    ' Authentication level
Dim Service             ' Service object
Dim queryString         ' SQL Query string
Dim errorString         ' Error string
Dim statusString        ' Status string
Dim refGuid             ' Reference Guid string
Dim changeHistories     ' Change history collection
Dim changeHistory       ' Change history member

' In this example, the reference GUID is supplied.
' In practice, the reference GUID can be obtained from the
' MIIS_PasswordChangeHistoryTarget or the MIIS_PasswordChangeQueue
' classes and be passed to this script.

refGuid = "{B6F6FEB7-0EB7-45D9-B4CB-3B6B02CA9023}"

Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")

If err.number<>0 then 
    errorString = "Could not retrieve service object: "
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If
   
queryString = "Select * From MIIS_PasswordChangeHistorySource WHERE "
queryString = queryString & "ReferenceGuid = '"

queryString = queryString & refGuid & "'"

Set changeHistories = Service.ExecQuery(queryString)

If err.number <> 0 then
    errorString = "Could not retrieve password change history: " 
    errorString = errorString & Err.Description
    ErrorHandler(errorString)
End If

If changeHistories.Count = 0 then
    statusString = "There are no password change histories for the " 
    statusString = statusString & "reference Guid "
    statusString = statusString & refGuid & "."
    WScript.Echo statusString
Else
    For Each changeHistory in changeHistories
        statusString = "Change History for Reference Guid: "
        statusString = statusString & refGuid
        statusString = statusString & "."
        WScript.Echo statusString
        WScript.Echo changeHistory.eventDetails
    Next
End If

Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub

See Also

Reference

MIIS_PasswordChangeHistorySource Class

Concepts

Password Synchronization
WMI Provider Overview
Using the WMI Provider
Password Management