We would like to have some email notifications sent based on custom commands. The issue is some of the emails need to have the user's password in them.

While reading through the forum, we understand that the %unicodePwd% variable is only good in a Business Rule and doesn't resolve in a custom command. So we modified our business rule so that anytime a password is reset, it also writes that password to CustomAttributeText1 of the affected user.

Here is the business rule:

After resetting password of a user:
Always
Modify the User: set adm-CustomAttributeText1 to '%unicodePwd%'

Here is our custom command:

Always
Reset password for the User
Modify the User: set Password Never Expires to 'False', set Must Change Password at Logon to 'True', set User Cannot Change Password to 'False'
Send e-mail notification (New Password for %fullname%)

The issue we see is that the email notification in the custom command is being generated and sent BEFORE the business rule has changed the password and written the new password to CustomAttributeText1. As a result, the email that goes out always has the old value in CustomAttributeText1, not the changed password in the first step of the custom command.

Any suggestions would be appreciated.

by (70 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello,

The reason why your Custom Command does not work is that value references are resolved before executing any actions contained in a Custom Command. In particular, the %adm-CustomAttributeText1% value reference is resolved into the old value before the command resets a user password.

To resolve the issue, we recommend that you send the e-mail notification using a script. You can find an example of the script in the Server-Side Scripting article, in the Sending Email and SMS section.

In the script, you need to get the value of the CustomAttributeText1 attribute using the IADs::Get() method, for example:

$newPassword = $Context.TargetObject.Get("adm-CustomAttributeText1")

$to = "%adm-ManagerEmail%"
$subject = "New Password for %fullname%"
$bodyText =
@"
Password for %fullname% has been changed. New password: $newPassword.
"@
$bodyHtml = $NULL

$Context.SendMail($to, $subject, $bodyText, $bodyHtml)

Warning: Please note that storing passwords as plain text is not a good idea from a security standpoint. We recommend storing passwords in encrypted form. As you will use a script to send passwords anyway, you can store them as SecureString instead of plain text. In that case, the SecureString will be decrypted in your Custom Command immediately before sending the email notification. It will be possible to decrypt the SecureStrings only using the credentials of the default service administrator. We can provide you with code samples for encrypting / decrypting passwords to/from SecureStrings.
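
The SecureString approach described in the warning above, sketched as an added example; it is not part of the original answer and is not Adaxes sample code. The helper names Protect-Password and Unprotect-Password are hypothetical, and it assumes that %unicodePwd% is resolved in a script run by the business rule and that Put with $NULL clears the attribute.

```powershell
# Added example, not Adaxes sample code. Helper names are hypothetical.
# Each Adaxes script below needs the helper it calls pasted in above it.

function Protect-Password([string]$Plain) {
    $secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
    # No -Key/-SecureKey: the blob is encrypted with Windows DPAPI under the
    # account running the script, so only that account can turn it back.
    return ConvertFrom-SecureString -SecureString $secure
}

function Unprotect-Password([string]$Protected) {
    $secure = ConvertTo-SecureString -String $Protected
    return (New-Object System.Net.NetworkCredential("", $secure)).Password
}

# --- Script 1: business rule, "After resetting password of a user" ---
# Replaces the "set adm-CustomAttributeText1 to '%unicodePwd%'" action.
# Assumption: %unicodePwd% is resolved in a script run by the business rule.
# A single-quoted here-string keeps quotes or $ in the password literal.
$plain = @'
%unicodePwd%
'@
$Context.TargetObject.Put("adm-CustomAttributeText1", (Protect-Password $plain))
$Context.TargetObject.SetInfo()

# --- Script 2: custom command, run after the "Reset password" action ---
# Reads the encrypted blob at execution time and decrypts it just before sending.
$stored = $Context.TargetObject.Get("adm-CustomAttributeText1")
$newPassword = Unprotect-Password $stored

$to = "%adm-ManagerEmail%"
$subject = "New Password for %fullname%"
$bodyText = "Password for %fullname% has been changed. New password: $newPassword."
$Context.SendMail($to, $subject, $bodyText, $NULL)

# Do not leave the blob on the user object once the mail has been sent.
# Assumption: Put with $NULL clears the attribute.
$Context.TargetObject.Put("adm-CustomAttributeText1", $NULL)
$Context.TargetObject.SetInfo()
```

DPAPI ties the blob to the account and computer that encrypted it, so both scripts must run under the same service account on the same machine for decryption to succeed.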
