0 votes

Hello,

We're just getting started evaluating Adaxes and I'm wondering if it's possible to use a custom script to generate user passwords. In my org, we've been using word-based passwords, and I have a pre-existing function to generate them (below). Ideally, I'd like Adaxes to use this if we can.

function New-RandomPassword
{
    param (
        [int]$MinimumLength = 12
    )

    # Define the URL for the word list
    $WordListUrl = "https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt"

    # Download the word list
    try
    {
        $WordList = Invoke-WebRequest -Uri $WordListUrl -UseBasicParsing -ErrorAction Stop | ForEach-Object { $_.Content }

        # Split the word list into an array of words (skip blank lines, trim stray CR characters)
        $Words = $WordList -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
            $split = $_.Trim() -split "`t"
            [PSCustomObject]@{
                Number = $split[0]
                Word   = $split[1]
            }
        }

        # Select two random words from the list
        $RandomWords = Get-Random -InputObject $Words -Count 2

        # Capitalize the first letter of each word
        $CapitalizedWords = @($RandomWords.Word | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) })

        # Add a random digit (0-9; -Maximum is exclusive, so 10 is needed to include 9)
        $RandomDigit = Get-Random -Minimum 0 -Maximum 10

        # Join the capitalized words with hyphens and append the digit
        $Password = ($CapitalizedWords -join "-") + "-$RandomDigit"

        # Ensure the password is at least $MinimumLength characters by adding words until it is
        while ($Password.Length -lt $MinimumLength)
        {
            $Extra = (Get-Random -InputObject $Words).Word
            $CapitalizedWords += $Extra.Substring(0, 1).ToUpper() + $Extra.Substring(1)
            $Password = ($CapitalizedWords -join "-") + "-$RandomDigit"
        }
    }
    catch
    {
        Write-Warning "Error downloading word list. You will have to manually enter a first time password for this user."
        $Password = Read-Host "Enter Initial Password"
    }
    return $Password
}
by (50 points)
0

In case anyone else is looking to do the same, here is PS for the "Before creating a user" business rule I ended up using. I'm sure this could be improved on but it works for our use:

$MinimumLength = 12

# Define the URL for the word list
$WordListUrl = "https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt"

# Download the word list
try
{
    $WordList = Invoke-WebRequest -Uri $WordListUrl -UseBasicParsing -ErrorAction Stop | ForEach-Object { $_.Content }

    # Split the word list into an array of words (skip blank lines, trim stray CR characters)
    $Words = $WordList -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $split = $_.Trim() -split "`t"
        [PSCustomObject]@{
            Number = $split[0]
            Word   = $split[1]
        }
    }

    # Select two random words from the list
    $RandomWords = Get-Random -InputObject $Words -Count 2

    # Capitalize the first letter of each word
    $CapitalizedWords = @($RandomWords.Word | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) })

    # Add a random digit (0-9; -Maximum is exclusive, so 10 is needed to include 9)
    $RandomDigit = Get-Random -Minimum 0 -Maximum 10

    # Join the capitalized words with hyphens and append the digit
    $Password = ($CapitalizedWords -join "-") + "-$RandomDigit"

    # Ensure the password is at least $MinimumLength characters by adding words until it is
    while ($Password.Length -lt $MinimumLength)
    {
        $Extra = (Get-Random -InputObject $Words).Word
        $CapitalizedWords += $Extra.Substring(0, 1).ToUpper() + $Extra.Substring(1)
        $Password = ($CapitalizedWords -join "-") + "-$RandomDigit"
    }

    # Set the initial password on the user being created
    $Context.SetModifiedPropertyValue("unicodePwd", $Password)
    $Context.SetNewPassword($Password)
    # Note: this writes the plaintext password into the Adaxes execution log
    $Context.LogMessage("Password for new user %sAMAccountName% set to $($Password)", "Information")
    $Context.SendMail("%adm-InitiatorEmail%", "New Account: %sAMAccountName%", "User: %sAMAccountName%`nPass: $Password", $null)
}
catch
{
    $Context.LogMessage("Error downloading word list. You will have to manually enter a first time password for this user.", "Warning")
}
0

Hello,

We recommend moving the script to a business rule triggered After creating a user and updating it accordingly. This way, the email will not be sent in case the user creation fails, and the recipients will not go to check for the user before it actually exists.

1 Answer

0 votes
by (294k points)
Best answer

Hello,

It should work just fine except for the catch block. The thing is that user interaction is prohibited in Adaxes scripts. Also, the Write-Host and Read-Host cmdlets do not work in Adaxes. You can write output to the execution log using the $Context.LogMessage method. For details on how to execute a script in Adaxes upon user creation, see https://www.adaxes.com/help/RunPowerShellScriptAfterCreatingUser.

0

Thanks for that quick response!

I figured I'd have to tweak it a bit, thanks for giving me a head start on that. If I go this route, could I still use this procedure https://www.adaxes.com/help/SendInitialPasswordToNewUsers/, or would I need to incorporate emailing the new password as part of my custom password generation script?

I'm assuming it's the latter since %unicodePwd% wouldn't be set to the password my custom generation script creates?

0

Hello,

Your assumption is correct. In this case, the only option to send the password via email is by doing so in the script where the password is generated.

0

If you want a much more random password, use the API at makemeapassword.ligos.net. Here's how we generate passphrases such as Lantern-clothed-lowered8:

# Assumes an "After creating a user" business rule, so the target user already exists
$samAccountName = $Context.TargetObject.Get("sAMAccountName")

try {
    $url = "https://makemeapassword.ligos.net/api/v1/passphrase/json?s=normal&ups=1&whenup=startofword&wc=3&nums=1&whennum=endofphrase"
    $newPass = Invoke-RestMethod $url -ErrorAction Stop

    if ($newPass.Error) {
        throw [System.Exception]::new("Failed to request new password for $samAccountName. Error: $($newPass.Error)")
    }

    # The API returns the phrase with spaces; replace them with hyphens and wrap it as a SecureString
    $newPass = ConvertTo-SecureString -AsPlainText ([string]$newPass.pws).Replace(" ", "-") -Force
}
catch {
    $Context.LogException($_.Exception)
    $Context.Cancel("Failed to request a password for $samAccountName")
    return
}

Set-AdmAccountPassword -Identity $samAccountName -NewPassword $newPass -Reset
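Building on the word-list approach in the question and the "much more random" point in the comment above, here is an added example that is not from this thread or from Adaxes: it draws words with the OS CSPRNG (rejection-sampled, so there is no modulo bias), regenerates until the minimum length is really met, and logs the resulting entropy rather than the password. It assumes an After creating a user rule in which $Context.TargetObject is the new user, and the in-script word list is a constructed sample standing in for the EFF list.

```powershell
# Added example (not from the thread): word-based initial password for an Adaxes
# "After creating a user" rule, drawn with the OS CSPRNG instead of Get-Random.

# Constructed sample list; in production load the full 7776-word EFF list from a local file
$Words = @("abacus", "lantern", "clothed", "lowered", "ripple", "velvet", "harbor", "quartz")

function Get-SecureRandomInt {
    # Uniform integer in [0, $Max) from the CSPRNG; rejection sampling removes the
    # bias that "random % Max" has when Max does not divide 2^32
    param([int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($bytes)
        $value = [System.BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    $rng.Dispose()
    return [int]($value % [uint32]$Max)
}

function Get-PassphraseEntropyBits {
    # WordCount words from a ListSize list plus DigitCount digits: with the full EFF list,
    # 3 words give ~38.8 bits and the trailing digit ~3.3, so ~42 bits in total
    param([int]$WordCount, [int]$ListSize, [int]$DigitCount = 1)
    return $WordCount * [math]::Log($ListSize, 2) + $DigitCount * [math]::Log(10, 2)
}

function New-WordPassword {
    # Capitalized words joined by hyphens plus a digit, e.g. Lantern-Velvet-Quartz-7;
    # the phrase is redrawn until MinimumLength is actually met
    param([int]$WordCount = 3, [int]$MinimumLength = 12)
    do {
        $picked = @(1..$WordCount | ForEach-Object {
            $w = $Words[(Get-SecureRandomInt -Max $Words.Count)]
            $w.Substring(0, 1).ToUpper() + $w.Substring(1)
        })
        $password = ($picked -join "-") + "-" + (Get-SecureRandomInt -Max 10)
    } while ($password.Length -lt $MinimumLength)
    return $password
}

$password = New-WordPassword -WordCount 3
$bits = [math]::Round((Get-PassphraseEntropyBits -WordCount 3 -ListSize $Words.Count), 1)
# Assumed Adaxes wiring: $Context.TargetObject is the user just created
$samAccountName = $Context.TargetObject.Get("sAMAccountName")
Set-AdmAccountPassword -Identity $samAccountName -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force) -Reset
$Context.SendMail("%adm-InitiatorEmail%", "New Account: $samAccountName", "User: $samAccountName`nPass: $password", $null)
$Context.LogMessage("Initial password set for $samAccountName ($bits bits of entropy, plaintext not logged)", "Information")
```

With the sample list the logged figure is only about 12 bits; swapping in the full EFF list brings three words plus a digit to about 42 bits, which is the number to compare against your password policy.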
