0 votes

I do a process every 60 days with 75 training accounts. This is basically what I do:

Step 1: Reset Password of all 75 accounts to the same password.
Step 2: Email trainers that the password has changed, and where to find the new one.
Step 3: Copy a text file with the password to the trainers' home drive so they can retrieve it.

I want to automate this as much as possible to give to our Help Desk.

So, my thoughts and concerns are: #1, I don't need to do step 3 as I'm doing today; we could do this via an email. So, combine steps 2 and 3.
Next concern is, I don't want the Training Managers to receive 75 emails just because 75 users were reset.

So to do this, I'd create a report that they'd run that would easily allow them to select 75 training users. Then from the side menu, they could select the Reset Password option. Then, a business rule would be looking for Reset Password changes to Training Users to send an email, or run a custom command etc. So the question is, can I make it send 1 email instead of 75 here. And do you see any problems with what I stated above?

by (1.5k points)
0

Hello,

Yes, this all can be done using a Custom Command and a PowerShell script. For us to help you with the solution, provide the following details:

  • How is it possible to detect the 75 users whose passwords should be reset? Do they have specific property values (e.g. Job Title equals Trainee), or are they located in a specific OU?
  • Do we understand correctly that the email notification containing the new password of trainees should be sent to all trainers? If so, do you want to explicitly specify trainers' email addresses in the script, or should the script find trainers by some parameters (e.g. property values, location, etc.)?
0

* They need to be reset after each training class. All the users live under the "Training Accounts" OU.

* Yes, we can simply specify the trainers' email addresses.

1 Answer

0 votes
by (289k points)
Best answer

Hello,

Thank you for clarifying. The solution will include an Action and a Custom Command. The action will execute the command that will run the script. The script, in turn, will reset passwords for all the users in the specified container and send notifications to all the trainers.

i. Creating the Custom Command

  1. Launch Adaxes Administration Console.

  2. In the Console Tree, right-click your service node.

  3. In the context menu, navigate to New and click Custom Command.

  4. On step 2 of the Create Custom Command wizard, select Organizational-Unit Object type and click Next.

  5. Click Add an action.

  6. Select Run a program or PowerShell script.

  7. Paste the below script into the Script field.
    In the script:

    • $to – Specifies email addresses of trainers;
    • $subject – Specifies the subject of the email notification;
    • $message – Specifies the template of the notification text.
     $to = "recipient1@domain.com, recipient2@domain.com" # TODO: modify me
     $subject = "Password" # TODO: modify me
     $message = "Password: {0}" # TODO: modify me
    
     function SearchObjects($filter)
     {
         $searcher = $Context.TargetObject
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     # Search users
     $searchResults = SearchObjects "(sAMAccountType=805306368)"
    
     if ($searchResults.Length -eq 0)
     {
         $Context.LogMessage("Users not found.", "Warning")
         return
     }
    
     for ($i = 0; $i -lt $searchResults.Length; $i++)
     {
         $user = $Context.BindToObjectEx($searchResults[$i].AdsPath, $True)
         if ($i -eq 0)
         {
             # Generate password
             $rootDSE = $Context.BindToObject("Adaxes://rootDSE")
             $password = $rootDSE.GeneratePassword($user)
         }
    
         # Reset password for user
         try
         {
             $user.SetPassword($password)
         }
         catch
         {
             $userName = $Context.GetDisplayNameFromAdsPath($searchResults[$i].AdsPath)
             $Context.LogMessage("An error occurred when resetting password for user $userName. Error: " + $_.Exception.Message, "Warning")
         }
     }
    
     # Send mail
     $message = [System.String]::Format($message, $password)
     $Context.SendMail($to, $subject, $message, $NULL)
  8. Enter a short description and click OK.

  9. Click Next and finish creating the Custom Command.

For information on how to grant permissions to execute Custom Commands, see https://www.adaxes.com/tutorials_Delega ... mmands.htm.

ii. Creating the Action

  1. Open Adaxes Web Interface Configurator.
  2. In the top left corner, select the Web Interface you need.
  3. In the Actions section, click Add.
  4. Select Custom Command.
  5. Select the command you created and click Next twice.
  6. Select Always perform on a specific AD object.
  7. Select the Training Accounts OU and click Finish.
0

Ok, this works. But is it possible for us to set the password, instead of a random one? Generally, I set a friendly password that meets our requirements, but is easier for the user as well. An obvious bad example would be P@ssw0rd123!. But easier on the user.

0

Hello,

Yes, it is possible. Find the updated script below. In the script, the $password variable specifies the password which will be set for the users.

$password = "P@ssw0rd123!" # TODO: modify me

# E-mail settings
$to = "recipient1@domain.com, recipient2@domain.com" # TODO: modify me
$subject = "Password" # TODO: modify me
$message = "Password: $password" # TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.TargetObject
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500

    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Search users
$searchResults = SearchObjects "(sAMAccountType=805306368)"

if ($searchResults.Length -eq 0)
{
    $Context.LogMessage("Users not found.", "Warning")
    return
}

for ($i = 0; $i -lt $searchResults.Length; $i++)
{
    $user = $Context.BindToObjectEx($searchResults[$i].AdsPath, $True)

    # Reset password for user
    try
    {
        $user.SetPassword($password)
    }
    catch
    {
        $userName = $Context.GetDisplayNameFromAdsPath($searchResults[$i].AdsPath)
        $Context.LogMessage("An error occurred when resetting password for user $userName. Error: " + $_.Exception.Message, "Warning")
    }
}

# Send mail
$Context.SendMail($to, $subject, $message, $NULL)
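
For the follow-up about a friendly password: rather than a fixed string stored in the script, the value can be generated on every run so each training cycle gets a new one. This is an added example, not part of the thread or of Adaxes; the word list, the function names (Get-RandomIndex, New-FriendlyPassword, Test-PasswordPolicy) and the policy (12 characters, three of four character classes) are assumptions.

```powershell
# Constructed word list for illustration only; it is far too small for real use.
# Swap in a list of several thousand words before relying on this.
$Words = @("maple", "river", "candle", "orbit", "velvet", "harbor", "pepper", "summit",
           "lantern", "meadow", "copper", "falcon", "garden", "signal", "timber", "willow")

function Get-RandomIndex([int]$Max)
{
    # Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try
    {
        $bytes = New-Object byte[] 4
        $limit = 4294967296 - (4294967296 % $Max)
        do
        {
            $rng.GetBytes($bytes)
            $value = [long][System.BitConverter]::ToUInt32($bytes, 0)
        } while ($value -ge $limit)
        return [int]($value % $Max)
    }
    finally { $rng.Dispose() }
}

function New-FriendlyPassword([int]$WordCount = 3)
{
    $parts = @(for ($n = 0; $n -lt $WordCount; $n++)
    {
        $word = $Words[(Get-RandomIndex $Words.Count)]
        # Capitalise each word so upper- and lower-case classes are both present
        $word.Substring(0, 1).ToUpper() + $word.Substring(1)
    })
    # Hyphen separators and a two-digit suffix supply the symbol and digit classes
    return ($parts -join "-") + "-" + ("{0:D2}" -f (Get-RandomIndex 100))
}

function Test-PasswordPolicy([string]$Password, [int]$MinLength = 12)
{
    # Assumed policy: minimum length plus at least three of four character classes
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]')
    {
        if ($Password -cmatch $pattern) { $classes++ }
    }
    return ($Password.Length -ge $MinLength) -and ($classes -ge 3)
}

$password = New-FriendlyPassword
if (-not (Test-PasswordPolicy $password)) { throw "Generated password fails the assumed policy." }
# $password now takes the place of the hard-coded assignment at the top of the script above
```

The generated value has the form Word-Word-Word-NN, so it stays easy to read aloud in a classroom while no longer being a constant that anyone with read access to the script can see.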
