
When allowing Account Unlocking from the Self Password Reset service, is there a way to limit the amount of times that someone can unlock their account before they are forced to reset their password? Basically I want to give you 3 chances to self-unlock your account, and on the 4th time that you try to unlock your account you are forced to reset your password (the Unlock my password choice would be greyed out, or removed altogether). Is something like this possible? Thanks!

by (360 points)

1 Answer

by (216k points)
Best answer

Hello,

You can do something similar with Adaxes. On the 4th attempt, the option will not be greyed out / disabled; however, it is possible to cancel the operation. In this case, users will be returned to the page where they can choose whether or not to reset their passwords, and you can also specify a cancel reason so that users know what to do and why they cannot unlock their accounts.

To implement such a solution, you'll need two Business Rules: one triggered before self-resetting a password, and another one triggered after. Note that rules triggered by self-resetting a password are executed not only when users reset passwords for themselves, but also when they unlock their accounts without resetting a password.

Also, you'll need to use a certain property that can store integer values (numbers). It'll serve as a counter to identify how many times a user has unlocked his/her account. We suggest using one of Adaxes virtual properties (for example, CustomAttributeInt1). Such properties are not stored in AD, but can be used as any other properties of AD objects.

The Business Rule triggered before self-resetting password will cancel the operation if a user has unlocked his/her account 3 times already. To create such a Business Rule:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and Before Self-resetting password.
  3. On the 3rd step, add the Cancel this operation action.
  4. Optionally, you can add a short note to users why they can't simply unlock their accounts in the Reason for canceling field.
  5. Click OK.
  6. Now, you need to add conditions when an attempt should be canceled. First of all, you need to add a condition for the Business Rule to be triggered only when users try to unlock their accounts, but not when they unlock and reset their password. Right-click the action that you've added and click Add Condition.
  7. Select the If <property> <relation> <value> condition type.
  8. Expand the <property> drop-down list and select Show all properties.
  9. Select the Password property.
  10. Select is empty. The password property will be empty only if users don't reset their passwords.
  11. Click OK.
  12. Now, you need to add a condition for the Business Rule to be triggered only when a user has unlocked own account 3 times already. Right-click the action again and click Add Condition.
  13. Select the If <property> <relation> <value> condition type.
  14. Expand the <property> drop-down list and select Show all properties.
  15. Select the property that you want to use as the unlock attempt counter, for example, CustomAttributeInt1.
  16. Select greater or equal and type 3.
  17. Click OK. You should receive something like this:
  18. Finish creation of the Business Rule.

The Business Rule triggered after self-resetting password will increase the unlock attempt counter each time a user manages to successfully unlock his/her account. Also, it'll reset the counter once a user self-resets his/her own password. To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and After Self-resetting password.

  3. On the 3rd step, add the Run a program or PowerShell script action. You'll need a script to increase the unlock attempt counter.

  4. Paste the following script in the Script field:

     # $Context is supplied by Adaxes when the rule runs; $Context.TargetObject is the user
     $attemptCounterProperty = "adm-CustomAttributeInt1" # TODO: modify me
    
     # Get number of times the user has been unlocked
     # (Get() throws if the virtual property has never been set, so treat that as 0)
     try
     {
         $unlockCounter = [int]$Context.TargetObject.Get($attemptCounterProperty)
     }
     catch
     {
         $unlockCounter = 0
     }
    
     # Increase by 1 and save
     $unlockCounter++
     $Context.TargetObject.Put($attemptCounterProperty, $unlockCounter)
     $Context.TargetObject.SetInfo()
    

  5. In the script, $attemptCounterProperty specifies the property to be used as the unlock attempt counter. If you want to use another property, change it.

  6. Enter a short description for the script and click OK.

  7. Now, you need to add a condition for the counter to be increased only when the password is not reset. Right-click the action that you've added and click Add Condition.

  8. Select the If <property> <relation> <value> condition type.

  9. Expand the <property> drop-down list and select Show all properties.

  10. Select the Password property.

  11. Select is empty.

  12. Click OK.

  13. Now, you need to add one more action/condition set that will reset the unlock attempt counter upon password reset. Click the Add action to a new set link.

  14. Add the Update the user action.

  15. Click Add.

  16. Expand the Property to modify drop-down list and select Show all properties.

  17. Select the property to be used as the unlock attempt counter.

  18. Switch the radio button to Remove property and click OK twice.

  19. Now, you need to add a condition for the counter to be reset only when the password is reset. Right-click the action that you've added and click Add Condition.

  20. Select the If <property> <relation> <value> condition type.

  21. Expand the <property> drop-down list and select Show all properties.

  22. Select the Password property.

  23. Select is not empty.

  24. Click OK. You should receive something like this:

  25. Finish creation of the Business Rule.
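The following is an added example, not code from the answer above or from Adaxes itself. It implements the same three-strikes counter entirely in PowerShell, so the two conditions that the answer configures in the wizard (Password is empty; counter greater or equal 3) live in the script instead, and it includes an offline walk-through with a fake $Context so the logic can be exercised outside Adaxes. Assumptions not confirmed by the page: that a script action's $Context exposes TargetObject, IsPropertyModified(<name>) and Cancel(<reason>), and that the new password travels in a property named "userPassword"; check both against your Adaxes SDK before pasting the functions into the rules.

```powershell
# Added example (not from the Adaxes answer above). Assumed Adaxes API:
# $Context.TargetObject, $Context.IsPropertyModified(<name>), $Context.Cancel(<reason>),
# and "userPassword" as the property carrying a newly supplied password.

$MaxSelfUnlocks   = 3
$CounterProperty  = "adm-CustomAttributeInt1"   # virtual property: kept by Adaxes, never written to AD
$PasswordProperty = "userPassword"              # assumed name of the password property

# Read the counter; an unset virtual property makes Get() throw, which means 0.
function Get-UnlockCounter($user) {
    try { return [int]$user.Get($CounterProperty) } catch { return 0 }
}

# Script for the rule "Before Self-resetting password".
function Invoke-BeforeSelfReset($Context) {
    # A real password reset is always allowed; only plain unlocks are counted.
    if ($Context.IsPropertyModified($PasswordProperty)) { return }
    $count = Get-UnlockCounter $Context.TargetObject
    if ($count -ge $MaxSelfUnlocks) {
        $Context.Cancel("You have already unlocked your account $count times. Go back and reset your password to unlock it.")
    }
}

# Script for the rule "After Self-resetting password".
function Invoke-AfterSelfReset($Context) {
    $user = $Context.TargetObject
    if ($Context.IsPropertyModified($PasswordProperty)) {
        $user.Put($CounterProperty, 0)                         # a reset clears the counter
    } else {
        $user.Put($CounterProperty, (Get-UnlockCounter $user) + 1)
    }
    $user.SetInfo()
}

# ---- Offline walk-through: fake $Context constructed here; Adaxes supplies the real one ----
function New-FakeContext([bool]$PasswordSupplied, [hashtable]$Store) {
    $user = [pscustomobject]@{ Store = $Store }
    $user | Add-Member ScriptMethod Get     { param($p) if ($this.Store.ContainsKey($p)) { $this.Store[$p] } else { throw "not set" } }
    $user | Add-Member ScriptMethod Put     { param($p, $v) $this.Store[$p] = $v }
    $user | Add-Member ScriptMethod SetInfo { }
    $ctx = [pscustomobject]@{ TargetObject = $user; PasswordSupplied = $PasswordSupplied; CancelReason = $null }
    $ctx | Add-Member ScriptMethod IsPropertyModified { param($p) $this.PasswordSupplied }
    $ctx | Add-Member ScriptMethod Cancel             { param($r) $this.CancelReason = $r }
    return $ctx
}

$store = @{}
foreach ($attempt in 1..4) {                        # four plain unlocks: three succeed, the fourth is cancelled
    $ctx = New-FakeContext $false $store
    Invoke-BeforeSelfReset $ctx
    if ($ctx.CancelReason) { "Unlock #$attempt cancelled ($($ctx.CancelReason))"; continue }
    Invoke-AfterSelfReset $ctx
    "Unlock #$attempt allowed, counter is now $($store[$CounterProperty])"
}
$ctx = New-FakeContext $true $store                 # a password reset clears the counter
Invoke-BeforeSelfReset $ctx; Invoke-AfterSelfReset $ctx
"Password reset done, counter is now $($store[$CounterProperty])"
```

In Adaxes, the body of Invoke-BeforeSelfReset (with `$Context` as the argument) goes into a Run a PowerShell script action of the before rule, and Invoke-AfterSelfReset into the after rule; the fake-context section is only for trying the logic offline. Two caveats worth keeping in mind: because the counter is a virtual property held by Adaxes rather than an AD attribute, an unlock performed by the help desk in another tool neither increments nor resets it, and a user who keeps hitting the limit is either repeatedly mistyping a forgotten password or is the target of someone else's failed logons, which is the scenario the forced reset is meant to surface.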


Wow!

I will give that a try today. Thank you!


Just as a follow-up, the solution was dead-on. I have implemented it in our test environment and it worked perfectly. Thank you again for your excellent support!


Hello,

Thank you for your good words, we really appreciate it! :)
