0 votes

We would like to be able to have the web interface error when a new user is created with a password that does not meet our complexity rules. Right now, the user is created but the account disabled. When this happens, our automation is not able to create the Exchange Mailbox. We would like to have the interface stop the user before submission. Is there a way to do this?

by (90 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Yes, there is. You can create a Business Rule executed before creating a user that will cancel the operation if a password does not meet the complexity requirements. To check for complexity requirements, you'll need to run a PowerShell script.

To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and Before Creating a User.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste a script that will do the job.

    For example, here's a script that checks whether a new user's password meets the Password Complexity Requirements defined by Microsoft. Also, it checks whether the password length is at least 7 characters (defined by $minLength).

     $minLength = 7 # TODO: modify me
     $minRequirementsToPass = 3 # TODO: modify me
    
     $requirements = @{
         [regex]"[A-Z]" = 1, "The password does not contain an upper-case character.";
         [regex]"[a-z]" = 1, "The password does not contain a lower-case character.";
         [regex]"[0-9]" = 1, "The password does not contain a number.";
         [regex]"[^a-zA-Z0-9]" = 1, "The password does not contain a special character."}
     # TODO: modify me. Example: @{<requirement> = <minimum number of characters>, "Error message"}
    
     if ($Context.IsPasswordChanged())
     {
         $password = $Context.GetNewPassword();
         # Check password length
         if($password.length -lt $minLength)
         {
             $Context.Cancel("The password does not have at least $minLength characters.")
             return
         }
         # Passwords must not contain the user's entire samAccountName (Account Name) value.
         $username = "%username%".ToLower()
         if ($password.ToLower().Contains($username.SubString(0,3)))
         {
             $Context.Cancel("The password should not contain the username or parts of it.")
             return
         }
         # Passwords must not contain the user's entire displayName (Full Name) value
         $displayName = $Context.GetModifiedPropertyValue("displayName")
         $delimiters = @(".", ",", "-", "_", " ", "#")
         $displayNameParts = $displayName.Split($delimiters)
         foreach ($string in $displayNameParts)
         {
             if ($string.length -lt 3)
             {
                 continue
             }
    
             if ($password.ToLower().Contains($string.ToLower()))
             {
                 $Context.Cancel("The password should not contain the user's Display Name or parts of it.")
                 return
             }
         }
    
         # Check whether the password meets at least three complexity requirements
         $requirementsPassed = 0
         $errorMessages = @()
         foreach ($requirement in $requirements.Keys)
         {
             $minNubmerCharacters = ($requirements[$requirement])[0]
             if ($requirement.Matches($password).Count -lt $minNubmerCharacters)
             {
                 $errorMessages += ($requirements[$requirement])[1]
                 continue
             }
    
             $requirementsPassed++
         }
    
         # If the password does not meet at least three requirements, cancel operation.
         if ($requirementsPassed -lt $minRequirementsToPass)
         {
             $requirementsLeft = $minRequirementsToPass - $requirementsPassed
             $requirementsCount = $requirements.Count
             $Context.Cancel("The password must meet at least $minRequirementsToPass out of $requirementsCount complexity requirements of which only $requirementsPassed has been met. Meet at least $requirementsLeft more of the requirements above.")
             foreach ($message in $errorMessages)
             {
                 $Context.LogMessage($message, "Error")
             }
             return
         }
     }
    

Related questions

0 votes
1 answer

I have a fresh installation of adaxes 2018.1 and trying to hide password option in user creation I removed it but this doesn't work. Logged off twice from Config page and user page. Mike

asked Sep 6, 2018 by pavants (150 points)
0 votes
1 answer

Can I configure Adaxes service to send emails to HR staff after user creation and/or password change? I need this email to contain User Full Name (%username%) and password (is there a reference for this?)

asked Aug 23, 2011 by jmirks (180 points)
0 votes
1 answer

We recently added another domain to our environment, when we use the script to create users from a CSV file they are all being created in the first domain instead of the ... password for user '$displayName'. Error: " + $_.Exception.Message, "Warning") } }

asked Nov 1, 2017 by willy-wally (3.2k points)
0 votes
1 answer

All, I was wondering if there is a way to add check boxes that correspond to custom commands. Ie if I as the administrator want to give another user the ability to create ... to specific groups. All this would be avaliable from the new user form. Thanks, Tony

asked Nov 5, 2015 by cyspry (480 points)
0 votes
1 answer

Is it possible to trigger an external API request to update another directory whenever an AD user changes his password? Even if the password change didn't occur using adaxes, but directly in Active Directory? Thank you.

asked May 29, 2020 by nicolasdsa (20 points)
3,538 questions
3,229 answers
8,224 comments
547,747 users