The script resets a user's password in the resource domain after it is changed or reset in the primary domain. To use the script, create a business rule triggered After changing password of a user or After resetting password of a user in the primary domain.
For the script to work, the user must have an account in the resource domain with the same username (LDAP name sAMAccountName) or the same Full Name (LDAP name cn). If no such account is found, or more than one account matches, the script logs a warning and leaves the resource domain untouched rather than guessing. The resource domain must be registered in Adaxes as a managed domain, and the account Adaxes uses for it must be allowed to reset passwords there; if the resource domain's password policy rejects the new password, SetPassword fails and the error is reported in the business rule's execution log.
Parameter:
- $domainDN - Specifies the distinguished name (DN) of the resource domain.
PowerShell
$domainDN = "DC=domain,DC=com" # TODO: modify me

# Bind to the resource domain and look for an account matching the user
# whose password was changed or reset in the primary domain.
# Note: the search criteria are assigned to $searcher.Criteria rather than
# overwriting the $searcher object itself.
$searcher = $Context.BindToObjectByDN($domainDN)
$searcher.Criteria = New-AdmCriteria "user" -Expression {(sAMAccountName -eq "%username%") -or (cn -eq "%fullname%")}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SizeLimit = 2 # two hits are enough to detect an ambiguous match

# Search for the user account in the resource domain
try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Cannot reset the password in the resource domain because the user does not have an account there.", "Warning")
        return
    }
    elseif ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Cannot reset the password in the resource domain because more than one account matches the user.", "Warning")
        return
    }

    # Set the password on the single matching account
    $user = $Context.BindToObject($searchResults[0].AdsPath)
    $user.SetPassword("%unicodePwd%")
}
finally
{
    # Release resources; the iterator is $null if ExecuteSearch() threw
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}