Active Directory management & automation

What's New in Softerra Adaxes 2011.3

Version: 3.2.7708.0
Release Date: November 18, 2011

The new release of Softerra Adaxes includes several long-awaited features that aim to provide secure password self-service for users, significantly improve Active Directory automation and management, enhance notification capabilities and much more. Below you will find the list of the new major features and important updates introduced in Softerra Adaxes 2011.3.

Self-Service Password Reset

The new version of Adaxes includes the Self-Service Password Reset feature, which allows users to securely reset their passwords themselves without contacting the help desk or administrators. Users can perform a self-password reset from the Windows Logon Screen or from the logon page of the Adaxes Web Interface. You can also integrate the feature with your own sites and web applications if they use Active Directory for user authentication.

For details, see Configure Password Self-Service.

Identity Verification Methods

Security is the most important concern when delegating rights to users. It is crucial to guarantee that the person who initiates a password reset is actually entitled to do so. To verify users' identity, Adaxes uses robust identity verification methods: Security Questions & Answers and SMS Verification. To get access to self-service password reset, a user must answer a number of security questions and/or enter a verification code that Adaxes sends to their mobile phone.

Security Measures

To prevent attackers from gaining access to the system by guessing answers to security questions or by brute force, Adaxes uses the following security measures:

  • Blocking user accounts after a certain number of failed authentication attempts.
  • Sending email notifications to users every time their passwords are reset via the Self-Password Reset system. Users are prompted to contact an administrator if they did not reset the password themselves.
  • Captcha – a word verification image that prevents automated brute force attempts.
  • Statistics – help to track failed password reset attempts and locate the source of possible attacks.

Statistics

To monitor password reset and enrollment activity, Adaxes provides powerful reporting capabilities. Using the reporting feature, you can:

  • Track enrolled and not enrolled users. This helps you monitor the enrollment process and take the necessary actions in case of low enrollment activity.
  • Trace failed and successful password resets. By monitoring the failed attempts, you can locate the source of possible attacks and take preventive measures.
  • Handle user accounts blocked after a certain number of failed authentication attempts.

Automatic User Enrollment

If Q&A verification is enabled, users need to enroll in the self-password reset service. If your organization stores user-specific data (Social Security numbers, places of birth, etc.) in a datasource such as an HR database, you can configure Adaxes to enroll users automatically by pre-loading the data into their Q&A profiles. For this purpose, you can use the following PowerShell cmdlets:

  • New-AdmPasswordSelfServiceEnrollment
    Example:
            # Enroll the user JohnSmith with one security question and its answer
            $question = "What are the last 5 digits of your credit card?"
            $answer = "12345"
            New-AdmPasswordSelfServiceEnrollment JohnSmith -QuestionsAndAnswers @{$question = $answer} -AdaxesService localhost

  • Remove-AdmPasswordSelfServiceEnrollment
    Example:
            # Remove the Q&A profile of the user JohnSmith
            Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost

The information in the datasource used for automated enrollment may change over time. To create Q&A profiles for new users automatically and keep existing profiles up to date, you can automate synchronization with the datasource by activating the built-in scheduled task named Self-Password Reset Enroller. This task runs a PowerShell script for automated enrollment on a predefined schedule. To activate the task, you need to enable it and modify the script to use your datasource.

For details, see Autoenroll Users for Self-Password Reset.
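The following script is an added example of the enrollment procedure described above; it is not part of the release notes or the built-in Self-Password Reset Enroller script. It reads a constructed HR export, builds a Q&A profile from non-empty fields only, and calls the New-AdmPasswordSelfServiceEnrollment cmdlet named above. The module name `Adaxes`, the CSV columns and the two-question minimum are assumptions.

```powershell
# Added example, not the product's own script. Assumes the Adaxes PowerShell
# module is installed locally and the Adaxes service runs on localhost.
Import-Module Adaxes

# Constructed sample datasource; a real deployment would read the HR export.
$hrExport = @"
sAMAccountName,EmployeeId,BirthPlace
JohnSmith,48213,Seattle
JaneDoe,,Boston
"@ | ConvertFrom-Csv

# Maps a datasource column to the security question it answers.
$questions = @{
    EmployeeId = "What is your employee ID?"
    BirthPlace = "In which city were you born?"
}
$minimumAnswers = 2   # assumed policy: do not enroll with fewer answers

foreach ($row in $hrExport) {
    # Build the Q&A profile only from fields that actually have a value;
    # an empty answer would be trivial to guess.
    $qa = @{}
    foreach ($column in $questions.Keys) {
        $value = $row.$column
        if (-not [string]::IsNullOrWhiteSpace($value)) {
            $qa[$questions[$column]] = $value.Trim()
        }
    }

    if ($qa.Count -lt $minimumAnswers) {
        Write-Warning "$($row.sAMAccountName): only $($qa.Count) usable answer(s); skipping"
        continue
    }

    try {
        New-AdmPasswordSelfServiceEnrollment $row.sAMAccountName `
            -QuestionsAndAnswers $qa -AdaxesService localhost
        Write-Output "Enrolled $($row.sAMAccountName)"
    } catch {
        Write-Warning "$($row.sAMAccountName): $($_.Exception.Message)"
    }
}
```

In the constructed data, JaneDoe has no employee ID and is skipped, so the task output shows which users still need manual enrollment.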

Scheduled Tasks

The new version of Adaxes introduces a new useful feature called Scheduled Tasks. With its help, you can automate the launch of a wide range of operations on a predefined schedule. Such operations can include sending expiration notifications, deleting inactive accounts, maintaining group membership, and much more.

For details, see Schedule Tasks for Active Directory Management.

Below you will find common problems that can be solved with the help of Scheduled Tasks.

Password Expiration Notifications

For users, passwords always seem to expire unexpectedly, so it helps to warn them about password expiration beforehand. With the built-in Scheduled Task named Password Expiration Notifier, you can automatically send email or SMS notifications that inform users about upcoming password expiration.

Account Expiration Notifications

With the help of the Account Expiration Notifier task, you can enable automated sending of account expiration notifications to users and their managers.

Automated Cleanup of Inactive Users and Computers

Active Directory may contain many accounts that have not been used for a long time. Some of them were left behind after an employee was dismissed or a computer was removed and are no longer required; others are still in use, but only very seldom. To automate deletion of inactive accounts, you need a way to distinguish genuinely inactive accounts from accounts that are used occasionally.

To provide a reliable mechanism for deleting inactive accounts, Adaxes includes two built-in Scheduled Tasks: Inactive Computer Deleter and Inactive User Deleter.

Inactive Computer Deleter

For details, see Delete Inactive Computers from Active Directory.

Inactive User Deleter

For details, see Automatically Deprovision Inactive AD Users.

Automated Management of Group Membership

Now you can significantly improve the automated management of group membership. For example, you can automate adding users located under a specific OU to a group associated with this OU.

Approvals for Scheduled Task Actions

A very important feature of Scheduled Tasks is the ability to control their execution by submitting specific task actions for approval. Actions that require approval will not be executed until approved by an authorized person.

SMS Support

Now, with the help of Adaxes it is possible to send SMS messages to Active Directory users.

SMS Verification on Password Reset

To perform a password reset requested by phone, it is crucial for a Help Desk operator to verify the user's identity. For this purpose, Adaxes allows sending an SMS verification code to the user's mobile phone during the password reset.

Automated SMS Sending

SMS messages can be sent automatically by Business Rules, Custom Commands and Scheduled Tasks as a notification about an action performed. This will help you, for example, automatically inform administrators about new users added to groups, send notifications to users whose account options have been changed, send new passwords to users, and much more.

In advanced cases, it is possible to send SMS messages from a PowerShell script:

    $Context.SendSms($mobileNumber, $text)

Enhanced AD Management and Automation Features

Execute Custom Command Action

Now Custom Commands can be executed from other Custom Commands, Business Rules and Scheduled Tasks. It allows you to create one Custom Command and execute it, for example, after a user is created or updated, on a schedule, or manually.

Value References in Conditions

Now you can use value references in conditions. This is useful when a condition needs to refer to information stored in AD object properties.

Value References in 'before create' and 'after delete' Actions

Now Adaxes allows using AD object properties before the creation or after deletion of an object. Thus, for example, you can pass the information about not yet created or already deleted objects to PowerShell scripts.

New Conditions

  • Inactive Period
    With the help of this condition, you can check whether a user or computer has been inactive for more than or less than the specified period.
  • Account/Password Expiration
    With the help of this condition, you can check the expiration status of a user's account or password.

Customization of Approval Notifications

The new version of Adaxes allows customizing templates for email notifications sent as a part of approval-based workflow. For all the notifications, you can edit the subject, header and footer as well as specify font and text size.

Web Interface Improvements

  • The visual look of the Web Interface has been improved significantly.
  • Added the ability to display user images in search results and object grids.
  • Added the ability to customize the footer of the web pages.
  • Now it is possible to change the Web Interface icon (favicon).

New Virtual Properties

In the new version of Adaxes, you can use the following virtual properties in value references:

  • adm-PasswordExpires
    The date and time when the password of the account for which the property is calculated expires. When this property is calculated, the Default Domain Password Policy and Fine-Grained Password Policies are taken into account.
  • adm-InactivityDuration
    The number of days during which a user has not logged on or a computer has remained turned off. This property can be used to automate processing of inactive accounts. The period of inactivity is reliable only if it is more than 7 days.
  • adm-AccountExpiresDaysLeft
    The number of days left before the account for which the property is calculated expires. This property can be used to notify users about their account expiration. For example, you can specify the following pattern in the notification text: Your account expires in %adm-AccountExpiresDaysLeft% days.
  • adm-PasswordExpiresDaysLeft
    The number of days left before the password of the user for which the property is calculated expires. This property can be used to notify users about their password expiration. For example, you can specify the following pattern: Your password expires in %adm-PasswordExpiresDaysLeft% days.
  • adm-InitiatorMobile
    The mobile phone number of the operation initiator. This property can be used to send SMS messages to the user who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorMobile%.
  • adm-InitiatorManagerEmail
    The e-mail address of the manager of the operation initiator. This property can be used to send e-mail notifications to the manager of the user who performs the operation. For this purpose, specify the notification receiver as follows: %adm-InitiatorManagerEmail%. The manager is taken from the Manager property.
  • adm-InitiatorManagerFirstName
    The first name of the manager of the operation initiator. The manager is taken from the Manager property.
  • adm-InitiatorManagerLastName
    The last name of the manager of the operation initiator. The manager is taken from the Manager property.
  • adm-InitiatorManagerFullName
    The full name of the manager of the operation initiator. The manager is taken from the Manager property.
  • adm-InitiatorManagerUserName
    The logon name of the manager of the operation initiator. The manager is taken from the Manager property.
  • adm-InitiatorManagerMobile
    The mobile phone number of the manager of the operation initiator. This property can be used to send SMS messages to the manager of the user who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorManagerMobile%. The manager is taken from the Manager property.
  • adm-ManagerEmail
    The e-mail address of the user's manager. This property can be used to send e-mail notifications to the manager of a user. For this purpose, specify the notification receiver as follows: %adm-ManagerEmail%. The manager is taken from the Manager property.
  • adm-ManagerFirstName
    The first name of the user's manager. The manager is taken from the Manager property.
  • adm-ManagerLastName
    The last name of the user's manager. The manager is taken from the Manager property.
  • adm-ManagerFullName
    The full name of the user's manager. The manager is taken from the Manager property.
  • adm-ManagerUserName
    The logon name of the user's manager. The manager is taken from the Manager property.
  • adm-ManagerMobile
    The mobile phone number of the user's manager. This property can be used to send SMS messages to the manager of a user. For this purpose, specify the SMS receiver as follows: %adm-ManagerMobile%.
  • adm-WebInterfaceUrl
    The URL of the Web Interface specified for the Adaxes service. For example, this property can be used in e-mail notifications to insert links to the Adaxes Web Interface.

Filtering in Logging

The new version of Adaxes allows you to filter the information stored in the Adaxes service log. You can filter by operation type, by initiator type, by target object type or by initiator host.

Miscellaneous

Sending SMS and E-mail Notifications from PowerShell Scripts

Now, to send SMS or email messages from a PowerShell script executed by Custom Commands, Business Rules or Scheduled Tasks, you can use the SendMail and SendSms methods of the $Context variable:

    $Context.SendMail($toAddress, $subject, $bodyText, $bodyHtml)
    $Context.SendSms($mobileNumber, $text)
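The script below is an added example, not code from the release notes, that combines the $Context.SendSms and $Context.SendMail methods above with the adm-PasswordExpiresDaysLeft and adm-WebInterfaceUrl virtual properties from the previous section. It assumes that Adaxes substitutes value references inside a Scheduled Task script with the target user's values before the script runs, and that the task targets user accounts; the attribute names mobile, mail and displayName are standard AD attributes.

```powershell
# Added example, not the product's own script. Warns a user whose password
# expires within $threshold days, by SMS when a mobile number is set and by
# e-mail otherwise. Value references (assumed to be resolved before execution)
# supply the target user's data.
$daysLeftRaw = "%adm-PasswordExpiresDaysLeft%"
$mobile      = "%mobile%"
$mail        = "%mail%"
$userName    = "%displayName%"
$portal      = "%adm-WebInterfaceUrl%"
$threshold   = 7   # warn within this many days of expiration

# If the password is set to never expire, the reference resolves to an
# empty string; TryParse fails and nothing is sent.
$daysLeft = 0
if (-not [int]::TryParse($daysLeftRaw, [ref]$daysLeft)) {
    return
}
# Already expired passwords are handled at logon; anything beyond the
# threshold is not due yet.
if ($daysLeft -lt 0 -or $daysLeft -gt $threshold) {
    return
}

$subject = "Your password expires in $daysLeft day(s)"
$text = "Hello $userName, your password expires in $daysLeft day(s). " +
        "Change it before it expires: $portal"

if (-not [string]::IsNullOrWhiteSpace($mobile)) {
    # SMS: keep the message short; it carries no secrets, only the portal URL.
    $Context.SendSms($mobile, $text)
} elseif (-not [string]::IsNullOrWhiteSpace($mail)) {
    $html = "<p>$text</p>"
    $Context.SendMail($mail, $subject, $text, $html)
}
# Users with neither a mobile number nor an e-mail address are silently
# skipped; the Password Expiration Notifier's own statistics show them.
```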

Icon for Users With Expired Accounts

Now expired user accounts are marked with a specific icon in the Administration Console and Web Interface.

Show All Affected Objects Feature

Now Adaxes Administration Console enables you to view all the AD objects affected by a Business Rule, Property Pattern, or Scheduled Task by clicking the Show All Affected Objects button.
