Active Directory management & automation

Autoenroll Users for Self-Password Reset

If the Secret Question & Answers verification option is enabled for Self-Service Password Reset, users need to enroll for password self-service. Enrollment is a one-time process where users provide answers to secret questions. If your organization stores employee data such as social security numbers, places of birth, ID numbers, or similar, you can enroll users automatically by preloading the data into their Q&A profiles.

Since the secret questions used for autoenrollment will most likely be general and simple, the normal enrollment process, in which users select their own secret questions and supply the answers themselves, is recommended.

In this tutorial you will learn how to enroll users for Password Self-Service using PowerShell cmdlets, and how to configure Adaxes to automatically enroll new users and update enrollment data for those who already have enrolled.

PowerShell Cmdlets for Enrollment

To enroll and disenroll users from Password Self-Service, you can use the following PowerShell cmdlets:

  • New-AdmPasswordSelfServiceEnrollment - enrolls a user into Password Self-Service
  • Remove-AdmPasswordSelfServiceEnrollment - disenrolls a user from Password Self-Service

To use these cmdlets, you need to install the Adaxes PowerShell Module on the computer where your Adaxes service is running.

New-AdmPasswordSelfServiceEnrollment

The New-AdmPasswordSelfServiceEnrollment cmdlet enrolls an Active Directory user into the Password Self-Service.

Required Parameters:

  • Identity - specifies the Active Directory user to be enrolled. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • QuestionsAndAnswers - specifies a hash table containing secret questions and answers.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute this cmdlet.

Example 1 - enroll a user with hard-coded questions and answers

  Import-Module Adaxes

  $question1 = "What are the last 4 digits of your credit card?"
  $answer1 = "1234"
  $question2 = "What is your social security number?"
  $answer2 = "987654321"

  New-AdmPasswordSelfServiceEnrollment JohnSmith `
    -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost

Example 2 - enroll users using a CSV file

  Import-Module Adaxes

  $question1 = "What are the last 4 digits of your credit card?"
  $question2 = "What is your social security number?"

  foreach ($line in (Import-Csv c:\qa.csv))
  {
    $answer1 = $line.CardDigits
    $answer2 = $line.SSN

    New-AdmPasswordSelfServiceEnrollment $line.User `
      -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
  }

The example assumes that a CSV file with the following content is used:

  User,CardDigits,SSN
  JohnSmith,1234,654321
  JimWillis,1122,332211
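The two examples above stop at the first error and enroll whatever the CSV contains, blank answers included. The following script is an added example, not part of the Adaxes documentation: it uses the same cmdlet and parameters documented above, but validates each row, skips users with a missing name or answer, continues past failures, and logs only user names, never the answers. The CSV path and the mapping of column names to questions are assumptions.

```powershell
# Added example (not from the Adaxes documentation): bulk enrollment from a CSV
# with input validation and per-user error handling. The CSV path and the
# column-to-question mapping are assumptions.
Import-Module Adaxes

$csvPath       = "C:\qa.csv"   # assumed location; columns: User,CardDigits,SSN
$adaxesService = "localhost"

# Column name in the CSV -> secret question stored in the Q&A profile
$questions = @{
    CardDigits = "What are the last 4 digits of your credit card?"
    SSN        = "What is your social security number?"
}

$enrolled = 0
$skipped  = 0

foreach ($row in (Import-Csv -Path $csvPath)) {
    # Build the Q&A hashtable for this row; a row with any empty answer is
    # skipped so that nobody ends up enrolled with a blank answer.
    $qa = @{}
    $incomplete = $false
    foreach ($column in $questions.Keys) {
        $answer = "$($row.$column)".Trim()
        if ([string]::IsNullOrEmpty($answer)) { $incomplete = $true; break }
        $qa[$questions[$column]] = $answer
    }

    if ($incomplete -or [string]::IsNullOrWhiteSpace($row.User)) {
        Write-Warning "Skipping row for '$($row.User)': missing user name or answer"
        $skipped++
        continue
    }

    try {
        # -ErrorAction Stop turns a non-terminating cmdlet error into an
        # exception so the catch block runs; the loop then moves on.
        New-AdmPasswordSelfServiceEnrollment -Identity $row.User `
            -QuestionsAndAnswers $qa -AdaxesService $adaxesService -ErrorAction Stop
        $enrolled++
    }
    catch {
        # Log the user name and the error only; the answers are sensitive.
        Write-Warning "Failed to enroll '$($row.User)': $($_.Exception.Message)"
        $skipped++
    }
}

Write-Output "Enrolled: $enrolled, skipped or failed: $skipped"
```

Run it under an account that has the Enroll/Disenroll User permission (see Permissions to Enroll/Disenroll Users below), and delete or restrict the CSV afterwards, since it holds the raw answers.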

Remove-AdmPasswordSelfServiceEnrollment

The Remove-AdmPasswordSelfServiceEnrollment cmdlet disenrolls an Active Directory user from the Password Self-Service.

Required Parameters:

  • Identity - specifies the Active Directory user to be disenrolled. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute this cmdlet.

Example:

  Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost

Permissions to Enroll/Disenroll Users

By default, all users have the permission to enroll and disenroll themselves from Password Self-Service. To enroll and disenroll other users, the Enroll/Disenroll User permission must be granted with the help of Security Roles.

Adaxes service administrators have unrestricted access and are allowed to perform any operation on any AD object, including the ability to enroll and disenroll any user for Password Self-Service.

To auto-enroll users for Password Self-Service using a PowerShell script, the script must be executed under an account with the permissions necessary to read data from the data source (CSV file, HR database, etc.) and to enroll users for Password Self-Service in Adaxes.

To grant the right to enroll and disenroll users:

Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Security Roles and select the role to which you want to add the permission to enroll and disenroll users.

The permissions of the selected role will be displayed in the Result Pane (located to the right).

In the Result Pane, click the Add button located under the Permissions list.

In the Add Permissions dialog, select User in the list of object types on the left. In the General permissions list, select the Allow check box for the Enroll/Disenroll User (Password Self-Service) permission.

Click OK, and then click Save changes below the Assignments list.

Enrollment by Schedule

You can configure Adaxes to automatically enroll new users, and keep Q&A profiles of existing users updated if the information used for user enrollment changes. For this purpose you can use the built-in Scheduled Task called Self-Password Reset Enroller. This task automatically runs a PowerShell script for user enrollment on a predefined schedule.

By default, the task is disabled. To activate it, you need to modify the PowerShell script executed by this task to work with your data source, and then enable the task.

To activate the Self-Password Reset Enroller task:

Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin. Select the Self-Password Reset Enroller task.

In the Result Pane right-click the Run PowerShell script action, and select Edit Action in the context menu.

Modify the PowerShell script to work with your data source.

By default, the script gets data from an MS SQL database. If your data is stored in an MS SQL database, you just need to specify your database host, database and table names, field names, etc.

For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

If necessary, change the user account used to run the script.

The user account must have the right to read data from the data source and enroll users for Password Self-Service in Adaxes. By default, the script is executed using the account of the default service administrator. The default service administrator has the right to enroll users for Password Self-Service. If necessary, you can grant this right to any user via Security Roles. For more details, see Permissions to Enroll/Disenroll Users.

Click OK and then click Save changes.

To enable the task, right-click it, point to All Tasks, and click Enable.
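As an added example of the kind of script the Self-Password Reset Enroller task runs, the following reads enrollment data from an MS SQL table over Windows integrated authentication (so no database password sits in the task) and enrolls every user it finds. It is not the built-in task's own script: the server, database, table and column names, and the choice of ADO.NET via System.Data.SqlClient, are assumptions. Because the task re-runs on its schedule, users whose source data has changed are enrolled again with the current values, which is how the task keeps existing Q&A profiles in step with the data source.

```powershell
# Added example (not the built-in task's script): pull enrollment data from an
# MS SQL table and enroll each user. Server, database, table and column names
# are assumptions; replace them with your own.
Import-Module Adaxes

$adaxesService    = "localhost"
# Integrated Security=True uses the account running the task (Windows auth),
# so no database credential is stored in the script. Host/database are assumed.
$connectionString = "Server=hrsql.example.com;Database=HR;Integrated Security=True"

# Read only the columns needed; no user-supplied input is concatenated into the query.
$query = @"
SELECT SamAccountName, CardDigits, SSN
FROM dbo.Employees
WHERE SamAccountName IS NOT NULL
"@

$connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
$connection.Open()
try {
    $command = $connection.CreateCommand()
    $command.CommandText = $query
    $reader = $command.ExecuteReader()
    try {
        while ($reader.Read()) {
            $user = "$($reader["SamAccountName"])".Trim()

            # DBNull converts to an empty string here, so missing values are caught below.
            $qa = @{
                "What are the last 4 digits of your credit card?" = "$($reader["CardDigits"])".Trim()
                "What is your social security number?"            = "$($reader["SSN"])".Trim()
            }

            $missing = @($qa.Values | Where-Object { [string]::IsNullOrEmpty($_) })
            if ($missing.Count -gt 0) {
                Write-Warning "Skipping '$user': incomplete enrollment data"
                continue
            }

            try {
                New-AdmPasswordSelfServiceEnrollment -Identity $user `
                    -QuestionsAndAnswers $qa -AdaxesService $adaxesService -ErrorAction Stop
            }
            catch {
                # Report the failure without echoing the answers.
                Write-Warning "Failed to enroll '$user': $($_.Exception.Message)"
            }
        }
    }
    finally {
        $reader.Close()
    }
}
finally {
    $connection.Close()
}
```

Because the script runs under the task's account, that account needs read access to the table and the Enroll/Disenroll User permission in Adaxes, as described above; keeping the SQL account read-only on this table is enough for the task to do its job.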