Active Directory management & automation

Tutorials

Autoenroll Users for Self-Password Reset

If the Secret Question & Answers verification option is enabled for Self-Service Password Reset, users need to enroll for password self-service. Enrollment is a one-time process where users provide answers to secret questions. If your organization stores employee data such as social security numbers, places of birth, ID numbers, or similar, you can enroll users automatically by preloading the data into their Q&A profiles.

Since the secret questions used for autoenrollment most probably will be pretty general and simple, it is recommended to use the normal enrollment process where users can select secret questions and supply answers to them by themselves.

In this tutorial you will learn how to enroll users for Password Self-Service using PowerShell cmdlets, and how to configure Adaxes to automatically enroll new users and update enrollment data for those who already have enrolled.

PowerShell Cmdlets for Enrollment

To enroll and disenroll users from Password Self-Service, you can use the following PowerShell cmdlets:

To use these cmdlets, you need to install Adaxes PowerShell Module on the computer, where your Adaxes service is running.

New-AdmPasswordSelfServiceEnrollment

The New-AdmPasswordSelfServiceEnrollment cmdlet enrolls an Active Directory user into the Password Self-Service.

Required Parameters:

  • Identity - specifies the Active Directory user to be enrolled. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • QuestionsAndAnswers - specifies a hash table containing secret questions and answers.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute this cmdlet.

Example 1 - enroll a user with hard-coded questions and answers 

  Import-Module Adaxes

  $question1 = "What are the last 4 digits of your credit card?"
  $answer1 = "1234"
  $question2 = "What is your social security number?"
  $answer2 = "987654321"

  New-AdmPasswordSelfServiceEnrollment JohnSmith `
    -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost

Example 2 - enroll users using a CSV file 

  Import-Module Adaxes

  $question1 = "What are the last 4 digits of your credit card?"
  $question2 = "What is your social security number?"

  foreach ($line in (Import-Csv c:\qa.csv))
  {
    $answer1 = $line.CardDigits
    $answer2 = $line.SSN

    New-AdmPasswordSelfServiceEnrollment $line.User `
      -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
  }

The example assumes that a CSV file with the following content is used: 

  User,CardDigits,SSN
  JohnSmith,1234,654321
  JimWillis,1122,332211


Remove-AdmPasswordSelfServiceEnrollment

The Remove-AdmPasswordSelfServiceEnrollment cmdlet disenrolls an Active Directory user from the Password Self-Service.

Required Parameters:

  • Identity - specifies the Active Directory user to be disenrolled. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute this cmdlet.

Example: 

  Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost

Permissions to Enroll/Disenroll Users

By default, all users have the permission to enroll and disenroll themselves from Password Self-Service. To enroll and disenroll other users, the Enroll/Disenroll User permission must be granted with the help of Security Roles.

Adaxes service administrators have unrestricted access and are allowed to perform any operation on any AD object, including the ability to enroll and disenroll any user for Password Self-Service.

To auto-enroll users for Password Self-Service using a PowerShell script, the script must be executed under an account with the permissions necessary to read data from the data source (CSV file, HR database, etc.) and to enroll users for Password Self-Service in Adaxes.

See how to grant the right to enroll and disenroll users

Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Security Roles and select the role, to which you want to add the permission to enroll and disenroll users.


The permissions of the selected role will be displayed in the Result Pane (located to the right).

In the Result Pane, click the Add button located under the Permissions list.

In the Add Permissions dialog, select User in the list of object types on the left. In the General permissions list, select the Allow check box for the Enroll/Disenroll User (Password Self-Service) permission.

Click OK, and then click Save changes below the Assignments list.

Enrollment by Schedule

You can configure Adaxes to automatically enroll new users, and keep Q&A profiles of existing users updated if the information used for user enrollment changes. For this purpose you can use the built-in Scheduled Task called Self-Password Reset Enroller. This task automatically runs a PowerShell script for user enrollment on a predefined schedule.

By default, the task is disabled. To activate it, you need to modify the PowerShell script executed by this task to work with your data source, and then enable the task.

To activate the Self-Password Reset Enroller task:

Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin. Select the Self-Password Reset Enroller task.


In the Result Pane right-click the Run PowerShell script action, and select Edit Action in the context menu.


Modify the PowerShell script to work with your data source.

By default, the script gets data from an MS SQL database. If your data is stored in an MS SQL database, you just need to specify your database host, database and table names, field names, etc.
For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

If necessary, change the user account used to run the script.

The user account must have the right to read data from the data source and enroll users for Password Self-Service in Adaxes. By default, the script is executed using the account of the default service administrator. The default service administrator has the right to enroll users for Password Self-Service. If necessary, you can grant this right to any user via Security Roles. For more details, see Permissions to Enroll/Disenroll Users.

Click OK and then click Save changes.

To enable the task, right-click it, point to All Tasks, and click Enable.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for new users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts