
Request Approval for Self-Password Reset

With the help of Adaxes, user passwords can be reset by administrators and other technical personnel, such as Help Desk or IT support staff. In addition, users can reset their own passwords using the Password Self-Service feature of Adaxes. Workflow capabilities in Adaxes give you the ability to control how Self-Service Password Reset is used. For example, for security reasons, you may want somebody to approve a self password reset when the operation is performed by a user with high privileges, so that a compromised self-service session cannot silently take over a privileged account.

In this tutorial, you will learn how to configure Adaxes to request an approval when users reset their own password. For this purpose, you need to create a Business Rule triggered before self password reset.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule. The Create Business Rule wizard will open.
Launching the Create Business Rule wizard

Enter a name for the new Business Rule and click Next.
Here you need to specify when the new Business Rule must be executed. To send a request for approval when a user resets their own password:
  • Select User in the Object Type list.
  • Select Before in the Operation section.
  • Select Self-resetting password in the Operation section and click Next.

At the next step, you need to specify what the Business Rule will do when it is executed. Click the Add Action link and select the Send this operation for approval action.

In the Action Parameters section, click Add and select users or groups that will be able to approve the requests to self reset password.

Optionally, you can use one of the following dynamic approver options instead of, or in addition to, explicitly selected users and groups:
  • Manager of the requestor to allow the manager of the user whose password is reset to approve or deny the operation. The manager-employee relationship is stored in the Manager property of an AD user.
  • Owner of the requestor's OU to allow the owner of the Organizational Unit (OU) containing the account of the user whose password is reset to approve or deny the operation. The OU owner is specified in the Managed By property of OU objects.

Since the Business Rule is triggered when users reset the password for their own accounts, the requestor and the target user are the same person. The manager of the target user and the owner of the target user's OU are therefore identical to the manager of the requestor and the owner of the requestor's OU.
When done, click OK.
If you need to build the list of approvers dynamically or based on complex criteria, you can use a PowerShell script to submit the operation for approval.

How to request for approval from PowerShell script

To run a PowerShell script, your Business Rule must execute the Run a program or PowerShell script action.
  • Add a new action to the Business Rule.
  • In the Add Action dialog, select the Run a program or PowerShell script action.
  • In the Short description field, describe what your script does, its purpose or intention.

    Optionally, assign a custom description for the action

    You can assign a custom description for the Run a program or PowerShell script action that will replace the default description generated by Adaxes. To do this:
    • Click the Assign Custom Action Description button.
    • Type the description in the Custom action description field.

      Add custom action description.

  • Type the text of the script in the Script field and click OK.

To submit a request for approval from a script, call the SubmitForApproval method of the pre-defined PowerShell variable called Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers; when a group DN is specified, its members become approvers. For detailed information on the input parameters of the method, see SubmitForApproval.

The following script submits an approval request to a specific user and members of a specific group.

$approvers = @(
    "CN=John Smith,CN=Users,DC=example,DC=com",
    "CN=Group,OU=Groups,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)

How to get the DN of an object

To get the DN of an Active Directory object:
  • Launch Adaxes Administration Console.
  • Right-click the object you need.
  • In the context menu, open the submenu of the Copy item.
  • Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.

You can use value references in the distinguished names of approvers. Before executing the script, Adaxes replaces each value reference with the corresponding property value of the user whose password is reset. Properties that store a DN, such as Secretary or Manager, can therefore be used as complete approver entries, while string properties such as Department can be used to build part of a DN.

The following example submits an approval request to the user's secretary and members of the group called Admins located in the Organizational Unit where the user account resides.

$approvers = @(
    "%secretary%",
    "CN=Admins,%adm-InitiatorParentDN%")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)

The next example submits a request to the members of the group whose name consists of the name of the user's department followed by Managers.

$approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
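The examples above use a fixed approver list. The following script, which is an added example and not part of the Adaxes documentation, shows the "complex criteria" case mentioned earlier: the approval request is routed to a security team when the user resetting their password is a direct member of a privileged group, and to the user's manager otherwise, with a Help Desk group as a fallback when no manager is set. It assumes that $Context.TargetObject is the ADSI object of the user whose password is reset (the standard Adaxes convention for server-side scripts) and that $Context.LogMessage accepts a message and a severity string; all group and user DNs are placeholders for your environment.

```powershell
# Added example, not from the Adaxes documentation.
# Assumptions (see lead-in): $Context.TargetObject is the ADSI object of the user
# resetting their own password; all DNs below are placeholders.

# Groups whose members are treated as privileged (placeholder DNs).
$privilegedGroups = @(
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Tier0-Operators,OU=Groups,DC=example,DC=com"
)

# Approvers for privileged accounts (placeholder DN of a security team group).
$securityApprovers = @("CN=Security-Approvers,OU=Groups,DC=example,DC=com")

# Fallback approvers used when the user has no manager set (placeholder DN).
$fallbackApprovers = @("CN=Help Desk,OU=Groups,DC=example,DC=com")

$user = $Context.TargetObject

# Read direct group memberships from the memberOf attribute. GetEx returns an
# array even for a single value; it throws when the attribute is empty, so the
# failure is caught and treated as "no groups".
$memberOf = @()
try { $memberOf = @($user.GetEx("memberOf")) } catch { $memberOf = @() }

# DNs are not case-sensitive in AD; -contains compares strings case-insensitively.
$isPrivileged = $false
foreach ($groupDn in $memberOf) {
    if ($privilegedGroups -contains $groupDn) {
        $isPrivileged = $true
        break
    }
}

if ($isPrivileged) {
    $approvers = $securityApprovers
    $Context.LogMessage("Privileged account: routing approval to the security team.", "Information")
}
else {
    # Route to the manager; fall back to the Help Desk when Manager is empty.
    $managerDn = $null
    try { $managerDn = $user.Get("manager") } catch { $managerDn = $null }

    if ([string]::IsNullOrEmpty($managerDn)) {
        $approvers = $fallbackApprovers
        $Context.LogMessage("No manager set: routing approval to the fallback approvers.", "Warning")
    }
    else {
        $approvers = @($managerDn)
    }
}

# Same call and Boolean parameters as in the examples above.
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```

Two caveats matter in practice. The memberOf attribute lists only direct memberships and never the primary group, so a user who is privileged through a nested group would be routed to their manager; if nesting is used in your environment, check membership with the If is a member of <Group> condition described below, which evaluates nested groups, or expand the groups in the script. Second, keep the fallback approver list as small and as trusted as the privileged path, because every account without a manager ends up there.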
For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

You can configure the Business Rule to request for approval only if certain conditions are met. For example, request for approval only if the user is a member of a specific group or Business Unit or is located in a specific OU.

To request an approval only if the user is a member of a certain group, do the following:
  • Right-click the action and select Add Condition in the context menu.
  • In the dialog that opens, select the If is a member of <Group> condition type.
  • In the Condition Parameters section, click Select Group.

  • Select the necessary group from the list.

    You can specify a template to be used to generate the distinguished name (DN) of the group.

    Specifying group template

    To specify a group DN template, switch to the Specify template tab and type the template in the Template field.

    You can use value references (e.g. %department%) in the DN template. Value references will be substituted with corresponding property values of the user whose password is reset. For example, if you specify the following: CN=%department%,DC=company,DC=com, the %department% value reference will be substituted with the value of the Department property of the user. So, if a user whose department is Human Resources is trying to reset own password, the group DN will be CN=Human Resources,DC=company,DC=com.

    To select a value reference, click the button embedded in the Template field.

  • Click OK two times. The condition is now displayed together with the action in the list of actions and conditions.

  • If necessary, add other conditions. For this purpose, right-click the action again and click Add Condition.
  • When done, click Next.

Here, at the Activity Scope page, you need to specify where in Active Directory a user must be located or what groups or Business Units they should be a member of to be affected by the Business Rule. Click Add.

In the Business Rule Activity Scope dialog, select one of the following items:
  • All Objects - select if you want the Business Rule to be executed if the password is reset by a user from any AD domain managed by Adaxes.

  • Specific Domain - select a specific domain if you want the Business Rule to be executed if the user whose password is reset is located in the AD domain you specify.

  • OU or Container - select a specific OU or container if you want the Business Rule to be executed if the user whose password is reset is located under the selected OU or container.

  • Group - select a specific group if you want the Business Rule to be executed if the user whose password is reset is a member of the selected group.

  • Business Unit - select a Business Unit if you want the Business Rule to be executed if the user whose password is reset is a member of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

Select the item you need and click Add. When finished, click OK.

The specified activity scope items will be displayed in the Assignments list. Click Finish.
