Request Approval for Self-Password Reset
With Adaxes, user passwords can be reset by administrators and other technical personnel, such as Help Desk or IT support staff. Users can also reset their own passwords using the Password Self-Service feature of Adaxes. Business Rules, the workflow capability of Adaxes, let you control how the Self-Service Password Reset feature is used. For example, for security reasons you may want somebody else to approve a self password reset when the operation is performed by a user with high privileges, so that a self-service session alone is not enough to change the password of a privileged account.
In this tutorial, you will learn how to configure Adaxes to request an approval when users reset their own password. For this purpose, you need to create a Business Rule triggered before self password reset.
- Select User in the Object Type list.
- Select Before in the Operation section.
- Select Self-resetting password in the Operation section and click Next.
At the next step, you need to specify what the Business Rule will do when it is executed. Click the Add Action link and select the Send this operation for approval action.
In the Action Parameters section, click Add and select users or groups that will be able to approve the requests to self reset password.
Optionally, you can use one of the following options:
- Manager of the requestor to allow the manager of the user whose password is reset to approve or deny the operation. The manager-employee relationship is stored in the Manager property of an AD user.
- Owner of the requestor's OU to allow the owner of the Organizational Unit (OU) containing the account of the user whose password is reset to approve or deny the operation. The OU owner is specified in the Managed By property of OU objects.
How to request approval from a PowerShell script
- Add a new action to the Business Rule.
- In the Add Action dialog, select the Run a program or PowerShell script action.
- In the Short description field, describe what your script does, its purpose or intention.
- Optionally, assign a custom description for the action. A custom description replaces the default description that Adaxes generates for the Run a program or PowerShell script action. To do this, click the Assign Custom Action Description button and type the description in the Custom action description field.
- Type the text of the script in the Script field and click OK.
To submit a request for approval from a script, call the SubmitForApproval method of the pre-defined PowerShell variable called Context. As its first parameter, the method takes an array of distinguished names (DNs) of the users or groups that will be designated as approvers. For detailed information on the input parameters of the method, see SubmitForApproval.
The following script submits an approval request to a specific user and to the members of a specific group.
$approvers = @( "CN=John Smith,CN=Users,DC=example,DC=com", "CN=Group,OU=Groups,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
How to get the DN of an object
- Launch Adaxes Administration Console.
- Right-click the object you need.
- In the context menu, open the submenu of the Copy item.
- Click Copy DN. The DN of the selected Active Directory object will be copied to the clipboard.
You can use value references in distinguished names of approvers. Before executing the script, Adaxes will replace the value references with corresponding property values of the user whose password is reset.
The following example submits an approval request to the user's secretary and to the members of the group called Admins located in the Organizational Unit where the user account resides.
$approvers = @( "%secretary%", "CN=Admins,%adm-InitiatorParentDN%")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
The next example submits a request to the members of the group whose name consists of the name of the user's department followed by Managers.
$approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.
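The script below is an added example, not code from the Adaxes documentation. It shows the check a practitioner usually wants around the value-reference approach above: if the Manager property of the user is empty, a value reference such as %manager% expands to an empty string and the approval request ends up with no usable approver. The script reads the attribute itself, falls back to a fixed administrators group when no manager is set, and logs what it decided. It assumes the standard Business Rule $Context members TargetObject, LogMessage and SubmitForApproval; the fallback group DN is a placeholder you must replace with a DN from your own domain, and the meaning of the four Boolean parameters is whatever SubmitForApproval documents for them.

```powershell
# Added example (not Adaxes documentation code).
# Context: Business Rule triggered "Before self-resetting password".
# Assumes $Context.TargetObject is the user resetting the password and that
# $Context.LogMessage and $Context.SubmitForApproval are available.

# Placeholder: replace with the DN of a real approvers group in your domain.
$fallbackGroupDN = "CN=Password Reset Approvers,OU=Groups,DC=example,DC=com"

# Read the Manager attribute of the user whose password is being reset.
# IADs Get() throws when the attribute is not set, hence the try/catch.
$managerDN = $null
try {
    $managerDN = $Context.TargetObject.Get("manager")
}
catch {
    $managerDN = $null
}

$approvers = @()
if (-not [string]::IsNullOrEmpty($managerDN)) {
    # Manager is set: the manager becomes an approver.
    $approvers += $managerDN
}
else {
    # No manager: do not submit with an empty approver, fall back instead.
    $Context.LogMessage("Manager is not set for this user; using fallback approvers group only.", "Warning")
}

# The fallback group is always included so that the request can be approved
# even if the manager is on leave or the Manager attribute is stale.
$approvers += $fallbackGroupDN

$Context.LogMessage("Submitting self password reset for approval to: " + ($approvers -join "; "), "Information")

# First parameter: array of approver DNs (users or groups).
# Remaining parameters: notification flags, see SubmitForApproval.
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```

Before enabling the rule for privileged users, verify in the Administration Console that the fallback group DN resolves (Copy DN, as described above) and that at least one of its members is active; an approval request that nobody can approve blocks the user without improving security.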
To request approval only if the user is a member of a certain group, do the following:
- Right-click the action and select Add Condition in the context menu.
- In the dialog that opens, select the If is a member of <Group> condition type.
- In the Condition Parameters section, click Select Group.
- Select the necessary group from the list. Alternatively, you can specify a template to be used to generate the distinguished name (DN) of the group.
Specifying group template
To specify a group DN template, switch to the Specify template tab and type the template in the Template field.
You can use value references (e.g. %department%) in the DN template. Value references will be substituted with corresponding property values of the user whose password is reset. For example, if you specify the following: CN=%department%,DC=company,DC=com, the %department% value reference will be substituted with the value of the Department property of the user. So, if a user whose department is Human Resources is trying to reset own password, the group DN will be CN=Human Resources,DC=company,DC=com.
To select a value reference, click the button embedded in the Template field.
- Click OK twice.
- If necessary, add other conditions. For this purpose, right-click the action again and click Add Condition.
- When done, click Next.
At the Activity Scope step, select where the Business Rule applies:
- All Objects - select if you want the Business Rule to be executed when the password is reset by a user from any AD domain managed by Adaxes.
- Specific Domain - select a specific domain if you want the Business Rule to be executed when the user whose password is reset is located in the AD domain you specify.
- OU or Container - select a specific OU or container if you want the Business Rule to be executed when the user whose password is reset is located under the selected OU or container.
- Group - select a specific group if you want the Business Rule to be executed when the user whose password is reset is a member of the selected group.
- Business Unit - select a Business Unit if you want the Business Rule to be executed when the user whose password is reset is a member of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.
Select the item you need and click Add. When finished, click OK.
The specified activity scope items will be displayed in the Assignments list. Click Finish.