What's New in Softerra Adaxes 2011.3
- Version
- 3.2.7913.0
- Release Date
- January 31, 2012
The new release of Softerra Adaxes includes several long-awaited features that aim to provide secure password self-service for users, significantly improve Active Directory automation and management, enhance notification capabilities and much more. Below you will find the list of the new major features and important updates introduced in Softerra Adaxes 2011.3.
Self-Service Password Reset
The new version of Adaxes includes the Self-Service Password Reset feature that allows users to securely reset their passwords themselves without addressing help desk or administrators. Users can perform self-password reset from the Windows Logon Screen or from the logon page of Adaxes Web Interface. You can also integrate the feature with your own sites and web applications if they use Active Directory for user authentication.
For details, see Configure Password Self-Service.
Identity Verification Methods
Security is the most important concern when delegating rights to users. It is crucial to guarantee that a person who initiates a password reset is really eligible for this. To check users' identity, Adaxes uses robust identity-verification methods: Security Questions & Answers and SMS Verification. To get access to self-service password reset, a user must answer a number of security questions, and/or enter a verification code sent to their mobile phone by Adaxes.
SMS Verification
Security Questions
Security Measures
To prevent hacker attacks that aim to get access to the system by guessing answers to security questions or applying brute force attacks, Adaxes uses the following security measures:
- Blocking user accounts after a certain number of failed authentication attempts.
- Sending email notifications to users every time their passwords are reset via the Self-Password Reset system. Users are prompted to contact an administrator in case they did not reset the password.
- Captcha – a word verification image that prevents brute force attacks.
- Statistics – helps to track failed password reset attempts and localize the source of possible attacks.
Statistics
To monitor the password reset and enrollment activities, Adaxes equips you with very proverful reporting capabilities. Using the reporting feature, you can:
- Track enrolled and not enrolled users. It helps you monitor the enrollment process and take necessary actions in case of low enrollment activity.
- Trace failed and successful password resets. By monitoring the failed attempts, you can localize the source of possible attacks and take preventive measures.
- Handle user accounts blocked after a certain number of failed authentication attempts.
Automatic User Enrollment
If Q&A verification is enabled, users need to enroll to the self-password reset service. If your organization stores user-specific data (Social Security numbers, places of birth, etc.) in a datasource like an HR database, you can configure Adaxes to enroll users automatically by pre-loading the data into their Q&A profiles. For this purpose, you can use the following PowerShell cmdlets:
-
New-AdmPasswordSelfServiceEnrollment
Example:
$question = "What are the last 5 digits of your credit card?" $answer = "12345" New-AdmPasswordSelfServiceEnrollment JohnSmith -QuestionsAndAnswers @{$question=$answer} -AdaxesService localhost -
Remove-AdmPasswordSelfServiceEnrollment
Example:
Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost
The information in the datasource used for automated enrollment can be changed or updated. To enable automatic creation of Q&A profiles for new users and updating existing ones, you can automate the synchronization with the datasource by activating the built-in scheduled task named Self-Password Reset Enroller. This task runs a PowerShell script for automated enrollment on a predefined schedule. To activate the task, you need to enable it and modify the script to use your datasource.
For details, see Autoenroll Users for Self-Password Reset.
Scheduled Tasks
The new version of Adaxes introduces a new useful feature called Scheduled Tasks. With its help, you can automate the launch of a wide range of operations on a predefined schedule. Such operations can include sending expiration notifications, deleting inactive accounts, maintaining group membership, and much more.
For details, see Schedule Tasks for Active Directory Management.
Below you will find the most burning problems that can be solved with the help of Scheduled Tasks.
Password Expiration Notifications
For users, passwords always expire unexpectedly. It would be great to inform them about password expiration beforehand. With the help of the built-in Scheduled Task named Password Expiration Notifier, you can automate sending of email or SMS notifications to inform users about password expiration in advance.
Account Expiration Notifications
With the help of the Account Expiration Notifier task, you can enable automated sending of account expiration notifications to users and their managers.
Automated Cleanup of Inactive Users and Computers
Active Directory may contain a lot of accounts that are not used for a long time. Some of them are accounts left after employee dismissal or computer removal and not required any longer, and some can be still in use, but used very seldom. To automate deletion of the inactive accounts, it is important to introduce the means of distinguishing inactive accounts from accounts used occasionally.
To introduce strong and reliable mechanism of inactive account deleting, Adaxes provides two built-in Scheduled Tasks: Inactive Computer Deleter and Inactive User Deleter.
Inactive Computer Deleter
For details, see Delete Inactive Computers.
Inactive User Deleter
For details, see Delete Inactive Computers.
Inactive User Deleter
For details, see Automatically deprovision inactive users.
Automated Management of Group Membership
Now you can significantly improve the automated management of group membership. For example, you can automate adding users located under a specific OU to a group associated with this OU.
Approvals for Scheduled Task Actions
A very important feature of Scheduled Tasks is the ability to control their execution by submitting specific task actions for approval. Actions that require approval will not be executed until approved by an authorized person.
SMS Support
Now, with the help of Adaxes it is possible to send SMS messages to Active Directory users.
SMS Verification on Password Reset
To perform a password reset requested by phone, it is crucial for a Help Desk operator to verify the user's identity. For this purpose, Adaxes allows sending SMS verification code to the user's mobile phone during password reset.
Automated SMS Sending
SMS messages can be sent automatically by Business Rules, Custom Commands and Scheduled Tasks as a notification about an action performed. This will help you, for example, automatically inform administrators about new users added to groups, send notifications to users whose account options have been changed, send new passwords to users, and much more.
In advanced cases, it is possible to send SMS messages from a PowerShell script:
$Context.SendSms($mobileNumber, $text)
Enhanced AD Management and Automation Features
Execute Custom Command Action
Now Custom Commands can be executed from other Custom Commands, Business Rules and Scheduled Tasks. It allows you to create one Custom Command and execute it, for example, after a user is created or updated, on a schedule, or manually.
Value References in Conditions
Now you can use value references in conditions. It is helpful in case you need a condition to include the information contained in the AD object properties.
Value References in 'before create' and 'after delete' Actions
Now Adaxes allows using AD object properties before the creation or after deletion of an object. Thus, for example, you can pass the information about not yet created or already deleted objects to PowerShell scripts.
New Conditions
| Inactive Period | With the help of this condition, you can verify if the user or computer is inactive more than/less than the specified period. 
|
| Account/Password Expiration | With the help of this condition, you can verify the expiration status of the user's account or password 
|
Customization of Approval Notifications
The new version of Adaxes allows customizing templates for email notifications sent as a part of approval-based workflow. For all the notifications, you can edit the subject, header and footer as well as specify font and text size.
Web Interface Improvements
- The visual look of the Web Interface has been improved significantly.
- Added the ability to display user images in search results and object grids.
- Added the ability to customize the footer of the web pages.
- Now it is possible to change the Web Interface icon (favicon).
New Virtual Properties
In the new version of Adaxes, you can use the following virtual properties in value references:
| Property Name | Description |
|---|---|
| adm-PasswordExpires | The date and time of the password expiration of the account, for which the property is calculated. When this property is calculated, the Default Domain Password Policy and Fine-Grained Password Policy are considered. |
| adm-InactivityDuration | The number of days a user does not log on to the system or computer remains turned off. This property can be used to automate processing of inactive accounts. The period of inactivity is reliable only if it is more than 7 days. |
| adm-AccountExpiresDaysLeft | The number of days left before the expiration of the account, for which the property is calculated. This property can be used to notify users about their account expiration. For example, you can specify the following pattern in the notification text: Your account expires in %adm-AccountExpiresDaysLeft% days. |
| adm-PasswordExpiresDaysLeft | The number of days left before the expiration of the password of the user, for which the property is calculated. This property can be used to notify users about their password expiration. For exmaple, you can specify the follwoing pattern: Your password expires in %adm-PasswordExpiresDaysLeft% days. |
| adm-InitiatorMobile | The mobile of the operation initiator. This property can be used to send SMS messages to the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorMobile%. |
| adm-InitiatorManagerEmail | The e-mail of the manager of the operation initiator. This property can be used to send e-mail notifications to the manager of the user, who performs the operation. For this purpose, specify the notification receiver as follows: %adm-InitiatorManagerEmail%. Manager is specified in the Manager property. |
| adm-InitiatorManagerFirstName | The first name of the manager of the operation initiator. Manager is specified in the Manager property. |
| adm-InitiatorManagerLastName | The last name of the manager of the operation initiator. Manager is specified in the Manager property. |
| adm-InitiatorManagerFullName | The full name of the manager of the operation initiator. Manager is specified in the Manager property. |
| adm-InitiatorManagerUserName | The logon name of the manager of the operation initiator. Manager is specified in the Manager property. |
| adm-InitiatorManagerMobile | The mobile phone of the manager of the operation initiator. This property can be used to send SMS messages to the manager of the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorManagerMobile%. Manager is specified in the Manager property. |
| adm-ManagerEmail | The e-mail of user's manager. This property can be used to send e-mail notifications to the manager of a user. For this purpose, specify the notification receiver as follows: %adm-ManagerEmail%. Manager is specified in the Manager property. |
| adm-ManagerFirstName | The first name of user's manager. Manager is specified in the Manager property. |
| adm-ManagerLastName | The last name of user's manager. Manager is specified in the Manager property. |
| adm-ManagerFullName | The full name of user's manager. Manager is specified in the Manager property. |
| adm-ManagerUserName | The logon name of user's manager. Manager is specified in the Manager property. |
| adm-ManagerMobile | The mobile of user's manager. This property can be used to send SMS messages to the manager of a user. For this purpose, specify the SMS receiver as follows: %adm-ManagerMobile%. |
| adm-WebInterfaceUrl | The URL of the Web Interface specified for the Adaxes service. For example, this property can be used in e-mail notifications to insert links to the Adaxes Web Interface. |
Filtering in Logging
The new version of Adaxes allows you to filter the information stored in the Adaxes service log. You can filter by operation type, by initiator type, by target object type or by initiator host.
Miscellaneous
Sending SMS and E-mail Notifications from PowerShell Scripts
Now, to send SMS or email messages from a PowerShell script executed by Custom Commands, Business Rules or Scheduled Tasks, you can use the SendMail and SendSms methods of the $Context variable:
$Context.SendMail($toAddress, $subject, $bodyText, $bodyHtml) $Context.SendSms($mobileNumber, $text)
Icon for Users With Expired Accounts
Now expired user accounts are marked with a specific icon:
Show All Affected Objects Feature
Now Adaxes Administration Console enables you to view all the AD objects affected by a Business Rule, Property Pattern, or Scheduled Task by clicking the Show All Affected Objects button.
