The new release of Softerra Adaxes includes several long-awaited features that aim to provide secure password self-service for users, significantly improve Active Directory automation and management, enhance notification capabilities and much more. Below you will find the list of the new major features and important updates introduced in Softerra Adaxes 2011.3.
The new version of Adaxes includes the Self-Service Password Reset feature, which allows users to securely reset their own passwords without contacting the help desk or administrators. Users can reset their passwords from the Windows Logon Screen or from the logon page of the Adaxes Web Interface. You can also integrate the feature with your own sites and web applications if they use Active Directory for user authentication.
For details, see Configure Password Self-Service.
Security is the most important concern when delegating rights to users. It is crucial to guarantee that a person who initiates a password reset is really eligible for this. To check users' identity, Adaxes uses robust identity-verification methods: Security Questions & Answers and SMS Verification. To get access to self-service password reset, a user must answer a number of security questions, and/or enter a verification code sent to their mobile phone by Adaxes.
SMS Verification
Security Questions
To prevent hacker attacks that aim to get access to the system by guessing answers to security questions or applying brute force attacks, Adaxes uses the following security measures:
To monitor the password reset and enrollment activities, Adaxes equips you with very powerful reporting capabilities. Using the reporting feature, you can:
If Q&A verification is enabled, users need to enroll to the self-password reset service. If your organization stores user-specific data (Social Security numbers, places of birth, etc.) in a datasource like an HR database, you can configure Adaxes to enroll users automatically by pre-loading the data into their Q&A profiles. For this purpose, you can use the following PowerShell cmdlets:
Example:
$question = "What are the last 5 digits of your credit card?"
$answer = "12345"
New-AdmPasswordSelfServiceEnrollment JohnSmith -QuestionsAndAnswers @{$question=$answer} -AdaxesService localhost
Example:
Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost
The information in the datasource used for automated enrollment can be changed or updated. To enable automatic creation of Q&A profiles for new users and updating existing ones, you can automate the synchronization with the datasource by activating the built-in scheduled task named Self-Password Reset Enroller. This task runs a PowerShell script for automated enrollment on a predefined schedule. To activate the task, you need to enable it and modify the script to use your datasource.
For details, see Autoenroll Users for Self-Password Reset.
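The following is an added example, not Softerra's built-in Self-Password Reset Enroller script, showing bulk enrollment from an HR export with the New-AdmPasswordSelfServiceEnrollment cmdlet shown above. The CSV rows, column names, questions and minimum answer length are constructed for illustration, and the module name Adaxes is an assumption.

```powershell
$adaxesService   = "localhost"  # same service host as in the examples above
$minAnswerLength = 4            # assumption: local policy for the shortest usable answer
$dryRun          = $true        # set to $false to actually write Q&A profiles

# Assumption: the Adaxes cmdlets are provided by a module named "Adaxes".
if (-not $dryRun) { Import-Module Adaxes -ErrorAction Stop }

# Constructed sample data standing in for the HR datasource (hypothetical columns).
$hrRecords = @"
UserName,BirthPlace,EmployeeCode
JohnSmith,Springfield,88412
JaneDoe,,10977
BobLee,Leeds,7
"@ | ConvertFrom-Csv

# Maps each security question to the HR column that holds its answer.
$questionMap = [ordered]@{
    "What is your place of birth?" = "BirthPlace"
    "What is your employee code?"  = "EmployeeCode"
}

foreach ($record in $hrRecords) {
    $qa = @{}
    foreach ($question in $questionMap.Keys) {
        $column = $questionMap[$question]
        $answer = "$($record.$column)".Trim()
        # A blank or very short answer is trivially guessable, so do not pre-load it.
        if ($answer.Length -ge $minAnswerLength) { $qa[$question] = $answer }
    }
    if ($qa.Count -lt $questionMap.Count) {
        # Log the user name only; answers never go to the console or a log file.
        Write-Warning "Skipping $($record.UserName): incomplete or weak HR data"
        continue
    }
    if ($dryRun) {
        Write-Output "Would enroll $($record.UserName) with $($qa.Count) question(s)"
        continue
    }
    try {
        New-AdmPasswordSelfServiceEnrollment $record.UserName `
            -QuestionsAndAnswers $qa -AdaxesService $adaxesService -ErrorAction Stop
        Write-Output "Enrolled $($record.UserName)"
    }
    catch {
        Write-Warning "Enrollment failed for $($record.UserName): $($_.Exception.Message)"
    }
}
```

With the constructed rows, only JohnSmith passes validation; JaneDoe (blank birthplace) and BobLee (one-character employee code) are skipped with a warning.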
The new version of Adaxes introduces a new useful feature called Scheduled Tasks. With its help, you can automate the launch of a wide range of operations on a predefined schedule. Such operations can include sending expiration notifications, deleting inactive accounts, maintaining group membership, and much more.
For details, see Schedule Tasks for Active Directory Management.
Below you will find the most burning problems that can be solved with the help of Scheduled Tasks.
For users, passwords always expire unexpectedly. It would be great to inform them about password expiration beforehand. With the help of the built-in Scheduled Task named Password Expiration Notifier, you can automate sending of email or SMS notifications to inform users about password expiration in advance.
With the help of the Account Expiration Notifier task, you can enable automated sending of account expiration notifications to users and their managers.
Active Directory may contain a lot of accounts that have not been used for a long time. Some of them are accounts left behind after an employee's dismissal or a computer's removal and are no longer required, while others are still in use, but only very seldom. To automate deletion of inactive accounts, it is important to have a means of distinguishing inactive accounts from accounts that are used occasionally.
To provide a strong and reliable mechanism for deleting inactive accounts, Adaxes provides two built-in Scheduled Tasks: Inactive Computer Deleter and Inactive User Deleter.
For details, see Delete Inactive Computers from Active Directory.
For details, see Automatically Deprovision Inactive AD Users.
Now you can significantly improve the automated management of group membership. For example, you can automate adding users located under a specific OU to a group associated with this OU.
A very important feature of Scheduled Tasks is the ability to control their execution by submitting specific task actions for approval. Actions that require approval will not be executed until approved by an authorized person.
Now, with the help of Adaxes it is possible to send SMS messages to Active Directory users.
To perform a password reset requested by phone, it is crucial for a Help Desk operator to verify the user's identity. For this purpose, Adaxes allows sending an SMS verification code to the user's mobile phone during password reset.
SMS messages can be sent automatically by Business Rules, Custom Commands and Scheduled Tasks as a notification about an action performed. This will help you, for example, automatically inform administrators about new users added to groups, send notifications to users whose account options have been changed, send new passwords to users, and much more.
In advanced cases, it is possible to send SMS messages from a PowerShell script:
$Context.SendSms($mobileNumber, $text)
Now Custom Commands can be executed from other Custom Commands, Business Rules and Scheduled Tasks. It allows you to create one Custom Command and execute it, for example, after a user is created or updated, on a schedule, or manually.
Now you can use value references in conditions. It is helpful in case you need a condition to include the information contained in the AD object properties.
Now Adaxes allows using AD object properties before the creation or after deletion of an object. Thus, for example, you can pass the information about not yet created or already deleted objects to PowerShell scripts.
Condition | Description |
---|---|
Inactive Period | With the help of this condition, you can verify if the user or computer is inactive more than/less than the specified period. |
Account/Password Expiration | With the help of this condition, you can verify the expiration status of the user's account or password. |
The new version of Adaxes allows customizing templates for email notifications sent as a part of approval-based workflow. For all the notifications, you can edit the subject, header and footer as well as specify font and text size.
In the new version of Adaxes, you can use the following virtual properties in value references:
Property Name | Description |
---|---|
adm-PasswordExpires | The date and time of the password expiration of the account, for which the property is calculated. When this property is calculated, the Default Domain Password Policy and Fine-Grained Password Policy are considered. |
adm-InactivityDuration | The number of days during which a user has not logged on to the system or a computer has remained turned off. This property can be used to automate processing of inactive accounts. The period of inactivity is reliable only if it is more than 7 days. |
adm-AccountExpiresDaysLeft | The number of days left before the expiration of the account, for which the property is calculated. This property can be used to notify users about their account expiration. For example, you can specify the following pattern in the notification text: Your account expires in %adm-AccountExpiresDaysLeft% days. |
adm-PasswordExpiresDaysLeft | The number of days left before the expiration of the password of the user, for which the property is calculated. This property can be used to notify users about their password expiration. For example, you can specify the following pattern: Your password expires in %adm-PasswordExpiresDaysLeft% days. |
adm-InitiatorMobile | The mobile of the operation initiator. This property can be used to send SMS messages to the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorMobile%. |
adm-InitiatorManagerEmail | The e-mail of the manager of the operation initiator. This property can be used to send e-mail notifications to the manager of the user, who performs the operation. For this purpose, specify the notification receiver as follows: %adm-InitiatorManagerEmail%. Manager is specified in the Manager property. |
adm-InitiatorManagerFirstName | The first name of the manager of the operation initiator. Manager is specified in the Manager property. |
adm-InitiatorManagerLastName | The last name of the manager of the operation initiator. Manager is specified in the Manager property. |
adm-InitiatorManagerFullName | The full name of the manager of the operation initiator. Manager is specified in the Manager property. |
adm-InitiatorManagerUserName | The logon name of the manager of the operation initiator. Manager is specified in the Manager property. |
adm-InitiatorManagerMobile | The mobile phone of the manager of the operation initiator. This property can be used to send SMS messages to the manager of the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorManagerMobile%. Manager is specified in the Manager property. |
adm-ManagerEmail | The e-mail of user's manager. This property can be used to send e-mail notifications to the manager of a user. For this purpose, specify the notification receiver as follows: %adm-ManagerEmail%. Manager is specified in the Manager property. |
adm-ManagerFirstName | The first name of user's manager. Manager is specified in the Manager property. |
adm-ManagerLastName | The last name of user's manager. Manager is specified in the Manager property. |
adm-ManagerFullName | The full name of user's manager. Manager is specified in the Manager property. |
adm-ManagerUserName | The logon name of user's manager. Manager is specified in the Manager property. |
adm-ManagerMobile | The mobile of user's manager. This property can be used to send SMS messages to the manager of a user. For this purpose, specify the SMS receiver as follows: %adm-ManagerMobile%. |
adm-WebInterfaceUrl | The URL of the Web Interface specified for the Adaxes service. For example, this property can be used in e-mail notifications to insert links to the Adaxes Web Interface. |
The new version of Adaxes allows you to filter the information stored in the Adaxes service log. You can filter by operation type, by initiator type, by target object type or by initiator host.
Now, to send SMS or email messages from a PowerShell script executed by Custom Commands, Business Rules or Scheduled Tasks, you can use the SendMail and SendSms methods of the $Context variable:
$Context.SendMail($toAddress, $subject, $bodyText, $bodyHtml)
$Context.SendSms($mobileNumber, $text)
Now expired user accounts are marked with a specific icon:
Now Adaxes Administration Console enables you to view all the AD objects affected by a Business Rule, Property Pattern, or Scheduled Task by clicking the Show All Affected Objects button.