0 votes

We would like to have some email notifications sent based on custom commands. The issue is some of the emails need to have the user's password in them.

While reading through the forum, we understand that the %unicodePwd% variable is only good in a Business Rule and doesn't resolve in a custom command. So we modified our business rule so that anytime a password is reset, it also writes that password to CustomAttributeText1 of the affected user.

Here is the business rule:

After resetting password of a user:
Always
Modify the User: set adm-CustomAttributeText1 to '%unicodePwd%'

Here is our custom command:

Always
Reset password for the User
Modify the User: set Password Never Expires to 'False', set Must Change Password at Logon to 'True', set User Cannot Change Password to 'False'
Send e-mail notification (New Password for %fullname%)

The issue we see is that the email notification in the custom command is being generated and sent BEFORE the business rule has changed the password and written the new password to CustomAttributeText1. As a result, the email that goes out always has the old value in CustomAttributeText1, not the changed password in the first step of the custom command.

Any suggestions would be appreciated.

by (70 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello,

The reason why your Custom Command does not work is that value references are resolved before executing any actions contained in a Custom Command. In particular, the %adm-CustomAttributeText1% value reference is resolved into the old value before the command resets a user password.

To resolve the issue, we recommend that you send the e-mail notification using a script. You can find an example of the script in the Server-Side Scripting article, in the Sending Email and SMS section.

In the script, you need to get the value of the CustomAttributeText1 attribute using the IADs::Get() method, for example:

$newPassword = $Context.TargetObject.Get("adm-CustomAttributeText1")

$to = "%adm-ManagerEmail%"
$subject = "New Password for %fullname%"
$bodyText =
@"
Password for %fullname% has been changed. New password: $newPassword.
"@
$bodyHtml = $NULL

$Context.SendMail($to, $subject, $bodyText, $bodyHtml)

Warning: Pay attention that storing passwords as plain text is not a good idea from the security standpoint. We recommend storing passwords in encrypted form. As you will use a script to send passwords anyway, you can store them as SecureString instead of plain text. In that case SecureString will be decrypted in your Custom Command immediately before sending the email notification. It will be possible to decrypt the SecureStrings only using credentials of the default service administrator. We can provide you code samples for encrypting / decrypting passwords to/from SecureStrings.
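
The SecureString approach mentioned in the answer above, as an added example (not part of the original answer and not vendor code). The function names are hypothetical, and it assumes both scripts run under the same service account and that the custom attribute can hold the encrypted text; Put, Get and SetInfo are the standard IADs calls.

```powershell
# Added example. DPAPI (ConvertFrom-SecureString without -Key) binds the
# ciphertext to the Windows account that runs the script, so both scripts
# must run under the same account.

function Protect-Password([string]$PlainText) {
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    return ConvertFrom-SecureString -SecureString $secure   # hex text, safe to store
}

function Unprotect-Password([string]$Protected) {
    $secure = ConvertTo-SecureString -String $Protected     # fails under another account
    return (New-Object System.Net.NetworkCredential('', $secure)).Password
}

# Script 1: run from the "After resetting password of a user" business rule,
# in place of the action that writes '%unicodePwd%' as plain text.
function Save-ProtectedPassword($Context, [string]$Password) {
    $Context.TargetObject.Put('adm-CustomAttributeText1', (Protect-Password $Password))
    $Context.TargetObject.SetInfo()
}

# Script 2: run from the custom command after "Reset password for the User".
function Send-NewPasswordMail($Context, [string]$To, [string]$FullName) {
    $stored = $Context.TargetObject.Get('adm-CustomAttributeText1')
    $newPassword = Unprotect-Password $stored
    $subject = "New Password for $FullName"
    $bodyText = "Password for $FullName has been changed. New password: $newPassword."
    $Context.SendMail($To, $subject, $bodyText, $null)
    # Do not leave the value on the account once the mail is out.
    $Context.TargetObject.Put('adm-CustomAttributeText1', $null)
    $Context.TargetObject.SetInfo()
}

if ($Context) {
    # Inside Adaxes, keep only the call that belongs to the script at hand:
    #   Save-ProtectedPassword $Context '%unicodePwd%'   (breaks if the password contains ')
    #   Send-NewPasswordMail $Context "%adm-ManagerEmail%" "%fullname%"
} else {
    # Outside Adaxes: round-trip a constructed sample value.
    $sample = 'Constructed-Sample-1!'
    $blob = Protect-Password $sample
    "Stored form differs from plain text: $($blob -ne $sample)"
    "Round trip OK: $((Unprotect-Password $blob) -ceq $sample)"
}
```

The new password still leaves the system in clear text inside the e-mail body; the encryption only covers the value while it sits in the directory attribute.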
