0 votes

Hello,

We're just getting started evaluating Adaxes and I'm wondering if it's possible to use a custom script to generate user passwords. In my org, we've been using word based passwords, and I have a pre-existing function to generate them (below). Ideally, I'd like Adaxes to use this if we can.

function New-RandomPassword
{
    param (
        [int]$MinimumLength = 12
    )

    # Define the URL for the word list
    $WordListUrl = "https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt"

    # Download the word list
    try
    {
        $WordList = Invoke-WebRequest -Uri $WordListUrl -UseBasicParsing -ErrorAction Stop | ForEach-Object { $_.Content }

        # Split the word list into an array of words (each line is "dice-number<TAB>word"; skip blank lines)
        $Words = $WordList -split "`n" | Where-Object { $_ -match "`t" } | ForEach-Object {
            $split = $_ -split "`t"
            [PSCustomObject]@{
                Number = $split[0]
                Word   = $split[1].Trim()
            }
        }

        # Redraw until the password is at least $MinimumLength characters
        do
        {
            # Select two random words from the list
            $RandomWords = Get-Random -InputObject $Words -Count 2

            # Capitalize the first letter of each word
            $CapitalizedWords = $RandomWords.Word | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) }

            # Join the capitalized words with hyphens
            $Password = $CapitalizedWords -join "-"

            # Add a random digit to the end (-Maximum is exclusive, so 10 gives 0-9)
            $RandomDigit = Get-Random -Minimum 0 -Maximum 10
            $Password += "-$RandomDigit"
        }
        until ($Password.Length -ge $MinimumLength)
    }
    catch
    {
        Write-Warning "Error downloading word list. You will have to manually enter a first time password for this user."
        $Password = Read-Host "Enter Initial Password"
    }
    return $Password
}
by (50 points)
0

In case anyone else is looking to do the same, here is PS for the "Before creating a user" business rule I ended up using. I'm sure this could be improved on but it works for our use:

$MinimumLength = 12

# Define the URL for the word list
$WordListUrl = "https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt"

# Download the word list
try
{
    $WordList = Invoke-WebRequest -Uri $WordListUrl -UseBasicParsing -ErrorAction Stop | ForEach-Object { $_.Content }

    # Split the word list into an array of words (each line is "dice-number<TAB>word"; skip blank lines)
    $Words = $WordList -split "`n" | Where-Object { $_ -match "`t" } | ForEach-Object {
        $split = $_ -split "`t"
        [PSCustomObject]@{
            Number = $split[0]
            Word   = $split[1].Trim()
        }
    }

    # Redraw until the password is at least $MinimumLength characters
    do
    {
        # Select two random words from the list
        $RandomWords = Get-Random -InputObject $Words -Count 2

        # Capitalize the first letter of each word
        $CapitalizedWords = $RandomWords.Word | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) }

        # Join the capitalized words with hyphens
        $Password = $CapitalizedWords -join "-"

        # Add a random digit to the end (-Maximum is exclusive, so 10 gives 0-9)
        $RandomDigit = Get-Random -Minimum 0 -Maximum 10
        $Password += "-$RandomDigit"
    }
    until ($Password.Length -ge $MinimumLength)

    $Context.SetModifiedPropertyValue("unicodePwd", $Password)
    $Context.SetNewPassword($Password)
    # Records the generated password in plain text in the execution log
    $Context.LogMessage("Password for new user %sAMAccountName% set to $($Password)", "Information")
    $Context.SendMail("%adm-InitiatorEmail%", "New Account: %sAMAccountName%", "User: %sAMAccountName%`nPass: $Password", $null)
}
catch
{
    $Context.LogMessage("Error downloading word list. You will have to manually enter a first time password for this user.", 2)
}
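As an added example (not the poster's script and not Adaxes' own code), here is the same word-based scheme written for the "After creating a user" rule recommended later in this thread: words are drawn with the OS cryptographic RNG instead of Get-Random, the list is parsed in the EFF "dice-number<TAB>word" format, short results are redrawn, and the execution log records the entropy of the result rather than the password. The embedded word list is a constructed stand-in for the EFF file, and $Context.TargetObject.SetPassword is assumed (the ADSI IADsUser method) rather than taken from the page.

```powershell
# Constructed stand-in for the EFF file (same "dice-number<TAB>word" format) so the
# example runs offline; the real list has 7776 words (about 12.9 bits per word).
$WordListText = @"
11111`tabacus
11112`tabdomen
11113`tabdominal
11114`tabide
11115`tabiding
11116`tability
"@
function Get-CryptoRandomInt {
    param ([int]$MaxExclusive)
    # Unbiased integer in [0, MaxExclusive) from the OS CSPRNG, via rejection sampling
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $range = [long][uint32]::MaxValue + 1
    $limit = $range - ($range % $MaxExclusive)
    do {
        $rng.GetBytes($bytes)
        $value = [long][System.BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $MaxExclusive)
}
function New-Passphrase {
    param ([string]$WordListText, [int]$WordCount = 3, [int]$MinimumLength = 12)
    # Keep only "number<TAB>word" lines and take the word column
    $words = @($WordListText -split "`r?`n" | Where-Object { $_ -match "`t" } |
               ForEach-Object { ($_ -split "`t")[1].Trim() })
    do {
        $picked = 1..$WordCount | ForEach-Object {
            $w = $words[(Get-CryptoRandomInt -MaxExclusive $words.Count)]
            $w.Substring(0, 1).ToUpper() + $w.Substring(1)
        }
        # The bound is exclusive, so 10 yields a digit 0-9
        $digit = Get-CryptoRandomInt -MaxExclusive 10
        $passphrase = ($picked -join "-") + "-$digit"
    } until ($passphrase.Length -ge $MinimumLength)   # redraw instead of passing a short result through
    # Entropy: words drawn with replacement from the list, plus one decimal digit
    $bits = $WordCount * [math]::Log($words.Count, 2) + [math]::Log(10, 2)
    return [PSCustomObject]@{ Passphrase = $passphrase; EntropyBits = [math]::Round($bits, 1) }
}
# Usage inside the "After creating a user" rule. SetPassword on the created object is assumed;
# LogMessage and SendMail are used as in the thread. The log gets the entropy, not the passphrase.
$result = New-Passphrase -WordListText $WordListText -WordCount 3 -MinimumLength 12
$Context.TargetObject.SetPassword($result.Passphrase)
$Context.LogMessage("Initial password set for %sAMAccountName% ($($result.EntropyBits) bits)", "Information")
$Context.SendMail("%adm-InitiatorEmail%", "New Account: %sAMAccountName%",
    "User: %sAMAccountName%`nPass: $($result.Passphrase)", $null)
```

With the full EFF list, three words and one digit give about 42 bits; the tiny constructed list above is only for running the parsing and selection logic offline.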
0

Hello,

We recommend that you move the script to a business rule triggering After creating a user and update it accordingly. This way, the email will not be sent if the user creation fails, and the recipients will not go to check for the user before it actually exists.

1 Answer

0 votes
by (305k points)
selected by
Best answer

Hello,

It should work just fine except for the catch block. The thing is that user interaction is prohibited in Adaxes scripts. Also, the Write-Host and Read-Host cmdlets do not work in Adaxes. You can write output to the execution log using the method $Context.LogMessage. For details on how to execute a script in Adaxes upon user creation, see https://www.adaxes.com/help/RunPowerShellScriptAfterCreatingUser.

0

Thanks for that quick response!

I figured I'd have to tweak it a bit, thanks for giving me a head start on that. If I go this route, could I still use this procedure https://www.adaxes.com/help/SendInitialPasswordToNewUsers/, or would I need to incorporate emailing the new password as part of my custom password generation script?

I'm assuming it's the latter since %unicodePwd% wouldn't be set to the password my custom generation script creates?

0

Hello,

Your assumption is correct. In this case, the only option to send the password via email is by doing so in the script where the password is generated.

0

If you want a much more random password, use the API at makemeapassword.ligos.net. Here's how we generate passphrases such as Lantern-clothed-lowered8:

# Assumed setup, not shown in the original post: %sAMAccountName% is an Adaxes value reference
$samAccountName = "%sAMAccountName%"

try {
    $url = "https://makemeapassword.ligos.net/api/v1/passphrase/json?s=normal&ups=1&whenup=startofword&wc=3&nums=1&whennum=endofphrase"
    $newPass = Invoke-RestMethod $url -ErrorAction Stop

    if ($newPass.Error) {
        throw [System.Exception]::new("Failed to request new password for $samAccountName. Error: $($newPass.Error)")
    }

    # The API returns the passphrase in the "pws" field with spaces between words; replace them with hyphens
    $newPass = ConvertTo-SecureString -AsPlainText ([string]$newPass.pws).Replace(" ", "-") -Force
}
catch {
    $Context.LogException($_.Exception)
    $Context.Cancel("Failed to request a password for $samAccountName")
}

Set-AdmAccountPassword -Identity $samAccountName -NewPassword $newPass -Reset
