Adaxes

Choose domain controller for password reset

0 votes

Hi,

We are a European branch of a US company, our Exchange server is in US and talks to the US DC.

This leads to the situation that when our helpdesk resets a password, in order to make the reset effective immediately for the user, they need to perform the reset for internal users on the local DC and for external users on the US DC.

Would there be any way to have the team choose the DC to perform the reset on when resetting passwords through web UI? Even better would be if it could be scripted based on OU the user resides in.

Thanks!

by (240 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

There is no such possibility. As a workaround, you can install an instance of Adaxes service and Web Interface in each site. In this case, the Web Interfaces will connect to the closes service, and the services will connect to the nearest available DCs, making password change effective immediately.

The Adaxes Services, in their turn, can share a common configuration. This means that you do not need to configure each service separately. A change in the configuration of one of the services will be replicated to the other ones immediately. Also, when configuration is shared, you can use one license for all the service instances that share the configuration. For information on how to share configuration between services, have a look at the following help article: http://www.adaxes.com/help/?HowDoI.Mana ... ation.html.

Finally, you can configure your DNS so that all the Web Interfaces have the same address, but users will be redirected to the necessary Web interface server depending on which site they are in.

0

Thanks, while that approach might work for other situations, for what I am trying to accomplish it seems a bit too convoluted.

Right now I am trying the following:

- Created a business rule that triggers after a password reset is done
- Add powershell script action that sets the password for the user on the US DC using Set-ADAccountPassword with -Server parameter pointing to the US DC

Now I am running into the issue that when I value reference the AD object the reset is done for (I tried both %username% and %sAMAccountName%) I get

The term 'Set-ADAccountPassword' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

If I specify a specific account manually instead of the value reference the command works, could you point me in direction to troubleshoot this please?

by (240 points)
0

Update:

I now cannot replicate the command succeeding when specifying the account directly instead of using value reference so please disregard my comment about that.

I tried now also with the Set-AdmAccountPassword command but same result, this is the code I am using :

Set-AdmAccountPassword -Identity %sAMAccountName% -Reset -NewPassword (ConvertTo-SecureString -AsPlainText %unicodePwd% -Force) -Server ourdc.ourdomain.com
by (240 points)
0

Hello,

Adaxes uses PowerShell 2.0, so you need to import PowerShell modules explicitly:

Import-Module Adaxes

Set-AdmAccountPassword -Identity "%sAMAccountName%" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "%unicodePwd%" -Force) -Server ourdc.ourdomain.com

Note, however, that such an approach can cause issues when Active Directory performs password replication. We strongly do not recommend it.

by (216k points)
0

Thanks for the explanation and warning, did not consider that.

Resolved it now by adding a home page action that triggers a custom command on user object, in the custom command i use the powershell code to reset the password on the appropriate DC based on the OU the user account is located in. This works now.

Thanks for the help!

by (240 points)

Related questions

0 votes
1 answer
On the built in Create User, how can I get the ability for the user to choose a different domain in the username field?

Using this built in function: There is no option to change the domain on the user account, however this is not the domain we use for UPN. However after creating a user, you can change it but trying to avoid going back into the object.

asked Apr 14, 2023 by mightycabal (1.0k points)
0 votes
1 answer
Limit Self Service Password Reset to a Single Managed Domain

We have two on-prem domains; Domain A and Domain B. Domain A is our primary domain and syncs with Azure AD. Domain B contains accounts created for external ... user attempts to authenticate, they are only authenticating against the Domain B on-prem domain?

asked Apr 10 by awooten (60 points)
+1 vote
1 answer
OR for self password reset

Hi, Is there any way to make Password Self Service Policies OR Operation? Let say, user can enroll to both Q&A and OTP App Google Authenication. However, during the password reset, user can choose either to use Q&A or OTP App.

asked Nov 18, 2021 by fachmi (170 points)
0 votes
1 answer
Local password self service reset for Windows breaks access to private keys of user certificates

Hi there, we are already successfully using the password self service via webinterface for our ad domain users. In addition to this are we in the testing phase of the password ... has the same problem and maybe can report how they solved it. Thanks in advance.

asked Oct 27, 2021 by khess (20 points)
0 votes
1 answer
Enforcing Password Policies for Password Reset

Hello! We have password policies set up to prevent users from reusing the last several passwords and to prevent them from changing their password more than once in a 24 ... know of any way to fully enforce all of the password policies for password resets?

asked Sep 9, 2021 by KelseaIT (320 points)
3,346 questions
3,047 answers
7,772 comments
544,970 users