0 votes

We are a Google Apps shop. Our help desk currently has to use a Google Admin Console page to reset user passwords when they forget them. We were talking today and wondered if it would be possible to put a Custom Command in Self Service just for the user logging in. Actually, it would be great if we could put it next to the Change Password button that the user sees when they access the Self Service. This would be perfect because the user can do it themselves and they just verified who they are with AD. We would then have to work on the button executing a Google API with data from AD to reset their password. Finding how to implement this now would be greatly appreciated.

Additional note would be that we would like to see being able to add this into the Password Self Service in future releases. Allow the user to select to reset their AD password and those that we can add to the service such as Google Apps.

Any thoughts, advice, or instructions are welcome.

Thanks

+tag
gmail

by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello,

We've found some Google API code samples that show how to manage Google accounts from PowerShell. However, we haven't yet managed to find a way to reset a user's password from Google API. We've given our script guy a task to investigate further into this issue, but it seems to be a lack of functionality in the API. If our script guy finds a way to reset user passwords from Google API with PowerShell, then it will be possible to execute a PowerShell script to reset a password for a user in a Custom Command with the help of the Run a program or PowerShell script action.

By default, a Custom Command that is configured to be executed for User objects appears on the page used for viewing user accounts (including the page for viewing your own account in the Self-Service Web Interface) on the operations panel, under the Other submenu. It can be configured to appear not in the submenu, but on the operations menu, next to the Change Password link, if necessary.

So, if our script guy finds a way to reset a password with the help of Google API via PowerShell, it will be possible to create a Custom Command that resets passwords for Google users and add the Custom Command to the operations menu.

0

If it is put in the Operation Menu, can it be limited to the "self" only? With what we are figuring at the moment, the command will have a Google admin credential in it to actually do the command, so we will want to make sure that it cannot be used against any other object except "self" in the Self Service page.

0

Hello,

Our script guy has come up with a PowerShell script that can do what you need. To accomplish your task, you need to create a Custom Command executed on User objects that will launch your script. Also, you will have to do some preparatory operations to make the script work, which will involve installing Google Data API dlls on the computer where Adaxes is installed and enabling Google Provisioning API for your Google Application.

> If it is put in the Operation Menu, can it be limited to the "self" only?

Yes, this is possible. You can add a condition to your Custom Command that will check whether the initiator of the operation is the target user.

To accomplish your task:

  1. Download Google Data API and install it on the computer where Adaxes is installed.

  2. Enable Google Provisioning API in your Google application. To do this:

    • Open the Google Admin Panel for your Google Application, for which you want to reset user passwords.
    • Click Domain Settings, then User Settings.
    • Select the Enable provisioning API option.
  3. Create the Custom Command that will reset passwords for users in your Google Application. To do this:

    • Create a new Custom Command.

    • On the 2nd step of the Create Custom Command wizard, select the User object type.

    • On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field.

        ```powershell
        [Reflection.Assembly]::LoadFrom("C:\Program Files\Google\Google Data API SDK\Redist\Google.GData.Apps.dll") # TODO: modify me
      
        $userName = "%sAMAccountName%" # TODO: modify me
        $userPassword = "%firstname%%lastname%" # TODO: modify me
        $domainName = "domain.com" # TODO: modify me
        $adminEmail = "administrator@domain.com" # TODO: modify me
        $adminPassword = "password" # TODO: modify me
      
        # Connect to Google Apps
        $service = New-Object "Google.GData.Apps.AppsService" ($domainName, $adminEmail, $adminPassword)
      
        # Get user in Google Apps
        try
        {
            $userEntry = $service.RetrieveUser($userName)
        }
        catch
        {
            $Context.LogMessage("User not found", "Error") # TODO: modify me
            return
        }
      
        # Set new password for the user
        $login = $userEntry.Login
        $login.Password = $userPassword
        $userEntry.Login = $login
      
        # Update user password
        try
        {
            $service.UpdateUser($userEntry)
        }
        catch
        {
            $baseException = $_.Exception.GetBaseException()
            if ($baseException -ne $NULL -and $baseException.Response -ne $NULL)
            {
                if ($baseException.Response.StatusCode -eq "BadRequest")
                {
                    $Context.LogMessage("The password does not meet the password policy", "Error") # TODO: modify me
                    return
                }
            }
            $Context.LogMessage($_.Exception.GetBaseException().Message, "Error")
        }
      
        ```
      
        In the script:   
      
        - *C:\\Program Files\\Google\\Google Data API SDK\\Redist\\Google.GData.Apps.dll* on the first line specifies the path to the **Google.GData.Apps.dll** from the **Google Data API** that you've installed on the **1st** step. Modify this to specify the actual location of the dll on the computer where Adaxes is installed.
        - **$userName** specifies the property that is used as the user's account name in Google. If it is the user's SAM account name, the %sAMAccountName% value reference needs to be specified. If you use another property to specify the user's account name in Google, then use a value reference that will be replaced with the property value for the property that you use. For more information, see [Value Reference Format](http://www.adaxes.com/help/?ValueReferences.ValRefFormat.html).
        - **$userPassword** specifies a template for new password generation.
        - **$domainName** specifies the name of the domain registered in your Google application.
        - **$adminEmail** and **$adminPassword** specify the credentials of a user that has administrative privileges in your Google Application. If you would prefer not to store the credentials directly in the script, there is an option of importing them to a secure storage and then reading them from the storage each time when they are needed. If you would prefer this option, we will help you to modify the script.
    • Specify a short description for the script and click OK.

    • Now you have to add a condition for the script to be run only when the operation is performed on self. Double-click Always.

    • Select the If <property> <relation> <value> condition.

    • Expand the <property> drop-down list.

    • Select the Show all properties option.

    • Select the InitiatorDN property. When the Custom Command is executed, this property will specify the Distinguished Name (DN) of the user who launched the Custom Command.

    • Select equals and type %distinguishedName%. %distinguishedName% is a value reference that will be replaced with the DN of the user, on which the Custom Command is executed.

    • Click OK and finish creation of the Custom Command.
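
An added example, not part of the original answer and not Adaxes' own code: one way to do what the answer mentions about keeping the Google admin credentials out of the script text, using PowerShell's DPAPI-protected `Export-Clixml`/`Import-Clixml`, together with a random password from a CSPRNG in place of the name-based template. The function names, file path and sample account are assumptions; it assumes Windows and that the script runs under the same Windows account that saved the file.

```powershell
# Added example: names, path and sample values below are assumptions (constructed).
$credentialFile = Join-Path $env:TEMP 'google-admin.cred.xml'   # hypothetical location

# One-time setup: run as the Windows account that will later run the script.
# Export-Clixml encrypts the password with DPAPI for that account on that computer.
function Save-GoogleAdminCredential {
    param([string]$Path, [System.Management.Automation.PSCredential]$Credential)
    $Credential | Export-Clixml -LiteralPath $Path
}

# At run time: read the credential back instead of keeping it in the script text.
function Get-GoogleAdminCredential {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Credential file not found: $Path" }
    $credential = Import-Clixml -LiteralPath $Path
    if ($credential -isnot [System.Management.Automation.PSCredential]) {
        throw "File does not contain a PSCredential: $Path"
    }
    return $credential
}

# Random password from a CSPRNG. The alphabet has exactly 64 characters, so
# masking a random byte with 63 selects each character with equal probability.
function New-RandomPassword {
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#+-=?@'
    if ($alphabet.Length -ne 64) { throw 'Alphabet must contain exactly 64 characters' }
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# Demonstration with a constructed account (not a real credential).
$secure = ConvertTo-SecureString 'constructed-sample-only' -AsPlainText -Force
$sample = New-Object System.Management.Automation.PSCredential -ArgumentList 'administrator@domain.com', $secure
Save-GoogleAdminCredential -Path $credentialFile -Credential $sample

$admin = Get-GoogleAdminCredential -Path $credentialFile
$adminEmail = $admin.UserName
$adminPassword = $admin.GetNetworkCredential().Password   # plaintext only in memory
$userPassword = New-RandomPassword -Length 16
"Loaded credential for $adminEmail; generated a $($userPassword.Length)-character password"
Remove-Item -LiteralPath $credentialFile
```

Values obtained this way for `$adminEmail`, `$adminPassword` and `$userPassword` would take the place of the hardcoded assignments in the script above. The user still needs a way to learn the generated password, which this example does not cover.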

0

So I haven't been successful with this yet. Getting invalid credentials, but that is for me and the Google Admin to work on the correct permissions for the account. Now I did get it on the SelfService page. It looks great. After giving the SelfService role the permission to execute the custom command and then playing with Web Interface Console (I actually messed it up, but then got it back), I was able to get the buttons on the bar to look like:

Google Password Reset | Change Password

It looks sweet, but I already know what I am going to get hit with by my management when I show them this...."What password does 'Change Password' change?". Am I able to change the name of the "Change Password" button to "Change Domain Password"?

Thanks for all your help guys!!! This is going to be sweet!!

0

Hello,

> Am I able to change the name of the "Change Password" button to "Change Domain Password"?

Adaxes doesn't allow changing the name under which the Change Password operation appears in the Web Interface.
