0 votes

I am attempting to write a powershell script that will enroll users in the self-service password system. However I would like to execute the new enrollment only if the user is not currently enrolled.

This example gets me part of the way..
http://www.adaxes.com/tutorials_SelfSer ... dReset.htm

Import-Module Adaxes

  $question1 = "What are the last 4 digits of your credit card?"
  $question2 = "What is your social security number?"

  foreach ($line in (Import-Csv c:\qa.csv))
  {
    $answer1 = $line.CardDigits
    $answer2 = $line.SSN

    # I would love an if statement here checking if user is already enrolled.
    New-AdmPasswordSelfServiceEnrollment $line.User -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
  }

Reviewing the SDK points at an adsi method within IAdmPasswordSelfServiceReportRecord called GetUserInfo that appears to have the information I require. I am not sure how to use this in PowerShell, there are no examples within that section of the SKD

# ... a bunch of code up above that queries a SQL database and returns $results and sets variables
foreach ($result in $results) {
$userObj = get-ADUser $result.Identity -Properties CanonicalName,sAMAccountName,distinguishedName
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($AdaxesService)
$admUser = $admService.OpenObject(("Adaxes://" + $userObj.DistinguishedName), $NULL, $NULL, 0)

# i dont quite know what to put here...
if ( $admUser... ? -eq $false ) {
New-AdmPasswordSelfServiceEnrollment -Identity $result.Identity -QuestionsAndAnswers @{$question1=$pin;$question2=$result.DateOfBirth} -AdaxesService $AdaxesService
}
}

oh, and if New-admPasswordSelfServiceEnrollment command only "does anything" if there is no enrollment that would be great, but the system keeps re-enrolling every time I send the command.

I would love some assistance, thank you

by (70 points)

1 Answer

0 votes
by (216k points)

Hello David,

To determine whether a user is enrolled, you can use ADSI interfaces. The IAdmPasswordSelfServiceOps::IsEnrolled property exposed by each AD user in Adaxes indicates whether a user is enrolled for Password Self-Service.

How do you plan to launch the script, as a part of an Adaxes Scheduled Task or directly from the Windows PowerShell Console, for example?

if New-admPasswordSelfServiceEnrollment command only "does anything" if there is no enrollment that would be great

Actually, the current behavior of the cmdlet was done on purpose, because Password Self-Service Policies can change, as well as user data can change, so you may need to re-enroll a user with other Password Self-Service parameters. For this purpose, the cmdlet always re-enrolls users.

0

Support Thank you.

omg, it is really that easy. /sigh

if ($admUser.IsEnrolled) { ... } 

The database that contains our "answers" is only available from specific machines, the adaxes server is no one of them. I will be scheduling a powershell script on a server that does have access to the data. This server as the adaxes powershell components installed.

0

David,

Actually, it won't be that simple. The thing is that the built-in $Context variable is only available in scripts run by Adaxes Business Rules, Custom Commands or Scheduled Tasks. It represents the script runtime context. Since you are going to run the script outside of Adaxes, you'll first need to connect to your Adaxes service. Here's a version of the script that'll do the job:

Import-Module Adaxes
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceAddress = "adaxesserver.example.com" # TODO: modify me
$cSVFilePath = "c:\qa.csv" # TODO: modify me

$question1 = "What are the last 4 digits of your credit card?" # TODO: modify me
$question2 = "What is your social security number?" # TODO: modify me

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceAddress)

foreach ($line in (Import-Csv $cSVFilePath))
{
    # Find the user in AD
    $user = Get-AdmUser $line.User -ErrorAction SilentlyContinue

    if (-not($user))
    {
        $userId = $line.User
        Write-Host "Could not find user with identity $userId"
        continue
    }

    # Bind to the user
    $userDN = $user.DistinguishedName
    $userObj = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

    if (-not($userObj.IsEnrolled))
    {
        $answer1 = $line.CardDigits
        $answer2 = $line.SSN

        New-AdmPasswordSelfServiceEnrollment $user -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService $serviceAddress
     }   
}

Related questions

0 votes
0 answers

Whether I try to run a script or manually run the commands to enroll users, users remain unenrolled. Example of a basic script: Import-Module ... ` -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost Adaxes version 2021

asked Mar 27, 2023 by gwadmin (80 points)
0 votes
1 answer

Hi, Somehow I cannot enroll users anymore since the upgrade, I get this message: "You cannot enroll for Password Self-Service because the policy effective for your account requires ... disenroll I get this message: Anyone got any idea of what is going wrong?

asked Jul 11, 2018 by droezel (110 points)
0 votes
1 answer

Hi there, We're preparing for the release of a Password Self-Service portal with Adaxes, essentially a scaled-down version of the selfservice portal with a customized ... the properties/conditions used to determine "person is not enrolled"? Thanks in advance!

asked Dec 30, 2011 by Kirk (60 points)
0 votes
1 answer

Hello, Similarly to how you can have a mobile number field on the Password Self Service enrollment page, is there any way you can have an alternate field such as ... a custom attribute after enrollment through regular self service. Possible or no? Thank you.

asked Nov 27, 2017 by Kevin (100 points)
0 votes
1 answer

Is there a way to set the time that the automatic self-service enrollment invitation email is sent? (the one sent if the box is checked on the policy) Additionally, is ... email to be HTML format? They appear to only allow plain text when editing the policy.

asked Jun 29, 2017 by HDClown (220 points)
3,569 questions
3,259 answers
8,275 comments
547,987 users