0 votes

Is it possible to reset a password and force the user to change password at next login within the same action of a custom command? When they are split out into separate actions as shown, it doesn't initiate an attribute sync when using Azure AD Connect. Presumably one would have to use a PowerShell script to accomplish this, and if so, I would like to request this functionality be added to the reset password action in the future.

[Screenshot: Reset Password - Adaxes Administration Console 2019.1]

[Screenshot: connectsync]

by (2.5k points)

1 Answer

0 votes
by (2.6k points)

Yes, it is possible. The only discrepancy in your Custom Command configuration is the actions order. The Reset password for the user action should be executed before the Modify the user action, as in the current configuration the User must change password at next logon option will be set to No after the password reset and thus will not be replicated to Azure AD. Finally, your Custom Command should look like the following: [Screenshot]

0

Actually the order you are suggesting is what I tested first, but then switched them and got the same result. Our server version is 3.11.16825.0 and we also have configured simultaneous Azure AD password change.

0

Hello,

Sorry for the confusion. There is no possibility to synchronize passwords of accounts who have the User must change password at next logon option enabled. The behavior is by design in hybrid Active Directory environments and is not related to Adaxes. However, the synchronization of temporary passwords and the User must change password at next logon option is available for public preview. For details, have a look at the Public Preview of synchronizing temporary passwords and "Force Password Change on Next Logon" section of the following Microsoft article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization.

0

Yes, I'm aware of that option and I have enabled it in Azure AD. The issue is that the two actions in the custom command function differently than the Adaxes or ADUC native password reset functionality in that they don't trigger the attribute to sync. The same is true if I use ADUC and reset the password, but don't check the "require change" box and then check the box afterwards in the user properties. It has to be done simultaneously.

+1

Hello,

Thank you for specifying. To reset a user password and enable the User must change password at next logon option at the same time, the below script can be executed in the Run a program or PowerShell script Custom Command action.

# Bind to the target user of the Custom Command
$user = $Context.BindToObjectEx($Context.TargetObject.AdsPath, $True)

# Enable the 'User must change password at next logon' option
$user.Put("pwdLastSet", 0)

# Disable the 'Password never expires' option: Put the value 0 and then
# restrict the write to the ADS_UF_DONT_EXPIRE_PASSWD bit, so that only
# this flag of userAccountControl is cleared and the other flags are kept
$user.Put("userAccountControl", 0)
[int]$passwordNeverExpires = [Softerra.Adaxes.Interop.Adsi.PersistentObjects.ADS_USER_FLAG_ENUM]::ADS_UF_DONT_EXPIRE_PASSWD
$user.PutPropertyItemMask("userAccountControl", $passwordNeverExpires)

# Disable the 'User cannot change password' option
$user.Put("adm-CanNotChangePassword", $False)

# Generate a new password
$rootDSE = $Context.BindToObject("Adaxes://RootDSE")
$password = $rootDSE.GeneratePassword($Context.TargetObject)

# Set the password
$user.Put("unicodePwd", $password)

# Save all changes in a single write, so that the new password and the
# 'User must change password at next logon' option are applied together
$user.SetInfo()
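As an added example (not from this thread and not Adaxes code), a PowerShell audit check that flags accounts where 'User must change password at next logon' (pwdLastSet = 0) has been set but is overridden by the options the script above clears: 'Password never expires' in userAccountControl, or 'User cannot change password'. It runs on constructed sample records; the Get-ADUser line in the comment is how one would feed it real accounts.

```powershell
# Added example, not part of the forum thread or the Adaxes product.
# ADS_UF_DONT_EXPIRE_PASSWD is the 'Password never expires' bit of userAccountControl.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Test-ForcedPasswordChange {
    <#
      Returns whether a 'must change password at next logon' setting (pwdLastSet = 0)
      will actually take effect. It is overridden when 'Password never expires' is set,
      and the user cannot comply when 'User cannot change password' is set (that one is
      a DACL setting, so it is not visible in userAccountControl).
    #>
    param(
        [Parameter(Mandatory)][int64]$PwdLastSet,
        [Parameter(Mandatory)][int64]$UserAccountControl,
        [bool]$CannotChangePassword = $false
    )
    $forced      = ($PwdLastSet -eq 0)
    $neverExpire = (($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    [pscustomobject]@{
        ForceChangeSet       = $forced
        PasswordNeverExpires = $neverExpire
        CannotChangePassword = $CannotChangePassword
        Effective            = ($forced -and -not $neverExpire -and -not $CannotChangePassword)
    }
}

# Constructed sample records (hypothetical accounts). In a real audit, replace with:
#   Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl, CannotChangePassword
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user1'; pwdLastSet = 0; userAccountControl = 0x200;   CannotChangePassword = $false }  # forced, effective
    [pscustomobject]@{ SamAccountName = 'user2'; pwdLastSet = 0; userAccountControl = 0x10200; CannotChangePassword = $false }  # blocked by 'never expires'
    [pscustomobject]@{ SamAccountName = 'user3'; pwdLastSet = 0; userAccountControl = 0x200;   CannotChangePassword = $true }   # blocked by 'cannot change'
)

foreach ($u in $sample) {
    $r = Test-ForcedPasswordChange -PwdLastSet $u.pwdLastSet -UserAccountControl $u.userAccountControl -CannotChangePassword $u.CannotChangePassword
    if ($r.ForceChangeSet -and -not $r.Effective) {
        Write-Warning ("{0}: forced password change is set but cannot take effect (never expires: {1}, cannot change: {2})" -f `
            $u.SamAccountName, $r.PasswordNeverExpires, $r.CannotChangePassword)
    }
}
```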
