0 votes

Is it possible to reset a password and force the user to change password at next login within the same action of a custom command? When they are split out into separate actions as shown, it doesn't initiate an attribute sync when using Azure AD Connect. Presumably one would have to use a PowerShell script to accomplish this, and if so, I would like to request this functionality be added to the reset password action in the future.

[screenshot: Reset Password - Adaxes Administration Console 2019.1]

[screenshot: connectsync]

by (540 points)

1 Answer

0 votes
by (11.0k points)

Hello!

Yes, it is possible. The only discrepancy in your Custom Command configuration is the actions order. The Reset password for the user action should be executed before the Modify the user action, as in the current configuration the User must change password at next logon option will be set to No after the password reset and thus will not be replicated to Azure AD. Finally, your Custom Command should look like the following: [screenshot of the Custom Command]

0

Actually the order you are suggesting is what I tested first, but then switched them and got the same result. Our server version is 3.11.16825.0 and we also have configured simultaneous Azure AD password change.

0

Hello,

Sorry for the confusion. There is no possibility to synchronize passwords of accounts that have the User must change password at next logon option enabled. The behavior is by design in hybrid Active Directory environments and is not related to Adaxes. However, the synchronization of temporary passwords and the User must change password at next logon option is available for public preview. For details, have a look at the Public Preview of synchronizing temporary passwords and "Force Password Change on Next Logon" section of the following Microsoft article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization.

0

Yes, I'm aware of that option and I have enabled it in Azure AD. The issue is that the two actions in the custom command function differently than the Adaxes or ADUC native password reset functionality in that they don't trigger the attribute to sync. The same is true if I use ADUC and reset the password, but don't check the "require change" box and then check the box afterwards in the user properties. It has to be done simultaneously.

+1

Hello,

Thank you for specifying. To reset a user password and enable the User must change password at next logon option at the same time, the below script can be executed in the Run a program or PowerShell script Custom Command action.

# Bind to the user
$user = $Context.BindToObjectEx($Context.TargetObject.AdsPath, $True)

# Enable the 'User must change password at next logon' option
$user.Put("pwdLastSet", 0)

# Disable the 'Password never expires' option
$user.Put("userAccountControl", 0)
[int]$passwordNeverExpires = [Softerra.Adaxes.Interop.Adsi.PersistentObjects.ADS_USER_FLAG_ENUM]::ADS_UF_DONT_EXPIRE_PASSWD
$user.PutPropertyItemMask("userAccountControl", $passwordNeverExpires)

# Disable the 'User cannot change password' option
$user.Put("adm-CanNotChangePassword", $False)

# Generate a password
$rootDSE = $Context.BindToObject("Adaxes://RootDSE")
$password = $rootDSE.GeneratePassword($Context.TargetObject)

# Set Password
$user.Put("unicodePwd", $password)

# Save changes
$user.SetInfo()

0

Thank you, I will test this out. Is it possible to still use a password template within the script? For example:

[screenshot: password template configuration]

0

Hello,

Yes, it is possible. Find the updated script below. In the script, the $passwordTemplate variable specifies a template that will be used to generate user passwords. You can use value references in the template (e.g. %datetime%).

$passwordTemplate = "Pw-%datetime:format[mm-dd-yy-hh]%" # TODO: modify me

# Bind to the user
$user = $Context.BindToObjectEx($Context.TargetObject.AdsPath, $True)

# Enable the 'User must change password at next logon' option
$user.Put("pwdLastSet", 0)

# Disable the 'Password never expires' option
$user.Put("userAccountControl", 0)
[int]$passwordNeverExpires = [Softerra.Adaxes.Interop.Adsi.PersistentObjects.ADS_USER_FLAG_ENUM]::ADS_UF_DONT_EXPIRE_PASSWD
$user.PutPropertyItemMask("userAccountControl", $passwordNeverExpires)

# Disable the 'User cannot change password' option
$user.Put("adm-CanNotChangePassword", $False)

# Update user password
$user.Put("unicodePwd", $passwordTemplate)

# Save changes
$user.SetInfo()
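
The scripts above write pwdLastSet and unicodePwd in a single SetInfo() commit, which is what makes the "force change at next logon" flag eligible for Azure AD Connect's temporary-password sync. Two things a practitioner usually wants alongside that are a temporary password that is not guessable (a date-based template such as Pw-mm-dd-yy-hh is predictable to anyone who knows roughly when the reset happened) and an independent read-back that the account really ended up in the intended state. The following script is an added example, not code from the thread or from Adaxes: it runs outside the Adaxes custom command on any domain-joined host with the RSAT ActiveDirectory module, generates a temporary password from the OS cryptographic RNG with rejection sampling (so the alphabet is sampled without modulo bias), and reports whether pwdLastSet is 0 and the DONT_EXPIRE_PASSWD bit is clear. The function names, the parameter names and the sample account name are assumptions of this example.

```powershell
# Added example (not part of the original thread or the Adaxes product).
# Assumes the RSAT ActiveDirectory module and read access to the user object.
Import-Module ActiveDirectory

function New-RandomTemporaryPassword {
    # Cryptographically random password drawn from an unambiguous alphabet
    # (no 0/O, 1/l/I) using rejection sampling to avoid modulo bias.
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    # Reject bytes >= limit so every alphabet index is equally likely.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars.Add($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return (-join $chars)
}

function Test-ForceChangeState {
    # Reads the raw attributes back from AD and reports the two conditions the
    # custom command is supposed to produce: pwdLastSet = 0 ("must change at
    # next logon") and the "password never expires" flag cleared.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit, per ADS_USER_FLAG_ENUM
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, userAccountControl
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        MustChangeAtNextLogon = ($u.pwdLastSet -eq 0)
        PasswordNeverExpires  = (($u.userAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        ReadyForTempPwdSync   = ($u.pwdLastSet -eq 0) -and
                                (($u.userAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0)
    }
}

# Usage (sample account name is a placeholder):
$temp = New-RandomTemporaryPassword -Length 16
Write-Host "Generated temporary password of length $($temp.Length)"   # never log the value itself
Test-ForceChangeState -SamAccountName 'jdoe' | Format-List
```

Call Test-ForceChangeState after the custom command has run; if ReadyForTempPwdSync comes back False, the reset and the flag were not committed together and Azure AD Connect will not pick up the temporary password, which is exactly the symptom described earlier in the thread. The generated password is meant to be handed to the custom command's Reset password action or to a script that writes it together with pwdLastSet in one commit; it is only printed by length here so the value never lands in a console transcript or log.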
