

Update security Q&A profile of user after Employee Number changes

February 24, 2021

Use this script if you enroll users for Password Self-Service automatically with information taken from their AD user accounts. The script re-enrolls a user when the value of a certain account property no longer matches the answer stored for the corresponding security question. In the example below, a user is re-enrolled if their Employee Number does not match the answer to the question What is your employee number?

To update the Q&A profiles of users automatically, create a scheduled task configured for User objects and add the script to it with the Run a program or PowerShell script action. The script can only verify a question that the password reset manager presents to the user; it compares the stored answer with the current property value by answering the question on the user's behalf, and re-enrolls the user only if that answer is rejected. Users who are not enrolled, or are enrolled with a different policy, are not touched.

Parameters:

  • $questionText - The text of the question whose answer is compared with the AD property value.
  • $questionsWithAnswersInfo - The questions and answers used to re-enroll the user: a hashtable that maps each question to a value reference for the property containing the answer.
  • $policyDN - The distinguished name (DN) of the Password Self-Service policy a user must be enrolled with to be affected by the script. Users enrolled with other policies, and users who are not enrolled at all, are ignored. For information on how to get the DN, see Get the DN of a directory object.

PowerShell
$questionText = "What is your employee number?" # TODO: modify me
$questionsWithAnswersInfo = @{
    "What is your employee number?" = "%employeeNumber%";
    "What is your job title?" = "%title%";
    "What is your line manager's name?" = "%adm-ManagerFirstName%";
}
$policyDN = "CN=My Policy,CN=Policies,CN=Password Self Service,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

if ($Context.TargetObject.EnrollmentPolicyDN -ine $policyDN)
{
    return # The user is not enrolled at all or is enrolled with another policy
}

# Connect to the Adaxes service and open a password reset session for the user
$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")
$cookie = ""
$passwordResetManager = $admService.CreateSelfPasswordResetManager("%userPrincipalName%", $NULL, [ref]$cookie)

for ($i = 0; $i -lt $passwordResetManager.NumberQuestionsToAnswer; $i++)
{
    $question = $passwordResetManager.GetQuestion($i)
    if ($question -ine $questionText)
    {
        continue
    }

    try
    {
        # Check whether the Employee Number stored in the user's Q&A profile still
        # matches the current value of the account property. AnswerQuestion throws
        # SelfPasswordResetException if the answer is rejected.
        $answer = $questionsWithAnswersInfo[$question]
        $passwordResetManager.AnswerQuestion($i, $answer)
    }
    catch [Softerra.Adaxes.Adsi.PasswordSelfService.SelfPasswordResetException]
    {
        # The stored answer is stale: re-enroll the user with the current property values
        $questionsWithAnswers = @()
        foreach ($enrollQuestion in $questionsWithAnswersInfo.Keys)
        {
            $enrollAnswer = $questionsWithAnswersInfo[$enrollQuestion]
            if ([string]::IsNullOrEmpty($enrollAnswer))
            {
                # Never enroll with an empty answer; keep the existing profile and report it
                $Context.LogMessage("Cannot re-enroll: the property for the question '$enrollQuestion' is empty.", "Warning")
                return
            }

            # Create a question-answer pair
            $questionWithAnswer = New-Object "Softerra.Adaxes.Adsi.PasswordSelfService.AdmPasswordSelfServiceQuestionWithAnswer"
            $questionWithAnswer.Question = $enrollQuestion
            $questionWithAnswer.Answer = $enrollAnswer

            # Add the question-answer pair to the collection
            $questionsWithAnswers += $questionWithAnswer
        }

        # Specify enrollment parameters
        $enrollmentInfo = New-Object "Softerra.Adaxes.Adsi.PasswordSelfService.AdmPasswordSelfServiceEnrollmentInfo"

        # Add the secret questions and answers
        $enrollmentInfo.QuestionsWithAnswers = $questionsWithAnswers

        # Specify the Password Self-Service policy effective for the user
        $enrollmentParameters = $Context.TargetObject.GetEnrollmentParameters("ADM_PSSPOLICYTYPE_ENROLLMENT")
        $enrollmentInfo.PolicyGuid = $enrollmentParameters.PolicyGuid

        # Enroll the user
        $Context.TargetObject.EnrollUser($enrollmentInfo)
        $Context.LogMessage("Re-enrolled the user for Password Self-Service with the current property values.", "Information")
    }
    return # The question was found and checked; nothing else to do
}
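Before switching on automatic re-enrollment, it is useful to know how many profiles are actually stale. The script below is an added example, not part of the original script or of Adaxes itself: an audit-only variant that checks every question the reset manager presents to the user and only logs the result, without enrolling anyone. It assumes the same $questionsWithAnswersInfo and $policyDN as above and that it runs from a scheduled task for User objects, so $Context.TargetObject is the user being checked. A fresh reset manager is created for each question so that a rejected answer to one question cannot influence the check of the next.

```powershell
# Audit-only variant (added example): report stale security answers, re-enroll nobody.
$questionsWithAnswersInfo = @{
    "What is your employee number?" = "%employeeNumber%";
    "What is your job title?" = "%title%";
    "What is your line manager's name?" = "%adm-ManagerFirstName%";
}
$policyDN = "CN=My Policy,CN=Policies,CN=Password Self Service,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

if ($Context.TargetObject.EnrollmentPolicyDN -ine $policyDN)
{
    return # Not enrolled, or enrolled with another policy
}

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

# Read the list of questions presented to the user from a first reset session
$cookie = ""
$firstManager = $admService.CreateSelfPasswordResetManager("%userPrincipalName%", $NULL, [ref]$cookie)
$questionCount = $firstManager.NumberQuestionsToAnswer

$stale = @()       # questions whose stored answer differs from the current AD value
$unverified = @()  # presented questions that have no answer source in the hashtable
$empty = @()       # questions whose source property is currently empty

for ($i = 0; $i -lt $questionCount; $i++)
{
    $question = $firstManager.GetQuestion($i)

    if (-not $questionsWithAnswersInfo.ContainsKey($question))
    {
        $unverified += $question
        continue
    }

    $answer = $questionsWithAnswersInfo[$question]
    if ([string]::IsNullOrEmpty($answer))
    {
        # An empty property cannot be compared and would also block re-enrollment
        $empty += $question
        continue
    }

    # Use a separate reset session per question (assumption: keeps checks independent)
    $sessionCookie = ""
    $manager = $admService.CreateSelfPasswordResetManager("%userPrincipalName%", $NULL, [ref]$sessionCookie)
    try
    {
        $manager.AnswerQuestion($i, $answer)
    }
    catch [Softerra.Adaxes.Adsi.PasswordSelfService.SelfPasswordResetException]
    {
        $stale += $question
    }
}

if ($stale.Count -eq 0 -and $empty.Count -eq 0 -and $unverified.Count -eq 0)
{
    $Context.LogMessage("Q&A profile is up to date.", "Information")
    return
}

if ($stale.Count -gt 0)
{
    $Context.LogMessage("Stale answers for: " + ($stale -join "; "), "Warning")
}
if ($empty.Count -gt 0)
{
    $Context.LogMessage("Source property empty for: " + ($empty -join "; "), "Warning")
}
if ($unverified.Count -gt 0)
{
    $Context.LogMessage("Presented but not checked (no answer source configured): " + ($unverified -join "; "), "Information")
}
```

Run it from a scheduled task scoped to a test OU first and read the task's execution log: every "Stale answers" warning is a user the re-enrollment script above would re-enroll, and every "Source property empty" warning is a user it would skip, because enrolling with an empty answer would make the corresponding question unanswerable.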
