Autoenroll Users for Self-Password Reset


If the Security Question & Answers verification option is enabled for Self-Service Password Reset, users need to enroll for password self-service. Enrollment is a one-time process where users provide answers to security questions. If your organization stores employee data such as social security numbers, places of birth, ID numbers, or similar, you can enroll users automatically by preloading the data into their Q&A profiles.

In this tutorial, you will learn how to enroll users for Password Self-Service using PowerShell cmdlets, and how to configure Adaxes to automatically enroll new users and update enrollment data for already enrolled users.

PowerShell Cmdlets for Enrollment

To enroll users for Password Self-Service and to cancel their enrollment, you can use the following PowerShell cmdlets: New-AdmPasswordSelfServiceEnrollment and Remove-AdmPasswordSelfServiceEnrollment.

To use the cmdlets, you need to install the Adaxes PowerShell Module on the computer where your Adaxes service is running.

New-AdmPasswordSelfServiceEnrollment

The New-AdmPasswordSelfServiceEnrollment cmdlet enrolls an Active Directory user for Password Self-Service.

Required Parameters:

  • Identity - specifies the Active Directory user to be enrolled. You can identify a user by the distinguished name (DN), GUID, security identifier (SID), full name, or Security Accounts Manager (SAM) account name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • QuestionsAndAnswers - specifies a hash table that maps security questions to answers.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute the cmdlet.

Example 1 - Enroll a user with hard-coded questions and answers.

	Import-Module Adaxes

	$question1 = "What are the last 4 digits of your credit card?"
	$answer1 = "1234"
	$question2 = "What is your social security number?"
	$answer2 = "987654321"

	New-AdmPasswordSelfServiceEnrollment JohnSmith `
		-QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost

Example 2 - Enroll users using a CSV file.

	Import-Module Adaxes

	$question1 = "What are the last 4 digits of your credit card?"
	$question2 = "What is your social security number?"

	foreach ($line in (Import-Csv c:\qa.csv))
	{
		$answer1 = $line.CardDigits
		$answer2 = $line.SSN

		New-AdmPasswordSelfServiceEnrollment $line.User `
			-QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
	}

The example assumes that a CSV file with the following content is used:

	User,CardDigits,SSN
	JohnSmith,1234,654321
	JimWillis,1122,332211


Remove-AdmPasswordSelfServiceEnrollment

The Remove-AdmPasswordSelfServiceEnrollment cmdlet cancels Password Self-Service enrollment for an Active Directory user account.

Required Parameters:

  • Identity - specifies the Active Directory user to be disenrolled. You can identify a user by the distinguished name (DN), GUID, security identifier (SID), full name, or Security Accounts Manager (SAM) account name. You can also set the parameter to an object variable (e.g. $myUser) or pass a user object through the pipeline to the Identity parameter.
  • AdaxesService - specifies the DNS name of an Adaxes service that will be used to execute the cmdlet.

Example:

	Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost

Permissions

By default, users are allowed to perform the enroll and disenroll operations only for themselves. The permissions to enroll and disenroll other users are granted with the help of Security Roles. To allow enrolling and disenrolling users, a Security Role must contain the Enroll/Disenroll User permission.

Adaxes Service Administrators have full control over all objects, and thus have the right to enroll and disenroll other users.

To grant the permission to a Security Role:

  • Launch Adaxes Administration Console.
  • Expand Adaxes service \ Configuration \ Security Roles.
  • Select the Security Role you want to modify.
  • In the Permissions section located to the right, click Add.
  • Select User in the list of object types on the left. In the General permissions list, check the Enroll/Disenroll User (Password Self-Service) permission in the Allow column.
  • Click OK and then click Save changes.

To enroll users for Password Self-Service using a PowerShell script, the script must be executed under an account that has the permissions necessary to read data from the data source (CSV file, HR database, etc.) and enroll users for Password Self-Service in Adaxes.

Enrollment by Schedule

You can configure Adaxes to automatically enroll new users and update Q&A profiles of existing ones if the information used for their enrollment changes. For this purpose, you can use the built-in Scheduled Task called Self-Password Reset Enroller. The task automatically runs a PowerShell script for user enrollment on a predefined schedule.

By default, the task is disabled. Before enabling it, you need to modify the PowerShell script it executes to get enrollment data from your data source.

To activate the Self-Password Reset Enroller task:

  1. Launch Adaxes Administration Console. Expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin and select Self-Password Reset Enroller.

  2. Right-click the Run PowerShell script action, and select Edit Action in the context menu.

  3. Click the Edit button and modify the PowerShell script to get data from your data source.

    By default, the script gets enrollment data from a Microsoft SQL Server database. If your data is stored in an MS SQL database, you only need to specify your database host and change the database name, table, fields, etc.

    For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

  4. If necessary, change the user account used to run the script.

    The user account must have the rights to read data from the data source and enroll users for Password Self-Service in Adaxes. By default, the script is executed under the Adaxes service account, which has the rights needed to enroll users for Password Self-Service.

  5. Click OK and then click Save changes.

  6. To enable the Scheduled Task, right-click it, point to All Tasks, and click Enable.
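The script the task executes has the following shape. This is an added example, not the built-in Enroller script that ships with Adaxes: it reads enrollment data from a SQL Server table and enrolls each row with the cmdlet described above, skipping incomplete records and logging only user names. The server name ("sqlhost"), database ("HR"), table and column names (Employees with SamAccountName, CardDigits, SSN) are assumptions, and the script is expected to run under an account with the Enroll/Disenroll User permission and read access to the database.

```powershell
Import-Module Adaxes
$question1 = "What are the last 4 digits of your credit card?"
$question2 = "What is your social security number?"

# Assumed connection details and schema; replace with your own.
$connectionString = "Server=sqlhost;Database=HR;Integrated Security=True"
$query = "SELECT SamAccountName, CardDigits, SSN FROM Employees"
$connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
$connection.Open()
try
{
    $command = $connection.CreateCommand()
    $command.CommandText = $query
    $reader = $command.ExecuteReader()
    try
    {
        while ($reader.Read())
        {
            # Casting a SQL NULL (DBNull) to [string] yields "", caught below.
            $user = [string]$reader["SamAccountName"]
            $answer1 = [string]$reader["CardDigits"]
            $answer2 = [string]$reader["SSN"]

            # Never create a half-filled Q&A profile from an incomplete HR record.
            if ([string]::IsNullOrWhiteSpace($user) -or
                [string]::IsNullOrWhiteSpace($answer1) -or
                [string]::IsNullOrWhiteSpace($answer2))
            {
                Write-Warning "Skipping record with missing enrollment data (user '$user')"
                continue
            }

            try
            {
                # Each scheduled run re-enrolls with the current HR values, which is
                # how the task refreshes the profiles of already enrolled users.
                New-AdmPasswordSelfServiceEnrollment $user `
                    -QuestionsAndAnswers @{$question1=$answer1; $question2=$answer2} `
                    -AdaxesService localhost
                Write-Output "Enrolled $user"   # log the user only, never the answers
            }
            catch
            {
                Write-Warning "Failed to enroll $user : $($_.Exception.Message)"
            }
        }
    }
    finally { $reader.Close() }
}
finally { $connection.Close() }
```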
