If the Security Question & Answers verification option is enabled for Self-Service Password Reset, users need to enroll for password self-service. Enrollment is a one-time process where users provide answers to security questions. If your organization stores employee data such as social security numbers, places of birth, ID numbers, or similar, you can enroll users automatically by preloading the data into their Q&A profiles.
In this tutorial, you will learn how to enroll users for Password Self-Service using PowerShell cmdlets, and how to configure Adaxes to automatically enroll new users and update enrollment data for already enrolled users.
To enroll and cancel enrollment for Password Self-Service, you can use the following PowerShell cmdlets:
To use the cmdlets, you need to install the Adaxes PowerShell Module on the computer where your Adaxes service is running.
The New-AdmPasswordSelfServiceEnrollment cmdlet enrolls an Active Directory user for Password Self-Service.
Required Parameters:
Example 1 - Enroll a user with hard-coded questions and answers.
Import-Module Adaxes

# Questions and answers are hard-coded in this example
$question1 = "What are the last 4 digits of your credit card?"
$answer1 = "1234"
$question2 = "What is your social security number?"
$answer2 = "987654321"

# Enroll the user JohnSmith with both question/answer pairs
New-AdmPasswordSelfServiceEnrollment JohnSmith `
    -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
Example 2 - Enroll users using a CSV file.
Import-Module Adaxes

$question1 = "What are the last 4 digits of your credit card?"
$question2 = "What is your social security number?"

# Each CSV row holds the user name and the answers for that user
foreach ($line in (Import-Csv c:\qa.csv))
{
    $answer1 = $line.CardDigits
    $answer2 = $line.SSN
    New-AdmPasswordSelfServiceEnrollment $line.User `
        -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost
}
The example assumes that a CSV file with the following content is used:
User,CardDigits,SSN
JohnSmith,1234,654321
JimWillis,1122,332211
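The following script is an added example, not code from the tutorial or from Adaxes. It builds on Example 2 by skipping CSV rows with missing values (so no user is enrolled with a blank answer), continuing past per-user failures, and producing a status report that does not echo the answers themselves. The CSV layout, the path C:\qa.csv and the service name localhost are assumptions taken from the example above.

```powershell
Import-Module Adaxes

# Assumed settings, matching the tutorial's CSV layout and examples
$csvPath = "C:\qa.csv"
$adaxesService = "localhost"
$question1 = "What are the last 4 digits of your credit card?"
$question2 = "What is your social security number?"

$results = foreach ($row in (Import-Csv $csvPath))
{
    # Skip incomplete rows instead of enrolling a user with an empty answer
    if ([string]::IsNullOrWhiteSpace($row.User) -or
        [string]::IsNullOrWhiteSpace($row.CardDigits) -or
        [string]::IsNullOrWhiteSpace($row.SSN))
    {
        [pscustomobject]@{ User = $row.User; Status = "Skipped: incomplete row" }
        continue
    }

    try
    {
        New-AdmPasswordSelfServiceEnrollment $row.User `
            -QuestionsAndAnswers @{ $question1 = $row.CardDigits; $question2 = $row.SSN } `
            -AdaxesService $adaxesService -ErrorAction Stop
        [pscustomobject]@{ User = $row.User; Status = "Enrolled" }
    }
    catch
    {
        # Record the failure for this user only; the answers are never written to the report
        [pscustomobject]@{ User = $row.User; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One line per CSV row: Enrolled, Skipped or Failed
$results | Format-Table -AutoSize
```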
The Remove-AdmPasswordSelfServiceEnrollment cmdlet cancels Password Self-Service enrollment for an Active Directory user account.
Required Parameters:
Example:
Remove-AdmPasswordSelfServiceEnrollment JohnSmith -AdaxesService localhost
By default, users are allowed to perform the enroll and disenroll operations only for themselves. The permissions to enroll and disenroll other users are granted with the help of Security Roles. To allow enrolling and disenrolling users, a Security Role must contain the Enroll/Disenroll User permission.
Adaxes Service Administrators have full control over all objects, and thus have the right to enroll and disenroll other users.
Select the Security Role you want to modify.
In the Permissions section located to the right, click Add.
Select User in the list of object types on the left. In the General permissions list, check the Enroll/Disenroll User (Password Self-Service) permission in the Allow column.
Click OK and then click Save changes.
To enroll users for Password Self-Service using a PowerShell script, the script must be executed under an account that has the permissions necessary to read data from the data source (CSV file, HR database, etc.) and enroll users for Password Self-Service in Adaxes.
You can configure Adaxes to automatically enroll new users and update Q&A profiles of existing ones if the information used for their enrollment changes. For this purpose, you can use the built-in Scheduled Task called Self-Password Reset Enroller. The task automatically runs a PowerShell script for user enrollment on a predefined schedule.
By default, the task is disabled. Before enabling it, you need to modify the PowerShell script it executes to get enrollment data from your data source.
To activate the Self-Password Reset Enroller task:
Launch Adaxes Administration Console.
Expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin and select Self-Password Reset Enroller.
Right-click the Run PowerShell script action, and select Edit Action in the context menu.
Click the Edit button and modify the PowerShell script to get data from your data source.
By default, the script gets enrollment data from a Microsoft SQL Server database. If your data is stored in an MS SQL database, you just need to specify your database host, change the database name, table, fields, etc.
If necessary, change the user account used to run the script.
The user account must have the rights to read data from the data source and enroll users for Password Self-Service in Adaxes. By default, the script is executed using the Adaxes service account that has the rights needed to enroll users for Password Self-Service.
Click OK and then click Save changes.
To enable the Scheduled Task, right-click it, point to All Tasks, and click Enable.