Request Approval for Self-Password Reset


Adaxes enables users to reset their passwords themselves by answering predefined security questions and submitting a verification code sent via SMS or email. To increase the security of privileged accounts, you can go further and add an approval step to the process. Approval can be requested from the user's manager, fellow employees, administrators, etc.

In this tutorial, you will learn how to create a Business Rule that requests approval for a self-password reset.

  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.



    Enter a name for the new Business Rule and click Next.

  2. To trigger the Business Rule before self-resetting passwords:

    • Select User in the Object Type list.
    • Select Before and then select Self-resetting password.


    Click Next.

  3. Click Add an action and select the Send this operation for approval action.

  4. In the Action Parameters section specify the approvers for the operation.

    • Click Add to select specific users and groups.
    • Select Manager of the requestor to allow the manager of the user whose password is reset to approve or deny the operation. The manager is specified in the Manager property of user accounts.
    • Select Owner of the requestor's OU to allow the owner of the Organizational Unit where the user's account is located to approve or deny the operation. The owner is specified in the Managed By property of Organizational Units.
    • When done, click OK.

    Adaxes service administrators have the rights to approve or deny any request.

    Using Scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.

    • In the Add Action dialog, select the Run a program or PowerShell script action.
    • Click the Edit button.

      Click the button to provide a custom description for the action.
    • To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.

      The following script submits an approval request to a user and members of a group.

      # DNs of the users and groups to designate as approvers
      $approvers = @(
          "CN=John Smith,CN=Users,DC=example,DC=com",
          "CN=My Group,OU=Groups,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      To get the DN of an object:

      • Launch Adaxes Administration Console.
      • Right-click the object you need.
      • In the context menu, open the submenu of the Copy item.
      • Click Copy DN. The DN of the selected object will be copied to the clipboard.

      You can use value references in the script (e.g. %department%). Value references will be replaced with corresponding property values of the user whose password is reset.

      The following example submits an approval request to the members of a group with the name consisting of the name of the user's department plus Managers.

      $approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      The following example submits an approval request to the user's secretary and members of group Admins located in the user's Organizational Unit.

      $approvers = @(
          "%secretary%",
          "CN=Admins,%adm-InitiatorParentDN%")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)

      For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.

  5. To request an approval only if certain conditions are met, right-click the action and select Add Condition.


    For example, an approval can be requested only if the user is a member of a specific group or Business Unit, is located in a specific Organizational Unit, or if the Job Title property of the user's account contains the word Manager.

    When done, click Next.

  6. To define the scope of activity for the Business Rule, click Add.

    In the Activity Scope dialog, select the following items:

    • All Objects - select to execute the Business Rule for all user accounts in all domains managed by Adaxes.

    • Specific Domain - select to execute the Business Rule for all user accounts within an AD domain.

    • OU or Container - select to execute the Business Rule for the user accounts located under an Organizational Unit or container.

    • Group - select to execute the Business Rule for the user accounts that are members of a group.

    • Business Unit - select to execute the Business Rule for the user accounts that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific users, groups, Organizational Units and Business Units from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over all objects in a domain, but do not want it to be executed for members of a certain group, you can exclude the group from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.

    When done, click OK and then click Finish.
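
For the Using Scripts option in step 4, the following added example (not part of the original tutorial and not vendor code) validates an approver list built from value references before submitting it. It assumes that a value reference for an empty property is replaced with an empty string; the fallback group DN and the ConvertTo-EscapedRdnValue helper are hypothetical names introduced for illustration.

```powershell
# Added example. Assumption: a value reference for an empty property is
# replaced with an empty string before the script runs.
$department = "%department%"
$secretary  = "%secretary%"          # DN of the user's secretary, may be empty
$requestor  = "%distinguishedName%"  # DN of the user whose password is reset
# Hypothetical fallback group used when no other approver passes validation.
$fallback   = "CN=Password Reset Approvers,OU=Groups,DC=example,DC=com"

# Escape a property value for use inside an RDN (RFC 4514 special characters).
function ConvertTo-EscapedRdnValue([string]$Value) {
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '^([ #])', '\$1'
    return ($escaped -replace ' $', '\ ')
}

$approvers = @()

# Without this check an empty department would yield "CN=Managers,...",
# which names a different group than the one intended.
if (-not [string]::IsNullOrWhiteSpace($department)) {
    $cn = ConvertTo-EscapedRdnValue ($department.Trim() + "Managers")
    $approvers += "CN=$cn,CN=Users,DC=example,DC=com"
}

# An empty secretary property must not end up as an empty approver entry.
if (-not [string]::IsNullOrWhiteSpace($secretary)) {
    $approvers += $secretary
}

# The account being reset must not be listed as an approver of its own request.
$approvers = @($approvers | Where-Object { $_ -ne $requestor })

# Never submit an empty approver list: fall back to a fixed group instead.
if ($approvers.Count -eq 0) {
    $approvers = @($fallback)
}

$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```

The self-exclusion only covers direct entries; it does not detect the requester being a member of an approver group.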

