Custom workflow - email user random generated password

 Hello guys,


I have just recently installed One Identity Password Manager version 5.7.0.1525 in our test environment. We see that the existing workflows cannot apply to our situation, and need to create a new simple custom workflow. We are looking for a self-service portal for our users where they can simply reset their password.


The workflow should consist of a user searching for his AD user and then choosing the custom workflow "Password email reset"; a randomly generated password is set on the user account in AD (in addition, "user must change password at next logon" is checked), and an email is sent to the user with the password.


The best would be to email the user a link which he then accesses to set a new password, the way Facebook, Gmail, etc. do it. Is this possible? :)


Best regards

Bilal
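As an added example (not code from this thread or from One Identity), this is what the activity script for a "Password email reset" workflow of the shape described above could look like in PowerShell. It assumes the Password Manager `$global` helper object, a `$connection` (a QPM.Common.Connections.DirectoryInfo) and `$PMUser` are in scope, as they are in the snippets later in this thread. The method names come from the Get-Member listing further down, but that listing truncates most parameter lists after the first argument, so the argument order used for UserResetPassword and UserSetChangePasswordAtNextLogon is an assumption. The password is generated locally with the .NET CSPRNG rather than Get-Random.

```powershell
# Added example for the "Password email reset" workflow (not from the thread or One Identity).
# Assumed in scope, as in the thread's later snippets: $global (Password Manager helper),
# $connection (QPM.Common.Connections.DirectoryInfo) and $PMUser (the selected user).

function Get-RandomIndex {
    # Uniform integer in [0, $Max) from a CSPRNG, using rejection sampling so that
    # the modulo does not bias the low values. Get-Random is not a CSPRNG.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Max
    )
    $bytes = New-Object byte[] 4
    $range = [long][uint32]::MaxValue + 1      # number of distinct 32-bit draws
    $limit = $range - ($range % $Max)          # largest multiple of $Max that fits
    do {
        $Rng.GetBytes($bytes)
        $draw = [long][System.BitConverter]::ToUInt32($bytes, 0)
    } while ($draw -ge $limit)                  # reject the biased tail and draw again
    return [int]($draw % $Max)
}

function New-RandomPassword {
    # Password from a CSPRNG with at least one character from each class, which
    # satisfies the usual AD complexity rule (three of four classes) even when the
    # Password Manager policy is stricter than the default.
    param([ValidateRange(12, 128)][int]$Length = 16)

    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # no I or O (confusable with 1 and 0)
        [char[]]'abcdefghijkmnpqrstuvwxyz',   # no l
        [char[]]'23456789',                   # no 0 or 1
        [char[]]'!#$%&*+-=?@^_'
    )
    $alphabet = @($classes | ForEach-Object { $_ })   # flattened copy of all classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object System.Collections.Generic.List[char]
        foreach ($class in $classes) {                    # one from each class ...
            $chars.Add($class[(Get-RandomIndex -Rng $rng -Max $class.Length)])
        }
        while ($chars.Count -lt $Length) {                # ... the rest from everything ...
            $chars.Add($alphabet[(Get-RandomIndex -Rng $rng -Max $alphabet.Count)])
        }
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {     # ... then a Fisher-Yates shuffle so the
            $j = Get-RandomIndex -Rng $rng -Max ($i + 1)  # guaranteed characters are not always first
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars.ToArray()
    } finally {
        $rng.Dispose()
    }
}

function Invoke-PasswordEmailReset {
    # Sets a fresh random password, forces a change at next logon and mails the password.
    # Fails closed: with no recipient address nothing is reset, because a blank address
    # would leave the user locked out with a password nobody knows.
    param(
        [Parameter(Mandatory)]$PmGlobal,       # the Password Manager $global helper
        [Parameter(Mandatory)]$Connection,     # QPM.Common.Connections.DirectoryInfo
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$UserId,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$RecipientAddress
    )
    $password = New-RandomPassword -Length 16
    # ASSUMPTION: argument order (connection, user id[, new password]); the thread's
    # Get-Member output truncates these signatures after the first parameter.
    $PmGlobal.UserResetPassword($Connection, $UserId, $password)
    $PmGlobal.UserSetChangePasswordAtNextLogon($Connection, $UserId)
    $PmGlobal.EmailUser($RecipientAddress, 'Your temporary password',
        "A temporary password was set on your account: $password`r`n" +
        'You will be asked to change it at your next logon.')
    # Log the action, never the password itself.
    $PmGlobal.Log("Password email reset: new password set for $UserId, sent to $RecipientAddress")
}

# Usage inside the activity; $recipientAddress must already have been resolved from
# the user's mail attribute and checked to be non-empty:
# Invoke-PasswordEmailReset -PmGlobal $global -Connection $connection `
#     -UserId $PMUser.id -RecipientAddress $recipientAddress
```

Mailing the password itself means anyone who can read the mailbox can log in once as the user; the must-change-at-next-logon flag narrows that window but does not close it. That is why the passcode-then-set-new-password shape asked about later in this thread, or the link-based flow from the original question, is the better design when the product supports it.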

  • In reply to Bilal:

    That result for the output of $global is fine, because it is a PowerShell object.

    Pipe it to get-member so that you can see the attributes and methods that it contains.

    It may also accept the -Passthru parameter, so that you can see if it is encountering an error at runtime.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Yeah, that worked. But how do I troubleshoot?

    The result is:


    Name                               MemberType Definition
    ----                               ---------- ----------
    AddFailedAuthAttempt               Method     void AddFailedAuthAttempt(QPM.Common.Connections.DirectoryInfo directo...
    AddHistoryRecord                   Method     void AddHistoryRecord(string message)
    AuthenticateWithPasscode           Method     bool AuthenticateWithPasscode(QPM.Common.Connections.DirectoryInfo dir...
    ClearFailedAuthAttempts            Method     void ClearFailedAuthAttempts(QPM.Common.Connections.DirectoryInfo dire...
    CreateDirectoryConnection          Method     QPM.Common.Connections.DirectoryInfo CreateDirectoryConnection(string ...
    EmailUser                          Method     void EmailUser(string recipientAddress, string subject, string body)
    EmailUserHtml                      Method     void EmailUserHtml(string recipientAddress, string subject, string body)
    Equals                             Method     bool Equals(System.Object obj)
    GenerateLocalPasswordResetResponse Method     string GenerateLocalPasswordResetResponse(QPM.Common.Connections.Direc...
    GeneratePasscode                   Method     string GeneratePasscode(int length)
    GeneratePassword                   Method     string GeneratePassword(QPM.Common.Connections.DirectoryInfo directory...
    GetConnections                     Method     System.Collections.Generic.IEnumerable[QPM.Common.Connections.Connecti...
    GetCurrentHost                     Method     QPM.Common.InfoClasses.HostSettingsInfo GetCurrentHost()
    GetDirectoryConnection             Method     QPM.Common.Connections.DirectoryInfo GetDirectoryConnection(string con...
    GetDirectoryConnectionByName       Method     QPM.Common.Connections.DirectoryInfo GetDirectoryConnectionByName(stri...
    GetDirectoryConnections            Method     QPM.Common.Connections.DirectoryInfo[] GetDirectoryConnections(System....
    GetFailedAuthAttempts              Method     System.Collections.Generic.List[QPM.Service.Storages.Helpers.AuthAttem...
    GetHashCode                        Method     int GetHashCode()
    GetQAPolicies                      Method     QPM.Common.QAPoliciesInfo GetQAPolicies(string configurationSetId)
    GetStorageContainerAttributeName   Method     string GetStorageContainerAttributeName()
    GetType                            Method     type GetType()
    GetUserByAttribute                 Method     string GetUserByAttribute(QPM.Common.Connections.DirectoryInfo directo...
    GetUserById                        Method     string GetUserById(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    GetUserByName                      Method     string GetUserByName(QPM.Common.Connections.DirectoryInfo directoryInf...
    GetUserConfigurationSetId          Method     string GetUserConfigurationSetId(QPM.Common.Connections.DirectoryInfo ...
    LdapEscape                         Method     string LdapEscape(string str)
    LdapFindAll                        Method     string[] LdapFindAll(QPM.Common.Connections.DirectoryInfo directoryInf...
    LdapFindOne                        Method     string LdapFindOne(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    Localize                           Method     QPM.Common.LocalizedItem Localize(string resourceId), QPM.Common.Local...
    Log                                Method     void Log(string message)
    LogError                           Method     void LogError(string message)
    LogEvent                           Method     void LogEvent(string message)
    LogEventError                      Method     void LogEventError(string message)
    LogEventWarning                    Method     void LogEventWarning(string message)
    LogWarning                         Method     void LogWarning(string message)
    QAProfileAssignPasscode            Method     void QAProfileAssignPasscode(QPM.Common.Connections.DirectoryInfo dire...
    QAProfileAuthenticate              Method     System.Collections.Generic.List[string] QAProfileAuthenticate(QPM.Comm...
    QAProfileClearForceEnrollStartDate Method     void QAProfileClearForceEnrollStartDate(QPM.Common.Connections.Directo...
    QAProfileLock                      Method     void QAProfileLock(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    QAProfileRead                      Method     QPM.Common.QAProfileInfo QAProfileRead(QPM.Common.Connections.Director...
    QAProfileSetForceEnrollStartDate   Method     void QAProfileSetForceEnrollStartDate(QPM.Common.Connections.Directory...
    QAProfileUnlock                    Method     void QAProfileUnlock(QPM.Common.Connections.DirectoryInfo directoryInf...
    QAProfileUpdate                    Method     void QAProfileUpdate(QPM.Common.Connections.DirectoryInfo directoryInf...
    SearchUser                         Method     string[] SearchUser(QPM.Common.Connections.DirectoryInfo directoryInfo...
    ToString                           Method     string ToString()
    UserChangePassword                 Method     void UserChangePassword(QPM.Common.Connections.DirectoryInfo directory...
    UserEnableAccount                  Method     void UserEnableAccount(QPM.Common.Connections.DirectoryInfo directoryI...
    UserResetPassword                  Method     void UserResetPassword(QPM.Common.Connections.DirectoryInfo directoryI...
    UserSetChangePasswordAtNextLogon   Method     void UserSetChangePasswordAtNextLogon(QPM.Common.Connections.Directory...
    UserUnlockAccount                  Method     void UserUnlockAccount(QPM.Common.Connections.DirectoryInfo directoryI...
  • In reply to Bilal:

    This method is prepended with "QAProfile". Are you using a test User with a populated Questions and Answers profile?

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Hi Terrance,

    None of our users have created a QA profile and we do not want to introduce and force users to create QA. Is there a way to not require users to create QA? Our need is simply:

    • The user has forgotten his password and gets a passcode sent to his email.
    • He sets a new password on his account after the passcode is verified.

    Can I use another function to make this work? To set a passcode on a user without a QA profile?

    Kind regards
    Bilal
  • In reply to Bilal:

    I believe that this method requires that a profile be present, but I'm not sure. Try testing it with an account which has one.

    If it works, there should be a way to programmatically populate the profile, as a pre-requisite for this method.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Tried to set QA on the account by using the built-in workflow "My Questions and Answers profile". I authenticated and everything, but get "Access is denied" even though my password is correct. So not completely sure what the error is. Tried to check the logs, but nothing useful to be found.

    Kind regards
    Bilal
  • In reply to Bilal:

    Is the Password Manager service account a Domain Administrator, or did you use the minimum permissions guide?

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Hi,

    It seemed like giving the service account more permissions solved the issue. It did not require that a QA profile was created for the user, and the same function could be used.

    Kind regards
    Bilal
  • In reply to Bilal:

    That's good to know, thanks.

    If you can scrub and/or comment your final script, please post it back to the community for feedback and for future use.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Hi,

    Thanks a lot for your support and help. I will first try to comment the code as much as possible so it makes sense to everyone; secondly, it will be posted here afterwards.

    Do you know if it's possible to import a password policy from a GPO into Password Manager?
  • In reply to Bilal:

    Thanks, I am very interested to see your solution for this problem.

    To my knowledge, it is not possible to programmatically build out the Password Manager Password Policy, so, no, I don't think that this is possible.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Hello Terrance!

    Sorry, I have been on vacation, but am now back. To finalize everything I have one question: is there any way I can retrieve the value of an extensionAttribute (or any attribute) in AD in the code?

    Right now I retrieve the email attribute like this:

    $userName = $PMUser.id
    # Look the user up by id in the connected domain, requesting only the attributes needed
    $user = $global.GetUserById($connection, $userName, [string[]]("objectGUID", "mail"))
    # The user's mail attribute from AD
    $user.mail

    Kind regards

    Bilal

  • In reply to Bilal:

    This is built-in.

    Use something like this:

    $pmUserMail = $workflow.Userinfo.AccountInfo.Mail

    Be sure to have a catch for objects without mail addresses assigned.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity
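As an added example (not from this thread or from One Identity), here is the "catch for objects without mail addresses" Terrance recommends, together with a general attribute read for cases like extensionAttribute1, in PowerShell. It assumes the activity-script objects used earlier in the thread (`$workflow`, `$global`, `$connection`, `$PMUser`) and, as Bilal's snippet does, that GetUserById with an attribute list returns an object exposing each requested attribute as a property; the attribute names other than mail are illustrative.

```powershell
# Added example (not from the thread or One Identity). Assumes the activity-script
# objects $workflow, $global, $connection and $PMUser used earlier in the thread.

function Get-PMUserAttribute {
    # Reads the requested attributes with the same GetUserById call as Bilal's snippet
    # and returns a hashtable in which absent or empty attributes are $null rather than
    # missing, so the caller can check every one explicitly.
    # ASSUMPTION: GetUserById returns an object exposing each requested attribute as a
    # property, which is what the earlier $user.mail usage relies on.
    param(
        [Parameter(Mandatory)]$PmGlobal,       # the Password Manager $global helper
        [Parameter(Mandatory)]$Connection,     # QPM.Common.Connections.DirectoryInfo
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$UserId,
        [Parameter(Mandatory)][string[]]$Attribute
    )
    $user = $PmGlobal.GetUserById($Connection, $UserId, [string[]]$Attribute)
    if ($null -eq $user) { throw "User '$UserId' was not found in the connected directory" }
    $values = @{}
    foreach ($name in $Attribute) {
        $raw = $user.$name
        if ($raw -is [System.Array]) {
            # multi-valued attribute: keep the first non-empty value
            $raw = $raw | Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_) } | Select-Object -First 1
        }
        if ([string]::IsNullOrWhiteSpace([string]$raw)) {
            $values[$name] = $null
        } else {
            $values[$name] = ([string]$raw).Trim()
        }
    }
    return $values
}

function Get-RecipientAddress {
    # Resolves the address that EmailUser will be given. Prefers the built-in
    # $workflow.UserInfo.AccountInfo.Mail, falls back to a directory read, and refuses
    # (logs and throws) instead of returning an empty or malformed address, which
    # would otherwise make the reset silently undeliverable.
    param(
        [Parameter(Mandatory)]$Workflow,
        [Parameter(Mandatory)]$PmGlobal,
        [Parameter(Mandatory)]$Connection,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$UserId
    )
    $mail = $Workflow.UserInfo.AccountInfo.Mail
    if ([string]::IsNullOrWhiteSpace($mail)) {
        $lookup = Get-PMUserAttribute -PmGlobal $PmGlobal -Connection $Connection -UserId $UserId -Attribute @('mail')
        $mail = $lookup['mail']
    }
    if ([string]::IsNullOrWhiteSpace($mail)) {
        $PmGlobal.LogError("Password email reset: no mail attribute on $UserId; aborting before any password change")
        throw "No mail address on record for '$UserId'"
    }
    try {
        $parsed = New-Object System.Net.Mail.MailAddress($mail)   # rejects values like 'john@' or 'john'
    } catch {
        $PmGlobal.LogError("Password email reset: mail attribute '$mail' on $UserId is not a valid address")
        throw
    }
    return $parsed.Address
}

# Usage inside the activity:
# $recipient = Get-RecipientAddress -Workflow $workflow -PmGlobal $global -Connection $connection -UserId $PMUser.id
# $extra = Get-PMUserAttribute -PmGlobal $global -Connection $connection -UserId $PMUser.id `
#     -Attribute @('extensionAttribute1', 'department')
# if ($null -eq $extra['extensionAttribute1']) { $global.LogWarning("extensionAttribute1 not set on $($PMUser.id)") }
```

Resolve the address before touching the account: if the workflow resets the password first and only then discovers there is nowhere to send it, the user ends up locked out and the help desk has to intervene anyway.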