Bulk password reset using a CSV using a workflow

Hi,

We have a situation where we need to have techs submit a csv file listing users and passwords that need to be reset. We currently have a single script in a workflow that does this but since the script uses the service account and not the techs account. They can reset  passwords of users out side the OUs they have rights to.   I was told we need to use a workflows to correct this.  Can you provide any guidance around this?

Thanks much

Tony

Parents
  • Hello, how is the password reset workflow initiated? Does it run on a scheduled basis or do these techs have the ability to run the automation workflow whenever they have a csv file ready?

    If the workflow is running on a scheduled basis, the workflow will always run as the service account. There isn't a way around this, and the process of kicking off the workflows may need to be altered as indicated below.

    If the techs are manually kicking off the workflows, there is a "Run As" setting within the workflow's Options and Start Conditions, to have it run as "The account of the user who started the workflow". This may solve the issue of the techs being able to reset passwords in OUs they are not delegated access. Additional rights will probably need to be granted to the techs to be able to see and run automation workflows.

  • One more question on this topic. We have multiple forests in ARS.  We are only successful in one domain even if we specify another domain in our script.  We can create in ForestA but even if we use the  -server ForestB switch it fails.  Where as if we do this task manually we are successful. Only when running the script do we receive error going out side ForestA.   All that be said the application is running with a ForestA gmsa account. I am guessing that it is using that account when running the script. I do have different account for other Forests under Managed Domains. 

  • Hi, 
    I got this working for one forest which has a trust with the domain ARS is hosted in.  But I can not get it working another forest which has no trust. 

    As the accounts are rolling in from CSV I am looking a what forest/domain each account is in.    I am using get-aduser <name> -server <forest name> but I am getting "unable to contact the server" on one of the domains.     I see that get-Qaduser does not have the -Server option.  Is there a switch I can use to get user info for another forest within the script?  That way I can get the DN and process the password change like I can for 2 of the 3 forests?

  • The Get-ADUser '-Server' switch and Get-QADUser '-Service' switch do the same thing.

    If you have the DN of the user, what I have done in the past is extracted the DC=... bit of the DN and converted that to a domain FQDN for use in one of the switches above.

  • Further to my answer above, you always have the option of adding credentials i.e. '-Credentials' to any command but you will need figure out how you want to implement the creation of the credential object (the passing of the password is usually the sticking point).

    I'm not clear on whether you are running your script interactively or "inside" of Active Roles as a policy script and/or script activity in a workflow of some kind.

    If the latter, you can setup an untrusted domain with specific credentials for that domain  (a.k.a. "override account") specified in your Managed Domains in Active Roles.

    You can force the use of those credentials in a policy script something like this:

    $UntrustedDomainCreds = $DomainOverrideCredentials.Get($userDN) # $UserDN is the object that you will eventually modify

    Set-ADUser -identity $UserDN -Server $UserDomain -Credential $UnTrustedDomainCreds

  • This is what I have in my script to get the credentials to use to update the user in a foreign forest

    the samaccountname and domain are coming from my import-csv command. 

    $testuser=get-Qaduser $user.samaccountname -Service $user.domain
    $userDN = $testuser.DistinguishedName
    $credentials = $DomainOverrideCredentials.Get($userDN)

    I am now getting Logon failure: unknown user name or bad password. when running the get-Qaduser $user.samaccountname -Service $user.domain

  • You need to add the -Credentials switch to your Get and move the Get AFTER you obtain the credentials.

  • Hi,
    I am running the script inside of ARS it is being kicked off by a workflow.  I am using the $DomainOverrideCredentials.Get($userDN) and the set command using the -Credential.  Below is the full section 

    $testuser=get-qaduser $user.samaccountname -Service $user.domain
    $userDN = $testuser.DistinguishedName
    $credentials = $DomainOverrideCredentials.Get($userDN)
    Set-ADAccountPassword -Identity $user.samaccountname -Reset -NewPassword $newpass -server $user.domain -Credential $credentials

    This whole section works for another forest. But I am erroring out on the below. 
    $testuser=get-qaduser $user.samaccountname -Service $user.domain

     Since we have updates to multiple forests have included the "domain" in the csv file.

  • I am with you but I am failing on getting the info for the -Credentials. 
    Can I hard code the info in this line   -   $credentials = $DomainOverrideCredentials.Get(DC=....)

  • Per my previous note, you need to add the -Credentials

  • OK I got that. I am sorry, please bear with.  My problem here is getting the credentials needed for the -credentials switch

    I think I need to hard code the forest info that I am trying to get the credentials for.  What the below work?  I have tried a couple of things with no luck.

    $UnTrustedDomainCreds = $DomainOverrideCredentials.Get("DC=xyz,DC=com")

    After I have the above I understand I need to add the -Credentials $UnTrustedDomainCreds  to my other commands

  • The easiest way to get the right credentials is to use the DN of the object that you are trying to process with the $DomainOverrideCredentials.Get method

     It's smart enough to extract the domain name from the DN of your target object.

    So, for example

    $UserDN = "CN=John Smith, OU=People,DC=MyDomain,DC=Com"

    $UnTrustedDomainCreds = $DomainOverrideCredentials.Get($UserDN)

    ...will obtain the creds for "DC=MyDomain, DC=Com"

    So there's no harm in doing this for each object you process in a loop.

    'Hope that makes sense

Reply
  • The easiest way to get the right credentials is to use the DN of the object that you are trying to process with the $DomainOverrideCredentials.Get method

     It's smart enough to extract the domain name from the DN of your target object.

    So, for example

    $UserDN = "CN=John Smith, OU=People,DC=MyDomain,DC=Com"

    $UnTrustedDomainCreds = $DomainOverrideCredentials.Get($UserDN)

    ...will obtain the creds for "DC=MyDomain, DC=Com"

    So there's no harm in doing this for each object you process in a loop.

    'Hope that makes sense

Children
  • Hi, yeah that makes the issue was I had only the same account now.  I hardcoded an account for that domain so I am now getting past the credentials issue. Now I am getting "Unable to contact the server." even when I hard code the server that the ARS server is using under managed domains. When I manually change a users password in that domain I have no issue.