This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Custom workflow - email user random generated password

 Hello guys,


I have just recently installed One Identity Password Manager version in our test-environment. We see that the existing workflows can not apply to our situation, and need to create a new simple custom workflow. We are looking for a self-selvice portal for our users where they simply can reset their password.


The workflow should consist of a user searching after his AD-user and then choose the custom workflow "Password email reset" workflow, a random generated password is set on the user account in AD (in addition: "user must change password at next logon" is checked), and an email is sent to the user with the password.


The best would be to email the user a link which he then access and set a new password - like the way facebook, gmail, etc do it. Is this possible? :)


Best regards


  • Thank you for help. However, I have tried to hard-core both the $domain and $user as its defined in the
    $user = $global.GetUserByName($connection, $userName, [string[]]("objectGUID", "mail"))

    However, I have been triying to find out what the in-process variables is for the "logged in user". As for instance, domain, user name, mail, etc. I am just trying to make this code work so I have a proof-of-concept with Dell one password manager. :)

    I would like to appriciate your help until now.

    Here is my code until now:


    #Passcode length



    #Passcode lifetime in minutes

    $PASSCODE_LIFETIME = 1440 #(1 day)


    #Uncomment these lines to send e-mail to a user, if he has e-mail address

    #Variable $PASSCODE will contain user's passcode, all other variables are available too

    $EMAIL_SUBJECT = 'Passcode'

    $EMAIL_BODY = 'Your passcode is $PASSCODE'


    #Obtain Password Manager connection to the specified domain
    $connection = $global.GetDirectoryConnectionByName($domain)

    #If there is none, throw an exception
    if ("$connection" -eq "") {
    throw "Connection to domain $domain not found in Password Manager!"


    #Obtain user's GUID

    $userId = $user.objectGUID


    #Generate a passcode for a user

    $PASSCODE= $global.GeneratePasscode($PASSCODE_LENGTH)


    #Assign passcode to a user

    $global.QAProfileAssignPasscode($connection, $userId, $passcode, $PASSCODE_LIFETIME)


    if ($EMAIL_SUBJECT -ne "" -and $EMAIL_BODY -ne "")


    #Send e-mail with passcode, if user has an e-mail address

    if ($user.mail -ne "")


    $subject = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_SUBJECT)

    $body = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_BODY)

    $global.EmailUserHtml($mail, $subject, $body)




    $log +="User account has no mail, will not send e-mail with passcode"



    Kind regards

  • This script sample should be useful:

    function PostExecuting($workflow, $activity)
    if ($activity.State.IsSuccess)

    #gets the User from the Workflow context
    $PMUser = $workflow.Userinfo

    $PMUser | out-file c:\temp\scriptLogging.txt -append

    #gets the GUID of the User
    $UserGUID = $

    $UserGUID | out-file c:\temp\scriptLogging.txt -append


  • Hi Terrence,

    Thanks a lot for your time and help. I have managed to do a lot after your last post. I managed to retrieve the user information and domain. The passcode is being generated and sent to the email and logging is working. I have been debugging a lot to make it work.

    The only thing that is still not working is that the generated passcode is not assigned to the user-account. The following line does not seem to work:

    $global.QAProfileAssignPasscode($connection, $userId, $PASSCODE, $PASSCODE_LIFETIME)
    # Log to see if the passcode is set on the user
    "After the passcode is set:" | out-file d:\temp\scriptLogging.txt -append
    $PMUser | out-file d:\temp\scriptLogging.txt -append

    I also log to see if the passcode is set on the user, as you can see above. The result is:

    HasPasscode : False

    So my conclusion so far is that the "$global.QAProfileAssignPasscode" does not set the passcode on the user.

    What could be the reason for the passcode not being set? The passcode is being generated and sent to the users mail, and I have managed it to print out in the log. So that is not the issue.

    Kind regards
  • This sounds like great progress.

    Without seeing your code, i would try to output the values of following at runtime to a file to see what they contain:

  • Yeah, that what I did.

    Everything gets printed out and looks correct, without "@global"
    The result is: QPM.Service.PowerShell.Global

    Which does not look right?

    Kind regards
  • That result for the output of $global is fine, because it is a PowerShell object.

    Pipe it to get-member so that you can see the attributes and methods that it contains.

    It may also accept the -Passthru parameter, so that you can see if it is encountering an error at runtime.
  • Yeah, that worked. But how do I troubleshoot?

    The result is:

    Name MemberType Definition
    ---- ---------- ----------
    AddFailedAuthAttempt Method void AddFailedAuthAttempt(QPM.Common.Connections.DirectoryInfo directo...
    AddHistoryRecord Method void AddHistoryRecord(string message)
    AuthenticateWithPasscode Method bool AuthenticateWithPasscode(QPM.Common.Connections.DirectoryInfo dir...
    ClearFailedAuthAttempts Method void ClearFailedAuthAttempts(QPM.Common.Connections.DirectoryInfo dire...
    CreateDirectoryConnection Method QPM.Common.Connections.DirectoryInfo CreateDirectoryConnection(string ...
    EmailUser Method void EmailUser(string recipientAddress, string subject, string body)
    EmailUserHtml Method void EmailUserHtml(string recipientAddress, string subject, string body)
    Equals Method bool Equals(System.Object obj)
    GenerateLocalPasswordResetResponse Method string GenerateLocalPasswordResetResponse(QPM.Common.Connections.Direc...
    GeneratePasscode Method string GeneratePasscode(int length)
    GeneratePassword Method string GeneratePassword(QPM.Common.Connections.DirectoryInfo directory...
    GetConnections Method System.Collections.Generic.IEnumerable[QPM.Common.Connections.Connecti...
    GetCurrentHost Method QPM.Common.InfoClasses.HostSettingsInfo GetCurrentHost()
    GetDirectoryConnection Method QPM.Common.Connections.DirectoryInfo GetDirectoryConnection(string con...
    GetDirectoryConnectionByName Method QPM.Common.Connections.DirectoryInfo GetDirectoryConnectionByName(stri...
    GetDirectoryConnections Method QPM.Common.Connections.DirectoryInfo[] GetDirectoryConnections(System....
    GetFailedAuthAttempts Method System.Collections.Generic.List[QPM.Service.Storages.Helpers.AuthAttem...
    GetHashCode Method int GetHashCode()
    GetQAPolicies Method QPM.Common.QAPoliciesInfo GetQAPolicies(string configurationSetId)
    GetStorageContainerAttributeName Method string GetStorageContainerAttributeName()
    GetType Method type GetType()
    GetUserByAttribute Method string GetUserByAttribute(QPM.Common.Connections.DirectoryInfo directo...
    GetUserById Method string GetUserById(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    GetUserByName Method string GetUserByName(QPM.Common.Connections.DirectoryInfo directoryInf...
    GetUserConfigurationSetId Method string GetUserConfigurationSetId(QPM.Common.Connections.DirectoryInfo ...
    LdapEscape Method string LdapEscape(string str)
    LdapFindAll Method string[] LdapFindAll(QPM.Common.Connections.DirectoryInfo directoryInf...
    LdapFindOne Method string LdapFindOne(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    Localize Method QPM.Common.LocalizedItem Localize(string resourceId), QPM.Common.Local...
    Log Method void Log(string message)
    LogError Method void LogError(string message)
    LogEvent Method void LogEvent(string message)
    LogEventError Method void LogEventError(string message)
    LogEventWarning Method void LogEventWarning(string message)
    LogWarning Method void LogWarning(string message)
    QAProfileAssignPasscode Method void QAProfileAssignPasscode(QPM.Common.Connections.DirectoryInfo dire...
    QAProfileAuthenticate Method System.Collections.Generic.List[string] QAProfileAuthenticate(QPM.Comm...
    QAProfileClearForceEnrollStartDate Method void QAProfileClearForceEnrollStartDate(QPM.Common.Connections.Directo...
    QAProfileLock Method void QAProfileLock(QPM.Common.Connections.DirectoryInfo directoryInfo,...
    QAProfileRead Method QPM.Common.QAProfileInfo QAProfileRead(QPM.Common.Connections.Director...
    QAProfileSetForceEnrollStartDate Method void QAProfileSetForceEnrollStartDate(QPM.Common.Connections.Directory...
    QAProfileUnlock Method void QAProfileUnlock(QPM.Common.Connections.DirectoryInfo directoryInf...
    QAProfileUpdate Method void QAProfileUpdate(QPM.Common.Connections.DirectoryInfo directoryInf...
    SearchUser Method string[] SearchUser(QPM.Common.Connections.DirectoryInfo directoryInfo...
    ToString Method string ToString()
    UserChangePassword Method void UserChangePassword(QPM.Common.Connections.DirectoryInfo directory...
    UserEnableAccount Method void UserEnableAccount(QPM.Common.Connections.DirectoryInfo directoryI...
    UserResetPassword Method void UserResetPassword(QPM.Common.Connections.DirectoryInfo directoryI...
    UserSetChangePasswordAtNextLogon Method void UserSetChangePasswordAtNextLogon(QPM.Common.Connections.Directory...
    UserUnlockAccount Method void UserUnlockAccount(QPM.Common.Connections.DirectoryInfo directoryI...
  • This method is prepended with "QAProfile". Are you using a test User with a populated Questions and Answers profile?
  • Hi Terrance,

    None of our users have created QA profile and we do not want to introduce and force users to create QA. Is it way to to not require users to create QA. Our need is simply;

    • User have forgotten his password and get a passcode sent to his email.
    • set a new password on his account after the passcode is verified.

    Can I use another function to make this work? To set a passcode on a user without QA profile?

    Kind regards
  • I believe that this method requires that a profile be present, but I'm not sure. Try testing it with an account which has one.

    If it works, there should be a way to programmatically populate the profile, as a pre-requisite for this method.