Symantec IGA


How to unlock an AD account upon resetting a password using Forgotten Password Reset task.

  • 1.  How to unlock an AD account upon resetting a password using Forgotten Password Reset task.

    Posted May 07, 2016 04:00 PM

    Team,

    Sometimes, the wheel has already been invented. I see this question asked a few times a year.

    PX Rules is a great framework tool, to manage business logic. This FPR task or other tasks may be used.

    Have used this process for IVR (phone/voice systems) to reset passwords.

    *** ***

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec583916.aspx

     

    How to get to unlock an AD account upon resetting a password using Forgotten Password Reset task.

    Document ID:  TEC583916
    Last Modified Date:  12/26/2012

    • Products
      • CA Identity Manager
      • CA Admin
      • CA Directory
      • CA Identity Suite
    • Releases
      • CA Identity Manager:Release:12.5
    • Components
      • IdentityMinder(Identity Manager)

     

     

    Description:

    In order to unlock the associated AD account you can implement a PX policy that will find and unlock the associated account.

    Solution:

    The Forgotten Password Reset task will only reset an account's password. However, if the account is locked it will remain locked. This will still require administrative intervention.
    In case you would like the self-service Forgotten Password Reset task to also unlock the associated AD account, then you will need to explicitly work that out.
    Probably the most elegant way is to use PX and apply a policy to handle that.

    See the attached XML file; it contains a policy that will do that and is triggered on Forgotten Password Reset completion. You can see in the attached file that we retrieve the account information, then the account name by parsing the retrieved string, and we then find out if it's locked. You can see the condition on the action rule that will invoke the action rule only if the account is locked, and then the action rule will unlock it.

    You can actually use the attached xml file. You can import it from your management console (/iammanage -> IME -> roles and tasks -> import).
    You will then see that policy in PX and be able to update your local endpoint name to get it to work in your environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <ims:ImsTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://imsenvironmentobjects/xsd imsconfig://schema/ImsEnvironmentObjects.xsd" xmlns:ims="http://imsenvironmentobjects/xsd" xmlns:imsrule="http://imsmemberrule/xsd" xmlns:imsscope="http://imsscoperule/xsd" xmlns:imschange="http://imschangeaction/xsd">
    <ManagedObject type="POLICY XPRESS EXPORT" friendlyName="Unlock AD Account">
    <Attribute name="friendlyName">Unlock AD Account</Attribute>
    <Attribute name="enabled">true</Attribute>
    <Attribute name="category">User Account</Attribute>
    <Attribute name="description"></Attribute>
    <Attribute name="runOnce">false</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="system">false</Attribute>
    <Attribute name="template">PolicyXpress</Attribute>
    <Attribute name="templateData"></Attribute>
    <Attribute name="whenToRun"><![CDATA[<Related>
    <WhenToRun>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="step">TASK_COMPLETED</Attribute>
    <Attribute name="eventName">ForgottenPasswordReset</Attribute>
    </WhenToRun>
    </Related>
    ]]></Attribute>
    <Attribute name="dataElements"><![CDATA[<Related>
    <DataElement>
    <Attribute name="friendlyName">IsAccountLocked</Attribute>
    <Attribute name="elementType">element.type.account.values</Attribute>
    <Attribute name="subElement">element.ace.value.attribute.get</Attribute>
    <Attribute name="priority">4</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">locked</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">Account</Attribute>
    <Attribute name="elementType">element.type.accounts</Attribute>
    <Attribute name="subElement">element.accounts.get</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">colonIndex</Attribute>
    <Attribute name="elementType">element.type.string.searcher</Attribute>
    <Attribute name="subElement">element.string.index.of</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">:</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">GetAccountName</Attribute>
    <Attribute name="elementType">element.type.string.parser</Attribute>
    <Attribute name="subElement">element.string.manipulation.substring</Attribute>
    <Attribute name="priority">3</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'ColonIndexPlusOne'}</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED"/>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">ColonIndexPlusOne</Attribute>
    <Attribute name="elementType">element.type.math</Attribute>
    <Attribute name="subElement">element.math.increment</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'colonIndex'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">1</PxParameter>
    </DataElement>
    </Related>
    ]]></Attribute>
    <Attribute name="entryRules"><![CDATA[<Related/>
    ]]></Attribute>
    <Attribute name="actionRules"><![CDATA[<Related>
    <ActionRule>
    <Attribute name="friendlyName">Set unlock attr to 0</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">IsAccountLocked</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">Set unlock attr</Attribute>
    <Attribute name="actionType">action.name.set.account.data</Attribute>
    <Attribute name="subAction">action.ace.accounts.set</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">%LOCKED_STATE%</PxParameter>
    <PxParameter extraInfo="" index="5" uiType="TYPED">0</PxParameter>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    </Related>
    ]]></Attribute>
    </ManagedObject>
    </ims:ImsTemplate>

    Don't forget to replace the AD_ENDPOINT_NAME parameter with your Active Directory endpoint name.

     

     

     

    *** ***

     

    Recommend saving the IMAG knowledge base as a favorites link.

     

    http://www.ca.com/us/support/ca-support-online/support-by-product/ca-identity-manager.aspx?d=t&language=en&type=ALL&type…
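    The policy above is easier to reason about when its five data elements and single action rule are written out as ordinary code. The following is an added example, not CA/Symantec Identity Manager code and not part of the knowledge base article: it models in plain Python what the exported policy computes on ForgottenPasswordReset completion, so that the evaluation order (priority 0 through 4), the colon parsing, and the condition on IsAccountLocked can be checked offline, including the cases the XML does not spell out (no colon in the account reference, account not found, account already unlocked). It assumes the Account element returns a reference of the form "<endpoint>:<account name>", which is what the colonIndex / ColonIndexPlusOne / GetAccountName chain relies on; the AdAccount class, build_directory and evaluate_policy are constructed stand-ins, not product APIs.

```python
"""Offline model of the TEC583916 'Unlock AD Account' PX policy.

Added example (not Identity Manager code). AdAccount, build_directory and
evaluate_policy are hypothetical helpers that stand in for the provisioning
directory and the PX runtime.
"""
from dataclasses import dataclass

# Stand-in for the AD_ENDPOINT_NAME parameter in the policy (constructed).
ENDPOINT = "AD_ENDPOINT_NAME"


@dataclass
class AdAccount:
    """Minimal view of a provisioned AD account: just what the policy reads and writes."""
    endpoint: str
    name: str
    locked: bool  # the 'locked' attribute read by IsAccountLocked / set via %LOCKED_STATE%


def build_directory() -> dict:
    """Constructed sample endpoint contents: one locked and one unlocked account."""
    return {
        "jdoe": AdAccount(ENDPOINT, "jdoe", locked=True),
        "asmith": AdAccount(ENDPOINT, "asmith", locked=False),
    }


def get_account_name(account_ref: str) -> str:
    """GetAccountName: the substring of the account reference after the first ':'.

    Mirrors element.string.index.of (colonIndex, priority 1),
    element.math.increment (ColonIndexPlusOne, priority 2) and
    element.string.manipulation.substring (GetAccountName, priority 3).
    With no ':' present, index.of yields -1, the increment yields 0 and the
    whole string is returned, which is what the PX chain would do as well.
    """
    colon_index = account_ref.find(":")   # colonIndex
    start = colon_index + 1               # ColonIndexPlusOne
    return account_ref[start:]            # GetAccountName


def evaluate_policy(account_ref: str, directory: dict) -> list:
    """Run the policy once for a completed ForgottenPasswordReset task.

    Returns the actions the action rule 'Set unlock attr to 0' would emit:
    [("unlock", endpoint, account_name)] when IsAccountLocked EQUALS true,
    otherwise an empty list (no account found, or account not locked).
    """
    name = get_account_name(account_ref)
    account = directory.get(name)
    if account is None:
        # IsAccountLocked cannot be resolved for an unknown account, so the
        # condition is not met and nothing is changed.
        return []
    is_locked = account.locked            # IsAccountLocked (priority 4)
    if not is_locked:                     # Condition: IsAccountLocked EQUALS true
        return []
    # action.ace.accounts.set: %LOCKED_STATE% = 0 on the resolved account.
    account.locked = False
    return [("unlock", account.endpoint, name)]


if __name__ == "__main__":
    directory = build_directory()
    for ref in (f"{ENDPOINT}:jdoe", f"{ENDPOINT}:jdoe", f"{ENDPOINT}:asmith", "nobody"):
        # Constructed walkthrough: first call unlocks jdoe, the repeat is a no-op,
        # asmith is already unlocked, and an unknown reference is ignored.
        print(ref, "->", evaluate_policy(ref, directory))
```

    The second call for the same account returning no action is the behaviour the condition on the action rule buys you: the unlock is only written when the account is actually locked, so a routine password reset on an unlocked account does not touch the endpoint. When adapting the real policy, the place to verify is the Account element's output format in your environment; if it does not contain the colon the substring logic assumes, GetAccountName silently passes the whole string through and the lookup fails, which this model reproduces.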



  • 2.  Re: How to unlock an AD account upon resetting a password using Forgotten Password Reset task.

    Broadcom Employee
    Posted Jun 07, 2016 04:52 PM

    Another great tip - Thanks Alan.

     

    Sagi