Symantec IGA

  • 1.  how to check for Active Directory account password change

    Posted Jul 11, 2019 10:52 AM

    I have created a PX to send an SMS message with a temporary password when a reset password task is submitted. The problem is that if the password change fails for the Active Directory account, the message is sent anyway; this is not the desired outcome.

    Is there a way to check for the password change at the endpoint or to check for the event status?

    P.S. I have tried to check for the password change in AD, but so far it doesn't seem to work.


  • 2.  RE: how to check for Active Directory account password change

    Broadcom Employee
    Posted Jul 11, 2019 12:06 PM
    If you're changing the password directly against AD or your endpoint it is not guaranteed that a PX policy will be able to determine when the attribute value has changed due to possible timing issues.

    If AD is your corporate user store, use a PX to first check whether the task/event is successful and then send the SMS message.


  • 3.  RE: how to check for Active Directory account password change

    Posted Jul 11, 2019 01:55 PM
    Thanks for the tip, Larry. Can you tell me how to check whether the task/event was successful?


  • 4.  RE: how to check for Active Directory account password change

    Posted Jul 18, 2019 02:06 PM
    Is this PX firing during the UI phase?
    If it fires after the task has completed, then it won't fire if the task fails?
    You may need to set/use the |confirmPassword| logical attribute to actually read the password value in a PX in the submitted task phase (assuming your task sets it).


  • 5.  RE: how to check for Active Directory account password change

    Posted Jul 19, 2019 04:45 PM
    Hi Pearse,

    Thanks for your help. I will try to answer your questions and explain the problem:

    Is this PX firing during the UI phase?
    A: yes

    If it fires after the task has completed, then it won't fire if the task fails?
    A: I don't think I understand this question very well, but I believe that the completed status means that the task should end successfully and this triggers the sending of the SMS. But this is not what is happening: even though the task fails, the SMS is sent anyway.

    You may need to set/use the |confirmPassword| logical attribute to actually read the password value in a PX in the submitted task phase (assuming your task sets it)

    A: there are 2 PX related to this task:

    The 1st PX is Policy Type UI; it generates a temporary password and sets this password in the user attributes %Password% and |confirmPassword|.


    The 2nd PX tries to check (unsuccessfully) whether the password change was effective at the endpoint and, if so, it sends an SMS message with the temporary password.

    I have tried 4 different options in this second PX

    1) the PX is Policy Type Submitted Task and it fires after the Reset Password task is complete

    Outcome: the SMS message is sent anyway even though the task has failed

    2) the PX is Policy Type Event and it fires after the "ResetPasswordEvent"
    Comments: with this type of PX I need to set a rule
    Outcome: the SMS is never sent; the rule is never satisfied

    3) the PX is Policy Type Event and it fires after the "SynchronizeAttributesWithAccountsEvent"
    Comments: with this type of PX I need to set a rule but I cannot find the right one
    Outcome1: the SMS is never sent when I set a rule
    Outcome2: without any rules the SMS is sent but without the temporary password, it seems I cannot use the |confirmPassword| value

    4) the PX is Policy Type UI and the event that fires it is "Validate on Submit"

    Comments: with this type of PX it seems to me I cannot do much
    Outcome: The SMS is sent anyways even though the password at the endpoint has not changed


    Problem: I cannot determine whether the password has been successfully changed at the endpoint (AD account)


    QUESTION: is there any way to ask about the event status?  maybe via BLTH?

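The post above mentions trying to confirm the change in AD itself. As an added example (not code from the thread or from the Identity Manager product), the check below compares the account's pwdLastSet attribute read before the reset task is submitted and again afterwards; the LDAP reads are assumed to be done by your own client, and the timestamps here are constructed sample values so it runs offline.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CLOCK_SKEW = timedelta(minutes=5)  # tolerance between IM server and DC clocks (assumed)

def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """0 means 'must change password at next logon' (no timestamp);
    any positive value is converted to an aware UTC datetime."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build sample values."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def classify_reset(before: int, after: int, submitted_at: datetime) -> str:
    """Compare pwdLastSet read before and after the reset task.
    Returns 'changed', 'unchanged', 'must_change' or 'stale'."""
    if after == before:
        return "unchanged"      # the endpoint never wrote a new password
    if after == 0:
        return "must_change"    # reset applied with 'change at next logon' set
    when = filetime_to_datetime(after)
    if when is not None and when >= submitted_at - CLOCK_SKEW:
        return "changed"        # stamp moved forward after the task was submitted
    return "stale"              # stamp moved but predates the task: not confirmed

# Constructed sample: a task submitted on 2019-07-11 10:52 UTC.
SUBMITTED = datetime(2019, 7, 11, 10, 52, tzinfo=timezone.utc)
BEFORE = datetime_to_filetime(SUBMITTED - timedelta(days=30))
AFTER_OK = datetime_to_filetime(SUBMITTED + timedelta(seconds=8))

def demo() -> dict:
    return {
        "success": classify_reset(BEFORE, AFTER_OK, SUBMITTED),
        "failed_task": classify_reset(BEFORE, BEFORE, SUBMITTED),
        "next_logon": classify_reset(BEFORE, 0, SUBMITTED),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only a verdict of "changed" (or "must_change", if your reset task deliberately forces a change at next logon) should release the SMS; anything else means the endpoint did not take the new password.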

  • 6.  RE: how to check for Active Directory account password change
    Best Answer

    Posted Jul 23, 2019 10:42 AM
    I would have expected with option 1 that the PX would not fire as the task is marked as failed.

    How is the task status displayed in "view submitted tasks"?

    Can you also try to configure the task so that "account synchronization" is "on every event"? This may force the failure to occur earlier, thus preventing the PX from firing.