Symantec IGA

  • 1.  How to get an AD account unlocked at PW Reset

    Posted Feb 27, 2013 02:49 PM
    I have my password reset functionality working just fine and the tool being used only by the help desk right now.

    One use case that is problematic is when accounts are locked up and the user calls to get their account's password reset. How do I get the endpoint account unlocked at the same time as the reset?
    Right now the help desk resets, then goes into Modify Endpoint Accounts and unlocks; it would be easier to get it all on one screen.


  • 2.  RE: How to get an AD account unlocked at PW Reset

    Posted Feb 28, 2013 03:16 AM
    Hey,

    Can you give it a try with a PX after Password Reset Event and use the Accounts / Set / some field (I guess the "locked" one) to change it to the appropriate "unlocked" value?

    /Razvan


  • 3.  RE: How to get an AD account unlocked at PW Reset

    Posted Feb 28, 2013 07:56 AM
    Hi Drew,

    There is a technical doc about that question:

    Document ID: TEC583916

    Tech Document
    Title: How to get to unlock an AD account upon resetting a password using Forgotten Password Reset task.


    Description:

    In order to unlock the associated AD account you can implement a PX policy that will find and unlock the associated account.

    Solution:

    Forgotten Password Reset task will only reset an account's password. However, if the account is locked it will remain locked. This will still require an administrative intervention.
    In case you would like for the self service Forgotten Password Reset task to also unlock the associated AD account then you will need to explicitly work that out.
    Probably the most elegant way is to use PX and apply a policy to handle that.

    See the attached xml file, it contains a policy that will do that and is triggered on Forgotten Password Reset completion. You can see in the attached file that we retrieve the account information, then the account name by parsing the retrieved string, we then find out if it's locked. You can see the condition on the action rule that will invoke the action rule only if the account is locked and then the action rule will unlock it.

    You can actually use the attached xml file. You can import it from your management console (/iammanage -> IME -> roles and tasks -> import).
    You will then see that policy in PX and be able to update your local endpoint name to get it to work in your environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <ims:ImsTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://imsenvironmentobjects/xsd imsconfig://schema/ImsEnvironmentObjects.xsd" xmlns:ims="http://imsenvironmentobjects/xsd" xmlns:imsrule="http://imsmemberrule/xsd" xmlns:imsscope="http://imsscoperule/xsd" xmlns:imschange="http://imschangeaction/xsd">
    <ManagedObject type="POLICY XPRESS EXPORT" friendlyName="Unlock AD Account">
    <Attribute name="friendlyName">Unlock AD Account</Attribute>
    <Attribute name="enabled">true</Attribute>
    <Attribute name="category">User Account</Attribute>
    <Attribute name="description"></Attribute>
    <Attribute name="runOnce">false</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="system">false</Attribute>
    <Attribute name="template">PolicyXpress</Attribute>
    <Attribute name="templateData"></Attribute>
    <Attribute name="whenToRun"><![CDATA[<Related>
    <WhenToRun>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="step">TASK_COMPLETED</Attribute>
    <Attribute name="eventName">ForgottenPasswordReset</Attribute>
    </WhenToRun>
    </Related>
    ]]></Attribute>
    <Attribute name="dataElements"><![CDATA[<Related>
    <DataElement>
    <Attribute name="friendlyName">IsAccountLocked</Attribute>
    <Attribute name="elementType">element.type.account.values</Attribute>
    <Attribute name="subElement">element.ace.value.attribute.get</Attribute>
    <Attribute name="priority">4</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">locked</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">Account</Attribute>
    <Attribute name="elementType">element.type.accounts</Attribute>
    <Attribute name="subElement">element.accounts.get</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">colonIndex</Attribute>
    <Attribute name="elementType">element.type.string.searcher</Attribute>
    <Attribute name="subElement">element.string.index.of</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">:</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">GetAccountName</Attribute>
    <Attribute name="elementType">element.type.string.parser</Attribute>
    <Attribute name="subElement">element.string.manipulation.substring</Attribute>
    <Attribute name="priority">3</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'ColonIndexPlusOne'}</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED"/>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">ColonIndexPlusOne</Attribute>
    <Attribute name="elementType">element.type.math</Attribute>
    <Attribute name="subElement">element.math.increment</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'colonIndex'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">1</PxParameter>
    </DataElement>
    </Related>
    ]]></Attribute>
    <Attribute name="entryRules"><![CDATA[<Related/>
    ]]></Attribute>
    <Attribute name="actionRules"><![CDATA[<Related>
    <ActionRule>
    <Attribute name="friendlyName">Set unlock attr to 0</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">IsAccountLocked</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">Set unlock attr</Attribute>
    <Attribute name="actionType">action.name.set.account.data</Attribute>
    <Attribute name="subAction">action.ace.accounts.set</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">%LOCKED_STATE%</PxParameter>
    <PxParameter extraInfo="" index="5" uiType="TYPED">0</PxParameter>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    </Related>
    ]]></Attribute>
    </ManagedObject>
    </ims:ImsTemplate>

    Don't forget to replace the AD_ENDPOINT_NAME parameter with your Active Directory endpoint name.
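    To make the data-element pipeline in the exported policy easier to follow, here is an added offline emulation of it in Python. It is illustrative code, not Symantec/CA Identity Manager code, and it assumes two things the thread does not spell out: that the "Account" element resolves to a string of the form "<endpoint name>:<account name>" (which is why the policy searches for the colon and takes the substring after it), and that the endpoint's "locked" attribute is read back as the string "true" or "false". The %LOCKED_STATE% attribute name is kept as a placeholder. The emulation also shows the failure mode the policy itself does not guard against: an account string without a colon makes index-of return -1, the increment turns that into 0, and the substring then hands the whole string to the attribute lookup.

```python
# Added example: offline emulation of the "Unlock AD Account" Policy Xpress
# export. Not CA/Symantec code. Assumed (not stated on the page): the Account
# element yields "<endpoint name>:<account name>" and the "locked" attribute
# comes back as the string "true"/"false".

LOCKED_STATE_ATTR = "LOCKED_STATE"  # placeholder for %LOCKED_STATE% in the export


class AdEndpoint:
    """Constructed in-memory stand-in for one Active Directory endpoint."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts  # account name -> attribute dict
        self.audit = []           # (account, attribute, old value, new value)

    def get(self, account, attr):
        return self.accounts[account][attr]

    def set(self, account, attr, value):
        old = self.accounts[account].get(attr)
        self.accounts[account][attr] = value
        self.audit.append((account, attr, old, value))


def string_index_of(text, needle):
    """element.string.index.of: -1 when the needle is absent (Java indexOf semantics)."""
    return text.find(needle)


def math_increment(value, by):
    """element.math.increment."""
    return value + by


def string_substring(text, start, end=""):
    """element.string.manipulation.substring; an empty end means 'to end of string'."""
    return text[start:] if end == "" else text[start:int(end)]


def evaluate_unlock_policy(endpoint, account_string):
    """Run the five data elements in priority order (0..4), then the one
    action rule. Returns (resolved data elements, actions performed)."""
    elements = {}
    elements["Account"] = account_string                                        # priority 0
    elements["colonIndex"] = string_index_of(elements["Account"], ":")           # priority 1
    elements["ColonIndexPlusOne"] = math_increment(elements["colonIndex"], 1)    # priority 2
    elements["GetAccountName"] = string_substring(elements["Account"],
                                                  elements["ColonIndexPlusOne"])  # priority 3

    name = elements["GetAccountName"]
    if elements["colonIndex"] < 0 or name not in endpoint.accounts:
        # Unguarded case in the original policy: no ':' -> indexOf == -1 -> start
        # index 0 -> the whole string is used as the account name. Stop here
        # instead of guessing which account to touch.
        elements["IsAccountLocked"] = None
        return elements, []

    elements["IsAccountLocked"] = endpoint.get(name, "locked")                   # priority 4

    actions = []
    # Action rule "Set unlock attr to 0": condition IsAccountLocked EQUALS true
    if elements["IsAccountLocked"] == "true":
        endpoint.set(name, LOCKED_STATE_ATTR, "0")
        actions.append(("Set unlock attr", name, LOCKED_STATE_ATTR, "0"))
    return elements, actions


if __name__ == "__main__":
    # Constructed sample endpoint: one locked account, one not locked.
    ep = AdEndpoint("AD_ENDPOINT_NAME", {
        "jdoe":   {"locked": "true",  LOCKED_STATE_ATTR: "1"},
        "asmith": {"locked": "false", LOCKED_STATE_ATTR: "0"},
    })
    for acct in ("AD_ENDPOINT_NAME:jdoe", "AD_ENDPOINT_NAME:asmith", "jdoe"):
        elems, acts = evaluate_unlock_policy(ep, acct)
        print(acct, "->", elems["GetAccountName"], elems["IsAccountLocked"], acts)
    print("audit:", ep.audit)
```

    Only the locked account produces an action, and the endpoint's audit list records exactly what was changed, which is the trail a help desk or IAM operator would want to review after a self-service reset.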


  • 4.  RE: How to get an AD account unlocked at PW Reset

    Posted Feb 28, 2013 11:24 AM
    You have this for Forgotten PW reset, but I assume I can modify this and add it to any task. I would need this for self service Forgot and through the Service Desk reset task when they call in to have it done.


  • 5.  RE: How to get an AD account unlocked at PW Reset

    Posted Mar 19, 2013 07:30 PM
    Yes, the Forgotten PW reset is the self service Forgot and it should work with any reset task.


  • 6.  RE: How to get an AD account unlocked at PW Reset

    Posted Mar 20, 2013 03:19 AM
    You can configure GINA or Credential Provider and the users can reset their password through the Windows Authentication screen.
    Forgotten User Password task generates a temporary password and this is not propagated to the accounts. It changes only the IM password.

    Only Modify My Password task generates Password Services process which will propagate the password to the endpoint.


  • 7.  RE: How to get an AD account unlocked at PW Reset
    Best Answer

    Posted Aug 21, 2013 03:18 PM
    In the schema.ext file add the attribute "LockOutTime".
    After that, restart the provisioning server service; this attribute will be listed in the CUSTOM tab of an account template.
    Set its value to a custom field, e.g. %UCU10% (CustomField 10).

    Now you can create a new Policy Xpress to be executed after the Reset Password task, and set CustomField10 to '0'.

    This attribute is for Unlock AD Account, and not to enable/disable AD Account.

    Thanks.