Symantec IGA

  • 1.  How to get an AD account unlocked at PW Reset

    Posted 02-27-2013 02:49 PM
    I have my password reset functionality working just fine and the tool being used only by the help desk right now.

    One use case that is problematic is when accounts are locked up and user calls to get their account's password reset. How do get the endpoint account unlocked at the same time as the reset?
    Right now the help desk resets then goes into Modify Endpoint accounts and unlocks, it would be easier to get it all on one screen.


  • 2.  RE: How to get an AD account unlocked at PW Reset

    Posted 02-28-2013 03:16 AM
    Hey,

    Can you give it a try with a PX after Password Reset Event and use the Accounts / Set / some field (i guess the "locked" one) to change it to the appropriate "unlocked" value?

    /Razvan


  • 3.  RE: How to get an AD account unlocked at PW Reset

    Posted 02-28-2013 07:56 AM
    Hi Drew,

    there is a technical doc about that question:

    Document ID: TEC583916

    Tech Document
    Title: How to get to unlock an AD account upon resetting a password using Forgotten Password Reset task.


    Description:

    In order to unlock the associated AD account you can implement a PX policy that will find and unlock the associated account.

    Solution:

    Forgotten Password Reset task will only reset an account's password. However, if the account is locked it will remain locked. This will still require an administrative intervention.
    In case you would like for the self service Forgotten Password Reset task to also unlock the associated AD account then you will need to explicitly work that out.
    Probably the most elegant way is to use PX and apply a policy to handle that.

    See the attached xml file, it contains a policy that will do that and is triggered on Forgotten Password Reset completion. You can see in the attached file that we retrieve the account information, then the account name by parsing the retrieved string, we then find out if it's locked. You can see the condition on the action rule that will invoke the action rule only if the account is locked and then the action rule will unlock it.

    You can actually use the attached xml file. You can import it from your management console (/iammanage -> IME -> roles and tasks -> import).
    You will then see that policy in PX and be able to update your local endpoint name to get it to work in your environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <ims:ImsTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://imsenvironmentobjects/xsd imsconfig://schema/ImsEnvironmentObjects.xsd" xmlns:ims="http://imsenvironmentobjects/xsd" xmlns:imsrule=" http://imsmemberrule/xsd" xmlns:imsscope="http://imsscoperule/xsd" xmlns:imschange="http://imschangeaction/xsd">
    <ManagedObject type="POLICY XPRESS EXPORT" friendlyName="Unlock AD Account">
    <Attribute name="friendlyName">Unlock AD Account</Attribute>
    <Attribute name="enabled">true</Attribute>
    <Attribute name="category">User Account</Attribute>
    <Attribute name="description"></Attribute>
    <Attribute name="runOnce">false</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="system">false</Attribute>
    <Attribute name="template">PolicyXpress</Attribute>
    <Attribute name="templateData"></Attribute>
    <Attribute name="whenToRun"><![CDATA[<Related>
    <WhenToRun>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="step">TASK_COMPLETED</Attribute>
    <Attribute name="eventName">ForgottenPasswordReset</Attribute>
    </WhenToRun>
    </Related>
    ]]></Attribute>
    <Attribute name="dataElements"><![CDATA[<Related>
    <DataElement>
    <Attribute name="friendlyName">IsAccountLocked</Attribute>
    <Attribute name="elementType">element.type.account.values</Attribute>
    <Attribute name="subElement">element.ace.value.attribute.get</Attribute>
    <Attribute name="priority">4</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">locked</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">Account</Attribute>
    <Attribute name="elementType">element.type.accounts</Attribute>
    <Attribute name="subElement">element.accounts.get</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">colonIndex</Attribute>
    <Attribute name="elementType">element.type.string.searcher</Attribute>
    <Attribute name="subElement">element.string.index.of</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">:</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">GetAccountName</Attribute>
    <Attribute name="elementType">element.type.string.parser</Attribute>
    <Attribute name="subElement">element.string.manipulation.substring</Attribute>
    <Attribute name="priority">3</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'Account'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'ColonIndexPlusOne'}</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED"/>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">ColonIndexPlusOne</Attribute>
    <Attribute name="elementType">element.type.math</Attribute>
    <Attribute name="subElement">element.math.increment</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'colonIndex'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">1</PxParameter>
    </DataElement>
    </Related>
    ]]></Attribute>
    <Attribute name="entryRules"><![CDATA[<Related/>
    ]]></Attribute>
    <Attribute name="actionRules"><![CDATA[<Related>
    <ActionRule>
    <Attribute name="friendlyName">Set unlock attr to 0</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">IsAccountLocked</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">Set unlock attr</Attribute>
    <Attribute name="actionType">action.name.set.account.data</Attribute>
    <Attribute name="subAction">action.ace.accounts.set</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">AD_ENDPOINT_NAME</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'GetAccountName'}</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="SELECTED">%LOCKED_STATE%</PxParameter>
    <PxParameter extraInfo="" index="5" uiType="TYPED">0</PxParameter>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    </Related>
    ]]></Attribute>
    </ManagedObject>
    </ims:ImsTemplate>

    Don't forget to replace the AD_ENDPOINT_NAME parameter with your Active Drectory endpoint name.


  • 4.  RE: How to get an AD account unlocked at PW Reset

    Posted 02-28-2013 11:24 AM
    You have this for Forgotten PW reset, but I assume I can modify this and add it to any task. I would need this for self servce Forgot and through the Service Desk reset task when they call in to have it done.


  • 5.  RE: How to get an AD account unlocked at PW Reset

    Posted 03-19-2013 07:30 PM
    yes, the Forgotten PW reset is the self servce Forgot and it shoud work with any reset task.


  • 6.  RE: How to get an AD account unlocked at PW Reset

    Posted 03-20-2013 03:19 AM
    You can configure GINA or Credention Provider and the users can reset their password through the Windows Authentication screen.
    Forgetten User Password task generates a temporary password and this is not propagated to the accounts. It changes only the IM password.

    Only Modify My Password task generates Password Services process which will propagate the password to the endpoint.


  • 7.  RE: How to get an AD account unlocked at PW Reset
    Best Answer

    Posted 08-21-2013 03:18 PM
    In the schema.ext file add the attribute "LockOutTime".
    After that, restart the provisioning server service, this attribute will be listed in the CUSTOM tab of an account template.
    Set its value to a custom field ex: %UCU10% (CustomField 10).

    Now you can create a new policy xpress to be executed after the Reset Password task, and set the Customfield10 to '0'.

    This attribute is for Unlock AD Account, and not to enable/disable AD Account.

    Thanks.