Reset Active Directory Password Process
The Reset Password process enables a user to request a reset of another user's Active Directory password. A user cannot request a reset of his/her own password.
The prerequisites for implementing this process are as follows:
In order for a user to have his/her password changed, the user must exist in Active Directory.
User accounts must be active in Active Directory (Account tab > Account is Disabled unchecked).
The account must allow its password to be changed in Active Directory (Account tab > User Cannot Change Password unchecked).
The user’s manager must be designated within the Organization tab of Active Directory, or the user’s active and accurate phone number must be populated within the user account in the General tab > Telephone Number field. The manager must also have a valid e-mail address populated within the General tab > Email Address field within Active Directory.
From the Properties tab of the project in the Workflow Designer, set the desired group names, e-mail information, and Active Directory settings.
The group names and e-mail addresses are populated by these properties:
ADAdministrator (the e-mail address of the user responsible for notifying a user of a new password by phone).
GroupServiceManagers, ServiceManagerGroupEmail (the name and e-mail address of the group notified when the user could not be reached by phone and the e-mail to the user’s manager also failed).
AdministratorContactName, AdministratorContactInfo, AdministratorEmail (used when there is a failure with the process or if the user’s manager cannot be contacted by e-mail to approve a password reset request).
The e-mail server settings are populated by these properties: SMTPServer, MailFromAddress.
The AD settings are populated by these properties: ADDomainName, ADServer, ADDomainAdminUser, ADDomainAdminPassword.
Verify that you want the tasks/e-mails to go to the following users, and change the task assignment in the Dialog Workflow components as desired. By default, no tasks are assigned; only e-mails are sent. The following users/groups are used:
AD Administrators - AD Administrators are tasked with contacting a user by phone to notify them of a password reset. (Deliver via Contact model > Contact w/New Password – Phone Dialog Workflow component.)
Service Managers - When an AD Administrator cannot contact a user, Service Managers are tasked with determining the issue. (Primary model > Determine Issue and Communicate New Password Dialog Workflow component.)
Administrators - Administrators are used when there is a failure with the process or if the user’s manager cannot be contacted by e-mail to approve a password reset request. (Determine Issue and Resolve it model > Determine Issue and Resolve It Dialog Workflow component. Also, Request Manager Approval Model > Need Administrator’s Approval Dialog Workflow component.)
If you wish to use Process Manager for task assignment, set up the task assignment in the Dialog Workflow components. The default setting is "DefaultTaskSource." Change this to "ProcessManagerTaskSource" and scroll down to the Task Assignments section and make the desired task assignments.
General process rules:
- Users cannot request their own password reset
- Manager approval is required*
- New password is randomly generated
- User's account is updated with the new password
- User's account is set to require new password at next logon (which must be done before the user attempts to log in to the Process Manager portal)
- An e-mail with the temporary password is sent to the user's manager*
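The prerequisite checks above and the process rules just listed (no self-reset, approval assumed when the requester is the manager, random password, change required at next logon), as an added PowerShell example that is not part of the original process documentation. It assumes the RSAT ActiveDirectory module is installed and the account names and domain controller name are placeholders.

```powershell
# Added example, not part of the original process documentation. Validates the
# prerequisites for a target account and, if the requester is the user's
# manager (approval assumed), resets the password to a random value that must
# be changed at next logon. Needs the RSAT ActiveDirectory module; the account
# names and server name below are placeholders.
Import-Module ActiveDirectory
function Test-ResetPrerequisites {
    param([string]$TargetSam, [string]$RequesterSam, [string]$Server)
    $props = 'Enabled', 'CannotChangePassword', 'Manager', 'telephoneNumber', 'mail'
    $user = Get-ADUser -Identity $TargetSam -Server $Server -Properties $props
    $problems = @()
    if ($TargetSam -ieq $RequesterSam) { $problems += 'Users cannot request their own reset' }
    if (-not $user.Enabled)            { $problems += 'Account is disabled' }
    if ($user.CannotChangePassword)    { $problems += '"User Cannot Change Password" is set' }
    $manager = $null; $managerMail = $null
    if ($user.Manager) {
        $manager = Get-ADUser -Identity $user.Manager -Server $Server -Properties mail
        $managerMail = $manager.mail
        if (-not $managerMail) { $problems += 'Manager has no e-mail address' }
    } elseif (-not $user.telephoneNumber) {
        $problems += 'Neither manager nor telephone number is populated'
    }
    $requester = Get-ADUser -Identity $RequesterSam -Server $Server
    [pscustomobject]@{
        Ok                 = ($problems.Count -eq 0)
        Problems           = $problems
        RequesterIsManager = [bool]($manager -and $manager.DistinguishedName -eq $requester.DistinguishedName)
        ManagerMail        = $managerMail
    }
}

function Reset-UserPassword {
    param([string]$TargetSam, [string]$Server)
    # 24 CSPRNG bytes, Base64-encoded: 32 characters of mixed case, digits and
    # symbols, with no modulo bias from mapping bytes onto a character set.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $TargetSam -Server $Server -Reset -NewPassword $secure
    Set-ADUser -Identity $TargetSam -Server $Server -ChangePasswordAtLogon $true
    return $plain   # pass to the notification step only; never write it to a log
}

$check = Test-ResetPrerequisites -TargetSam 'jdoe' -RequesterSam 'asmith' -Server 'dc01.example.local'
if (-not $check.Ok) { $check.Problems | ForEach-Object { Write-Warning $_ }; exit 1 }
if ($check.RequesterIsManager) { $tempPw = Reset-UserPassword -TargetSam 'jdoe' -Server 'dc01.example.local' }
else { Write-Host "Manager approval required; send the request to $($check.ManagerMail)" }
```

The account running the script needs the Reset Password right on the target user; the returned temporary password is meant to be handed to the e-mail or phone notification step described in the process, not stored.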
Requesters have two methods of performing the password reset:
If the requester is the user’s manager (determined by the manager set for the user on the Organization tab for the user in Active Directory), approval is assumed and the reset happens automatically. Otherwise, an e-mail/task goes to the user's manager to approve the reset. The e-mail to approve the reset goes to the e-mail address set on the manager’s record on the General tab > Email Address field in Active Directory.
Asking the AD Administrator to perform the password reset (after approval from the user's manager) and then call the user to notify them of the reset.
*If manager information is not found, meaning a task assignment or e-mail to the manager cannot be made, the process automatically e-mails the Administrators for approval of the password reset.
Method 1
1. If the manager's name and/or e-mail address cannot be found, the requester must use method #2.
2. The process checks whether the requester is the user's manager; if not, the appropriate manager is looked up in Active Directory and tasked with approval.
3. Upon approval, the manager receives an e-mail containing the new password to share with the user. The user must change the password upon initial login.
Method 2
1. If no phone number for the user is found, the requester must use method #1.
2. The process checks whether the requester is the user's manager; if not, the appropriate manager is looked up in Active Directory and tasked with approval. If the manager's e-mail information is not found, the e-mail approval message goes to the Administrator.
3. Upon approval, the AD Administrator receives an e-mail containing the new password to share with the user by phone. The user must change the password upon initial login.
4. If the user cannot be reached, the AD Administrator completes a form stating that contact was unsuccessful. If the phone call is not successful, an e-mail goes to the user's manager. If that e-mail fails, an e-mail/task goes to the Service Managers to further attempt contact. If they are unsuccessful, the Service Managers complete a form explaining why and the process ends.