One of the products offered by Cireson is their Password Reset application, which is a great tool for users to reset their own Active Directory account password.  It is a simple interface for users: all they need to do is enter their username, pick a method in which to receive their token, and then enter their token and new password… Password is reset!

As an added plus, it is possible to connect Password Reset to service management products such as SCSM in order to record every successful or failed password reset.

What I believe is missing though is the ability to register for self-service password reset.  In order for Password Reset to work, a personal phone number and/or email address must be stored in AD, as these will be used to send the user their password reset token.  In my experience, most organisations do not store this data in AD.

Further, by making users register for self-service password reset, it is possible to tell them what their data will be used for and have them confirm that they are happy to provide it.  And, with each registration being logged, it will then be possible to report on who has and has not registered.

Submit PWR

So, what did I do??

Well, before I start, this solution requires an installation of SCSM and the Cireson Portal.

If you have both, keep on reading…..

Here is an overview of what I did:

  1. Created a Service Request template which includes a workflow containing a Review Activity and a Manual Activity.
  2. Created a Service Offering for Identity Management.
  3. Created a Request Offering called “Submit Your Password Reset Details” with two user prompts.  One for Mobile Phone Number and one for Email Address.
  4. Implemented a workflow to make the Affected User a reviewer in the review activity.
  5. Implemented a workflow to update Active Directory with the user data when the Manual Activity moves to an In Progress state (which can only happen if the Review Activity has been approved).
  6. Linked the new Request Offering with the new Service Offering.
  7. Re-sync the portal cache and use your new offering!

I know that can seem like a lot, so here is a breakdown of each step:

1 – Create a basic Service Request template…. The Review Activity (RA) and Manual Activity (MA) in the activities just need to be blank with a friendly Title.

SR Template General

SR Template Activities

2 – A new Service Offering is only required if you don’t already have one that’s appropriate for the Request Offering.

Service Offering

3 – With the Cireson Portal comes the Advanced Request Offering management pack.  I would recommend having this MP installed and creating an Advanced Request Offering rather than a standard Request Offering.

RO General

RO User Prompts

RO Map Prompts

The reason I recommend using the Advanced Request Offering is because you can configure the prompt types to be Email and International Phone Number, rather than just free text where anything can be entered.

4 and 5 – This is the most complicated part of the process.  Create two PowerShell workflows using the Service Manager Authoring Tool: one that automatically assigns the reviewer, and one that updates AD.  Both scripts also require SMLets on your workflow management server.

This is the PowerShell script required to assign the affected user as a reviewer.  The trigger condition for this is when an object of the System.WorkItem.ServiceRequest class is created and the Title of the SR matches whatever you defined in the template created earlier.

The Title of the Review Activity is “PWR Password Reset Contact Update – User Confirmation” in my example.
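
The following is an added example of such a reviewer-assignment workflow script; it is not the author's script.  It assumes the Authoring Tool's PowerShell activity passes the Service Request Id in as $SRID, that the Review Activity title below matches your template exactly, and that SMLets is installed on the workflow management server.

```powershell
# Added example (not the author's script): make the SR's Affected User the reviewer
# on the "User Confirmation" Review Activity so they must approve their own details.
# Assumes the Authoring Tool passes the SR Id in as $SRID and SMLets is installed.
param(
    [Parameter(Mandatory = $true)][string]$SRID,
    [string]$ReviewActivityTitle = 'PWR Password Reset Contact Update – User Confirmation'
)
Import-Module SMLets -ErrorAction Stop

$srClass          = Get-SCSMClass -Name 'System.WorkItem.ServiceRequest$'
$reviewerClass    = Get-SCSMClass -Name 'System.Reviewer$'
$relAffectedUser  = Get-SCSMRelationshipClass -Name 'System.WorkItemAffectedUser$'
$relContainsAct   = Get-SCSMRelationshipClass -Name 'System.WorkItemContainsActivity$'
$relRaHasReviewer = Get-SCSMRelationshipClass -Name 'System.ReviewActivityHasReviewer$'
$relReviewerIsUsr = Get-SCSMRelationshipClass -Name 'System.ReviewerIsUser$'

$sr = Get-SCSMObject -Class $srClass -Filter "Id -eq $SRID"
if (-not $sr) { throw "Service Request $SRID not found" }

# The registrant is the Affected User; with nobody to confirm the data, stop here.
$affectedUser = Get-SCSMRelatedObject -SMObject $sr -Relationship $relAffectedUser
if (-not $affectedUser) { throw "SR $SRID has no Affected User; not adding a reviewer" }

# Select the RA by the title given in the template; the SR also contains the MA.
$ra = Get-SCSMRelatedObject -SMObject $sr -Relationship $relContainsAct |
      Where-Object { $_.Title -eq $ReviewActivityTitle }
if (-not $ra) { throw "No Review Activity titled '$ReviewActivityTitle' in $SRID" }

# Workflows can fire more than once for the same SR; do not add the reviewer twice.
$alreadyReviewer = Get-SCSMRelatedObject -SMObject $ra -Relationship $relRaHasReviewer |
    ForEach-Object { Get-SCSMRelatedObject -SMObject $_ -Relationship $relReviewerIsUsr } |
    Where-Object { $_.Id -eq $affectedUser.Id }
if ($alreadyReviewer) { Write-Output "Affected User already reviews $($ra.Id)"; return }

# "{0}" lets SCSM generate the reviewer display Id; MustVote requires the user's decision.
$reviewer = New-SCSMObject -Class $reviewerClass -PropertyHashtable @{
    ReviewerId = '{0}'; MustVote = $true; Veto = $false } -PassThru
New-SCSMRelationshipObject -Relationship $relRaHasReviewer -Source $ra -Target $reviewer -Bulk
New-SCSMRelationshipObject -Relationship $relReviewerIsUsr -Source $reviewer -Target $affectedUser -Bulk
Write-Output "Added $($affectedUser.UserName) as reviewer on $($ra.Id)"
```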

This is the PowerShell script to update the user account in Active Directory.  The trigger condition for this script is when an object of class System.WorkItem.Activity.ManualActivity is updated and the Title is the same as whatever was set when the template was made, in my case “PWR Perform Contact Information Update”.

I use the otherMobile and otherMailbox attributes in AD to store the user data.  You will need to change these if you are using different attributes.
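
The following is an added example of the AD update workflow script; it is not the author's script.  It assumes the Authoring Tool passes the Manual Activity Id in as $MAID, that the Request Offering prompts were mapped into the SR's UserInput with the question texts "Mobile Phone Number" and "Email Address", that SMLets and the ActiveDirectory module are installed on the workflow server, and that the workflow account has write access to only the otherMobile and otherMailbox attributes.

```powershell
# Added example (not the author's script): once the "PWR Perform Contact Information
# Update" Manual Activity is In Progress, copy the registrant's answers into AD.
# Assumes $MAID is passed in by the Authoring Tool and the RO prompts landed in
# the SR's UserInput XML under the question texts below (both are assumptions).
param(
    [Parameter(Mandatory = $true)][string]$MAID,
    [string]$PhoneQuestion = 'Mobile Phone Number',
    [string]$EmailQuestion = 'Email Address'
)
Import-Module SMLets -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$maClass         = Get-SCSMClass -Name 'System.WorkItem.Activity.ManualActivity$'
$relContainsAct  = Get-SCSMRelationshipClass -Name 'System.WorkItemContainsActivity$'
$relAffectedUser = Get-SCSMRelationshipClass -Name 'System.WorkItemAffectedUser$'
$inProgress      = Get-SCSMEnumeration -Name 'ActivityStatusEnum.Active$'

$ma = Get-SCSMObject -Class $maClass -Filter "Id -eq $MAID"
if (-not $ma) { throw "Manual Activity $MAID not found" }
# The trigger fires on any update of the MA, so re-check the status here: the MA only
# reaches In Progress after the Review Activity (the user's confirmation) is approved.
if ($ma.Status.Id -ne $inProgress.Id) { Write-Output "$MAID is not In Progress"; return }

# Walk up to the parent SR: the MA is the target end of WorkItemContainsActivity.
$parentRel = Get-SCSMRelationshipObject -ByTarget $ma |
             Where-Object { $_.RelationshipId -eq $relContainsAct.Id } | Select-Object -First 1
$sr = Get-SCSMObject -Id $parentRel.SourceObject.Id
$affectedUser = Get-SCSMRelatedObject -SMObject $sr -Relationship $relAffectedUser
if (-not $affectedUser) { throw "SR $($sr.Id) has no Affected User; refusing to update AD" }

# Request Offering answers are stored as <UserInput Question=".." Answer=".."/> elements.
$answers = @{}
([xml]$sr.UserInput).UserInputs.UserInput | ForEach-Object { $answers[$_.Question] = $_.Answer }
$phone = $answers[$PhoneQuestion]
$mail  = $answers[$EmailQuestion]

# The Advanced RO prompt types validate in the browser only; re-validate server side,
# because these values are where the password reset token will later be sent.
if ($phone -notmatch '^\+[1-9]\d{6,14}$')          { throw "Rejected phone for $($sr.Id): '$phone'" }
if ($mail  -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "Rejected email for $($sr.Id): '$mail'" }

# otherMobile and otherMailbox are multi-valued; -Replace leaves exactly these values.
Set-ADUser -Identity $affectedUser.UserName -Replace @{ otherMobile = $phone; otherMailbox = $mail }
Write-Output "Updated otherMobile/otherMailbox for $($affectedUser.UserName) from $($sr.Id)"
```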

Once you’ve saved your management pack containing the workflows, the DLLs that are created need to be copied to the Service Manager installation directory on the workflow management server and the management pack imported.

NOTE:  I prefer not to seal management packs that only contain workflows so they can be enabled or disabled in the console.

6 – Open the Service Offering and add the new Request Offering.

RO SO

7 – Restart the Cireson Cache Builder service on the server hosting the Cireson portal installation.

Service

Now it’s good to go… Open the portal home page and register for Password Reset!

Submit PWR

One click, enter details, Save… DONE!  The user will have a review activity that they need to approve to confirm that they entered the details, and that they are correct.  Once done, the details in AD will be updated appropriately.

As an added extra, you could also set up email notifications for the approval piece where the user can approve straight from the mail (if you have the Exchange Connector running), as I documented here.

There’s a lot there I know, but if you are looking to implement something similar and need some help, feel free to leave a comment.

David