When you provision new users to the Active Directory Domain Services (ADDS), one common challenge you need to address is the definition of a communication plan for the initial password of newly provisioned user objects.

There are various options you have for a implementation strategy.

 

Some examples are:

  1. Use an unknown, dummy password and provision user accounts as disabled. Let the end-user contact the helpdesk which can enable and set a password at that time
  2. Use a well-known password and provision user account as enabled but with must change password at first logon enabled
  3. Use a completely random password and communicate it using an email notification triggered by FIM.

    While the password cannot be emailed to the user, you can, for example, configure FIM to send an email to a user's manager.

What the best solution for your environment is depends on your business requirements and also on your preferences.

The objective of this article is to introduce you to a solution that is based on a random password calculated by FIM that is communicated in form of an automated email.

Implementing a fully automated process for an initial password consists of two main building blocks:

  1. The calculation of a random password
  2. The communication of the newly calculated password

Calculating a Random Password in a Synchronization Rule

FIM provides a function called "RandomNum", which is helpful in the context of calculating a random password.

To generate a strong password with this function, you should concatenate a random number with some string components.

You can implement this method to calculate a random password in a synchronization rule.

To initialize a user's password in ADDS, the calculation result is used to initialize the unicodePwd attribute.

The following illustration shows an example for this:

Using a concatenation of some string components with a random number solves the problem of calculating a random password; however, the password is useless if nobody knows the actual value.

In the next section, you will be introduced to a method to calculate and communicate a random password

Calculating and Communicating a Random Password By Using Workflows 

 The objective of this section is to introduce you to a method to calculate and communicate a random password by using workflows.

Passing Workflow Data to a Synchronization Rule

In a previous section, you have been introduced to a method to calculate a random password in a synchronization rule.

The method consists of the concatenation of a string with a random number.

However, this method does neither give you access to the actual password nor does it provide you with an option to communicate the value.

FIM provides the concept of workflows to perform external activities such as sending emails and to calculate attribute values.

In addition to this, you can also pass attribute values that were calculated by a workflow to a synchronization rule.

Implementing this technique requires you to define a name for the related parameters in your outbound synchronization rule and a data type.

For example, for the scenario in this article, you could define in your synchronization rule a workflow parameter called "InitialPassword".

The following screenshot shows an example for the related configuration dialog in an outbound synchronization rule:

You can use your workflow parameters in your outbound attribute flow mappings as source to set attribute values on a destination attribute.

In the list of source attributes, workflow parameters are prefixed with a "$".

To initialize a user's password with your workflow parameter, you need to perform the following steps in the related outbound attribute flow mapping:

  • Select the IntialPassword Parameter on the Source tab.
  • Select the unicodePwd attribute on the Target tab.

The following screenshot shows an example for this:

 

Using Workflows to Calculate Data for a Workflow Parameter

In the previous section, you have been introduced to method that enables you to establish a data link between an outbound synchronization rule and a workflow.

The objective of this section is to show you, how you can fill the workflow parameter with data.

In FIM, you can use the Function Evaluator of an Action Workflow to calculate attribute values:

A Function Evaluator supports the concept of Functions and Custom Expressions to calculate attribute values.

note Note
While it is not a required attribute, you should define a Display Name for your Activity.

When you configure a Function Evaluator, you need to specify a Destination for the calculated attribute value.

The objective of the calculation result is to be passed to the parameter attribute InitialPassword that is exposed as workflow data.

To indicate this, you:

  • Select WorkflowData as Workflow Parameter
  • Enter name for the Parameter Attribute
note Note
The name of the parameter attribute does not have to be the same as the name of the Workflow Parameter in your outbound synchronization rule.

Later in this article, you will learn how you can link the workflow parameter with your outbound synchronization rule.

Like in the case of the synchronization rule example in a previous section, you can define a concatenation of  a string with a random number to calculate a random password.

The following screenshot shows an example for this:

 

Using Workflows to Send Notification Emails

In FIM, sending notification emails by using workflows is a relatively simple task because it is a built-in workflow activity:

 

Before you configure a Notification activity, you should first create a related Email Template by using the related wizard.

In your new template, you need to specify value for the following attributes:

  • Display Name
  • Template Type
  • Subject
  • Body

The following screenshot shows an example for a template that creates an email, which contains the user's first- and lastname, sAMAccountName and the password to use for the first logon:

 

After you have defined your notification email, you can configure your notification activity.

To configure this activity, you need to specify the following parameters:

  • Recipients - Depending on your requirements, this could be //Target/Manager or a specific recipient such as the helpdesk.
  • Email Template - The Display Name of your notification email.

The following screenshot shows an example for this:

Using this template in your environment, results in an email message like this:

Linking Synchronization Rules to Workflows

To bring a resource into the scope of a synchronization rule, you need to configure a workflow that includes a Synchronization Rule Activity.

After you have selected the related outbound synchronization rule, the FIM service retrieves the list of workflow parameters that are configured in it.

In your workflow configuration, you link the workflow parameters from your outbound synchronization rule with the workflow parameter attribute.

The following screenshot shows an example for this:

Configuring a Workflow to Calculate and Communicate a Random Password 

In the previous sections, you have been introduced to the ingredients that are required to calculate and communicate a random password by using a workflow.

The required workflow components are:

  1. A function that calculates a random password and stores the value in a parameter.
  2. A synchronization rule activity that that ties the password value and your synchronization rule together.
  3. A notification that sends the new password to the defined recipients.

You can include all three components into one workflow.

The following screenshot shows an example for this:

 

Initializing User Passwords by Using Workflows

 In the previous sections, you have been introduced to the ingredients that are required to implement the calculation and notification of a random password.

The objective of this section is to give you a brief summary of the required components.

Ingredients for an Automated Password Initialization and Notification

To implement an automated password initialization and notification solution, you need to configure the following components:

  • Outbound Synchronization Rule
    • Define a workflow parameter that receives the attribute value from a workflow
  • Email Template
    • Create an email template that is used in a notification email when a new password has been calculated
  • Workflow
    • Configure a Function Evaluator that calculates a random password
    • Configure a Synchronization Rule Activity to
      • Bring a resource into the scope of a synchronization rule
      • Link the workflow parameters in your synchronization rule to the workflow parameters calculated by your Function Evaluators
    • Configure a Notification activity to send an email

 

Recommended Reading

Related FIM Forum Posts

 

note Note
To provide feedback about this article, create a post on the FIM TechNet Forum.