The best solution for your environment depends on your business requirements and on your preferences.
The objective of this article is to introduce you to a solution based on a random password that FIM calculates and communicates in the form of an automated email.
Implementing a fully automated process for an initial password consists of two main building blocks:
FIM provides a function called "RandomNum", which is helpful in the context of calculating a random password.
To generate a strong password with this function, you should concatenate a random number with some string components.
You can implement this method to calculate a random password in a synchronization rule.
To initialize a user's password in AD DS, the calculation result is used to set the unicodePwd attribute.
The following illustration shows an example of this:
Using a concatenation of some string components with a random number solves the problem of calculating a random password; however, the password is useless if nobody knows the actual value.
In the next section, you will be introduced to a method to calculate and communicate a random password.
The objective of this section is to introduce you to a method to calculate and communicate a random password by using workflows.
In a previous section, you have been introduced to a method to calculate a random password in a synchronization rule.
The method consists of the concatenation of a string with a random number.
However, this method neither gives you access to the actual password nor provides an option to communicate the value.
FIM provides the concept of workflows to perform external activities such as sending emails and to calculate attribute values.
In addition to this, you can also pass attribute values that were calculated by a workflow to a synchronization rule.
Implementing this technique requires you to define a name and a data type for the related parameters in your outbound synchronization rule.
For example, for the scenario in this article, you could define in your synchronization rule a workflow parameter called "InitialPassword".
The following screenshot shows an example of the related configuration dialog in an outbound synchronization rule:
You can use your workflow parameters as a source in your outbound attribute flow mappings to set values on a destination attribute.
In the list of source attributes, workflow parameters are prefixed with a "$".
To initialize a user's password with your workflow parameter, you need to perform the following steps in the related outbound attribute flow mapping:
The following screenshot shows an example of this:
In the previous section, you were introduced to a method that enables you to establish a data link between an outbound synchronization rule and a workflow.
The objective of this section is to show you how you can fill the workflow parameter with data.
In FIM, you can use the Function Evaluator of an Action Workflow to calculate attribute values:
A Function Evaluator supports the concept of Functions and Custom Expressions to calculate attribute values.
When you configure a Function Evaluator, you need to specify a Destination for the calculated attribute value.
The calculation result is to be passed to the parameter attribute InitialPassword, which is exposed as workflow data.
To indicate this, you:
Like in the case of the synchronization rule example in a previous section, you can define a concatenation of a string with a random number to calculate a random password.
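The guessing space of the string-plus-random-number construction, whether it is calculated in the synchronization rule or in the Function Evaluator, depends only on the range of the number. The following added example (not part of the original article, and written in Python rather than FIM expression syntax) measures that for a four-digit range and compares it with a password drawn character by character from a CSPRNG. The range, the alphabet and all function names are assumptions, and the numbers are assumed to be uniformly distributed.

```python
import math
import secrets
import string

# Character set for the comparison generator (an assumption, not FIM's).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def concat_scheme_bits(low: int, high: int) -> float:
    """Entropy in bits of <fixed string> + uniform integer in [low, high].

    The string part is the same for every account, so it adds nothing;
    only the count of possible numbers matters.
    """
    if high < low:
        raise ValueError("high must be >= low")
    return math.log2(high - low + 1)


def digits_for_bits(target_bits: float) -> int:
    """Decimal digits the random number needs to reach target_bits."""
    return math.ceil(target_bits / math.log2(10))


def charset_password(length: int = 16) -> str:
    """Comparison: each character drawn from the OS CSPRNG, with lower,
    upper, digit and symbol all present so complexity policies accept it."""
    if length < 4:
        raise ValueError("length must allow all four character classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def charset_bits(length: int = 16) -> float:
    """Upper bound; the class check discards a small share of candidates."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed range: a four-digit number appended to a fixed string.
    print(f"string + 4-digit number: {concat_scheme_bits(1000, 9999):.1f} bits")
    print(f"digits needed for 64 bits: {digits_for_bits(64)}")
    print(f"16-char CSPRNG password: up to {charset_bits():.1f} bits")
    print("sample:", charset_password())
```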
In FIM, sending notification emails by using workflows is a relatively simple task because it is a built-in workflow activity:
Before you configure a Notification activity, you should first create a related Email Template by using the related wizard.
In your new template, you need to specify values for the following attributes:
The following screenshot shows an example of a template that creates an email containing the user's first and last name, sAMAccountName and the password to use for the first logon:
After you have defined your notification email, you can configure your notification activity.
To configure this activity, you need to specify the following parameters:
Using this template in your environment results in an email message like this:
To bring a resource into the scope of a synchronization rule, you need to configure a workflow that includes a Synchronization Rule Activity.
After you have selected the related outbound synchronization rule, the FIM service retrieves the list of workflow parameters that are configured in it.
In your workflow configuration, you link the workflow parameters from your outbound synchronization rule with the workflow parameter attribute.
In the previous sections, you have been introduced to the ingredients that are required to calculate and communicate a random password by using a workflow.
The required workflow components are:
You can include all three components in one workflow.
The following screenshot shows an example of this:
In the previous sections, you have been introduced to the ingredients that are required to implement the calculation and notification of a random password.
The objective of this section is to give you a brief summary of the required components.
To implement an automated password initialization and notification solution, you need to configure the following components: