Reset Password with Service Manager

Posted: 21st June 2010 by Anders Bengtsson in System Center Service Manager

A common task for a service desk is to reset an end-user's password. A typical scenario is that the operator has to fill in an incident form, start the Active Directory Users and Computers console, find the user, reset the password, and then read the password out over the phone or send it in an e-mail to the end-user. That is a lot of steps, the operator sees the password, and giving out passwords over the phone is not good practice. In this post I will show you one solution to this issue, using a VBScript, a PowerShell script and the updated version of Patrik's cmdlets for Service Manager.

The first script, resetpassword.vbs, asks the operator for a username and an e-mail address. The username is the user that needs a new password. The e-mail address is the mailbox that will receive the e-mail with the new password. This could be a colleague's e-mail address or a private e-mail address of the affected user.

The second script, password.ps1, is a PowerShell script that creates a closed incident for this task. It is started by the VBScript resetpassword.vbs. For many service desks it is important to track all calls, and with this PowerShell script a new incident is created and closed in the background.

You need to create a task in the console. This task will be used to trigger resetpassword.vbs. Create the task with the following settings:

  • Task Name: Contoso – Reset Password
  • Description: A task to quickly reset a password
  • Target class: Incident
  • Management Pack: for example Service Manager Incident Management Configuration Library
  • Categories: Incident Support Groups Folder Tasks
  • Command Line – path: C:\windows\system32\cscript.exe
  • Command Line – parameters: C:\scripts\resetpassword.vbs
  • Command Line – Working directory: %windir%\system32
  • Uncheck "Log in action log when this task is run"
  • Check "Show output when this task is run"

Running the task triggers the VBScript, which shows the operator two dialog boxes: the first asks for the username, and the next asks for the e-mail address. The task then runs, and after a minute or so it reports that it has finished. In the console you will see an incident that is already closed and filled with some default information, and the e-mail with the new password is delivered to the specified e-mail address.

To summarize: you create a task, and the task triggers the VBScript resetpassword.vbs. The VBScript asks for a username and an e-mail address, generates a complex password (thanks to Martijn Haverhoek), sets it on the account and sends the new password in an e-mail to the specified e-mail address.

You can download my scripts here.

To get this to work in your environment you need to customize the scripts a bit. First download the Service Manager cmdlets from CodePlex and install them. In resetpassword.vbs you will need to change the domain LDAP path (around line 20), the e-mail settings (around line 62), the domain name (around line 82) and the script paths (around line 90).
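The whole flow (generate a complex password, reset it on the account, mail it, create a closed tracking incident) can also be done in a single PowerShell script. The following is an added example written for this page, not the downloadable resetpassword.vbs/password.ps1. It assumes the RSAT ActiveDirectory module is available instead of the VBScript's LDAP/ADSI calls, that the SMLets module is installed on the machine that runs the task, and that smtp.contoso.com and servicedesk@contoso.com are placeholders for your own mail settings. It takes named parameters instead of the positional $args the page's password.ps1 uses, and it adds two things the comments ask about: "user must change password at next logon" and unlocking the account. The New-SCSMIncident parameters are the ones shown in the page.

```powershell
<#
  Added example, not the author's scripts.
  Assumptions: RSAT ActiveDirectory module and the SMLets module are installed on the
  machine that runs the task; smtp.contoso.com and the sender address are placeholders.
#>
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,   # account to reset
    [Parameter(Mandatory = $true)][string]$MailTo,           # mailbox that receives the new password
    [string]$SmtpServer = 'smtp.contoso.com',                # assumption: your SMTP relay
    [string]$MailFrom   = 'servicedesk@contoso.com'          # assumption: sender address
)

# Import explicitly. A script launched from a console task (cscript -> powershell.exe)
# does not inherit modules loaded in an analyst's interactive window; without this
# New-SCSMIncident fails with CommandNotFoundException.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module SMLets -ErrorAction Stop

function New-RandomPassword {
    param([int]$Length = 14)
    # One character from each class satisfies a typical AD complexity policy; ambiguous
    # glyphs (0/O, 1/l/I) are left out because the password is read from mail and typed.
    $upper  = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = [char[]]'abcdefghjkmnpqrstuvwxyz'
    $digit  = [char[]]'23456789'
    $symbol = [char[]]'!#$%&*+-=?@'
    $all    = $upper + $lower + $digit + $symbol
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick   = {
        param([char[]]$set)                       # CSPRNG pick, not Get-Random
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        $set[[int]([BitConverter]::ToUInt32($b, 0) % $set.Length)]
    }
    $chars = @((& $pick $upper), (& $pick $lower), (& $pick $digit), (& $pick $symbol))
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always in positions 0-3
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        $j   = [int]([BitConverter]::ToUInt32($b, 0) % ($i + 1))
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

$user   = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
$domain = (Get-ADDomain).NetBIOSName

$newPassword = New-RandomPassword
$secure      = ConvertTo-SecureString -String $newPassword -AsPlainText -Force

# Reset, then force a change at next logon so the mailed password is only a one-time
# bootstrap and the service desk never holds a usable long-term credential.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $user    # addition: a locked-out account is a common reason for the call

Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
    -Subject "Password reset for $domain\$($user.SamAccountName)" `
    -Body ("Temporary password: {0}`r`nYou must change it at next logon." -f $newPassword)
Remove-Variable newPassword, secure  # do not leave the clear-text password in the session

# Tracking incident, created already closed, with the New-SCSMIncident parameters
# from the page's password.ps1.
New-SCSMIncident -Title 'Password reset' `
    -Description "New password for $domain\$($user.SamAccountName). Password sent to $MailTo" `
    -Impact Low -Urgency Low -Status Closed -Classification Other `
    -AffectedUser "$domain\$($user.SamAccountName)"
```

Run it as `.\Reset-UserPassword.ps1 -SamAccountName jdoe -MailTo colleague@contoso.com` from an account that holds the Reset Password and Unlock permissions on the target OU (or, as in the post's comments, a proxy account). The script runs under whoever launches the console task, so restricting who can see the task in Service Manager is what stops "anybody resetting anybody's password", not the script itself.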

  1. Hi,
    For end-users… I think that is a feature that FIM will bring. It is another product, but it is very good at that kind of task. A problem for end-users to reset passwords is if their account is locked out. Then they can't access the portal anyway. So I know some customers where managers can reset passwords for their team. Could that be a solution? We could build that with a runbook, I will put that on my "to blog list".

  2. Yogita says:

    Hi Anders,

    I have edited the script as you suggested and created the task as mentioned. I can understand that the script will be triggered by the task, which in turn calls the password script and resets the script. But my question is how to run the task or how to use it for the end-user portal. Your help is very much required.

    Thanks

  3. Hi, thanks for reading my blog. You can change resetpassword.vbs to set a fixed password, and also to configure any other attribute of the account, like "user must change password".

  4. Ahmed Ali says:

    Hi, I need to know how to make the password fixed and also if I can make the user change his password on first logon with the new password.

    thanks

  5. Gertjan Maeckelbergh says:

    Hello Anders,

    I have implemented your scripts with minor changes (such as 'Renew password at next logon') and they work, if run on the SCSM server.
    If an analyst tries to run it from the console on his PC, the task link won't work, I think because the scripts reside on the server and the link refers to a local directory.
    When I change the directory in the task link to a network directory pointing to the SCSM server (and also the link to the PS script inside the VB script), the VB script works, resetting the password, but the PowerShell script does not work, not creating the incident ticket, probably because I don't have the cmdlets from CodePlex on the analyst's local PC.
    Is this correct? Or should it work with the local server directories?

    tx in advance

  6. Marcus says:

    Hey, your script is very good!
    I am going to implement it in my company!

    A hug!

    Marcus P. Gioscia
    MCP/MCSA/MCSE/MCTS

  7. Umar Khan says:

    Hi Guys,

    Could anyone explain how to attach the RESETPASSWORD.vbs script to the Service Portal?

  8. Alex says:

    Hi,
    I've done the steps mentioned above but the incident is not created.
    I analyzed that the following line is created by the VB script:

    powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SMLets\password.ps1 'New password for TESTDOM\testuser. Password sent to admin@testdom.local' 'TESTDOM\testuser'

    The password.ps1 is saved in this directory:
    C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SMLets

    If I try to execute the command via command prompt I get the following error message:

    The term 'New-SCSMIncident' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SMLets\password.ps1:3 char:17
    + New-SCSMIncident <<<< -Title "Password change" -Description $args[0] -Impact Low -Urgency Low -Status Closed -Classification Other -AffectedUser $args[1]
    + CategoryInfo : ObjectNotFound: (New-SCSMIncident:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    If I try to execute New-SCSMIncident directly in a PowerShell window it works and the incident is created.

    What am I doing wrong?

    Alex

  9. Kristin says:

    On the SCSM side you could create a new user role and limit who can see that task in order to execute it. Haven't tried that out yet, but that should work.

    Folks here were more worried about the e-mail with the password in it, which at our shop will go to the HelpDesk and not the user. The HelpDesk would have access to users' passwords. To address the concern, our requirement would be that we'd alter the script to check the box that enforces that the user must change their password the next time they log in (so e-mails with passwords are not a security risk for very long).

    If the script doesn't already have this, it might be a good addition. Thanks!

  10. Not really, it all depends on the account running the script. So if you have permissions in AD you can reset the password with the script. You can of course also use a proxy account.

  11. Shahid says:

    seems like anybody can reset anybody’s password :) correct me if not

  12. […] the box, Service Manager 2010 gives you control over Active Directory (AD) account maintenance. Take a look at Anders' workflow for a password change request using SM 2010. With his suggestion and […]

  13. […] can run MergeInc.vbs as a task from the console, the same way I do with a script in this post. You could of course pick up an incident ID from the console when you run the […]