In this blog post I will show you how you can set up password reset with the self-service portal, Service Manager and Orchestrator. The scenario is that a manager should be able to reset the password for colleagues reporting to him or her. The manager could also be something like an instructor or teacher for a class. The request offering for password reset should only be shown to members of the “Manager” user role, and the manager should only be able to reset passwords for members of their team. To make this work you need to configure the manager attribute on your users in Active Directory, as shown in the image below. We will use a dynamic query-based list to show only people reporting directly to the manager. In this example I use Orchestrator to generate a 10-character complex password, but you could also add “New Password” as a parameter to the service request. Then you input the new password in the service portal. You could also configure the runbook to check the “User must change password at next logon” checkbox on the user account. That check box sometimes results in issues for some applications, so I have not included it in this demo.


Runbook

  • Start
  • Get Runbook Activity. Gets the runbook activity; we submit its ID as an input parameter to the runbook from Service Manager
  • Get Related Service Request. We pick up the service request from the runbook activity, by the relationship
  • Get Related User. When we configured the query list in Service Manager, we configured that the user should be set as a related item to the runbook activity. This activity gets the related user
  • Get Service Request. Read the Service Request item
  • Get User. Read the User object
  • Generate New Password. Generates a 10-character complex password
  • Reset User Password. Sets the password to the generated complex password
  • Update Service Request. Updates the description field on the service request with the new password and account information

The runbook is quite simple: we start with the runbook activity, which we get from Service Manager as an ObjectID. We then pick up the related service request and user. We generate a new password and set it on the user. We then update the service request with a new description, including the new password.
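The same core steps (generate a 10-character complex password, reset it on the selected user, optionally tick “User must change password at next logon”) written as PowerShell, as an added example that is not the runbook from the post. It assumes the ActiveDirectory module (RSAT) is installed; the function and parameter names are my own, and the check that the target actually reports to the requester is this example's addition, not something the post's runbook does.

```powershell
# Added example, not the runbook from the post: the runbook's core steps as
# PowerShell you can run and read outside Orchestrator. Assumes the
# ActiveDirectory module (RSAT). Function/parameter names are assumptions;
# the requester check is this example's own addition.
Import-Module ActiveDirectory

# Cryptographically random index in 0..($Max-1). The tiny modulo bias on
# sets this small is irrelevant for a password.
function Get-RandomIndex {
    param([int]$Max)
    $buf = New-Object byte[] 4
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [int]([BitConverter]::ToUInt32($buf, 0) % [uint32]$Max)
}

function New-ComplexPassword {
    param([int]$Length = 10)
    # One character from each class is guaranteed, so the result meets the
    # default AD complexity rule (three of four classes) at any length >= 4.
    # Ambiguous glyphs (O/0, l/1/I) are left out because the manager reads
    # the password off a screen and types it in for the user.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnpqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%&*-_=+?'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $pool  = foreach ($set in $classes) { $set }                               # flattened pool
    $chars = foreach ($set in $classes) { $set[(Get-RandomIndex $set.Length)] } # one per class
    while ($chars.Count -lt $Length) {
        $chars += $pool[(Get-RandomIndex $pool.Length)]
    }
    # Shuffle so the guaranteed characters do not always sit at the front.
    $shuffled = $chars | Sort-Object { Get-RandomIndex 1000000 }
    return -join $shuffled
}

function Reset-DirectReportPassword {
    param(
        [Parameter(Mandatory)][string]$RequesterSamAccountName,  # manager who submitted the request
        [Parameter(Mandatory)][string]$TargetSamAccountName,     # user picked from the portal list
        [switch]$MustChangeAtNextLogon                           # the option the post leaves out
    )
    $target    = Get-ADUser -Identity $TargetSamAccountName -Properties Manager
    $requester = Get-ADUser -Identity $RequesterSamAccountName

    # The portal list is filtered on the Manager attribute, but the runbook
    # should verify the relationship itself instead of trusting the request.
    if ($target.Manager -ne $requester.DistinguishedName) {
        throw "$TargetSamAccountName does not report to $RequesterSamAccountName; refusing reset"
    }

    $password = New-ComplexPassword -Length 10
    $secure   = ConvertTo-SecureString -String $password -AsPlainText -Force
    Set-ADAccountPassword -Identity $target -Reset -NewPassword $secure
    if ($MustChangeAtNextLogon) {
        Set-ADUser -Identity $target -ChangePasswordAtLogon $true
    }
    # The post writes this into the service request description; return it
    # so the caller decides where it goes.
    return $password
}

# Usage with hypothetical accounts:
# Reset-DirectReportPassword -RequesterSamAccountName leni -TargetSamAccountName jdoe -MustChangeAtNextLogon
```

The requester check matters because the query list in the portal is only a display filter: whatever account ends up as the related item of the runbook activity is what gets reset, so the runbook itself is the right place to confirm the Manager attribute before calling Set-ADAccountPassword.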


Service Manager Side

  1. Start the Service Manager console
  2. Synchronize the runbook over to Service Manager by using the Orchestrator connector
  3. Navigate to Library/Runbooks, select the runbook (2.2.1 Password Reset) and click Create Runbook Automation Activity Template in the Tasks pane
  4. Create Template,
    1. Input a name, for example Contoso – Runbook Activity – 2.2.1 Password Reset.
    2. Create a new management pack, for example Contoso Password Reset.
    3. Click OK
  5. Runbook Activity Template,
    1. Check Is Ready For Automation
    2. Input title, for example Contoso – Runbook Activity Template – 2.2.1 Password Reset
    3. Click the Runbook tab
    4. Map ObjectID to Object/ID
    5. Click OK
  6. Navigate to Library/Templates. Click Create Template from the Tasks pane
  7. Create Template,
    1. Input name, for example Contoso – Service Request Template – Password Reset
    2. Select Service Request as Class
    3. Select the Contoso Password Reset management pack
    4. Click OK
  8. Service Request Template,
    1. Input title, for example Contoso – Service Request – Reset Password
    2. Click the Activities tab
    3. Add “Contoso – Runbook Activity – 2.2.1 Password Reset” as activity
    4. Runbook Activity Template, click OK
    5. Click OK
  9. Navigate to Library/Service Catalog/Request Offerings
  10. Click Create Request Offering in the Tasks pane
  11. Create Request Offering – General, input title, for example Password Reset
  12. Create Request Offering – General, select Contoso – Service Request Template – Password Reset as template
  13. Create Request Offering – User Prompts, add one prompt named User and configure it as query result
  14. Create Request Offering – Configure Prompts, select the User prompt and select Configure
  15. Configure Query Results,
    1. Select Class, change to Combination classes and select User (advanced)
    2. Configure Criteria, select Manages User and select Pager, click Add Constraint. Configure as in the image below. Use “Set Token”. Why do we use Pager? The token Portal User Name is in the format CONTOSO\leni (DOMAIN\username). We don’t store that on a user CI in Service Manager; we store username and domain, but not in that format. Instead I have updated each manager with that information in the Pager attribute, as we don’t use it for anything else in this environment. You can easily update the Pager attribute with a runbook; the export file includes an example of that.
    3. Display Columns. select User (advanced), the Object/DisplayName and Domain User or Group/User Name
    4. Options, check “Add User-selected objects to template objects as related item” and select the Runbook Automation Activity
    5. Click OK
  16. Create Request Offering – Map Prompts,
  17. Create Request Offering – Publish, change offering status to Published
  18. Create the request offering
  19. Navigate to Library/Service Catalog/Service Offering
  20. Click Create Service Offering from the Tasks pane
  21. Create Service Offering
    1. General, fill in title for example Manager
    2. Request Offerings, add the Password Reset request offering
    3. Publish, change offering status to Published
    4. Finish the wizard and create the service offering
  22. Navigate to Library/Groups. Click New Catalog Group
  23. Create Catalog items group,
    1. General, group name, for example Contoso Managers
    2. Included Members, click Add, add the Password Reset request offering and the Manager Service offering
    3. Finish the wizard and create the group
  24. Navigate to Administration/Security/User Roles
  25. Click Create User Role > End User
  26. Create User Role,
    1. General, Name, for example Contoso Managers
    2. Management Packs, select the Contoso Password Reset management pack
    3. Catalog item Groups, select Contoso Managers
    4. Users, add managers
    5. Finish the wizard and create the user role
Now, navigate to the Service Manager portal as a manager and try the new service, Password Reset. As you can see in the images below, members of the Managers user role can see the Manager service offering, and in it there is the Reset Password request offering. When the manager goes to the request form, a dynamic list of all users that report to the manager is shown. The manager can select one account and click Next, then Submit. The runbook executes, resets the password and updates the service request. The manager can then look under “My Requests” in the portal and see the new password.
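Step 15.2 above relies on every manager having DOMAIN\username in the Pager attribute so that the “Manages User – Pager” criterion can match the Portal User Name token. The post says the ZIP includes a runbook for this; the script below is an added example of the same job in PowerShell, not the runbook from the ZIP. It assumes the ActiveDirectory module, reads the NetBIOS domain name from the domain itself, and only touches users who actually have direct reports.

```powershell
# Added example, not the runbook in the post's ZIP: write DOMAIN\sAMAccountName
# into the Pager attribute of every user who has direct reports, so the
# "Manages User - Pager" criterion can match the portal token
# (Token: Portal User Name, e.g. CONTOSO\leni). Assumes the ActiveDirectory
# module; function names are assumptions.
Import-Module ActiveDirectory

# Builds the exact string the portal token carries: NetBIOS domain, backslash, username.
function Format-PortalUserName {
    param([string]$NetBiosDomain, [string]$SamAccountName)
    return "$NetBiosDomain\$SamAccountName"
}

function Update-ManagerPager {
    param([switch]$WhatIf)   # pass -WhatIf to preview without writing to AD
    $domain = (Get-ADDomain).NetBIOSName
    # Only users that actually have someone reporting to them get the value,
    # so the attribute stays empty (and the criterion matches nothing) for
    # everybody else. 'pager' is the LDAP attribute name; Set-ADUser has no
    # dedicated parameter for it, hence -Replace.
    $managers = Get-ADUser -LDAPFilter '(directReports=*)' -Properties pager
    $changed = @()
    foreach ($m in $managers) {
        $expected = Format-PortalUserName -NetBiosDomain $domain -SamAccountName $m.SamAccountName
        if ($m.pager -ne $expected) {
            Set-ADUser -Identity $m -Replace @{ pager = $expected } -WhatIf:$WhatIf
            $changed += $m.SamAccountName
        }
    }
    return $changed   # accounts that were (or, with -WhatIf, would be) updated
}

# Preview first, then apply; the AD connector has to sync before the
# portal criterion sees the new values.
Update-ManagerPager -WhatIf
Update-ManagerPager
```

Run it with -WhatIf first and check the list it returns. As the post notes, this only works because Pager is unused in that environment; if Pager carries real data where you are, pick another attribute that is unused and synchronized to Service Manager, and point the criterion at that one instead.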


You can download my example runbook here, 20120617_PasswordReset_WOLF

Please note that this is provided “as is” with no warranties at all.

  1. Hi, is the correct information synced to Service Manager CMDB/DB?

  2. NJ says:

    I’m hoping you’re still somewhat supporting this. I downloaded the runbook you have linked, and then followed all the steps without issue. I have a weird issue though.

    I created 2 test users and made myself manager of both. I also added domain.local\my.account in their Pager field.

    When I login to our portal and go to the pass reset request, the only user I see is myself?

  3. Hi, thanks for reading my blog and taking the time to post a comment. I am no longer working with Service Manager, sorry, so I am not really up to date here. But make sure you use the SC Object ID everywhere; it is easy to use the wrong ID when working with related objects in a runbook.

  4. Steven Peterson says:

    Anders,

    Hoping for some assistance. We implemented the new HTML5 SSP with UR8 and the latest hotfixes. Portal has been running great, but having trouble introducing the Password Reset automation. Encountering two problems:

    1) Defining ‘Manages User – Pager’ during the Request Offering makes the list refresh, once published, spin endlessly as if it is unable to locate a suitable user. Subordinate users have their Manager’s Username in the format DOMAIN\Username in the AD Pager field. Orchestrator and AD Connectors synchronized prior to submitting ticket.

    2) If the above Criteria is removed the list displays all AD objects. Selecting a subordinate to my account and issuing the Password Reset, the Runbook fails at ‘Get User’ with “SC Object GUID is not valid for given criteria”. Checking the logs, it does have a username for Manager and has an ID for the ObjectID.

    We have been implementing all solutions System Center starting with Data Protection & Configuration Manager. We’re now redesigning our Helpdesk with the advent of Service Manager. I would be extremely grateful if you would assist reviewing the current issue and helping apply a fix for those of us using the new HTML5 SP. Please feel free to reach out at speterson@aiicfl.com when convenient. Thanks in advance, happy Holidays and I’ll hope to hear from you soon.

    – Steve

  5. Check what kind of input data that field has. It might be that there is no input data, for example if you use data from the data bus; maybe there is no value from the linked activity. You can use a Write Platform Event activity to simply dump the value from the data bus before the activity with issues.

  6. Sebastian says:

    Hello

    Thank you for sharing this guide. I downloaded the zip file and exported it in Orchestrator; when I run a test, in the Get Runbook Activity the error appears:

    The property SCObjectGuid is not valid for the given criteria.

    How can I resolve the error?

    Thanks for your help.

    Regards

  7. Hi, all runbooks are in the ZIP file, in the end of the blogpost.

  8. Add logging to your runbook to make sure that the Get Activity picks up a user. Maybe something is wrong with the user format.

  9. Hi, no it will only reset the user I request password reset for.

  10. Rana says:

    I was able to execute the runbook, but on the Reset Password node it gives the error “The User ” was not found”?

    Any idea how I can fix this?

  11. Rana says:

    Hi

    Can you please put up the screenshots of the Runbook objects, meaning what you configured inside? I am facing some challenges in configuring the runbook.

  12. andresparnova says:

    Thank you for sharing this helpful guide.
    In the same scenario, we use the Lepide Active Directory self-service tool (http://www.lepide.com/active-directory-self-service/ ) that allows end users to take control of their AD account by performing self password reset and self account unlock directly from the login screen. The tool also keeps Windows Active Directory updated with their latest personal information without any assistance from the administrator/help desk personnel.