In this blog post I will show you how to set up password reset with the self-service portal, Service Manager and Orchestrator. The scenario is that a manager should be able to reset passwords for the colleagues reporting to him or her. The manager could also be something like an instructor or teacher for a class. The request offering for password reset should only be shown to members of the “Manager” user role, and the manager should only be able to reset passwords for members of their own team. To make this work you need to configure the manager attribute on your users in Active Directory, as shown in the image below. We will use a dynamic query-based list to show only the people reporting directly to the manager. In this example I use Orchestrator to generate a 10-character complex password, but you could also add “New Password” as a parameter to the service request and enter the new password in the service portal. You could also configure the runbook to tick the “User must change password at next logon” checkbox on the user account. That checkbox sometimes causes issues for some applications, so I have not included it in this demo.
- Get Runbook Activity. Gets the runbook activity; we pass its ID as an input parameter to the runbook from Service Manager
- Get Related Service Request. We pick up the service request from the runbook activity via the relationship
- Get Related User. When we configured the query list in Service Manager we specified that the selected user should be added as a related item to the runbook activity. This activity gets that related user
- Get Service Request. Reads the service request item
- Get User. Reads the user object
- Generate New Password. Generates a 10-character complex password
- Reset User Password. Sets the password to the generated complex password
- Update Service Request. Updates the description field on the service request with the new password and account information
The runbook is quite simple. We start with the runbook activity, which we get from Service Manager as an Object ID. We then pick up the related service request and user, generate a new password and set it on the user. Finally we update the service request with a new description, including the new password. Keep in mind that this stores the new password in clear text in the service request description, readable by anyone who can open that service request; that is the main reason to prefer the “User must change password at next logon” option wherever your applications tolerate it.
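The two activities that do the actual work, Generate New Password and Reset User Password, can be written as a single PowerShell script for a Run .NET Script activity. The block below is an added example, not the runbook from the export: it assumes the ActiveDirectory module is installed on the runbook server, the two input values come from the data bus (the `{Portal User Name}` and `{User Name}` placeholders are illustrative, not the published-data names from the export), and it adds one thing the description above does not mention, a re-check inside the runbook that the target account really reports to the requesting manager, so a request that arrives with some other user's ID is refused rather than trusted because the portal list only displayed direct reports.

```powershell
# Added example, not code from the original post or its exported runbook.
# Assumes: ActiveDirectory module available; $RequestingManager arrives as DOMAIN\username
# (the format of the portal token); $TargetSam is the sAMAccountName of the selected user.

$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomIndex {
    # Uniform index in [0, $Max) from the CSPRNG, with rejection sampling to avoid modulo bias.
    param([int]$Max)
    $buffer = New-Object byte[] 4
    $space  = [uint64]4294967296                     # number of distinct 32-bit values
    $limit  = $space - ($space % [uint64]$Max)       # values >= $limit would bias the result
    do {
        $Rng.GetBytes($buffer)
        $value = [BitConverter]::ToUInt32($buffer, 0)
    } while ([uint64]$value -ge $limit)
    return [int]([uint64]$value % [uint64]$Max)
}

function New-ComplexPassword {
    # 10 characters by default, guaranteed to contain one of each class so it passes
    # the default Windows complexity rule regardless of what the random fill produces.
    param([int]$Length = 10)
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # no I/O, easily confused with 1/0 when read aloud
        [char[]]'abcdefghijkmnopqrstuvwxyz',  # no l
        [char[]]'23456789',
        [char[]]'!@#$%&*-_=+?'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($class in $classes) {             # one character from every class ...
        $chars.Add($class[(Get-SecureRandomIndex -Max $class.Length)])
    }
    $all = @($classes | ForEach-Object { $_ }) # ... then fill the rest from the union
    while ($chars.Count -lt $Length) {
        $chars.Add($all[(Get-SecureRandomIndex -Max $all.Length)])
    }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates shuffle, so the
        $j = Get-SecureRandomIndex -Max ($i + 1)    # mandatory characters are not always first
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars.ToArray()
}

function Reset-ReportPassword {
    # Resets $TargetSam only if that account's AD manager attribute points at the requester.
    param(
        [Parameter(Mandatory = $true)][string]$RequestingManager,   # e.g. CONTOSO\leni
        [Parameter(Mandatory = $true)][string]$TargetSam,
        [switch]$ChangeAtNextLogon                                  # the option the post leaves out
    )
    Import-Module ActiveDirectory
    $managerSam = $RequestingManager.Split('\')[-1]                 # strip the DOMAIN\ prefix
    $manager = Get-ADUser -Identity $managerSam
    $target  = Get-ADUser -Identity $TargetSam -Properties Manager
    if ($target.Manager -ne $manager.DistinguishedName) {
        throw "Refusing reset: $TargetSam does not report to $RequestingManager"
    }
    $plain  = New-ComplexPassword -Length 10
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $target -Reset -NewPassword $secure
    if ($ChangeAtNextLogon) { Set-ADUser -Identity $target -ChangePasswordAtLogon $true }
    return $plain
}

# In the runbook both values are subscribed from the data bus; these placeholders are illustrative.
$newPassword = Reset-ReportPassword -RequestingManager '{Portal User Name}' -TargetSam '{User Name}'
# Publish $newPassword so the Update Service Request activity can write it into the description.
```

The manager check compares distinguished names, so it still works if the manager's display name or sAMAccountName differs from what the portal shows. Run the script in the same PowerShell bitness and version your runbook server uses for .NET Script activities, as that is where the ActiveDirectory module must be present.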
Service Manager Side
- Start the Service Manager console
- Synchronize the runbook over to Service Manager by using the Orchestrator connector
- Navigate to Library/Runbooks, select the runbook (2.2.1 Password Reset) and click Create Runbook Automation Activity Template in the Tasks pane
- Create Template,
- Input a name, for example Contoso – Runbook Activity – 2.2.1 Password Reset.
- Create a new management pack, for example Contoso Password Reset.
- Click OK
- Runbook Activity Template,
- Navigate to Library/Templates. Click Create Template from the Tasks pane
- Create Template,
- input name, for example Contoso – Service Request Template – Password Reset
- Select Service Request as Class
- Select the Contoso Password Reset management pack
- Click OK
- Service Request Template,
- Navigate to Library/Service Catalog/Request Offerings
- Click Create Request Offering in the Tasks pane
- Create Request Offering – General, input title, for example Password Reset
- Create Request Offering – General, select Contoso – Service Request Template – Password Reset as template
- Create Request Offering – User Prompts, add one prompt named User and configure it as Query Results
- Create Request Offering – Configure Prompts, select the User prompt and click Configure
- Configure Query Results,
- Select Class, change to Combination classes and select User (advanced)
- Configure Criteria, select Manages User, select Pager and click Add Constraint. Configure it as in the image below, using “Set Token” with the Portal User Name token. Why do we use Pager? The Portal User Name token is in the format CONTOSO\leni (DOMAIN\username). We don’t store that format on a user CI in Service Manager; we store the user name and the domain as separate properties. Instead I have updated each manager’s Pager attribute with that value, since we don’t use Pager for anything else in this environment. You can easily update the Pager attribute with a runbook; the export file includes an example of that.
- Display Columns, select User (advanced), then Object/Display Name and Domain User or Group/User Name
- Options, select “Add User-selected objects to template objects as related item” and select the Runbook Automation Activity
- Click OK
- Create Request Offering – Map Prompts,
- Create Request Offering – Publish, change offering status to Published
- Create the request offering
- Navigate to Library/Service Catalog/Service Offering
- Click Create Service Offering from the Tasks pane
- Create Service Offering
- General, fill in title for example Manager
- Request Offerings, add the Password Reset request offering
- Publish, change offering status to Published
- Finish the wizard and create the service offering
- Navigate to Library/Groups. Click New Catalog Group
- Create Catalog items group,
- General, group name, for example Contoso Managers
- Included Members, click Add, add the Password Reset request offering and the Manager Service offering
- Finish the wizard and create the group
- Navigate to Administration/Security/User Roles
- Click Create User Role > End User
- Create User Role,
- General, Name, for example Contoso Managers
- Management Packs, select the Contoso Password Reset management pack
- Catalog item Groups, select Contoso Managers
- Users, add managers
- Finish the wizard and create the user role
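The query criterion in the Configure Query Results step only matches if every manager's Pager attribute holds exactly the value the portal puts in the Portal User Name token. The block below is an added example (not the Pager runbook in the export) that populates that attribute for every account referenced by someone's manager attribute, and includes a check that mirrors the portal query so you can confirm what a given manager will see before publishing. It assumes the ActiveDirectory module and a single domain whose NetBIOS name is read from AD rather than hard-coded.

```powershell
# Added example, not the runbook from the export.
# Assumes: ActiveDirectory module; all managers live in the domain returned by Get-ADDomain.
Import-Module ActiveDirectory

function Set-ManagerPagerValues {
    # Writes DOMAIN\sAMAccountName into Pager on every user that someone reports to.
    param(
        [string]$SearchBase  = (Get-ADDomain).DistinguishedName,
        [string]$NetbiosName = (Get-ADDomain).NetBIOSName,
        [switch]$WhatIf
    )
    # Every distinct DN found in a manager attribute is, by definition, a manager.
    $managerDns = Get-ADUser -LDAPFilter '(manager=*)' -SearchBase $SearchBase -Properties manager |
        Select-Object -ExpandProperty manager | Sort-Object -Unique

    $changed = 0
    foreach ($dn in $managerDns) {
        $mgr = Get-ADUser -Identity $dn -Properties pager
        $expected = "$NetbiosName\$($mgr.SamAccountName)"    # same format as the portal token
        if ($mgr.pager -eq $expected) { continue }            # already correct, nothing to do
        if ($mgr.pager) {
            Write-Warning "$($mgr.SamAccountName): Pager currently '$($mgr.pager)', overwriting"
        }
        Set-ADUser -Identity $mgr -Replace @{pager = $expected} -WhatIf:$WhatIf
        $changed++
    }
    return $changed
}

function Get-ReportsVisibleTo {
    # Mirrors the portal query: users whose manager carries this Portal User Name in Pager.
    param([Parameter(Mandatory = $true)][string]$PortalUserName)   # e.g. CONTOSO\leni
    $managers = Get-ADUser -Filter "pager -eq '$PortalUserName'" -Properties directReports
    foreach ($mgr in $managers) {
        foreach ($reportDn in $mgr.directReports) {
            Get-ADUser -Identity $reportDn | Select-Object Name, SamAccountName
        }
    }
}

Set-ManagerPagerValues -WhatIf          # dry run: shows which accounts would be changed
Set-ManagerPagerValues                  # apply
Get-ReportsVisibleTo -PortalUserName 'CONTOSO\leni'
```

The warning on an existing Pager value is the check worth keeping: the post's approach borrows an attribute that is otherwise unused, and silently overwriting a value that some other system does use is the failure mode to watch for. Run the dry run first, then the AD connector synchronisation, and only then publish the offering; the portal list reads the Pager value from the Service Manager CMDB, not from AD directly.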
You can download my example runbook here, 20120617_PasswordReset_WOLF
Please note that this is provided “as is” with no warranties at all.
I’m not certain where you are getting your info, but good topic.
I must spend some time learning much more or working out more.
Thank you for the wonderful information; I was looking for this info for my mission.
Hi Sir, thanks for sharing such an amazing article.
I think you need to review the Reset User Password activity and see how it is configured. It sounds like you have selected your manager there instead of your user.
Hi, that I have not built. Today I would look into Azure AD and the self-service password reset feature there.
An affordable AD password reset through email solution can be found in WSPMS. You might also want to take a look at that one, since it is so easy to add to your Windows environment. https://wizardsoft.nl/passwordselfservice/passwordselfservice.html
Hi Anders. The runbook doesn’t work for me. The manager’s password gets reset, not that of the user he picked.
I’m trying to create a runbook to do a password reset; the idea is that the user enters the web portal and, from there, through a series of questions, can reset their password.
Can you tell me or guide me on this journey?
Hi, is the correct information synced to the Service Manager CMDB/DB?
Hi Anders, I am aware that you mentioned/notified us that you are currently working on other solutions…
I have followed all your steps, but due to the difference in scenarios I am somehow getting a little challenged.
My scenario is that everyone in the environment must be able to reset his/her password in the portal. I am now stuck, because I know that with the Manager attribute you have mentioned there should be something I replace it with, so the whole scenario changes, and for that I am battling to get it to work.
Also, when I tried to follow your scenario I did everything; when I go to the portal I see my Password Reset service offering, which works as a hyperlink; when I click on it, it opens a page where it reads “available requests on Password reset”.
How do I get it to work? I mean, how do I get a user to start a password reset?
Your assistance will be highly appreciated. Thanking you in advance for considering my post.
I’m hoping you’re still somewhat supporting this. I downloaded the runbook you have linked, and then followed all the steps without issue. I have a weird issue though.
I created 2 test users and made myself manager of both. I also added domain.local\my.account in their Pager field.
When I log in to our portal and go to the password reset request, the only user I see is myself?
Hi, thanks for reading my blog and taking the time to post a comment. I am no longer working with Service Manager, sorry, so I am not really up to date here. But make sure you use the SC Object ID everywhere; it is easy to use the wrong ID when working with related objects in a runbook.
Hoping for some assistance. We implemented the new HTML5 SSP with UR8 and the latest hotfixes. Portal has been running great, but having trouble introducing the Password Reset automation. Encountering two problems:
1) Defining ‘Manages User – Pager’ during the Request Offering makes the list refresh, once published, spin endlessly as if it is unable to locate a suitable user. Subordinate users have their Manager’s Username in the format DOMAIN\Username in the AD Pager field. Orchestrator and AD Connectors synchronized prior to submitting ticket.
2) If the above Criteria is removed the list displays all AD objects. Selecting a subordinate to my account and issuing the Password Reset the Runbook fails at ‘Get User’ with SC Object GUID is not valid for given criteria. Checking the logs it does have a username for Manager and has an ID for the ObjectID.
We have been implementing all solutions System Center starting with Data Protection & Configuration Manager. We’re now redesigning our Helpdesk with the advent of Service Manager. I would be extremely grateful if you would assist reviewing the current issue and helping apply a fix for those of us using the new HTML5 SP. Please feel free to reach out at firstname.lastname@example.org when convenient. Thanks in advance, happy Holidays and I’ll hope to hear from you soon.
Check what kind of input data that field has. It might be that there is no input data; for example, if you use data from the data bus, maybe there is no value from the linked activity. You can use a Write Platform Event activity to simply dump the value from the data bus before the activity with issues.
Thanks for sharing this guide. I downloaded the zip file and imported it into Orchestrator; when I run a test, the Get Runbook Activity shows the error:
The property SCObjectGuid is not valid for the given criteria.
How can I resolve the error?
Thanks for your help.
Hi, all runbooks are in the ZIP file at the end of the blog post.
Add logging to your runbook to make sure that the Get Activity picks up a user. Maybe something is wrong with the user format.
Hi, no it will only reset the user I request password reset for.
I was able to execute the runbook; on the Reset Password node, it gives the error “The User ” was not found”?
Any idea how I can fix this?
Can you please post screenshots of the runbook objects? I mean, what you configured inside. I am facing some challenges in configuring the runbook.
Thank you for sharing this helpful guide.
In the same scenario, we use the Lepide Active Directory self-service tool (http://www.lepide.com/active-directory-self-service/ ), which allows end users to take control of their AD account by performing self password reset and self account unlock directly from the login screen. The tool also keeps Windows Active Directory updated with their latest personal information without any assistance from the administrator/help desk personnel.