In this blog post I will show you how to set up password reset with the self-service portal, Service Manager and Orchestrator. The scenario is that a manager should be able to reset the password of colleagues reporting to him or her. The manager could also be something like an instructor or teacher for a class. The request offering for password reset should only be shown to members of the "Manager" user role, and the manager should only be able to reset passwords for members of their own team. To make this work you need to configure the manager attribute on your users in Active Directory, as shown in the image below. We will use a dynamic query-based list to show only people reporting directly to the manager. In this example I use Orchestrator to generate a 10-character complex password, but you could also add "New Password" as a parameter to the service request; then you input the new password in the service portal. You could also configure the runbook to check the "User must change password at next logon" checkbox on the user account. That checkbox sometimes results in issues for some applications, so I have not included it in this demo. Note that without it the manager, who gets the new password back in the service request, knows the colleague's password until the user changes it.
- Get Runbook Activity. Gets the runbook activity; we submit its ID as an input parameter to the runbook from Service Manager.
- Get Related Service Request. We pick up the service request from the runbook activity, by the relationship.
- Get Related User. When we configured the query list in Service Manager we specified that the selected user should be set as a related item on the runbook activity. This activity gets that related user.
- Get Service Request. Reads the service request item.
- Get User. Reads the user object.
- Generate New Password. Generates a 10-character complex password.
- Reset User Password. Sets the password to the generated complex password.
- Update Service Request. Updates the description field on the service request with the new password and account information.
The runbook is quite simple: we start with the runbook activity, which we get from Service Manager as an object ID. We then pick up the related service request and user. We generate a new password and set it on the user. Finally we update the service request with a new description, including the new password. Keep in mind that the password is then stored in clear text in the service request description, so anyone who can read that work item (the manager, analysts, anyone with access to the service request) can read the password; treat the service request accordingly, or deliver the password another way.
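As an added example, not the post's exported runbook (the parameter and function names are mine), here is the same logic as a PowerShell script: it generates a 10-character password that covers every Active Directory complexity class, resets the selected account with Set-ADAccountPassword, optionally sets the change-at-next-logon flag the post leaves out, and, before doing any of that, checks in AD that the requester really is the target's manager. That check is the one thing the portal filter alone does not give you: the query result list hides other users from the manager, but the runbook should enforce the rule itself rather than trust that it is only ever handed the right related user. It assumes the ActiveDirectory module (RSAT) and an account allowed to reset passwords.

```powershell
# Added example: the runbook's steps as a script, plus a server-side manager
# check. Not the post's exported runbook; parameter and function names are
# assumptions. Requires the ActiveDirectory module (RSAT).
param(
    [Parameter(Mandatory = $true)][string]$RequesterSam,   # portal user, e.g. 'leni'
    [Parameter(Mandatory = $true)][string]$TargetSam,      # user picked in the query list
    [int]$Length = 10,
    [switch]$ChangeAtNextLogon                              # the checkbox the post leaves out
)

Import-Module ActiveDirectory

function New-ComplexPassword {
    # One character from each class guarantees the AD complexity rule (three
    # of four classes); the rest is drawn from all classes. Uses the CSPRNG,
    # not Get-Random. Ambiguous glyphs (0/O, 1/l/I) are left out on purpose.
    param([int]$Length = 10)
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!#$%&*+-=?@'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)." }
    $all = @($classes | ForEach-Object { $_ })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $pick = {
        param([char[]]$set)
        $rng.GetBytes($buf)
        # Modulo bias is negligible for sets this small.
        $set[[int]([System.BitConverter]::ToUInt32($buf, 0) % $set.Length)]
    }
    $chars = New-Object 'System.Collections.Generic.List[char]'
    foreach ($set in $classes) { $chars.Add((& $pick $set)) }
    while ($chars.Count -lt $Length) { $chars.Add((& $pick $all)) }
    # Fisher-Yates shuffle so the class order is not predictable.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $rng.GetBytes($buf)
        $j = [int]([System.BitConverter]::ToUInt32($buf, 0) % ($i + 1))
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

function Test-IsManagerOf {
    # True only if the target's AD 'manager' attribute points at the requester.
    param([string]$ManagerSam, [string]$UserSam)
    $manager = Get-ADUser -Identity $ManagerSam
    $user    = Get-ADUser -Identity $UserSam -Properties manager
    return ($null -ne $user.manager) -and ($user.manager -eq $manager.DistinguishedName)
}

function Reset-ManagedUserPassword {
    param([string]$RequesterSam, [string]$TargetSam, [int]$Length, [bool]$ChangeAtNextLogon)
    if (-not (Test-IsManagerOf -ManagerSam $RequesterSam -UserSam $TargetSam)) {
        throw "$RequesterSam is not the manager of $TargetSam; refusing to reset."
    }
    $plain  = New-ComplexPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $TargetSam -Reset -NewPassword $secure
    if ($ChangeAtNextLogon) { Set-ADUser -Identity $TargetSam -ChangePasswordAtLogon $true }
    # Returned in clear text because the post's runbook writes it into the
    # service request description; whoever can read that work item can read this.
    $plain
}

Reset-ManagedUserPassword -RequesterSam $RequesterSam -TargetSam $TargetSam `
    -Length $Length -ChangeAtNextLogon $ChangeAtNextLogon.IsPresent
```

Run it as the Orchestrator service account (or from a Run .Net Script activity) with the requester taken from the Portal User Name token and the target from Get Related User; if the manager check fails the script throws, so the runbook's Update Service Request step can record a refusal instead of a password.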
Service Manager Side
1. Start the Service Manager console.
2. Synchronize the runbook over to Service Manager by using the Orchestrator connector.
3. Navigate to Library/Runbooks, select the runbook (2.2.1 Password Reset) and click Create Runbook Automation Activity Template in the Tasks pane.
4. Create Template:
   4.1 Input a name, for example Contoso – Runbook Activity – 2.2.1 Password Reset.
   4.2 Create a new management pack, for example Contoso Password Reset.
   4.3 Click OK.
5. Runbook Activity Template.
6. Navigate to Library/Templates and click Create Template in the Tasks pane.
7. Create Template:
   7.1 Input a name, for example Contoso – Service Request Template – Password Reset.
   7.2 Select Service Request as class.
   7.3 Select the Contoso Password Reset management pack.
   7.4 Click OK.
8. Service Request Template.
9. Navigate to Library/Service Catalog/Request Offerings.
10. Click Create Request Offering in the Tasks pane.
11. Create Request Offering – General: input a title, for example Password Reset.
12. Create Request Offering – General: select Contoso – Service Request Template – Password Reset as template.
13. Create Request Offering – User Prompts: add one prompt named User and configure it as Query Results.
14. Create Request Offering – Configure Prompts: select the User prompt and click Configure.
15. Configure Query Results:
   15.1 Select Class: change to Combination classes and select User (advanced).
   15.2 Configure Criteria: select Manages User, select Pager and click Add Constraint. Configure as in the image below, using "Set Token". Why Pager? The token Portal User Name is in the format CONTOSO\leni (DOMAIN\username). We don't store that on a user CI in Service Manager; we store user name and domain, but not in that format. Instead I have updated each manager with that information (the manager's own login in DOMAIN\username format) in the Pager attribute, as we don't use it for anything else in this environment. You can easily update the Pager attribute with a runbook; the export file includes an example of that.
   15.3 Display Columns: select User (advanced), then Object/Display Name and Domain User or Group/User Name.
   15.4 Options: select "Add user-selected objects to template objects as related item" and select the Runbook Automation Activity.
   15.5 Click OK.
16. Create Request Offering – Map Prompts.
17. Create Request Offering – Publish: change offering status to Published.
18. Create the request offering.
19. Navigate to Library/Service Catalog/Service Offering.
20. Click Create Service Offering in the Tasks pane.
21. Create Service Offering:
   21.1 General: fill in a title, for example Manager.
   21.2 Request Offerings: add the Password Reset request offering.
   21.3 Publish: change offering status to Published.
   21.4 Finish the wizard and create the service offering.
22. Navigate to Library/Groups and click New Catalog Group.
23. Create Catalog Items Group:
   23.1 General: group name, for example Contoso Managers.
   23.2 Included Members: click Add and add the Password Reset request offering and the Manager service offering.
   23.3 Finish the wizard and create the group.
24. Navigate to Administration/Security/User Roles.
25. Click Create User Role > End User.
26. Create User Role:
   26.1 General: name, for example Contoso Managers.
   26.2 Management Packs: select the Contoso Password Reset management pack.
   26.3 Catalog Item Groups: select Contoso Managers.
   26.4 Users: add the managers.
   26.5 Finish the wizard and create the user role.
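The Configure Criteria step above needs the manager's login in DOMAIN\username form in the Pager attribute, and the post's export file ships a demo runbook that fills it in. As an added example that is not that runbook (the function and parameter names are mine, and it assumes the ActiveDirectory module and write access to pager), the script below derives the managers from the AD manager attribute and writes each one's own DOMAIN\sAMAccountName into pager, which is what a constraint on Manages User / Pager compares with the portal token. Because the replies in the comments describe putting the manager's login on each managed user instead, an -OnReports switch does that variant; pick the one that matches where you placed the Pager constraint. Run it with -WhatIf first: it overwrites whatever is in pager, so this only works when, as in the post, the attribute is otherwise unused.

```powershell
# Added example, not the post's exported demo runbook. Writes DOMAIN\sAMAccountName
# of each manager into 'pager', either on the manager (default, matching the
# Manages User / Pager criterion) or on every report (-OnReports). Assumes the
# ActiveDirectory module and write access to 'pager'; $SearchBase is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,
    [switch]$OnReports      # put the manager's login on each managed user instead
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

function Get-NetbiosDomainOfDn {
    # 'CN=Leni,OU=Staff,DC=contoso,DC=local' -> 'CONTOSO'; cached per domain DN.
    # Assumes no RDN contains the literal text 'DC='.
    param([string]$Dn, [hashtable]$Cache)
    $domainDn = $Dn.Substring($Dn.IndexOf('DC='))
    if (-not $Cache.ContainsKey($domainDn)) {
        $Cache[$domainDn] = (Get-ADDomain -Identity $domainDn).NetBIOSName
    }
    $Cache[$domainDn]
}

function Update-ManagerPager {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase, [bool]$OnReports)
    $domainCache = @{}
    $changed = 0
    # Every user that has a manager set; users without one will not show up in
    # anybody's list, which is the intended least-privilege outcome.
    $reports = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(manager=*)' -Properties manager, pager
    # Resolve each distinct manager once. Managers in another domain would
    # need Get-ADUser -Server pointed at that domain or a global catalog.
    $managers = @{}
    foreach ($dn in ($reports | ForEach-Object { $_.manager } | Sort-Object -Unique)) {
        $m = Get-ADUser -Identity $dn -Properties pager
        $value = '{0}\{1}' -f (Get-NetbiosDomainOfDn -Dn $dn -Cache $domainCache), $m.SamAccountName
        $managers[$dn] = @{ Account = $m; Value = $value }
    }
    # Either the managers themselves or each of their reports receive the value.
    $targets = if ($OnReports) {
        $reports | ForEach-Object { @{ Account = $_; Value = $managers[$_.manager].Value } }
    } else {
        $managers.Values
    }
    foreach ($t in $targets) {
        if ($t.Account.pager -eq $t.Value) { continue }     # already in token format
        if ($PSCmdlet.ShouldProcess($t.Account.SamAccountName, "Set pager to $($t.Value)")) {
            Set-ADUser -Identity $t.Account -Replace @{ pager = $t.Value }
            $changed++
        }
    }
    $changed
}

$n = Update-ManagerPager -SearchBase $SearchBase -OnReports $OnReports.IsPresent
Write-Verbose "Updated $n account(s)."
```

Schedule it (or keep the post's runbook) so that newly hired or reorganised staff appear in the right manager's list; a stale pager value silently drops users from the query result, which is the symptom several commenters below report.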
You can download my example runbook here: 20120617_PasswordReset_WOLF.
Please note that this is provided "as is" with no warranties at all.
Hi, I have followed this; however, when resetting the password it resets the password of both the requesting manager and the user you select??
Thanks for a very nice write-up. I am having the issue that some others are having with no users displaying in the portal. I have configured the user's Manager and also the Pager field as DOMAIN\managername, to no avail. When I imported your runbook, I noticed a tab called "2.2.2 Update Mangers (demo)". Do I need to do anything with that runbook?
An object that you pick from a query based list is attached to either the runbook activity or the service request work item. You can select that when building the offering in Service Manager. Then from the runbook you need to get the related user for the service request.
I'm creating a runbook that changes the account expiration date attribute. Basically the person responsible for contractors will open the Service Manager portal, and a query result will list all contractors that are managed by the user logged on to the portal. I was using this post as an example because it could be very similar; my intention is:
1.List of contractors under the manager.
2.With their expiration date.
3.Ability to extend the date for next 30 days.
4.Confirmation on the screen.
5.Confirmation Email to manager, employee and IT.
6.Manager can only update his contractors.
My question is: how do I get the user login from the user selected in the query result and pass it to Orchestrator? If I keep the mapping blank, Orchestrator does not receive any information about the user; the only option shown to me is Token: Portal User Name, but that will pass information about who is logged on to the portal and not the user that was selected in the query.
Please attach the screenshots of the runbook objects in the runbook configuration.
I, too, am not seeing a list of users when attempting the password reset. I have verified that several users have the pager attribute populated with the manager's username in DOMAIN\username format. Any suggestions?
Hi, I think you need to figure out a way to filter down the query. It is impossible to pick from 2000 objects. Maybe you can filter on some extra attributes.
Hi, I have not really found another good way.
Is there another method of implementing DOMAIN\MANAGER without using the PAGER attribute?
I need to convince my boss that this is not a workaround; is there another way to implement it by default?
Thanks so much
Hi Anders, thanks for your sharing.
When I search for a user on the SM portal, the search box prompts "From 2000 objects".
Our AD has more than 7000 users, but I just see 2000 users; I cannot search for many users. Our domain controllers' query limit is 20,000 objects.
Could you offer some suggestions to solve this problem?
Thanks for your help.
Can you see in your runbook that you have a username, that you get a username from Service Manager?
In the post I use the Pager attribute to store the manager user name and domain. Have you done that too? The portal will show all users from the CMDB where pager = DOMAIN\username of the current portal user. The pager attribute on each user should contain the manager in format DOMAIN\username
Hi! Thank you for sharing! I followed your instructions, but I can't see users when I request the Service Offering from my Self Service Portal. Please let me know where the problem is.
Hi, all seems to be working OK but I get an error with the runbook at Reset User Password:
"The user '' was not found."
There is no username displayed. Any ideas?
Hi, verify that you have the same IP in your new environment as in the old one, and that you have distributed the IPs around the different Orchestrator components. The new SP1 IP for System Center is an upgrade of the old ones, so all runbooks that worked previously should work now too.
Hi, it has to be for the users… the query based list will ask for all users that have “PORTAL TOKEN” as pager.
Just a small question: do I have to set the pager attribute for every user or just for the managers? Your example runbook seems to set it only for the manager and not for the normal user. How can it work?
We just upgraded to SC 2012 SP1 – I am importing the password script into Runbook Designer and I am getting this error. “The activity may not be installed or was not converted from an Opalis v4 configuration” In my lab prior version, I did not have this issue.
If you select multiple groups in the self-service portal, then each group will be related to the service request or the runbook activity, depending on your service request settings. In this example we make it related to the runbook automation activity. In this example, in the runbook, where we do Get Related User, you will then get multiple answers as you have selected multiple groups. You can then have an Add User To Group activity that will run for each answer; then you might want to use a junction activity to merge back to one thread for the rest of the runbook.
The Token: Portal User Name is in the format CONTOSO\leni (DOMAIN\username). We don't store that on a user CI in Service Manager; we store username and domain, but not in that format. Instead I have updated each manager with that information in the Pager attribute, as we don't use it for anything else in this environment. When the manager goes into the portal it will list all managed users where the PAGER attribute is equal to the current portal user (Token: Portal User Name). So on each user you need to update the Pager attribute with the manager ID in the format DOMAIN\username.
Hi Nelson, take a look at http://technet.microsoft.com/en-us/library/hh770170.aspx and http://blogs.technet.com/b/servicemanager/archive/2012/08/13/3479165.aspx and http://blogs.technet.com/b/servicemanager/archive/2012/01/05/custom-silverlight-module-for-service-manager-2012-portal.aspx
Also, I updated the Pager attribute of the manager I’m testing with
Where do you assign the end users to the manager who uses the Service Request? I tried the Manager attribute under the Organization tab in Active Directory but had no luck. Thanks
Hi, I think you should look into deploying Orchestrator too. Orchestrator will bring a lot of value. I guess you can solve it without Orchestrator too, but it will require some custom workflows and dev skills.
Hi, thanks. Seems like a location issue, but I have not seen that before, sorry
Thanks for your very useful post. I’m facing a strange issue with the user picker in the request offer.
I used your runbook to insert DOMAIN\user in the pager attribute.
If I configure the query result in step 15 with the SCSM console in English it works perfectly and my manager is able to choose a user. If I do exactly the same thing with the console in French the query won't show any result.
Do you have any idea on the subject ?
Is it possible to add the user to multiple groups using the same Service Request and Runbook? If the service request has multiple groups related to it by the service offering using a query prompt, how can Orchestrator process them all and add the user to all of them?
I can’t seem to crack this nut.
I would like to configure our self-service portal similar to the image in the URL below:
Can someone help me out ?
I am quite new with SC Service Manager and I don't have Orchestrator installed; can I accomplish the password reset without Orchestrator? How can I customize the look of the self-service portal? I would also like to add offerings in the self-service portal, as the only thing being offered is to create a generic incident request.
Hi, it seems like you are trying to update a Service Request that doesn't exist. You tell Service Manager to update service request "[CN=Username,CN=Users,DC=SystemCenterLab,DC=local]", but that will not work. Instead you need to pass the SC Object GUID from earlier activities.
I am using the "Password reset with the Service Manager self-service portal" code and receiving a different error. In Orchestrator the last process, "Update Service Request", gives me the following error: "Error parsing value [CN=Username,CN=Users,DC=SystemCenterLab,DC=local] to type [guid]."
Not sure where to look for the issue. Can you help?
Hi, you can extend the class in service manager, seal that MP, and then you will see that in Orchestrator too.
Hi, sorry, there is not. You could of course build any kind of UI that kicks off an Orchestrator runbook. If you build a small HTA or something that generates a file in a folder, Orchestrator can pick it up and execute the runbook. You could also build a custom web page that does that.
Hi, you can build it as you suggest, but then you need to start it from the web based Orchestrator console and you can't use it as a service request. Also you don't get any audit or logging of who is resetting what. But it will work.
Why can't I simply create a workflow with the following options:
1) Initialize Data (I will read the user ID here)
2) Generate New Password
3) Reset Password
4) Send Email
Do I really need to create the entire workflow to extract the user ID and Service Request etc.?
Is it possible to use extensionAttribute instead if you would like to have more than one manager?
How did you resolve this issue? I’m also unable to list the users. Everything is configured as explained…
Hiren Tataria says: "… on my environment service manager 2012, but when I open the portal using a manager ID I can't see users in the list."
Thanks — I just implemented something like this for student password resets. Trouble is the query results are horrific. We had to increase the number of objects returned…for large queries it locks the entire silverlight app while it loads the 29,000 students.
Is there any query-result like form for the portal where the LDAP lookup occurs after a search only?
Hi, have you imported all the integration packs needed in the runbook? I think you need to import the ones for System Center 2012 and also the one for Active Directory. After that, delete and re-import the export file.
Hi, not sure I follow, is it not working for you?
Hi, thanks for reading my blog. Have you updated each user pager attribute with the manager login? Look at step 15.2 and see how we use the pager attribute.
Hi Anders, thanks for sharing. I have applied this on my Service Manager 2012 environment and had user lists as well, but I am unable to find a way to put password reset for managers in a service request.
Hi Anders, thanks for sharing. I have applied this on my Service Manager 2012 environment, but when I open the portal using a manager ID I can't see users in the list.
Could you please guide me where I am going wrong?
Hi, when I import the runbooks I get an error saying "The properties for this activity cannot be viewed. The activity may not be installed or was not converted".
Sorry, I'm very new with Orchestrator; can I have step by step instructions to create the runbooks please?