Advanced policy configuration: Password Sync tab

Advanced policy configuration: Password Sync tab

Password Sync tab

Password Synchronizer

  • Automate password synchronization with users' linked accounts after the performed self-service action (password reset or password change) is reflected in AD.
  • Automate the unlocking of accounts for users' linked accounts after the performed unlock action is reflected in AD.
  • Force password synchronization with the users' linked accounts. They cannot deselect any of their linked accounts during password synchronization.
  • Enable users to exempt their AD account from password synchronization.
  • Example: Say users want to maintain separate passwords for their Windows and non-Windows accounts; with this option, the administrator can enable users to deselect AD from the list of accounts available for password synchronization. They will be able to reset the passwords of their non-Windows account (Google apps accounts, Microsoft 365 accounts, etc.) without affecting their Windows password.

  • Allow users to select the required linked accounts for password synchronization by having the accounts deselected by default while performing self-service actions (password reset, account unlock, and password change).
  • Check the box next to Hide the Application tab when automatic account-linking option is enabled to remove the application tab from the user's self-service portal when the user has no access to any enterprise application for SSO and account linking is enabled for password synchronization.

Password-Sync

Post Action

Under Post Action, you can:
  • Synchronize users' passwords with other providers by running a custom script.
  • Synchronize account lockout statuses with other providers by running a custom script.

Post Action

Important security considerations

The steps mentioned below must be adhered to while implementing custom scripts:

  • The script file must be placed inside the [Installation_Directory]/Scripts. References to subfolders are not allowed.
  • The script command must only contain the filename and arguments.
  • The first argument must be a filename with its extension. Only VBScript (.vbs) and PowerShell script (.ps1) are allowed.
  • The use of '..' is restricted in the script command.
  • Arguments passed to the script will be encoded in Base64 to prevent command injection attacks.

Decoding Arguments

Insufficient input validation of command line commands allows a threat actor to execute arbitrary commands on the host operating system. To protect users from these attacks, all arguments to the script will be encoded in Base64. These arguments should be decoded in the script before they are executed.

Note: To facilitate the above, the scripts folder comes with two files - sample-base64.vbs and sample-base64.ps1. These files contain sample code to decode from Base64.

Decoding Base64 in VBScript:

A helper file present in [Installation Directory]/Scripts/utils/Base64Decoder.vbs contains the Base64Decode function. You can utilize this function in your scripts to decode Base64 value.

  • Import the Base64Decoder.vbs file into your script.
  • Pass the encoded value to the Base64Decode function. The function will decode the value and return the UTF-8 string.

Decoding Base64 in VBScript

Include("utils\Base64Decoder.vbs")
For Each arg In WScript.Arguments
   	Dim decodedArg
   	decodedArg = Base64Decode(arg)
   	f.WriteLine("Before decoding: " + arg)
   	f.WriteLine("After decoding: " + decodedArg)
Next

Decoding Base64 in PowerShell script:

  • Pass the encoded string to the [System.Convert]::FromBase64String function. This will return the decoded value as a byte array.
  • Pass the byte array to the [System.Text.Encoding]::UTF-8.GetString function. This will convert the byte array into an UTF-8 string.

Decoding Base64 in PowerShell script

foreach ($arg in $args) {
	$decodedArg = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($arg))
   	Add-Content -Path sample-base64-test.txt -Value "Before decoding: $arg"
	Add-Content -Path sample-base64-test.txt -Value "After decoding: $decodedArg"
}

                  New to ADSelfService Plus?

                    • Related Articles

                    • Advanced policy configuration: General tab

                      General Tab: The General tab contains settings related to CAPTCHA verification, personalization link and tab customization. These are the settings that come under the General tab: Hide CAPTCHA: CAPTCHA is a security measure against bot-based attacks. ...
                    • ADSelfService Plus self-service password reset configuration: Reset & Unlock tab

                      Reset & Unlock tab The Reset & Unlock tab consists of settings related to the self-password reset and account unlock features. Learn how to configure these settings to suit your requirements. Here are the settings under the Reset & Unlock tab: Unlock ...
                    • Password Policy Enforcer configuration

                      ADSelfService Plus' Password Policy Enforcer empowers administrators to implement advanced password policy controls, such as banning weak passwords and disallowing keyboard sequences, for users' on-premises AD accounts and cloud accounts, including ...
                    • Modify the password policy requirements text displayed on screen in ADSelfService Plus

                      Description ADSelfService Plus, by default, displays the password policy requirements (domain or fine-grained password policies) of a user in the change password and reset password screen. If you prefer to customize the password policy messages to ...
                    • Advanced policy configuration: Block User tab

                      Block User tab: This tab allows you to block users who failed at the identity verification step. If a user attempts to use more than a few unsuccessful reset password attempts by providing the wrong answers to security questions or verification ...