Password Management script

This script is called on password changes and sets received from the Password Change Notification Service (PCNS). If you do not use this, you should specify the path to an empty script (the script must exist).

The password change script is called once for each user who changes or has their password reset. If the password change/set is unsuccessful, the script should throw an error, e.g. throw "Failed". This error will be logged in the event log.

Below is a sample script that is called for password changes and sets -

param
(
 $Username,
 $Password,
 $Credentials,
 $Action, # will be set to either 'Set' or 'Change'
 $OldPassword,
 $NewPassword,
 [switch] $UnlockAccount,
 [switch] $ForceChangeAtLogOn,
 [switch] $ValidatePassword
)
BEGIN
{
}
PROCESS
{
  # grab the sAMAccountName value for use with this
  # strange system that we are syncing passwords
  # with using this MA
  $AccountName = $_["samaccountname"].Value
  "Action: $Action" | Out-File "C:\Temp\_Options.txt"
  "Old pwd: $OldPassword" | Out-File "C:\Temp\_Options.txt" -Append
  "New pwd: $NewPassword" | Out-File "C:\Temp\_Options.txt" -Append
  "Unlock: $UnlockAccount" | Out-File "C:\Temp\_Options.txt" -Append
  "Force change: $ForceChangeAtLogOn" | Out-File "C:\Temp\_Options.txt" -Append
  "Validate: $ValidatePassword" | Out-File "C:\Temp\_Options.txt" -Append
  "$AccountName - $NewPassword" | Out-File "C:\Temp\_PasswordSets.txt"
  # just throw an exception if the password set/change is unsuccessful
}
END
{
}

The $_ object passed in the pipeline to this script is of type CSEntry; use this object to get attribute values for the object whose password should be changed/set.

The 'Action' parameter lets you handle a password reset and a password change differently. For a password reset, no value is passed in the 'OldPassword' parameter.
A few parameters are controlled through the FIM Synchronization Manager, and this configuration is passed to the script -
  • If the $UnlockAccount switch is true, the script should unlock the account.
  • If the $ForceChangeAtLogOn switch is true, the script should configure the account to change its password at next logon (if possible).
  • If the $ValidatePassword switch is true, the script should validate that the password was set correctly, if possible.
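As an added example (not the project's own sample), the following script fills in the PROCESS block with the behaviour described above: it branches on $Action, honours the three switches, and throws on any failure so the error reaches the event log. It assumes the target system is Active Directory reachable with the ActiveDirectory module, that $Credentials (when supplied) is a PSCredential accepted by the AD cmdlets, and that passwords arrive as plain strings as in the sample above; nothing is written to disk.

```powershell
param
(
  $Username, $Password, $Credentials,
  $Action,          # 'Set' or 'Change'
  $OldPassword, $NewPassword,
  [switch] $UnlockAccount,
  [switch] $ForceChangeAtLogOn,
  [switch] $ValidatePassword
)
BEGIN { Import-Module ActiveDirectory }
PROCESS
{
  # $_ is the CSEntry; read the identifier now, because inside 'catch' $_ is the error record.
  $AccountName = $_["samaccountname"].Value
  $NewSecure = ConvertTo-SecureString $NewPassword -AsPlainText -Force
  $ad = @{ Identity = $AccountName; ErrorAction = 'Stop' }   # common args for the AD cmdlets
  if ($Credentials) { $ad['Credential'] = $Credentials }       # assumption: PSCredential from the MA
  try
  {
    if ($Action -eq 'Change')
    {
      # Change: PCNS supplies the old password, so use it instead of an administrative reset.
      $OldSecure = ConvertTo-SecureString $OldPassword -AsPlainText -Force
      Set-ADAccountPassword @ad -OldPassword $OldSecure -NewPassword $NewSecure
    }
    else
    {
      # Set (reset): no old password is available.
      Set-ADAccountPassword @ad -Reset -NewPassword $NewSecure
    }
    if ($UnlockAccount) { Unlock-ADAccount @ad }
    if ($ForceChangeAtLogOn) { Set-ADUser @ad -ChangePasswordAtLogon $true }
    if ($ValidatePassword -and -not $ForceChangeAtLogOn)
    {
      # Validate by authenticating with the new password (a forced change would block this bind).
      Add-Type -AssemblyName System.DirectoryServices.AccountManagement
      $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
               [System.DirectoryServices.AccountManagement.ContextType]::Domain)
      if (-not $ctx.ValidateCredentials($AccountName, $NewPassword))
      {
        throw "new password did not validate"
      }
    }
  }
  catch
  {
    # The thrown message is logged to the event log, so it names the account but never the password.
    throw "Password $Action failed for $($AccountName): $($_.Exception.Message)"
  }
}
END { }
```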

Last edited Feb 26 at 9:15 AM by Granfeldt, version 2