Introduction
The following information details how to perform a fully automated Active Directory password reset from a Service Desk process, utilising the integrations available with LANDesk's Management Automation Platform (MAP). This serves as a real-life example of how Service Desk and MAP can be combined to achieve full round trip automation in your Service Desk processes. In this case we will use the built-in integration between MAP and Active Directory, but the same pattern could instead use the many other available actions in MAP to perform any other IT function using tools such as LANDesk Management Suite, SQL scripts, PowerShell, batch files, web services, etc.
Assumptions
This document does not give step by step instructions on a lot of the work required and assumes you are familiar with process design in Service Desk as well as the architecture of the round trip integration with MAP. For a full overview and instructions of the integration please see Chapter 3 - Automated round trip request fulfillment (pages 23-35) in the Event Manager manual available here: Service Desk 7.4 Event Manager Manual.
Note that Service Desk 7.4 or higher and MAP are both required.
Process Overview
The steps in the process are as follows:
1. An analyst creates an incident in Service Desk using the Active Directory Password Reset process and selecting the user whose password is to be reset in the Raise User field.
2. On saving the incident the process sits at an In Progress status. The following also occurs:
a. An email notification is sent to the Raise User to confirm the password reset is being processed.
b. A temporary password is randomly generated within Service Desk in the format temp12345, where 12345 is a random 5-digit number.
c. The Raise User's Active Directory username and the temporary password are passed to MAP for the next stage in the process.
3. A MAP workflow is triggered and performs the following steps:
a. With the username and password provided by Service Desk the relevant user account in Active Directory is updated with the new password.
b. The Active Directory account is updated again to set the User must change password at next login flag - this is to ensure that the password we have generated is definitely only temporary.
c. The Service Desk Event Manager web service is called to inform Service Desk the workflow has completed.
4. When the Event Manager web service is called the following occurs on the incident in Service Desk:
a. An email notification is sent to the Raise User to confirm the new password.
b. The incident is closed.
The round trip can take up to 2 minutes but requires no human interaction past logging the initial incident. You could also allow end users to log this themselves via Self Service, removing the need for an analyst altogether; however, chances are that if they need their Active Directory password reset they won't be able to access Self Service in the first place.
The incident "Active Directory Password Reset" process
The diagram below shows the incident process in Service Desk:
Creating the "Initiate Password Reset" action
Before building the process the Initiate Password Reset action needs to be created. This is a collection object on Incident that needs to be created with the Event Generator behaviour and with String attributes called Username and Password with Event Attribute Index values set so their values are passed to MAP. For more information on how to create and configure this object see the section Creating The Service Request object in the Event Manager manual linked at the top of this document.
The final step in creating the object is to create a window. Do this within Windows Manager and add on both the Username and Password attributes.
Creating the temporary password
In this example the temporary password will be randomly generated every time a reset is requested. If you are happy to have your passwords always reset to the same thing you can skip this part but it is likely that for added security you will want the password to be unique with each request. This is achieved via a calculation formula put directly into the "Initiate Password Reset" action. This will be added as part of building the process but this section describes how the calculation itself works so you can modify it to suit your own needs.
The calculation is as follows:
import System

static def GetAttributeValue(_InitiatePasswordReset):
    # Change these three values to alter the prefix and the range of the random number
    Prefix = 'temp'
    MinimumNumber = 10000
    MaximumNumber = 99999
    # Random.Next(min, max) returns a value >= MinimumNumber and < MaximumNumber
    return Prefix + Random().Next(MinimumNumber, MaximumNumber)
This results in a password such as "temp12345", where the 5-digit number is randomly generated. You can easily modify the three assignment lines of the calculation formula (Prefix, MinimumNumber and MaximumNumber) to alter the prefix and the range used to randomly generate the number, in case you want more or fewer digits. You could also modify the formula further if desired to create all manner of randomly generated strings with prefixes, suffixes, random characters, etc.; however, this is out of the scope of this document.
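The calculation above, reproduced as an added Python example (not part of the original article and not LANDesk's own code), with two checks a practitioner will want before relying on it: the size of the keyspace (90000 values for the page's range; note that .NET's Random.Next(min, max) excludes max, so the Boo version actually yields 89999) and whether the generated password satisfies the default Active Directory complexity policy, which requires characters from at least three of the four ASCII categories. A lower-case-plus-digits value such as temp12345 meets only two, so on a domain with complexity enabled the Reset password step in MAP would be rejected. The use of the secrets module in place of System.Random, the strong_temporary_password helper and the simplified complexity check are assumptions of this example, not part of the page.

```python
import secrets
import string

# Constructed values mirroring the page's Boo calculation (prefix + 5-digit number).
PREFIX = "temp"
MINIMUM_NUMBER = 10000
MAXIMUM_NUMBER = 99999


def temporary_password(prefix=PREFIX, minimum=MINIMUM_NUMBER, maximum=MAXIMUM_NUMBER):
    """Same shape as the page's calculation, with two differences (assumptions of this example):
    - secrets (a CSPRNG) replaces System.Random, whose output is predictable;
    - the upper bound is inclusive, whereas Random.Next(min, max) never returns max."""
    number = minimum + secrets.randbelow(maximum - minimum + 1)
    return f"{prefix}{number}"


def keyspace(minimum=MINIMUM_NUMBER, maximum=MAXIMUM_NUMBER):
    """Number of distinct passwords the calculation can produce: 90000 for the page's range."""
    return maximum - minimum + 1


def meets_ad_complexity(password, min_length=7):
    """Approximation of the default domain password policy: at least min_length characters
    and characters from at least three of four categories (upper, lower, digit, other).
    Assumption: the policy's extra rule rejecting substrings of the account or display
    name is checked elsewhere, so it is not modelled here."""
    if len(password) < min_length:
        return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(categories) >= 3


def strong_temporary_password(prefix=PREFIX, length=12):
    """Hypothetical stronger variant: keeps the recognisable prefix but draws the body
    from a larger alphabet, retrying until the result passes the complexity check."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*@"
    while True:
        candidate = prefix + "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_ad_complexity(candidate):
            return candidate


if __name__ == "__main__":
    print(temporary_password())               # e.g. temp48213
    print(keyspace())                         # 90000
    print(meets_ad_complexity("temp12345"))   # False: lower-case letters and digits only
    print(strong_temporary_password())        # e.g. temp7Qx!p2Lm#Ra0
```

If you keep the page's temp12345 format, check the domain's complexity and minimum-length settings first; if you switch to the stronger variant, the 12-character body gives roughly 70^12 possibilities instead of 90000, and the User must change password at next login flag set later in the MAP workflow still limits how long the temporary value is usable.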
Building the process
Now that the custom action has been created and the calculation required for generating the temporary password is known, you can build the process itself.
1. Within Process Designer select Incident Management -> Incident from the Process tree and click New Process.
2. Add the Open status, the Status is OPEN pre-condition, and an automatic assignment. Populate the assignment with the text to send to your user and tick the Notify Originator checkbox to specify the notification should go to the Raise User.
3. Add an automatic action and select Initiate Password Reset and the object's window will appear.
4. Right-click on the Username field and select Value Type. From the tree that appears select Incident -> Raise User -> Name and press OK.
5. Right-click on the Password field and select Calculation. In the window that appears enter the calculation formula from above and press OK.
6. Press OK on the action.
7. Add the In Progress status, the Close action, and an automatic Add Reminder action - the object's window will appear.
8. Populate the reminder details with whatever information you want to go to the user to confirm the password has been reset. Include in the text the placeholder to reference the temporary password. To do this you can right-click in the text field and select Insert placeholder and find the collection and attribute in the tree that appears. Tick the Notify Originator checkbox to specify the notification should go to the Raise User.
9. Add the Closed status.
Note: In step 4 the runtime value we have specified is the Name attribute on the user record. This must match the domain user name in Active Directory; if the domain user name is held in a different attribute you should adjust the runtime value accordingly.
The MAP database listener
For instructions on setting up MAP to listen for the Service Desk outgoing events see the section Designing the MAP workflow in the Event Manager manual linked at the top of this document.
The MAP workflow
The diagram below shows the workflow in MAP:
Integrating with Active Directory
To modify the Active Directory account you must first have a connection set up to the domain controller. To do this from MAP go to the Settings option under the Tools menu and add the details to the Users/Groups tab.
There are two actions in the workflow that call Active Directory. Both can be found in the Actions panel to the right of the workflow diagram under the Active Directory section. They are:
Reset password
This does as the name suggests and will change the password for the user of your choice. Drag this onto the diagram and set the properties as follows:
1. Connection - Select the Active Directory connection to use (which refers to the connection you create in the Settings window of MAP).
2. User name - Press the "..." button and find the field mapping associated with the database listener called tps_attributeX, where X matches the Event Attribute Index of the Username attribute on the event generator object created in Service Desk, e.g. tps_attribute1.
3. Password - As above press the "..." button and find the field that matches the Password attribute in the object created in Service Desk.
Get/set user information
This action will update the user record again, this time to set the User must change password at next login flag. You can use this action to update other attributes on the user, however it can't update the password which is why there is a separate action for this.
Set the properties as follows:
1. Connection, User name - use the same values as in the Reset password action.
2. Attributes - Click the "..." button and here we can set which attributes we want to update. Click the Add button then from the dropdown list select pwdLastSet. In the Value box enter 0. This field normally holds the date the password was last changed but setting it to zero is what forces it to be changed at next login. Note if the zero appears in quotes after you press OK go back and remove these.
The final step in the workflow calls the Event Manager web service to tell Service Desk it has completed the operations. For full instructions on this see the section Designing the MAP workflow in the Event Manager manual linked at the top of this document. When setting the attributes, set a value for the Title attribute that can be used in the Close action in the incident process, e.g. "The password has been reset".
The Event Manager mapping
When the MAP workflow calls the Event Manager web service this will trigger the Close action on the incident process. In turn this sends the email notification to the user with the temporary password and moves the process on to the final Closed status. For full instructions on this see the section Creating the Integration Process Source in the Event Manager manual linked at the top of this document. When mapping the event attribute map the source Title to the target Title so that the title of the closure record gets set with the text from the web service call in the MAP workflow.