Flexible Security For Your Peace of Mind

Custom Attribute Mobile

(Last updated on September 7, 2018)

Overview

Specops Password Reset (SPR) leverages mobile devices for resetting passwords, and receiving new, possibly temporary, passwords from the Service Desk. When organizations choose to use Mobile Devices, the mobile numbers must be available to the Service Desk. SPR looks to the mobile attribute of the user object for this information. This is the default location for mobile numbers. There are, however, reasons to store that data in different attributes. The primary reason to use an alternate AD attribute is to prevent the mobile number from being used by other communications systems such as Microsoft Lync. Imagine a scenario where users want to use their personal mobile device to unlock accounts and reset forgotten passwords. Using this possession factor as the second factor for authentication is a powerful tool in your arsenal to protect identity and ultimately your organization.

Configuring SPR to use a Custom Mobile Attribute takes three primary steps:

  1. Update User objects in AD
  2. Update Specops Password Reset Server to use the Custom Attribute
  3. Update the Specops Clients via Group Policy

Of course all of these items can be manually configured. The intent of this document is to begin working on developing a tool to automate all of these tasks in a single PowerShell function. Since this is the beginning of the development of this function, possibly multiple functions, it will explore each piece of the puzzle. A document presenting the complete solution may follow.


Update User Object in AD

Microsoft provides some great PowerShell cmdlets to help manage user objects in Active Directory. The Active Directory PowerShell module currently has 147 commands, all of which are cmdlets. The two cmdlets necessary for this scenario are Get-ADUser and Set-ADUser. The process is quite simple. Find the user object, figure out if there is a mobile attribute present, if so copy that to the new attribute, and optionally clear the mobile attribute.

$user= Get-ADUser–Identity <username> -Propertiesmobile,pager
$user.pager =$user.mobile
$user.mobile =$null

Set-ADUser–Instance $user

The above uses Get-ADUser to grab the user object along with the properties ‘mobile’ and ‘pager’. The pager attribute is the CustomAttributeMobile in this example. The next line copies the value from .mobile to .pager. Lastly the .mobile attribute is set to $null.

Now a few items to clarify here. $null is a special system variable used to tell PowerShell to wipe any value from a property. You can’t simply set .mobile to ‘’, that won’t work. There is no ‘delete’ or ‘remove’ method on these objects either. That is all it takes to update the object, but it updates the ‘temporary’ object in memory. Now it needs to be committed back to AD. That is where the Set-ADUser comes into play. Set-ADUser takes the object held in the variable $user and commits it back to the ADUser it represents.


Update SPR Server

The Specops Password Reset (SPR) Server needs to be configured to use the CustomAttributeMobile. This is simply stored as registry data on the SPR Server. The Property is stored in “HKLM:SOFTWARESpecopsSoftSpecops Password ResetServerDomains<domainName>”. The property is called CustomAttributeMobile, as you have most likely already figured out, and the data is a string representing the attribute to be used to look for the mobile number. In PowerShell you will use the Set-ItemPropertycmdlet to execute this portion of the task. Since you are likely to perform this configuration from another system you can use PowerShell remoting to execute commands on remote systems.

Invoke-Command -ComputerName<SPRServer Name>-ScriptBlock `
{Set-ItemProperty -Path‘HKLMSOFTWARESpecopssoftSpecops Password` ResetServerDomains<domainName>’ `

    -Name CustomAttributeMobile -Valuepager}

The above is all one line. The ‘`’ or ‘backtick’ mark at the end of the first and second lines is an artifact used in PowerShell to allow the line to continue. It is helpful for editing in the ISE but it is hard to read not a super common character, so it can cause confusion. For the purposes of documentation it can be very helpful.

The Invoke-Commandcmdlet is used to remotely execute the command in the –ScriptBlock on the remote system.


Update Password Policy Client

The Specops Password Reset (SPR) Client is responsible for checking to see if a user is ‘enrolled’ in the service. If a user has not enrolled in the system, they will receive an enrollment reminder from the Specops Password Client. The specific way it reminds the user is based on how the administrator chooses by way of policy. Configuring what enrollment reminder options are available can be found in the SPR administration guide.

In this scenario when a custom mobile attribute is in use, the SPR Client must know about it. When the client checks if the user is enrolled, it simply looks to that attribute. If the attribute populated that user is ‘enrolled,’ if the attribute is $null the user has not enrolled. Simple enough.

Using Group Policy and an administrative template setting, configurable through the Specops Password Reset ADMX file, you can easily do this. This setting must target SPR client computers, not users.

Keeping with the PowerShell theme and the end goal of automating this whole process we will find the proper cmdlet for this task. For this specific task we will use a cmdlet that Microsoft provides that allows us to add registry values directly to the registry.pol file in a GPO. This file is what gets processed by the client to actually perform the configuration. Set-GPRegistryValue is the proper cmdlet here. You must know the exact path in the registry, the name of the value and the type of data.

Set-GPRegistryValue -Name <GPOName> -Key‘HKLM:SOFTWAREPoliciesSpecopsSoft`
Specops Password PolicyClient’

       -ValueName CustomAttributeMobile-Type String-Value Pager

Now the client will know to look for the ‘pager’ attribute to determine if the user is enrolled in the system or not. If not, the user will be reminded.


Summary

In the next post I will bring these three pieces together into a script or advanced function to make the process of enabling an alternative mobile attribute simpler and more intuitive. There are three dependencies contained in this post:

  1.  ActiveDirectory cmdlets Get-ADUser and Set-ADUser
  2. Invoke-Command and Set-ItemProperty for remote registry updates
  3. Set-GPRegistryValue to update setting in GPO targeting client computers
  4. PowerShell makes performing these types of procedural tasks easier and more repeatable. Taking the time to understand the pieces is interesting and allows you even greater flexibility in managing your system.

Want to see? 

Tags: , , ,

>

Written by

Kevin Sullivan

Director of Sales Engineering, Specops Software

More Articles
Back to Blog