Reference Material | Administrator Enrollment

Specops uReset allows administrators to enroll users in the password reset system without requiring the users to go through the enrollment process themselves. This can be achieved with any identity service whose identifier information is stored in Active Directory.

Before using this guide, you need:

  • Basic knowledge of PowerShell
  • PowerShell 4.0 or later
  • uReset configured with an active Gatekeeper
  • uReset admin group membership
  • The uReset PowerShell module – installed with the administration tools (C:\Windows\system32\WindowsPowerShell\v1.0\Modules\uReset.Gatekeeper)

The identity services that lend themselves to administrator enrollment include:

  • AOL
  • Duo Security
  • GitHub
  • Manager Identification
  • Mobile Bank ID (Sweden)
  • Mobile Code
  • SITHS (Sweden)
  • Symantec
  • Tumblr

To enroll a user with one of the social identity services below, an enrollment proof value is required when running the cmdlet:

  • AOL: AOL username
  • GitHub: "[{""email"":""Example@gmail.com"",""primary"":true,""verified"":true}]" (a JSON array passed as a double-quoted PowerShell string; the inner quotes are doubled to escape them)
  • Tumblr: Name of blog

Enroll

Note: The -Username value is the Active Directory username that the enrollment will be added to.

To enroll users with Mobile Verification Code, SITHS, and Manager Identification, you can use the Set-ADUser cmdlet, which writes the identifier directly to the user's Active Directory attributes.

Set-ADUser

Note: The mobile number must contain "+" as the first character.
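The following is an added example (not from the uReset documentation) of writing a mobile number to Active Directory for administrator enrollment while enforcing the leading "+" requirement from the note above. It assumes uReset reads the number from the user's AD `mobile` attribute, which Set-ADUser exposes as `-MobilePhone`; the `+46` number is a constructed value. Verify the attribute mapping in your own uReset policy before relying on it.

```powershell
# Added example, not part of the uReset product or its documentation.
# ASSUMPTION: uReset reads the Mobile Code identifier from the AD "mobile"
# attribute (Set-ADUser -MobilePhone). Check your policy's attribute mapping.
Import-Module ActiveDirectory

function Set-uResetMobileNumber {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$sAMAccountName,
        [Parameter(Mandatory)][string]$MobileNumber
    )

    # HR exports often contain spaces, dashes and parentheses; strip them so the
    # stored value is the bare international number.
    $normalized = $MobileNumber -replace '[\s\-\(\)]', ''

    # The documentation requires "+" as the first character. This E.164-style
    # check (my assumption for the allowed digit range) rejects local-format
    # numbers before they are written, rather than enrolling an unreachable one.
    if ($normalized -notmatch '^\+[1-9]\d{6,14}$') {
        throw "Mobile number '$MobileNumber' for '$sAMAccountName' must be in +<country code><number> form."
    }

    # Fail clearly if the account does not exist; also lets -WhatIf show the
    # current value that would be overwritten.
    $user = Get-ADUser -Identity $sAMAccountName -Properties mobile
    if ($PSCmdlet.ShouldProcess($sAMAccountName, "Replace mobile '$($user.mobile)' with '$normalized'")) {
        Set-ADUser -Identity $user -MobilePhone $normalized
    }
    return $normalized
}

# Usage with a constructed number; drop -WhatIf to actually write the attribute:
# Set-uResetMobileNumber -sAMAccountName 'JohnDoe' -MobileNumber '+46 70 123 45 67' -WhatIf
```

Running with `-WhatIf` first is a cheap way to review what would be overwritten when bulk-loading numbers from an HR export, since a wrong mobile number silently redirects the user's reset codes.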

Questions identity service

This section describes how an administrator can enroll uReset users, with the Questions identity service, using information that is available about users, such as employee number(s).

Note: Administrator-enrolled questions/answers can be a security risk, because the answers are drawn from data that may be known to others. Best practice:

  • Avoid questions with answers available to other users
  • Combine the Questions identity service with additional identity services, for instance Manager Identification.

Administrator enrollment is available through the Specops uReset PowerShell module. It is recommended to run the PowerShell command on the same computer where the Specops uReset Gatekeeper is installed.

The Cmdlet

Administrator enrollment with security questions is performed with the Add-uResetQAEnrollment cmdlet. The cmdlet has the following required and optional parameters.

Required parameters

-sAMAccountName : The name of the user you want to enroll with QA.

-Answers : A list of answers. Each answer consists of the question-ID and the corresponding answer.

The PowerShell syntax for a single answer:

@{id="guid";answer="an answer" }
Example: @{id="{6AE0CB0A-7DB2-4AEC-BAE6-FA3B46352AC5}";answer="12345" }

A list of multiple answers is @(answer1, answer2), where each answer adheres to the syntax above.

Note: You can find the question ID(s) in the Specops uReset Administration tool when setting up the policy configuration.

Optional parameters

-Language : If the policy for security questions contains multiple languages, the question language for enrollment can be specified.

-Gatekeeper : If more than one Gatekeeper is installed, the name of the server can be specified with this parameter.

Using a CSV file

In a real-world scenario, the above information will come from a data source such as a text file, a SQL database or Active Directory. Here is an example using a CSV file (a comma-separated text file).

Let’s assume there is a file called C:\Temp\Users.csv that contains the following information.

The first line should contain the header names. The first header name should be "sAMAccountName"; the other headers should represent the questions selected.

Each following line holds one user, with the user's sAMAccountName followed by the answers to the selected questions.

In the example below, each user is enrolled with two questions/answers: employee number and home street address. The CSV file could look like this:

sAMAccountName,EmployeeNumber,HomeStreetAddress
JohnDoe,17,Nice Street 1
JaneDoe,4711,New Street 25B

The following PowerShell snippet reads the file and, for each user, updates the user's enrollment information in Active Directory. If other columns are chosen in the CSV file, the script below must be adjusted accordingly.

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

[array]$users = Import-Csv -Delimiter ',' C:\temp\users.csv

foreach ($user in $users) {
    $status = "Writing enrollment for user '$($user.sAMAccountName)'"
    Write-Progress -Activity 'Writing enrollments' -Status $status
    Write-Verbose $status
    $answers = @(
        # id:     From uReset Admin tool, edit the policy's questions to see the IDs
        # answer: The user's properties are taken from the CSV header name
        @{ id="{9341BC38-0267-4FC4-91E2-F79EEFAC7493}"; answer=$($user.EmployeeNumber) },
        @{ id="{2B21E33B-4C48-433D-95C8-1AAD0BFAEC75}"; answer=$($user.HomeStreetAddress) }
    )
    Add-uResetQAEnrollment -Username:$($user.sAMAccountName) -Answers:$answers -Language:'en'
}
Write-Progress -Completed -Activity 'Writing enrollments'

If more than one language has been added to the policy, the -Language parameter can be used to specify which language should be used for the questions in the enrollment. This is also the language that the user will see when authenticating with security questions. The value that follows -Language on the command line is the short form of the language name. For example, if you look at the Selected Languages field in the first screenshot, you will see that the short form of Swedish is sv.

If the policy contains multiple languages and no language is specified, the default language will be used.
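As an added example (not from the uReset documentation or product), here is a more defensive version of the CSV enrollment loop shown earlier. It checks the file for the expected columns, skips rows with blank answers (an empty answer would give a user a trivially guessable question, which is exactly the risk the note in the Questions section warns about), confirms the account exists, continues past per-user failures instead of aborting the whole run, and never writes answer values to the log. The cmdlet name and its -Username, -Answers and -Language parameters are taken from the script on this page; the question IDs are placeholders to be replaced with the IDs from your policy, and the CSV columns match the example file above.

```powershell
# Added example, not part of the uReset product or its documentation.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# CSV header name -> question ID. PLACEHOLDER GUIDs: take the real IDs from the
# policy in the uReset Administration tool.
$questionMap = @{
    EmployeeNumber    = '{00000000-0000-0000-0000-000000000001}'
    HomeStreetAddress = '{00000000-0000-0000-0000-000000000002}'
}

function Invoke-uResetCsvEnrollment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Language = 'en'
    )
    [array]$rows = Import-Csv -Delimiter ',' -Path $Path
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    # Reject the whole file up front if a required column is missing, rather than
    # enrolling every user with $null answers.
    $columns  = $rows[0].PSObject.Properties.Name
    $required = @('sAMAccountName') + $questionMap.Keys
    $missing  = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    $result = [ordered]@{ Enrolled = @(); Skipped = @(); Failed = @() }
    foreach ($row in $rows) {
        $name = ([string]$row.sAMAccountName).Trim()
        if (-not $name) { $result.Skipped += '<blank sAMAccountName>'; continue }

        # Build the answer list only from non-empty cells.
        $answers = @()
        foreach ($header in $questionMap.Keys) {
            $value = ([string]$row.$header).Trim()
            if ($value) {
                $answers += @{ id = $questionMap[$header]; answer = $value }
            }
        }
        if ($answers.Count -lt $questionMap.Count) {
            Write-Warning "$name : one or more answers are blank, skipping"
            $result.Skipped += $name
            continue
        }

        try {
            # Fail early with a clear message if the account does not exist.
            $null = Get-ADUser -Identity $name
            Add-uResetQAEnrollment -Username $name -Answers $answers -Language $Language
            # Log the count only; answer values are authentication secrets.
            Write-Verbose "Enrolled $name with $($answers.Count) answers"
            $result.Enrolled += $name
        }
        catch {
            Write-Warning "$name : $($_.Exception.Message)"
            $result.Failed += $name
        }
    }
    return [pscustomobject]$result
}

# Usage:
# Invoke-uResetCsvEnrollment -Path 'C:\Temp\Users.csv' -Language 'en' -Verbose
```

The returned object lists which accounts were enrolled, skipped or failed, so a bulk run can be reconciled against the HR export afterwards instead of being trusted to have completed.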