Password Reset Application

Jim Coyne
Kilo Patron

Anyone try using the new Password Reset application in Dublin / Eureka? I was wondering how easy it is to integrate with AD. How long did it take to get up and running? Pros? Cons? Any hidden issues?

 

I'm also wondering if the "Password Reset - Orchestration Add-on" requires the Orchestration plugin as well. I would assume so, the wiki does not explicitly say so, but I don't like to assume anything with SN licensing anymore.

 

Thanks

Jim

1 ACCEPTED SOLUTION

TrevorK
Kilo Sage

One of the challenges we found with the AD Password Reset is that, using the built-in ServiceNow workflow items, the account needed to be a Domain Administrator (which our AD Team would not allow). We ended up having to develop our own PowerShell command to do the password reset on the MID Server, rather than using the SN way of calling out to the DC. Not hard, but frustrating. It appears that those who do Discovery had the same sort of issues when I did a search at the time.



You can do the AD Password Reset without Orchestration as far as I recall when you write your own commands to work with the PowerShell probe on the MID Server. We had to do this and I seem to recall thinking that it is a loophole or something, because you can write everything through the MID Server without much trouble.



One other thing we also found is that the ServiceNow SMS feature did not text to phone number, it texted to 11122233333@att.com, and thus required the carrier information to be present. We ended up just coding a call to Twilio, which was easy enough, and it handles the text to phone number (as our phone numbers sync from an external system).



We really found it was shoe-horning ServiceNow into a world where we could perform the tasks we need much better without ServiceNow (we need to share data with ERPs), and just use a web service to feed the data into ServiceNow about what is being done (failed attempts, successful attempts, etc). I also seem to recall that SN had a Password Reset app (above and beyond Orchestration) but you paid a monthly fee for each user in your system, and with 180,000+ users, that was not going to work too well for us.



I am using words like "I recall" and a lot of past tense because we are going a different route for password reset. But I have it all developed (without the use of Orchestration workflow items even though we have Orchestration) and such in our instance to demo the functionality of it.



Oh - I should also state I have only used this in Dublin/Calgary, not Eureka. We do not have that loaded yet.



Hopefully that helps. As you can tell, sometimes I ramble on too much.



36 REPLIES

Here are some resources from SN:


Video: http://www.youtube.com/watch?v=IakvJpNGpZ4


Wiki: http://wiki.servicenow.com/index.php?title=Password_Reset#gsc.tab=0


AD Orchestration Info: http://wiki.servicenow.com/index.php?title=Orchestration_Active_Directory_Activities#gsc.tab=0



The key to remember is that to do AD Password Reset you need the orchestration add-on (which costs money), or you need to be willing to do all the heavy lifting through your own custom code on the MID server.



Therefore I would first explore whether you have this as part of your licensing because if you do not, and you are not willing to purchase it, your only option is to develop your own integration through the MID server which will require much custom work on your part. Doable of course, not a problem, but there is no "click here, place a checkmark here" tutorial that I know of (but check Share and the Store).


Thanks TrevorK!



I believe we can go with the orchestration plugin, so anything which talks about how to do that using the plugin would be more helpful. I tried searching videos on YouTube but no luck. Maybe I will get some document from ServiceNow when I purchase the plugin. In case you have any, please share with me.




Thanks!


Sorry, I know of no documentation that specifically relates to the AD Orchestration plugin, only to the Password Reset tool itself.


VivekSattanatha
Mega Sage

Hi All,



We are trying to implement this ServiceNow Password reset solution for one of our clients. But they have a complex password policy: you cannot reuse your last 24 passwords, there is a list of dictionary words you cannot use, you cannot use the sAMAccount name in the password (if my account name is Sam, I cannot set $am or 5am), and many more rules.



Right now they have a third-party tool which is doing this job, and they want to implement this solution from ServiceNow. I know it's complex, but my question is whether it is possible for ServiceNow to do all these tasks, like checking the passwords before sending them to AD.



I would appreciate your opinions.



Regards,


Vivek


The simple answer to this is YES. Note that all that ServiceNow is doing is passing the new password to AD. When the new password reaches AD, AD will still do its checking to ensure policies are enforced. If any of the policies set in AD is violated, the password will be rejected and the user will get an error message.



It is also worth noting the option called "Enforce history policy" within the AD credential settings. Checking the option implies all your AD settings are enforced. See details here: https://docs.servicenow.com/bundle/helsinki-it-service-management/page/administer/login/task/t_CreateACredentialStore.html
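
An added example, not part of any poster's reply and not ServiceNow code: a plain JavaScript sketch of the pre-check asked about above, catching the account name behind substitutions such as $am or 5am before the password is passed to AD. The names `LEET_MAP`, `DENY_WORDS`, `normalize` and `checkPassword` are hypothetical, and the deny list is constructed sample data.

```javascript
// Character substitutions to undo before comparing (hypothetical mapping;
// extend it to match the client's written policy).
const LEET_MAP = { '$': 's', '5': 's', '@': 'a', '4': 'a', '0': 'o',
                   '1': 'l', '!': 'i', '3': 'e', '7': 't' };

// Constructed sample deny list; the real list comes from the client's policy.
const DENY_WORDS = ['password', 'welcome', 'winter'];

// Lower-case the input and map each substituted character back to its letter.
function normalize(text) {
  return Array.from(text.toLowerCase())
    .map(function (ch) { return LEET_MAP[ch] || ch; })
    .join('');
}

// Returns the list of violated rules; an empty list means the pre-check passed.
function checkPassword(password, samAccountName) {
  const problems = [];
  const plain = normalize(password);
  const account = normalize(samAccountName);

  // Very short account names are skipped so they do not flag most passwords.
  if (account.length >= 3 && plain.includes(account)) {
    problems.push('contains account name');
  }
  DENY_WORDS.forEach(function (word) {
    if (plain.includes(normalize(word))) {
      problems.push('contains dictionary word: ' + word);
    }
  });
  // The "last 24 passwords" rule is not checked here: the previous password
  // hashes live in AD, so history stays with the domain controller.
  return problems;
}
```

A pre-check like this only gives the user an earlier, clearer error; AD still evaluates the password against its own policy when the reset arrives.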







