Automatic AD Password Updates

#1

Hi all,

Again this may have already been requested so please merge if needed.

Would it be possible to integrate AD password resets within Orchestrator to automatically manage password updates in production? This is a way it could be done…

We shouldn’t access the AD password programmatically for obvious reasons, i.e. never Get Credentials, but passwords need to be changed from time to time and many clients won’t allow a non-changing password (i.e. it has to be reset after X days).

By running the update functionality as an administrator we can update the AD password first by creating a randomly generated password and running the update command. So…we can take that password (without ever seeing what it is) and then update Orchestrator robot credentials to ensure that the two are always matching.

@ClaytonM @sfranzen I saw a similar topic that you were discussing so keen to get your thoughts. At the moment password resets are a very manual task. Also @Florent_Salendres has some useful insight here.

RD
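The rotation flow described in the post above, as an added PowerShell example (not code from the original poster or from UiPath): generate a random password with a CSPRNG, reset the robot's AD account to it as an administrator, and push the same value into the Orchestrator robot record, so the plaintext only ever exists in the script's memory and is never displayed or logged. The Orchestrator URL, tenant name, robot id and the `/api/Account/Authenticate` and `/odata/Robots({id})` endpoints are assumptions for an on-premises Orchestrator with classic (basic) authentication; newer releases use OAuth tokens and folder headers, so check the API reference for your version.

```powershell
# Added example, not part of the original thread. Assumes: RSAT ActiveDirectory module,
# an account with "Reset password" rights on the robot's AD user, and an Orchestrator
# admin login. Orchestrator URL, tenant and endpoints below are assumptions.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # AD account the robot logs on with
    [Parameter(Mandatory)] [int]    $RobotId,          # Orchestrator robot key (Id)
    [Parameter(Mandatory)] [pscredential] $OrchestratorAdmin,   # Orchestrator admin login
    [string] $OrchestratorUrl = 'https://orchestrator.example.local',  # assumed
    [string] $Tenant          = 'Default'                               # assumed
)

Import-Module ActiveDirectory

# 1. Random password from a CSPRNG. The alphabet has exactly 64 symbols, so
#    "byte mod 64" is unbiased (256 is a multiple of 64). Result is a SecureString
#    and is never converted to a string except for the single API call below.
function New-RandomPassword {
    param([int] $Length = 24)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!-')
    $bytes    = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b % 64]) }
    $secure.MakeReadOnly()
    return $secure
}

$newPassword = New-RandomPassword

# 2. Reset the AD password (admin reset, not a user-initiated change, so the old
#    password is not needed). If the domain's complexity policy rejects the value,
#    Set-ADAccountPassword throws; re-run to draw a new one.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

# 3. Push the same password to the Orchestrator robot record.
#    Authenticate (classic on-prem endpoint, assumed) and fetch a bearer token.
$authBody = @{
    tenancyName            = $Tenant
    usernameOrEmailAddress = $OrchestratorAdmin.UserName
    password               = $OrchestratorAdmin.GetNetworkCredential().Password
} | ConvertTo-Json
$token   = (Invoke-RestMethod -Method Post -Uri "$OrchestratorUrl/api/Account/Authenticate" `
            -ContentType 'application/json' -Body $authBody).result
$headers = @{ Authorization = "Bearer $token" }

# Read the existing robot, replace only the Password field, write it back.
$robot = Invoke-RestMethod -Method Get -Uri "$OrchestratorUrl/odata/Robots($RobotId)" -Headers $headers

# Decrypt the SecureString just long enough to build the request, then zero it.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $robot.Password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $body = $robot | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Put -Uri "$OrchestratorUrl/odata/Robots($RobotId)" `
        -Headers $headers -ContentType 'application/json' -Body $body | Out-Null
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $robot.Password = $null
    $body = $null
}

Write-Host "Rotated AD password for $SamAccountName and updated Orchestrator robot $RobotId."
```

Two operational caveats: run the AD reset and the Orchestrator update back to back and stop on the first failure, otherwise the two sides drift apart and the robot is locked out until someone intervenes; and do not enable PowerShell script-block logging or `-Verbose` on the Orchestrator PUT, since the request body contains the plaintext for that one call.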


#2

Yessss, this is always a major challenge managing password updates. Seems to me like this could be possible since the user ids in Orchestrator have network access to the server which means it should be able to control the Change Password feature within Windows, per Robot (it would need to connect to the server though)… I would think.

I’m sure IT Security will cringe, though!

I wish there was also a good way to determine if a password is expiring before it does or without needing some reminder that relies on a password manager being on the ball all the time. Because, when the passwords expire everything just stops working.

I would also add to this that there should be an Orchestrator feature that shows that the user id has access to the server, whether its password works or has remote authorization. I do have a test workflow but would need to schedule it and have email notification set up.


#3

Well I think as long as it requires a Super Duper High Level Admin (e.g. IT admin only) then IT functions will be happy with this approach. It’s from conversations with IT departments that this idea has come about.

In terms of expiry date we could include this within the feature - e.g. a setting to say what the password expiry duration is, “90 days”, then use that to control when passwords are due to expire. Are we sure we can’t get the expiry date programmatically? That would be less of a security issue surely?
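Reading the expiry date programmatically, as raised in the post above and in #2, is possible without touching the password: AD exposes the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which the domain controller fills in from the effective domain or fine-grained password policy, so a script does not need a hard-coded "90 days". The following is an added PowerShell example (not from the original thread or from UiPath) that reports the days left for each robot account and flags the ones inside a warning window; the account names and the mail server are constructed placeholders.

```powershell
# Added example, not part of the original thread. Assumes the RSAT ActiveDirectory
# module and read access to the robot accounts. Account names and the SMTP host
# are constructed placeholders.
Import-Module ActiveDirectory

function Get-RobotPasswordExpiry {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties `
            Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, PasswordLastSet, `
            'msDS-UserPasswordExpiryTimeComputed'

        # The attribute is a FILETIME (100 ns ticks since 1601-01-01 UTC).
        # Int64.MaxValue means "never expires"; 0 means the password was never set.
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        if (-not $user.PasswordNeverExpires -and $raw -and $raw -lt [long]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
        }
        $daysLeft = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }

        [pscustomobject]@{
            Account         = $user.SamAccountName
            Enabled         = $user.Enabled
            LockedOut       = $user.LockedOut
            PasswordExpired = $user.PasswordExpired
            PasswordLastSet = $user.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = $daysLeft          # $null when the password never expires
        }
    }
}

# Constructed robot accounts; replace with the real ones or read them from a CSV/asset.
$robotAccounts = @('svc-robot01', 'svc-robot02', 'svc-robot03')
$warnDays      = 14

$report = Get-RobotPasswordExpiry -SamAccountName $robotAccounts
$report | Format-Table -AutoSize

# Anything already broken or about to break: expired, locked out, disabled, or
# expiring inside the warning window.
$atRisk = $report | Where-Object {
    $_.PasswordExpired -or $_.LockedOut -or -not $_.Enabled -or
    ($null -ne $_.DaysLeft -and $_.DaysLeft -le $warnDays)
}

if ($atRisk) {
    $body = ($atRisk | Format-List | Out-String)
    # Send-MailMessage is deprecated but still present in Windows PowerShell 5.1;
    # the SMTP host and addresses are placeholders.
    Send-MailMessage -SmtpServer 'smtp.example.local' -From 'rpa-monitor@example.local' `
        -To 'rpa-team@example.local' -Subject "Robot accounts needing attention" -Body $body
}
```

Scheduled daily under a low-privilege read-only account, this answers the "is it about to expire?" question from #2 without any password ever being read; the rotation itself can then be triggered (by an admin, or by the rotation job) only for the accounts that actually need it.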