This password reset utility is intended to be used in case when there is a single AD domain and multiple Google Domains. The primary Google Domain can use Google Password Sync for password synchronization. The secondary would need to use a tool like this.
Set password website uses AD credentials to reset password in Active Directory Only. In order to be able to reset the password, a user must have permissions to reset passwords. This section will create and set the random password.
The users whose passwords needs to be sync need to be under the same organizational unit. This information needs to be placed in index.php file under LDAP_BASE_OU. The example of the line is
define('LDAP_BASE_OU', "OU=AdultEd,OU=Accounts,DC=PUHSD,DC=ORG");
All the users that need to have permissions to reset password need to be a part of the same group in AD. That group needs to have permissions to reset password on LDAP_BASE_OU.
Instruction on how to give password reset permissions
- Open Active Directory Users and Computers
- Navigate to the LDAP_BASE_OU
- Right click and click on Delegate Control...
- on Welcome to the Delegation of Control Wizard click Next >
- Click on Add... and select the group
- Click Next >
- On the Tasks to Delegate screen, check Reset user passwords and force password change at next logon and click Next >.
- Finish
This section allows users to resets their password in AD and Google. In order to work, the SELF permissions might need to be set on LDAP_BASE_OU to reset password.
Instruction on how to give password reset permissions in AD
- Open Active Directory Users and Computers
- Navigate to the LDAP_BASE_OU
- Right click and click on Delegate Control...
- on Welcome to the Delegation of Control Wizard click Next >
- Click on Add... and type SELF then click Check Name and OK
- Click Next >
- On the Tasks to Delegate screen, select Create a custom task to delegate and click Next >.
- Select Only the following objects in the folder and check account objects
- On Permissions screen, check Property-specific and select the following permissions
- Change Password
- Reset Password
- Read userAccountControl
- Write userAccountControl
- Click Next > and Finish
For this section to work GoogleAPI needs to be configured. Please refer to Google instructions on how to Turn on the Directory API
https://developers.google.com/admin-sdk/directory/v1/quickstart/php
For Google API to work php composer needs to be installed.
https://getcomposer.org/download/
Before using the website quickstart.php needs to be run fist. On the server, navigate to google folder edit the file and towards the end of the file populate the test user and password. Make sure that test user exists in your environment.
$testUser = "test@example.com";
$testUserPassword = "Password123";
After modifying the file, run the
php quickstart.php
This file is checking for existence of .credentials/admin-directory_v1-php-quickstart.json. If the file does not exist it will provide a URL. Copy the link into the browser and follow the instructions. Make sure you login with Domain Admin User.
As a root folder in Nginx config file, please set passwordreset folder as a root. For example,
root /var/www/sturesetadulted/passwordreset
In this way, google and .credentials folder will not be accessible directly through the webpage.
if you see the message file does not exist it means that .credentials/admin-directory_v1-php-quickstart.json does not exists.