Password reset sco

In this blog post I will show you how you can setup password reset with the self-service portal, Service Manager and Orchestrator. The scenario is that a manager should be enable to reset password for colleagues reporting to he or she. The manager could also be something like instructor or teacher for a class. The request offering for password reset should only be shown to members of the “Manager” user role, and the manager should only be enable to reset password for members of their team. To make this work you need to configure the manager attribute on your users in Active Directory, as shown in the image below. We will use a dynamic query based list to show only people reporting direct to the manager. In this example I use Orchestrator to generate a 10 characters complex password, but you could also add “New Password” as a parameter to the service request. Then you input the new password in the service portal. You could also configure the runbook to check the “User must change password at next logon” checkbox on the user account. That check box sometimes result in issues for some applications so I have not included it in this demo.



  • Start
  • Get Runbook Activity. Gets the runbook activity, we submit the ID as a input parameter to the runbook from Service Manager
  • Get Related Service Request. We pickup the service request from the runbook activity, by the relationship
  • Get Related User. When we configured the query list in Service Manager we configured that the user should be set as a related item to the runbook activity. This activity gets the related user
  • Get Service Request. Read the Service Request item
  • Get User. Read the User object
  • Generate New Password. Generates a 10 characters complex password
  • Reset User Password. Set the password to the generated complex password
  • Update Service Request. Update the description field on the service request with the new password and account information

The runbook is quite simple, we start with the runbook activity as we get it from Service Manager as ObjectID. We then pickup related service request and user. We generate a new password and set it on the user. We then update the service request with new description, including the new password.


Service Manager Side

  1. Start the Service Manager console
  2. Synchronize the runbook over to Service Manager by using the Orchestrator connector
  3. Navigate to Library/Runbooks, select the runbook (2.2.1 Password Reset) and click Create Runbook Automation Activity Template in the Tasks pane
  4. Create Template,
    1. Input a name, for example Contoso – Runbook Activity – 2.2.1 Password Reset.
    2. Create a new management pack, for example Contoso Password Reset.
    3. Click OK
  5. Runbook Activity Template,
    1. Check Is Ready For Automation
    2. Input title, for example Contoso – Runbook Activity Template – 2.2.1 Password Reset
    3. Click the Runbook tab
    4. Map ObjectID to Object/ID
    5. Click OK

  6. Navigate to Library/Templates. Click Create Template from the Tasks pane
  7. Create Template,
    1. input name, for example Contoso – Service Request Template – Password Reset
    2. Select Service Request as Class
    3. Select the Contoso Password Reset management pack
    4. Click OK
  8. Service Request Template,
    1. Input title, for example Contoso – Service Request – Reset Password
    2. Click the Activities tab
    3. Add “Contoso – Runbook Activity – 2.2.1 Password Reset” as activity
    4. Runbook Activity Template, click OK

    5. Click OK
  9. Navigate to Library/Service Catalog/Request Offerings
  10. Click Create Request Offering in the Tasks pane
  11. Create Request Offering – General, input title, for example Password Reset
  12. Create Request Offering – General, select Contoso – Service Request Template – Password Reset as template
  13. Create Request Offering – User Prompts, add one prompt named User and configure it as query result

  14. Create Request Offering – Configure Prompts, select the User prompt and select Configure
  15. Configure Query Results,
    1. Select Class, change to Combination classes and select User (advanced)
    2. Configure Criteria, select Manages User and select Pager, click Add Constraint. Configure as image below. Use “Set Token”. Why do we use Pager? The Token: Portal User Name is in format CONTOSO\leni (DOMAIN\username). We don’t store that on a user CI in Service Manager, we store username and domain, but not in that format. Instead I have updated each manager with that information in the Pager attribute, as we don’t use it for anything else in this environment. You can easy update the Pager attribute with a runbook, the export file includes a example of that.
    3. Display Columns. select User (advanced), the Object/DisplayName and Domain User or Group/User Name

    4. Options, select “Add User-selected objects to template objects as related item: select the Runbook Automation Activity

    5. Click OK
  16. Create Request Offering – Map Prompts,

  17. Create Request Offering – Publish, change offering status to Published
  18. Create the request offering
  19. Navigate to Library/Service Catalog/Service Offering
  20. Click Create Service Offering from the Tasks pane
  21. Create Service Offering
    1. General, fill in title for example Manager
    2. Request Offerings, add the Password Reset request offering
    3. Publish, change offering status to Published
    4. Finish the wizard and create the service offering
  22. Navigate to Library/Groups. Click New Catalog Group
  23. Create Catalog items group,
    1. General, group name, for example Contoso Managers
    2. Included Members, click Add, add the Password Reset request offering and the Manager Service offering
    3. Finish the wizard and create the group
  24. Navigate to Administration/Security/User Roles
  25. Click Create User Role > End User
  26. Create User Role,
    1. General, Name, for example Contoso Managers
    2. Management Packs, select the Contoso Password Reset management pack
    3. Catalog item Groups, select Contoso Managers
    4. Users, add managers
    5. Finish the wizard and create the user role

Now, navigate to the Service Manager portal with a manager and try the new server, password reset. As you can see in the images below members of the Managers user role can see Manager service offering, and in it there is the Reset Password request offering. When the manager go to the request form a dynamic list of all user that report to the manager is shown. The manager can select one account and click Next, Submit. The runbook execute and reset the password and update the service request. The manager can then look under “My Requests” in the portal and see the new password.


You can download my example runbook here, 20120617_PasswordReset_WOLF

Please note that this is provided “as is” with no warranties at all.

Leave a Comment

Your email address will not be published. Required fields are marked *