Targeting the same user account with a user provisioning policy and a randomize password policy

Problem

When an account provisioning policy and a password randomization policy target the same account, the last policy to apply wins. If the provisioning policy applies last, the account has the common password; if the randomization policy applies last, the password is unique. This creates an undesired state in the environment.

Solution

Arellia recommends using a custom filter to control when each policy is applied to a computer, so that the two policies are mutually exclusive and never target the same resources.

  1. Download the attached filter
  2. Navigate to Resource Filters and import the attached filter
  3. Change all references of "LocalAdmin" to the name of the account that is being targeted by the provisioning and randomization policies
  4. Save the filter
  5. Navigate to the Randomize Password Policy
  6. Delete the current Applied To target filter
  7. Add a new Target Filter
  8. Name the Target Filter "Computers with the LocalAdmin Account"
  9. Select Add Rule
  10. Choose the "Computers with the LocalAdmin provisioned account" filter
  11. Click Ok
  12. Save the Policy
  13. Navigate to the User Provisioning Policy
  14. Delete the current Applied To target filter
  15. Add a new Target Filter
  16. Name the Target Filter "Computers without the LocalAdmin Account"
  17. Select Add Rule
  18. Choose the "Computers with the LocalAdmin provisioned account" filter
  19. Change "exclude computers not in" to "exclude computers in"
  20. Select Ok
  21. Save the Policy
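
The targeting that the steps above set up, modelled as set operations in Python. This is an added example, not Arellia's code or the attached filter; the computer names and inventory are constructed, and treating a policy with no filter as applying to every computer is an assumption. It also covers the case where step 19 is skipped.

```python
# Added illustration: the article's target rules modelled as set operations.
# Computer names and inventory are constructed sample data.
ACCOUNT = "LocalAdmin"  # rename to the targeted account, as in step 3

INVENTORY = {  # computer -> local accounts reported for it (constructed)
    "WS-001": {"Administrator", "LocalAdmin"},
    "WS-002": {"Administrator"},
    "WS-003": {"Administrator", "LocalAdmin"},
    "SRV-01": {"Administrator"},
}

def filter_members(inventory, account):
    """Computers in the 'Computers with the <account> provisioned account' filter."""
    return {pc for pc, accounts in inventory.items() if account in accounts}

def resolve_target(everyone, members, rule):
    """Resolve one policy's target; rule=None means no filter (assumed: all computers)."""
    if rule is None:
        return set(everyone)
    if rule == "exclude computers not in":  # keep only filter members
        return everyone & members
    if rule == "exclude computers in":      # keep only non-members (step 19)
        return everyone - members
    raise ValueError(f"unknown rule: {rule!r}")

def audit(inventory, account, randomize_rule, provision_rule):
    """Return (overlap, untargeted): computers hit by both policies, and by neither."""
    everyone = set(inventory)
    members = filter_members(inventory, account)
    randomize = resolve_target(everyone, members, randomize_rule)
    provision = resolve_target(everyone, members, provision_rule)
    return randomize & provision, everyone - (randomize | provision)

if __name__ == "__main__":
    cases = {
        "before (no filters)": (None, None),
        "after steps 1-21": ("exclude computers not in", "exclude computers in"),
        "step 19 skipped": ("exclude computers not in", "exclude computers not in"),
    }
    for label, (rand_rule, prov_rule) in cases.items():
        overlap, untargeted = audit(INVENTORY, ACCOUNT, rand_rule, prov_rule)
        print(f"{label}: both={sorted(overlap)} neither={sorted(untargeted)}")
```

A non-empty first set means both policies still compete for the same computers; a non-empty second set means some computers are targeted by neither policy.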