Targeting the same user account with a provisioned user policy and randomize password policy
Problem
When an account provisioning policy and a password randomization policy target the same account, the last policy to apply wins. If the provisioning policy applies last, the account has the common password; if the randomization policy applies last, the password is unique. This creates an undesired state in the environment.
Solution
Arellia recommends using a custom filter to control when each policy is applied to a computer, so that the policies are mutually exclusive and never target the same resources.
- Download the attached Filter
- Navigate to Resource Filters and Import the attached filter
- Change all references of "LocalAdmin" to the name of the account that is being targeted by the provisioning and randomization policies
- Save the filter
- Navigate to the Randomize Password Policy
- Delete the current Applied To target filter
- Add a new Target Filter
- Name the Target Filter "Computers with the LocalAdmin Account"
- Select Add Rule
- Choose the "Computers with the LocalAdmin provisioned account" filter
- Click OK
- Save the Policy
- Navigate to the User Provisioning Policy
- Delete the current Applied To target filter
- Add a new Target Filter
- Name the Target Filter "Computers without the LocalAdmin Account"
- Select Add Rule
- Choose the "Computers with the LocalAdmin provisioned account" filter
- Change "exclude computers not in" to "exclude computers in"
- Select OK
- Save the Policy