Cmdlet to Perform Bulk Creation of Questions and Answers Profiles (128944)

Using the provided PowerShell cmdlet, an administrator can automatically create Questions and Answers (Q&A) profiles for Password Manager users.

The zip archive contains a number of DLLs. The QPM.Service.Modules.PowerShell.dll provides the cmdlet that performs bulk creation of Q&A profiles.

To create Q&A profiles using the cmdlet, prepare a data input file for the cmdlet. The cmdlet can process two file formats: a plain text file and a CSV file.

System Requirements

Run the cmdlet on the server where Password Manager Service (QPM Service) runs.

Note, after you download the archive with the DLLs and extract the archive contents, unblock the QPM.Service.Modules.PowerShell.dll file. To do this, right-click the QPM.Service.Modules.PowerShell.dll file, on the General tab in the Security area click the Unblock button and then click Apply.

Windows PowerShell 3.0 or later must be installed to run the cmdlet.

Preparing Text File

The text file must be a UTF-8 file (without BOM). The file consists of key-value pairs. A key must be separated from its value by a number of spaces or tab characters. You can use the following keys:

• sAMAccountName – user’s sAMAccountName.
• Domain – a fully qualified domain name to which a user belongs.
• UserName – optional. User name for the account that will be used to access the domain. If not specified, the access account specified in the user scope of the corresponding Management Policy will be used to access the domain.
• Password – optional. Password for the account that will be used to access the domain. If not specified, the access account specified in the user scope of the corresponding Management Policy will be used to access the domain.
• LID – language of secret questions. Language name accepted in the format -and . Example: en-US and en.
• Category – type of secret questions. Possible values: mandatory, optional, userdefined, helpdesk. The possible values are not case-sensitive.
• Question – secret question text.
• Answer – answer to the corresponding question.

The sAMAccountName key identifies a section about a new user. You should write the keys in the following order:

1. sAMAccountName
2. Domain
3. UserName
4. Password
5. LID
6. Category
7. Question
8. Answer

If several identical sAMAccountName keys exist, the cmdlet will merge information specified for this user. If different answers are specified for the same question, the latest specified answer will be used.

Example of a text file:

sAMAccountName   test_user

Domain        mydomain

UserName     admin

Password      123456

LID     en-US

Category      Mandatory

Question      What is your mother’s maiden name?

Answer         Smith

Category      Mandatory

Question      What was the make and model of your first car?

Answer         Volkswagen Golf

Category      Optional

Question      In what city were you born?

Answer         Springfield

Category      Userdefined

Question      What is your favorite color?

Answer         Green

sAMAccountName   test_user_2

Domain        mydomain

…

Preparing CSV File

The CSV file must be a UTF-8 file (without BOM), with list separator as a delimiter. The first row must contain column headers. You can use the following columns:

• sAMAccountName – user’s sAMAccountName.
• Domain – a fully qualified domain name to which a user belongs.
• LID – language of secret questions. Language name accepted in the format -and . Example: en-US and en.
• Category – type of secret questions. Possible values: mandatory, optional, userdefined, helpdesk. The possible values are not case-sensitive.
• Question – secret question text.
• Answer – answer to the corresponding question.

The sAMAccountName value identifies a section about a new user. You should write the columns in the following order:

1. sAMAccountName
2. Domain
3. LID
4. Category
5. Question
6. Answer

If several identical sAMAccountName values exist, the cmdlet will merge information specified for this user. If different answers are specified for the same question, the latest specified answer will be used.

Example of a CSV file (semicolon as a list separator):

sAMAccountName;Domain;LID;Category;Question;Answer

test_user;mydomain;en-US;Mandatory;What is your mother’s maiden name?;Smith

test_user;mydomain;en-US;Mandatory;What was the make and model of your first car?;Volkswagen Golf

test_user;mydomain;en-US;Optional;What city were you born in?;Springfield

test_user;mydomain;en-US;Userdefined;What is your favorite color?;Green

test_user;mydomain;en-US;Helpdesk;What is your pet's name?;Tom

test_user_2;mydomain;en-US;Mandatory;What is your mother’s maiden name?;Black

test_user_2;mydomain;en-US;Mandatory;What was the make and model of your first car?;Seat Leon

test_user_2;mydomain;en-US;Optional;What city were you born in?;London

test_user_2;mydomain;en-US;Userdefined;What is your favorite color?;Blue

test_user_2;mydomain;en-US;Helpdesk;What is your pet's name?;Dingo

Running the Cmdlet

If you use a text file as a data input file, it is recommended to create Management Policies and configure user scopes before running the cmdlet.

If you use a CSV file as a data input file, it is required to create Management Policies and configure user scopes before running the cmdlet.

To run the cmdlet

1. Extract all files from the provided archive to the same folder.
2. Start Windows PowerShell by typing PowerShell at the command prompt.
3. Register the PowerShell module by using the following command:

Import-Module –Name "%PATH_TO_QPM.Service.Modules.PowerShell.dll%"

4. Prepare the data input file (text or CSV) as described above.
5. Run the cmdlet by entering the Set-Profiles command
6. Enter the path to the data input file when prompted.
7. To run the cmdlet in a verbose mode (information about processing each user will be displayed), use the Verbose parameter, i.e. enter the following command: Set-Profiles –Verbose.   
8. To hash user answers when creating Q&A profiles, enter “y” when prompted. If you do not want to use hash user answers, press ENTER.
9. Close the PowerShell window when the cmdlet finishes processing the data input file.

You can use the parameters ProfilesFilePath, Verbose, HashAnswers, and CsvSeparator when running the cmdlet.

ProfilesFilePath parameter specifies the path to the file with Q&A profile data.

Verbose parameter specifies whether the cmdlet will be run in the verbose mode.

HashAnswers parameter specifies whether user answers will be hashed.

CsvSeparator parameter specifies the list separator to be used. If this parameter is not specified, the default list separator will be used. It is recommended to use this parameter when running the cmdlet.

For example:

PS > Set-Profiles -ProfilesFilePath ".\Desktop\input.csv" -HashAnswers $false -CsvSeparator ';' –Verbose

Best Practices

Below are several best practices for running this cmdlet:

1. Use the Password Manager service account when running when running the Power Shell commands.
2. If you are using the CSV file method ensure the file extension is .csv
3. Use the provided examples when creating a data input file. A sample file can be downloaded from here.
   
4. Ensure the domain name in the data input text file is a fully qualified domain name. For example: corp.yourdomain.com.
5. It is advisable to cut and paste questions from the Password Manager Administration site where they were configured. It would alleviate any issues with the questions being entered in the input file incorrectly.