topic New hire passwords in Midwest User Group

New hire passwords

walker_pa — Tue, 16 Aug 2022 14:11:51 GMT

Hey everyone,

Reaching out to see how folks are handling distribution of first-time passwords. Our current process is not the best. The manager receives the email and has to distribute it to the new hire either via phone or email. I was wondering if someone had a more elegant solution.

Thanks,

Pamela

Re: New hire passwords

mkscarberry — Tue, 16 Aug 2022 14:25:40 GMT

We built a custom "Account Claiming" application that sits on top of our OUD instance. A new hire must claim their own account by entering 4 pieces of data about themselves (first, last, DOB, last 4 of NID/SSN) that came from our HR system. (The DOB/NID in OUD is secured to only the directory administers since it is PII). The user then is presented with their UPN and UID, and proceeds to set up their own password and security challenge questions and MFA choices. From there we sync the password from OUD to AD and Azure AD and the user is sent to Azure to complete their SSPR/MFA set up. We have had great success with it since it's original launch in 2005.

Re: New hire passwords

walker_pa — Tue, 16 Aug 2022 14:46:47 GMT

This is awesome, thanks so much for the fast reply! Is OUD your directory? I'm not familiar with that acronym. I'm guessing the HR system syncs with your OUD (either directly or via IDN/IIQ) and that the OUD is the authoritative source for your IDN/IIQ instance?

Re: New hire passwords

mkscarberry — Tue, 16 Aug 2022 14:51:52 GMT

Oracle Universal Directory (which was our primary LDAP until we shifted to AD for the enterprise). We do not put any private data into AD since too many employees have access to read it.

Our HR system is authoritative for all human records in iDN. IDN then creates the AD and OUD record as birthright.

Re: New hire passwords

sathieshg — Tue, 16 Aug 2022 15:01:47 GMT

We use similar approach, <character><NID><special char> and we set the password a day before start date. If the user doesn't change the password in 3 days, we reset it. After which, they have to reach to the help desk to reset their password (the user will be forced to reset their password at next login).

Re: New hire passwords

walker_pa — Tue, 16 Aug 2022 16:18:30 GMT

Thank you for the reply! It sounds like you have an algorithm for creating the password for the identity. I just want to make sure I'm understanding. I think we are looking for more of a "claiming" approach.

Re: New hire passwords

swcoleman — Mon, 30 Mar 2026 18:38:31 GMT

Is anyone doing account claiming with just ISC? the last post to this thread was almost 3 years ago.

Re: New hire passwords

TomNimmo — Mon, 30 Mar 2026 19:23:08 GMT

You could probably find a way to do this with workflows and forms, but I don't think it would be very secure and it would heavily rely on your identity data being complete and accurate.

Check out this article on provisioning new account passwords. Specifically, options 2 and 3.

Re: New hire passwords

swcoleman — Mon, 30 Mar 2026 19:44:03 GMT

Tom, we are currently doing option 2. The challenge is that nothing is really secret anymore. Birthdays, addresses, mother's maiden name, etc. you can find on social media and almost everyone's SSN is on the dark web.

We are getting personal mobile and personal email from HR. Assuming that those haven't been compromised and that they can't be changed in ISC then emailing a password reset link there is potentially more secure than a known formula.

Re: New hire passwords

TomNimmo — Mon, 30 Mar 2026 20:18:29 GMT

Sorry, I misunderstood your post.

I agree that the scope of applying option 2 is more limited now, for the reasons you outlined in your post.

Off the top of my head, you could consider creating a workflow with the "interactive trigger" to trigger a workflow with an interactive form that collects and tests the end-user's responses. The main caveat here is that it relies on your end-users being invited to their ISC accounts. If you're already leveraging something like request center, then this could be an easy expansion of what people do in ISC.