Hi all,
We are looking for some help with a policy script that we plan to use for generating passwords with configurable length and complexity. We basically took the built-in password generation policy script, converted it to PowerShell, set it to return a static password value, and applied it to a single OU. So far the custom password generation policy only works when we either disable the built-in password generation policy or enable script debugging.
I assume that our attempt to override the built-in policy is failing, which explains why the custom policy does work when we disable the built-in policy. I'd appreciate any feedback that would help override the built-in policy so our implementation is a little more straightforward.
I can't explain why this policy magically starts working when we enable script debugging. What changes in the scripting environment which would allow the new policy to work as expected?
Below is a copy of a watered down version of the script. We've removed our password generation code and anything that was specific to our environment. To test the script, we basically applied it as a provisioning policy to a single OU. We then test password resets (using the generate password button) to see what password value is displayed. We also test using the new account wizard (also leveraging the generate password button).
Any feedback would be helpful. We didn't have any luck finding examples of others doing the same thing, so I hope the eventual solution will benefit others. Thanks!
function onGetEffectivePolicy($Request)
{
    $errcount = $Error.Count
    # Include script library
    $context.UseLibraryScript("PowerShell Best Practices")
    # Only user-type objects get a generated password
    if (($Request.Class -ne "inetOrgPerson") -and ($Request.Class -ne "user"))
    {
        $Request.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE, "CustomPasswordPolicy-Wrong object type-exit")
        return
    }
    # Mark password as server-side generated.
    $Request.SetEffectivePolicyInfo("edsaPassword", $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
    # Determine whether server-side generation is requested (button pressed).
    $controlFullPolicyInfo = $Request.GetInControl($Constants.EDS_CONTROL_FULL_EFFECTIVE_POLICY_INFO)
    if ($Error.Count -ne $errcount)
    {
        # GetInControl raised an error: treat it as "no control present"
        $controlFullPolicyInfo = ""
    }
    if ($controlFullPolicyInfo -ne "edsaPassword") { return }
    # Return static password value (placeholder for the real generator)
    $Request.SetEffectivePolicyInfo("edsaPassword", $Constants.EDS_EPI_UI_GENERATED_VALUE, "123456789")
}
function onGetPolicyMarker()
{
    # Override built-in Generate User Password Policy
    return "Generate User Password"
}
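The same hook with a real generator in place of the static "123456789", added here as an example and not taken from the post or from the Active Roles product. The New-RandomPassword helper is my own (its name and parameters are assumptions): it draws from the .NET cryptographic RNG rather than Get-Random, guarantees one character from each class, and uses rejection sampling so a plain modulo does not bias the choice; the onGetEffectivePolicy and onGetPolicyMarker bodies reuse only the calls and constants the post already shows.

```powershell
# New-RandomPassword is a hypothetical helper for this example, not Active Roles API.
function New-RandomPassword {
    param([int]$Length = 16)
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # upper case, I and O left out
        [char[]]'abcdefghijkmnopqrstuvwxyz',  # lower case, l left out
        [char[]]'23456789',                   # digits, 0 and 1 left out
        [char[]]'!@#$%^&*()-_=+'              # symbols
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $all = [char[]]($classes | ForEach-Object { $_ })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Unbiased index in [0, $max): rejection sampling instead of a plain modulo.
    function Get-Index([int]$max) {
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$max)
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        return [int]($n % $max)
    }
    # One character from every class guarantees the complexity requirement;
    # the remaining positions are filled from the union of all classes.
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(Get-Index $set.Count)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-Index $all.Count)]) }
    # Fisher-Yates shuffle so the per-class characters do not always sit in front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-Index ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    return -join $chars
}

# Same hook as in the post; only the static "123456789" is replaced.
function onGetEffectivePolicy($Request)
{
    $Request.SetEffectivePolicyInfo("edsaPassword", $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
    # Generate only when the Generate button asked for it.
    if ($Request.GetInControl($Constants.EDS_CONTROL_FULL_EFFECTIVE_POLICY_INFO) -ne "edsaPassword") { return }
    $Request.SetEffectivePolicyInfo("edsaPassword", $Constants.EDS_EPI_UI_GENERATED_VALUE, (New-RandomPassword -Length 16))
}

function onGetPolicyMarker()
{
    return "Generate User Password"
}
```

Outside Active Roles, New-RandomPassword -Length 20 runs on its own in any PowerShell session, which makes the generator testable separately from the policy hook.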