Allowing AD users to change password (Self-service). Setup and end-user process?



Hey all,

 

Pretty much what the title says. I've tried searching online, but most of what I get is just people suggesting enterprise full-management systems that happen to include this one feature as well. I found one article explaining how to do it with Windows Server only, but it seemed like it was outdated, or for a very specific scenario, or overkill for what I need, or a combination of those.

 

How does it work to allow ActiveDirectory users to set/change their own password without having to tell it to an administrator who then changes the password manually?

 

Thanks for the help!

Unless I've misunderstood...

AD users can set their own passwords upon entering a password that you give to them, as long as you don't uncheck 'User must change password at next logon'.

 

For an AD user to change their password on the fly: press Ctrl-Alt-Delete and take the option to Change Password.

I'm very confused about the question as well. Active Directory does this by default, doesn't it?

 

I've worked in plenty of jobs, and it was only the most recent one where I was expected to ask the user for their password. I turned around and told them that it goes against IT security 101 to ask such a question.

 

The system should be: user hits Ctrl+Alt+Delete, selects "Change Password" and AD gets updated with the new password. I'm confused as to why Active Directory (something that should be used for educational/enterprise situations) wouldn't contain that as a basic feature.

  On 22/05/2018 at 19:43, xendrome said:

I think maybe he means if a user has locked themselves out or forgotten their password. If this is the case then I believe only a 3rd party utility will do this.


Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


Usually the temp password is set with 'must change on next login', so the user then has to change it to their own password.

 

But yes, unless OP is talking about locked/forgotten passwords, then any user can change their own AD password after logging in by pressing Ctrl+Alt+Del and selecting Change Password.
This only really gets muddied on a laptop: you'll want to be sure you're connected to the AD network when changing the password :)

  On 22/05/2018 at 19:51, Brandon H said:

Usually the temp password is set with 'must change on next login', so the user then has to change it to their own password.

 

But yes, unless OP is talking about locked/forgotten passwords, then any user can change their AD password after logging in by pressing Ctrl+Alt+Del and selecting Change Password.
This only really gets muddied on a laptop: you'll want to be sure you're connected to the AD network when changing the password :)


Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


No, the 3rd party apps usually integrate with security questions to reset the password; it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

  On 22/05/2018 at 19:57, xendrome said:

No, the 3rd party apps usually integrate with security questions to reset the password; it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html


Urgh, ManageEngine. I've had bad experiences with them, although that is due to the way they offer customization on all of their products and the company took it live too soon.

 

But fair play, I didn't know about that option. Cheers. (Y)

Hey guys, my bad. I realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl+Alt+Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN, which don't really require domain connections, and a lot of our staff use personal computers, laptops that go abroad, etc etc so requiring a solution that only works when on the domain isn't very effective.

Where we work, if you forget your password? Tough. 

 

We reset your password in AD, and you have to enter a new one. If you're not on site we give you a temporary one to log in with once, but you have to change it as soon as you enter it. 

 

We remember the last 10 hashes too, so no switching between a few that you use everywhere else.

  On 22/05/2018 at 19:57, Nick H. said:

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.


Oh my, no, it's not quite that bad here.

 

Here, if we lock our account, we call our IT and there's an automated system on the phone that can reset it and give you a temp password (you have to enter your employee ID and a couple of other details to confirm it's really you); or we can wait for a live agent, but the automated system is preferred because our IT department can get busy to the point that you're waiting 4 hours in the phone queue.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. I realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl+Alt+Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN.


There you get to the problem I mentioned with laptops above.

 

There's not really an easy way around it that I am aware of.

One option I could think of is to have the authentication for the network drives separate from the AD login, so it always prompts for user/password when they connect to it.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. I realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl+Alt+Del -> Change Password method requires that, right?


That's a bit crucial. :laugh:

 

So you want someone that is logging in via VPN on a computer that isn't in the domain to reset their password? It's doable, but now we're starting to get outside of my expertise.

  On 22/05/2018 at 20:08, Brandon H said:

Oh my, no, it's not quite that bad here.

 

Here, if we lock our account, we call our IT and there's an automated system on the phone that can reset it and give you a temp password (you have to enter your employee ID and a couple of other details to confirm it's really you); or we can wait for a live agent, but the automated system is preferred because our IT department can get busy to the point that you're waiting 4 hours in the phone queue.


That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:

Requiring a prompt every time isn't really the issue. I just want to provide a way for users to set their own password, so that they can set it to something personal (and hopefully secure), without them having to give me their chosen password directly. Otherwise, I am stuck assigning everyone crazy passwords that I am 100% sure they will never remember, because I'm the one who set them, and I'll have to reset them weekly, or I will be forced to ask users what their password should be, which is sort of an issue as well, for obvious reasons.

 

Anyways, it's starting to sound like without the Domain connection, there isn't a "vanilla" way to do this, and I'll have to find some software after all?

 

If so, I came across this earlier: https://github.com/pwm-project/pwm/

Thoughts?

  On 22/05/2018 at 20:11, Nick H. said:

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:


It is when the automated system sounds so garbled that you can't understand the password lmao :laugh:

 

Actually, they've recently disabled the automated system while they review new code options, so you may be right that it's not very secure in the long run.

You could try the following if your system is also integrated with AzureAD - https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/ for users connecting through your network if they are on a domain.

 

If they are not on the domain you would be best off creating a custom web application that users can access to reset their accounts. The application could be set up to conduct some sort of two-factor or higher authentication and then reset their password. You would have to have some system that the user interacts with that can access Active Directory, or LDAPS if it is configured.
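As an added example (not code from anyone in this thread), here is the core of the kind of service described above, in Python: the user submits their old and new password, and the service forwards them to a domain controller over LDAPS as a single unicodePwd change, so the DC verifies the old password and no administrator ever handles the new one. The DC host, UPN and DN are placeholders the caller supplies, and only the network function assumes the third-party ldap3 package; the encoding and validation helpers run offline.

```python
import ssl
from typing import Dict, List, Tuple

# Change-type markers; these string values are exactly what ldap3 uses for its
# MODIFY_DELETE / MODIFY_ADD constants, so the dict built below can be handed
# straight to ldap3's Connection.modify().
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_ADD = "MODIFY_ADD"

MIN_LENGTH = 12  # assumed local minimum; the DC enforces the real domain policy


def encode_ad_password(password: str) -> bytes:
    """AD's unicodePwd attribute wants the password wrapped in double quotes, UTF-16-LE."""
    return ('"' + password + '"').encode("utf-16-le")


def validate_new_password(old: str, new: str) -> List[str]:
    """Cheap local checks before any round trip to the DC; returns the problems found."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("new password shorter than %d characters" % MIN_LENGTH)
    if new == old:
        problems.append("new password is identical to the old one")
    return problems


def build_change_password_mods(old: str, new: str) -> Dict[str, List[Tuple[str, List[bytes]]]]:
    """One modify request that deletes the old value and adds the new one.

    The DC treats delete+add on unicodePwd as a password *change*, not a reset:
    it checks that the deleted value is the current password and applies the
    history/complexity policy itself. A change only needs the 'Change Password'
    right (granted to Self and Everyone by default), so the service never needs
    admin credentials and never learns a password it did not just receive from
    the user who owns the account.
    """
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_ad_password(old)]),
            (MODIFY_ADD, [encode_ad_password(new)]),
        ]
    }


def change_password_over_ldaps(dc_host: str, user_upn: str, user_dn: str,
                               old: str, new: str) -> Tuple[bool, str]:
    """Bind as the user over LDAPS (AD refuses unicodePwd writes on plain LDAP)
    and submit the change. dc_host, user_upn and user_dn are placeholders."""
    problems = validate_new_password(old, new)
    if problems:
        return False, "; ".join(problems)
    from ldap3 import Connection, Server, Tls  # third-party; imported late so offline tests run
    tls = Tls(validate=ssl.CERT_REQUIRED)  # insist on a trusted DC certificate
    server = Server(dc_host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=user_upn, password=old)
    if not conn.bind():  # wrong or expired old password surfaces here
        return False, "bind failed: %s" % conn.result.get("description")
    ok = conn.modify(user_dn, build_change_password_mods(old, new))
    conn.unbind()
    return ok, str(conn.result.get("description"))


if __name__ == "__main__":
    # Constructed demo values; a real deployment takes them from the user's form.
    print(build_change_password_mods("OldPassw0rd!", "LongerNewPassw0rd!"))
```

Because the bind uses the user's own old password, a second factor (as the post suggests) belongs in the web front end before this function is ever called.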

My helpdesk system allows the use of a self-service portal. This will allow them to unlock their accounts and reset passwords after answering a predefined number of questions (3, 5, 7, etc.). I would not advise putting that on the internet to be accessible, but it is better than nothing.
