Allowing AD users to change password (Self-service). Setup and end-user process?


Recommended Posts

Hey all,

 

Pretty much what the title says. I've tried searching online, but most of what I get is just people suggesting enterprise full-management systems that happen to include this one feature as well. I found one article explaining how to do it with Windows Server only, but it seemed like it was outdated, or for a very specific scenario, or overkill for what I need, or a combination of those.

 

How does it work to allow ActiveDirectory users to set/change their own password without having to tell it to an administrator who then changes the password manually?

 

Thanks for the help!

Unless I've misunderstood...

AD users can set their own passwords upon entering a password that you give you to them. As long you don't uncheck 'User must change password at next logon'.

 

For an AD user to change password on the fly; Ctrl-Alt-Delete and take the option to Change Password.

I'm very confused about the question aswell. The Active Directory does this by default, doesn't it?

 

I've worked in plenty of jobs, and it was the only the most recent one where I was expected to ask the user for their password. I turned around and told them that it goes against IT security 101 to ask such a question.

 

The system should be: user hits ctrl+alt+delete, selects "change password" and the AD gets updated with the new password. I'm confused on why the Active Directory (something that should be used for educational/enterprise situations) wouldn't contain that as a basic feature?

  On 22/05/2018 at 19:43, xendrome said:

I think maybe he means if a user has locked themselves out or forgotten their password.. If this the case then I believe only a 3rd party utility will do this.

Expand  

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

Expand  

usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their own AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password :)

  On 22/05/2018 at 19:51, Brandon H said:

usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password :)

Expand  

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

Expand  

No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

  On 22/05/2018 at 19:57, xendrome said:

No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

Expand  

Urgh, ManageEngine. I've had bad experiences with them, although that is due to the way they offer customization on all of their products and the company took it live too soon.

 

But fair play, I didn't know about that option. Cheers. (Y)

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN, which don't really require domain connections, and a lot of our staff use personal computers, laptops that go abroad, etc etc so requiring a solution that only works when on the domain isn't very effective.

Where we work, if you forget your password? Tough. 

 

We reset your password in AD, and you have to enter a new one. If you're not on site we give you a temporary one to log in with once, but you have to change it as soon as you enter it. 

 

We remember the last 10 hashes too, so no switching between a few that you use everywhere else.

  On 22/05/2018 at 19:57, Nick H. said:

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

Expand  

oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN.

Expand  

there you get to the problem i mentioned with laptops above.

 

there's not really an easy way around it that I am aware of.

1 option I could think of is you could have the authentication for the network drives separate from the AD login so it always prompts user/password when they connect to it.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

Expand  

That's a bit crucial. :laugh:

 

So you want someone that is logging in via VPN on a computer that isn't in the domain the reset their password? It's doable, but now we're starting to get outside of my expertise.

  On 22/05/2018 at 20:08, Brandon H said:

oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.

Expand  

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:

Requiring a prompt every time isn't really the issue. I just want to provide a way for users to set their own password, so that they can set it to something personal (and hopefully secure), without them having to give me their chosen password directly. Otherwise, I am stuck assigning everyone crazy passwords that I am 100% sure they will never remember, because I'm the one who set it, and I'll have to reset it for them weekly, or, will be forced to ask users what their password should be which is sort of an issue as well for obvious reasons.

 

Anyways, it's starting to sound like without the Domain connection, there isn't a "vanilla" way to do this, and I'll have to find some software after all?

 

If so, I came across this earlier: https://github.com/pwm-project/pwm/

Thoughts?

  On 22/05/2018 at 20:11, Nick H. said:

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:

Expand  

It is when the automated system sounds so garbled that you can't understand the password lmao :laugh:

 

actually they've recently disabled the automated system while they review new code options so you may be right that it's not very secure in the long run

You could try the following if you system is also integrated with AzureAD - https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/ for users connecting through your network if they are on a domain.

 

If they are not on the domain you would be best off creating a custom web application that users can access to reset their accounts.  The application could be setup to conduct some sort of Two-Factor or higher authentication and then reset their password.  You would have to have some system that the user interacts with that can access Active Directory or LDAPS if it is configured.

my helpdesk system allows the use of a self service portal.   This will allow them to unlock their accounts and reset passwords after answering a predefined amount of questions (3, 5, 7, etc).  I would not advise putting that on the internet to be accessible, but it is better than nothing.  

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Microsoft 365 Word gets SharePoint eSignature, now you can ditch third-party signing tools by Paul Hill Microsoft has just announced that it will be rolling out an extremely convenient feature for Microsoft 365 customers who use Word throughout this year. The Redmond giant said that you’ll now be able to use SharePoint’s native eSignature service directly in Microsoft Word. The new feature allows customers to request electronic signatures without converting the documents to a PDF or leaving the Word interface, significantly speeding up workflows. Microsoft’s integration of eSignatures also allows you to create eSignature templates which will speed up document approvals, eliminate physical signing steps, and help with compliance and security in the Microsoft 365 environment. This change has the potential to significantly improve the quality-of-life for those in work finding themselves adding lots of signatures to documents as they will no longer have to export PDFs from Word and apply the signature outside of Word. It’s also key to point out that this feature is integrated natively and is not an extension. The move is quite clever from Microsoft, if businesses were using third-party tools to sign their documents, they would no longer need to use these as it’s easier to do it in Word. Not only does it reduce reliance on other tools, it also makes Microsoft’s products more competitive against other office suites such as Google Workspace. Streamlined, secure, and compliant The new eSignature feature is tightly integrated into Word. It lets you insert signature fields seamlessly into documents and request other people’s signatures, all while remaining in Word. The eSignature feature can be accessed in Word by going to the Insert ribbon. When you send a signature request to someone from Word, the recipient will get an automatically generated PDF copy of the Word document to sign. The signed PDF will then be kept in the same SharePoint location as the original Word file. To ensure end-to-end security and compliance, the document never leaves the Microsoft 365 trust boundary. For anyone with a repetitive signing process, this integration allows you to turn Word documents into eSignature templates so they can be reused. Another feature that Microsoft has built in is audit trail and notifications. Both the senders and signers will get email notifications throughout the entire signing process. Additionally, you can view the activity history (audit trail) in the signed PDF to check who signed it and when. Finally, Microsoft said that administrators will be able to control how the feature is used in Word throughout the organization. They can decide to enable it for specific users via an Office group policy or limit it to particular SharePoint sites. The company said that SharePoint eSignature also lets admins log activities in the Purview Audit log. A key security measure included by Microsoft, which was mentioned above, was the Microsoft 365 trust boundary. By keeping documents in this boundary, Microsoft ensures that all organizations can use this feature without worry. The inclusion of automatic PDF creation is all a huge benefit to users as it will cut out the step of manual PDF creation. While creating a PDF isn’t complicated, it can be time consuming. The eSignature feature looks like a win-win-win for organizations that rely on digital signatures. Not only does it speed things along and remain secure, but it’s also packed with features like tracking, making it really useful and comprehensive. When and how your organization gets it SharePoint eSignature has started rolling out to Word on the M365 Beta and Current Channels in the United States, Canada, the United Kingdom, Europe, and Australia-Pacific. This phase of the rollout is expected to be completed by early July. People in the rest of the world will also be gaining this time-saving feature but it will not reach everyone right away, though Microsoft promises to reach everybody by the end of the year. To use the feature, it will need to be enabled by administrators. If you’re an admin who needs to enable this, just go to the M365 Admin Center and enable SharePoint eSignature, ensuring the Word checkbox is selected. Once the service is enabled, apply the “Allow the use of SharePoint eSignature for Microsoft Word” policy. The policy can be enabled via Intune, Group Policy manager, or the Cloud Policy service for Microsoft 365 Assuming the admins have given permission to use the feature, users will be able to access SharePoint eSignatures on Word Desktop using the Microsoft 365 Current Channel or Beta Channel. The main caveats include that the rollout is phased, so you might not get it right away, and it requires IT admins to enable the feature - in which case, it may never get enabled at all. Overall, this feature stands to benefit users who sign documents a lot as it can save huge amounts of time cumulatively. It’s also good for Microsoft who increase organizations’ dependence on Word.
    • It's always good to have an option to secure your stuff to another medium. I did that with DVD/CD collection, and run my own media server now. It's more convenient that way and no need for separate players anymore.
    • Google Search AI Mode gets support for data visualization and custom charts by Aditya Tiwari Google announced it is rolling out support for data visualizations and graphs for finance-related queries in Google Search's AI Mode. Introduced last month at the Google I/O 2025 keynote, the feature lets you analyze complex datasets and create custom charts simply using natural language prompts. The updated AI Mode lets you compare and analyze information over a specific period, Google explained. It generates interactive graphs and provides a comprehensive explanation for your questions. AI Mode utilizes Gemini's multimodal capabilities and multi-step reasoning approach to comprehend the question's intent while accessing historical and real-time information relevant to the question. For instance, instead of manually researching individual companies and their stock prices, you can use AI Mode to compare the stock performance of different companies for a specific year. Once the graph is generated, you can choose the desired time period using the mouse cursor and ask follow-up questions based on the data presented. These new data visualizations for finance queries are available to users who have enabled the AI Mode experiment in Labs. AI Mode was introduced earlier this year as an experimental feature in the US. The feature is an upgraded version of AI Overviews, and Google closely worked with AI power users through the initial development process. It uses the “query fan-out” technique to perform multiple related searches across subtopics and different data sources, then combines them to come up with a comprehensive response. Google updated AI Mode last month to use a custom version of the latest Gemini 2.5 model. It added several new features, including Deep Search, live capabilities, agentic capabilities of Project Mariner, a new shopping experience, and the ability to add personal context by linking Google apps. The search giant is planning to turn AI Mode into its bread and butter. It has begun testing ads for the feature, which will appear below and be integrated into AI Mode responses where relevant.
    • Guys, you should find another way to promote your deals... It's the third article in the last months that promote this deal for an upgrade from 10. Considering that upgrade from 10 to 11 is free it's a total non-sense.
    • Store should be a shrine of useful applications, vetted and verified. Easily sorted by publisher. Windows should start with not much installed and have things as options in the store. Not the wild west mess that it is. You could delete 95%+ of the crap on there and no one would notice. They need to add a better UI to the updates, it's awful right now.
  • Recent Achievements

    • Week One Done
      luxoxfurniture earned a badge
      Week One Done
    • First Post
      Uranus_enjoyer earned a badge
      First Post
    • Week One Done
      Uranus_enjoyer earned a badge
      Week One Done
    • Week One Done
      jfam earned a badge
      Week One Done
    • First Post
      survivor303 earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      432
    2. 2
      +FloatingFatMan
      239
    3. 3
      snowy owl
      213
    4. 4
      ATLien_0
      211
    5. 5
      Xenon
      157
  • Tell a friend

    Love Neowin? Tell a friend!