Allowing AD users to change password (Self-service). Setup and end-user process?

[Seizure1990]

Hey all,

 

Pretty much what the title says. I've tried searching online, but most of what I get is just people suggesting enterprise full-management systems that happen to include this one feature as well. I found one article explaining how to do it with Windows Server only, but it seemed like it was outdated, or for a very specific scenario, or overkill for what I need, or a combination of those.

 

How does it work to allow ActiveDirectory users to set/change their own password without having to tell it to an administrator who then changes the password manually?

 

Thanks for the help!

[Powerless]

Unless I've misunderstood...

AD users can set their own passwords upon entering a password that you give you to them. As long you don't uncheck 'User must change password at next logon'.

 

For an AD user to change password on the fly; Ctrl-Alt-Delete and take the option to Change Password.

[Nick H. Supervisor]

I'm very confused about the question aswell. The Active Directory does this by default, doesn't it?

 

I've worked in plenty of jobs, and it was the only the most recent one where I was expected to ask the user for their password. I turned around and told them that it goes against IT security 101 to ask such a question.

 

The system should be: user hits ctrl+alt+delete, selects "change password" and the AD gets updated with the new password. I'm confused on why the Active Directory (something that should be used for educational/enterprise situations) wouldn't contain that as a basic feature?

[xendrome]

I think maybe he means if a user has locked themselves out or forgotten their password.. If this the case then I believe only a 3rd party utility will do this.

[Nick H. Supervisor]

  On 22/05/2018 at 19:43, xendrome said:

I think maybe he means if a user has locked themselves out or forgotten their password.. If this the case then I believe only a 3rd party utility will do this.

Expand  

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

[Brandon H Supervisor]

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

Expand  

usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their own AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password

[Nick H. Supervisor]

  On 22/05/2018 at 19:51, Brandon H said:

usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password

Expand  

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

[xendrome]

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

Expand  

No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

[Nick H. Supervisor]

  On 22/05/2018 at 19:57, xendrome said:

No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

Expand  

Urgh, ManageEngine. I've had bad experiences with them, although that is due to the way they offer customization on all of their products and the company took it live too soon.

 

But fair play, I didn't know about that option. Cheers.

[Seizure1990]

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN, which don't really require domain connections, and a lot of our staff use personal computers, laptops that go abroad, etc etc so requiring a solution that only works when on the domain isn't very effective.

[+John. Subscriber¹]

Where we work, if you forget your password? Tough. 

 

We reset your password in AD, and you have to enter a new one. If you're not on site we give you a temporary one to log in with once, but you have to change it as soon as you enter it. 

 

We remember the last 10 hashes too, so no switching between a few that you use everywhere else.

[Brandon H Supervisor]

  On 22/05/2018 at 19:57, Nick H. said:

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

Expand  

oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.

[Brandon H Supervisor]

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN.

Expand  

there you get to the problem i mentioned with laptops above.

 

there's not really an easy way around it that I am aware of.

1 option I could think of is you could have the authentication for the network drives separate from the AD login so it always prompts user/password when they connect to it.

[Nick H. Supervisor]

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?

Expand  

That's a bit crucial. 

 

So you want someone that is logging in via VPN on a computer that isn't in the domain the reset their password? It's doable, but now we're starting to get outside of my expertise.

  On 22/05/2018 at 20:08, Brandon H said:

oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.

Expand  

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. 

[Seizure1990]

Requiring a prompt every time isn't really the issue. I just want to provide a way for users to set their own password, so that they can set it to something personal (and hopefully secure), without them having to give me their chosen password directly. Otherwise, I am stuck assigning everyone crazy passwords that I am 100% sure they will never remember, because I'm the one who set it, and I'll have to reset it for them weekly, or, will be forced to ask users what their password should be which is sort of an issue as well for obvious reasons.

 

Anyways, it's starting to sound like without the Domain connection, there isn't a "vanilla" way to do this, and I'll have to find some software after all?

 

If so, I came across this earlier: https://github.com/pwm-project/pwm/

Thoughts?

[Brandon H Supervisor]

  On 22/05/2018 at 20:11, Nick H. said:

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. 

Expand  

It is when the automated system sounds so garbled that you can't understand the password lmao 

 

actually they've recently disabled the automated system while they review new code options so you may be right that it's not very secure in the long run

[ITOps]

You could try the following if you system is also integrated with AzureAD - https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/ for users connecting through your network if they are on a domain.

 

If they are not on the domain you would be best off creating a custom web application that users can access to reset their accounts.  The application could be setup to conduct some sort of Two-Factor or higher authentication and then reset their password.  You would have to have some system that the user interacts with that can access Active Directory or LDAPS if it is configured.

[Seizure1990]

Alright, so it's as I said. No way to do this "Vanilla". Guess I will try that open-source PWM thing out, so that people can access it via some local URL and do it there. Thanks all.

[sc302 Veteran]

my helpdesk system allows the use of a self service portal.   This will allow them to unlock their accounts and reset passwords after answering a predefined amount of questions (3, 5, 7, etc).  I would not advise putting that on the internet to be accessible, but it is better than nothing.