Allowing AD users to change password (Self-service). Setup and end-user process?



Hey all,

 

Pretty much what the title says. I've tried searching online, but most of what I get is just people suggesting enterprise full-management systems that happen to include this one feature as well. I found one article explaining how to do it with Windows Server only, but it seemed like it was outdated, or for a very specific scenario, or overkill for what I need, or a combination of those.

 

How does it work to allow ActiveDirectory users to set/change their own password without having to tell it to an administrator who then changes the password manually?

 

Thanks for the help!

Unless I've misunderstood...

AD users can set their own passwords upon entering a password that you give to them, as long as you don't uncheck 'User must change password at next logon'.

 

For an AD user to change password on the fly; Ctrl-Alt-Delete and take the option to Change Password.

I'm very confused about the question as well. The Active Directory does this by default, doesn't it?

 

I've worked in plenty of jobs, and it was only the most recent one where I was expected to ask the user for their password. I turned around and told them that it goes against IT security 101 to ask such a question.

 

The system should be: user hits ctrl+alt+delete, selects "change password" and the AD gets updated with the new password. I'm confused on why the Active Directory (something that should be used for educational/enterprise situations) wouldn't contain that as a basic feature?

  On 22/05/2018 at 19:43, xendrome said:

I think maybe he means if a user has locked themselves out or forgotten their password. If this is the case then I believe only a 3rd party utility will do this.


Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their own AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password :)

  On 22/05/2018 at 19:51, Brandon H said:

usually the temp password is set with the 'must change on next login' so the user then has to change it to their own password

 

but yes unless OP is talking about locked/forgotten passwords then any user can change their AD password after logging in by doing ctrl+alt+del and selecting Change Password.
this only really gets muddied when on a laptop, you'll want to be sure you're connected to the AD network when changing password :)


Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

  On 22/05/2018 at 19:57, xendrome said:

No the 3rd party apps usually integrate with security questions to reset the password, it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html


Urgh, ManageEngine. I've had bad experiences with them, although that is due to the way they offer customization on all of their products and the company took it live too soon.

 

But fair play, I didn't know about that option. Cheers. (Y)

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl-Alt-Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN, which don't really require domain connections, and a lot of our staff use personal computers, laptops that go abroad, etc etc so requiring a solution that only works when on the domain isn't very effective.

Where we work, if you forget your password? Tough. 

 

We reset your password in AD, and you have to enter a new one. If you're not on site we give you a temporary one to log in with once, but you have to change it as soon as you enter it. 

 

We remember the last 10 hashes too, so no switching between a few that you use everywhere else.

  On 22/05/2018 at 19:57, Nick H. said:

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.


oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl-Alt-Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share, and to login to the VPN.


there you get to the problem i mentioned with laptops above.

 

there's not really an easy way around it that I am aware of.

One option I could think of is you could have the authentication for the network drives separate from the AD login so it always prompts for user/password when they connect to it.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the ctrl alt dlt -> change password method requires that, right?


That's a bit crucial. :laugh:

 

So you want someone that is logging in via VPN on a computer that isn't in the domain to reset their password? It's doable, but now we're starting to get outside of my expertise.

  On 22/05/2018 at 20:08, Brandon H said:

oh my, no it's not quite that bad here.

 

here if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp pw (you have to enter your employee ID and a couple other details to confirm it's really you); or we can wait for a live agent as well but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in queue on the phone.


That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:

Requiring a prompt every time isn't really the issue. I just want to provide a way for users to set their own password, so that they can set it to something personal (and hopefully secure), without them having to give me their chosen password directly. Otherwise, I am stuck assigning everyone crazy passwords that I am 100% sure they will never remember, because I'm the one who set it, and I'll have to reset it for them weekly, or, will be forced to ask users what their password should be which is sort of an issue as well for obvious reasons.

 

Anyways, it's starting to sound like without the Domain connection, there isn't a "vanilla" way to do this, and I'll have to find some software after all?

 

If so, I came across this earlier: https://github.com/pwm-project/pwm/

Thoughts?

  On 22/05/2018 at 20:11, Nick H. said:

That doesn't sound overly secure...but then again I am in Switzerland, the home of privacy and security. :laugh:


It is when the automated system sounds so garbled that you can't understand the password lmao :laugh:

 

actually they've recently disabled the automated system while they review new code options so you may be right that it's not very secure in the long run

You could try the following if your system is also integrated with AzureAD - https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/ for users connecting through your network if they are on a domain.

 

If they are not on the domain you would be best off creating a custom web application that users can access to reset their accounts. The application could be set up to conduct some sort of Two-Factor or higher authentication and then reset their password. You would have to have some system that the user interacts with that can access Active Directory or LDAPS if it is configured.
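As an added example (not code from anyone in this thread), the two mechanisms the replies describe, written in PowerShell against the RSAT ActiveDirectory module: a helpdesk-side reset to a random one-time password flagged "must change at next logon", and a user-side change that works from a non-domain-joined machine over the VPN because it authenticates as the user and proves the old password. The domain `CORP`, the DC `dc01.corp.example` and all account names are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module; the
# domain CORP, the DC dc01.corp.example and the account names are placeholders.
Import-Module ActiveDirectory

# Show the policy knobs the thread argues about: lockout threshold, remembered
# password history, and how soon a freshly changed password may be changed again.
function Get-PasswordPolicySummary {
    param([string]$Server = 'dc01.corp.example')
    Get-ADDefaultDomainPasswordPolicy -Server $Server |
        Select-Object LockoutThreshold, PasswordHistoryCount, MinPasswordAge, ComplexityEnabled
}

# Helpdesk side: reset to a random one-time password and force a change at next logon.
# A reset needs the "Reset Password" right on the object and does not need the old password.
function New-TemporaryPasswordReset {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Server = 'dc01.corp.example')
    # 64-character alphabet (ambiguous l/I/O/0/1 removed) so a byte masked with 63 is unbiased.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'.ToCharArray()
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -Server $Server -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName -Server $Server
    return $temp   # hand over out of band; it is dead after the first logon
}

# User side, e.g. a personal laptop on the VPN: a *change* authenticates as the user and
# proves the old password, so no admin ever learns the new one. The DC enforces complexity,
# minimum age and history. Needs TCP 9389 (AD Web Services) on the DC reachable over the VPN.
function Set-OwnAdPassword {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Domain = 'CORP',
          [string]$Server = 'dc01.corp.example')
    $cred = Get-Credential -UserName "$Domain\$SamAccountName" -Message 'Current AD password'
    $new  = Read-Host 'New password' -AsSecureString
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Credential $cred `
        -OldPassword $cred.Password -NewPassword $new
}
```

The change path needs the RSAT module installed on the user's machine, which is the practical limit for personal computers; the reset path is the one a helpdesk or a self-service portal would run on the user's behalf.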

My helpdesk system allows the use of a self service portal. This will allow them to unlock their accounts and reset passwords after answering a predefined number of questions (3, 5, 7, etc). I would not advise putting that on the internet to be accessible, but it is better than nothing.

This topic is now closed to further replies.