Allowing AD users to change password (Self-service). Setup and end-user process?



Hey all,

 

Pretty much what the title says. I've tried searching online, but most of what I get is just people suggesting enterprise full-management systems that happen to include this one feature as well. I found one article explaining how to do it with Windows Server only, but it seemed like it was outdated, or for a very specific scenario, or overkill for what I need, or a combination of those.

 

How does it work to allow ActiveDirectory users to set/change their own password without having to tell it to an administrator who then changes the password manually?

 

Thanks for the help!

Unless I've misunderstood...

AD users can set their own passwords upon entering a password that you give to them, as long as you don't uncheck 'User must change password at next logon'.

 

For an AD user to change their password on the fly: press Ctrl-Alt-Delete and take the option to Change Password.

I'm very confused about the question as well. Active Directory does this by default, doesn't it?

 

I've worked in plenty of jobs, and it was only the most recent one where I was expected to ask the user for their password. I turned around and told them that it goes against IT security 101 to ask such a question.

 

The system should be: user hits Ctrl+Alt+Delete, selects "Change password" and AD gets updated with the new password. I'm confused as to why Active Directory (something that should be used for educational/enterprise situations) wouldn't contain that as a basic feature?

  On 22/05/2018 at 19:43, xendrome said:

I think maybe he means if a user has locked themselves out or forgotten their password. If this is the case then I believe only a 3rd-party utility will do this.


Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


Usually the temp password is set with 'must change on next login', so the user then has to change it to their own password.

 

But yes, unless OP is talking about locked/forgotten passwords, then any user can change their own AD password after logging in by doing Ctrl+Alt+Del and selecting Change Password.
This only really gets muddied on a laptop; you'll want to be sure you're connected to the AD network when changing your password :)

  On 22/05/2018 at 19:51, Brandon H said:

Usually the temp password is set with 'must change on next login', so the user then has to change it to their own password.

 

But yes, unless OP is talking about locked/forgotten passwords, then any user can change their AD password after logging in by doing Ctrl+Alt+Del and selecting Change Password.
This only really gets muddied on a laptop; you'll want to be sure you're connected to the AD network when changing your password :)


Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.

  On 22/05/2018 at 19:46, Nick H. said:

Surely that breaks the security front? You'd be allowing someone to enter a password incorrectly three times before the account gets locked, then allow that person to change the password to something they want without any verification?


No, the 3rd-party apps usually integrate with security questions to reset the password; it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html

  On 22/05/2018 at 19:57, xendrome said:

No, the 3rd-party apps usually integrate with security questions to reset the password; it then shows up on the user login GUI like this one - https://www.manageengine.com/products/self-service-password/self-service-password-reset.html


Urgh, ManageEngine. I've had bad experiences with them, although that is due to the way they offer customization on all of their products and the company took it live too soon.

 

But fair play, I didn't know about that option. Cheers. (Y)

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl-Alt-Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share and to log in to the VPN, which don't really require domain connections, and a lot of our staff use personal computers, laptops that go abroad, etc., so requiring a solution that only works when on the domain isn't very effective.
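The thing the thread has not said explicitly is that the Ctrl-Alt-Del route is only one front end to the directory's ChangePassword operation, and that operation can be reached from a machine that is not domain-joined as long as it can reach a domain controller on the LDAPS port (the VPN case). ChangePassword is the unprivileged operation: the DC only accepts it if the user supplies their current password, so nobody (the admin included) learns the new one, and a forgotten password cannot be reset this way. The following is an added example written for this post, not code from the thread or from any product mentioned in it; the DC name dc01.corp.example, the base DN DC=corp,DC=example and the UPN format are assumptions, and it relies only on the .NET System.DirectoryServices assembly that ships with Windows PowerShell, so no RSAT module is needed on the user's laptop.

```powershell
# Added example (not from the thread): change your own AD password from a machine
# that is NOT domain-joined, e.g. a personal laptop on the VPN.
# Binds as the user with the current password over LDAPS (TCP/636) and calls the
# ADSI ChangePassword operation, which the DC refuses unless the old password is right.
# Assumed names: dc01.corp.example, DC=corp,DC=example, user@corp.example.

Add-Type -AssemblyName System.DirectoryServices

$DomainController = 'dc01.corp.example'      # assumed DC reachable through the VPN
$BaseDn           = 'DC=corp,DC=example'      # assumed domain DN
$Upn              = Read-Host 'User principal name (user@corp.example)'
$OldPassword      = Read-Host 'Current password' -AsSecureString
$NewPassword      = Read-Host 'New password'     -AsSecureString

# ADSI needs plain strings; decrypt the SecureStrings as late as possible.
function ConvertTo-Plain([securestring]$s) {
    $p = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p) }
}
$old = ConvertTo-Plain $OldPassword
$new = ConvertTo-Plain $NewPassword

# Simple bind as the user, wrapped in TLS so the password never crosses the wire in clear.
$auth = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController`:636/$BaseDn", $Upn, $old, $auth)

# Locate the user's own object; an ordinary user can read its own distinguishedName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
$null = $searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) { throw "Bind failed or user $Upn not found" }
$userDn = $result.Properties['distinguishedname'][0]

# ChangePassword, not SetPassword: the old password is part of the request, so this
# needs no admin rights and cannot be used to take over an account whose password you lack.
$user = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController`:636/$userDn", $Upn, $old, $auth)
try {
    $user.Invoke('ChangePassword', @($old, $new))
    $user.CommitChanges()
    Write-Host "Password changed for $Upn"
}
catch {
    # Usual causes: wrong current password, new password rejected by length/complexity/history
    # policy, minimum password age not yet elapsed, or the DC's LDAPS certificate is not
    # trusted by this laptop (the bind itself then fails).
    Write-Error "Change failed: $($_.Exception.InnerException.Message)"
}
finally {
    $old = $new = $null
}
```

Two caveats a practitioner should know before handing this to users. First, the laptop must trust the certificate the DC presents on 636; if the DC uses an internal CA, that root has to be installed on the personal machine, otherwise the bind fails before any password is sent. Second, a password that has already expired or a locked-out account cannot bind, so this path only covers "I want to change it", not "I forgot it"; the forgotten case still needs an admin reset or a self-service reset product with its own verification, which is the distinction the earlier replies were drawing.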

Where we work, if you forget your password? Tough. 

 

We reset your password in AD, and you have to enter a new one. If you're not on site we give you a temporary one to log in with once, but you have to change it as soon as you enter it.

 

We remember the last 10 hashes too, so no switching between a few that you use everywhere else.
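The reset-then-force-change workflow in the post above is the privileged counterpart of the user's own change: the admin sets a password without knowing the old one, and the "must change at next logon" flag guarantees the admin's knowledge of that password expires on first use. The script below is an added example, not something from the thread; it assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, an account delegated the "Reset password" right on the user's OU, and the sample identity alice. It also reads back the policy the replacement password will be checked against (history count, lockout threshold, minimum age), including a fine-grained policy if one applies to the user.

```powershell
# Added example (not from the thread): admin-side temporary password reset.
# 1. Generate a random one-time password (the admin never picks a memorable one).
# 2. Reset with -Reset (privileged SetPassword; no old password required).
# 3. Force "User must change password at next logon" (pwdLastSet becomes 0).
# 4. Report the policy the user's replacement password will have to satisfy.
# Assumed identity: alice. Assumed rights: "Reset password" delegated on her OU.

Import-Module ActiveDirectory

$Identity = 'alice'   # assumed sAMAccountName

# Cryptographically random temp password. The alphabet has exactly 64 symbols
# (I, O, l and 0/1 left out to avoid transcription errors), so byte % 64 has no bias.
function New-TempPassword([int]$Length = 20) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%&*-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}
$temp   = New-TempPassword
$secure = ConvertTo-SecureString $temp -AsPlainText -Force

# Privileged reset, then require a change at next logon, then clear any lockout.
Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
Set-ADUser            -Identity $Identity -ChangePasswordAtLogon $true
Unlock-ADAccount      -Identity $Identity   # no-op if the account is not locked

# Verify the flag took: pwdLastSet = 0 is what "must change at next logon" means in the directory.
$u = Get-ADUser -Identity $Identity -Properties pwdLastSet, LockedOut, PasswordExpired
if ($u.pwdLastSet -ne 0) { throw "ChangePasswordAtLogon did not apply for $Identity" }

# Resultant policy: a fine-grained policy wins over the domain default when one applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

[pscustomobject]@{
    User                 = $Identity
    MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
    HistoryRemembered    = $policy.PasswordHistoryCount   # the "last 10" in the post above
    MinLengthRequired    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    LockoutAfterAttempts = $policy.LockoutThreshold        # 0 means accounts never lock out
    MinPasswordAgeDays   = $policy.MinPasswordAge.Days
}

# Deliver the one-time password out of band (phone or in person), never by e-mail,
# and do not keep it: after the first logon it is useless anyway.
Write-Host "One-time password for $Identity (deliver out of band): $temp"
$temp = $null
```

The check on pwdLastSet is worth keeping: Set-ADUser returns nothing on success, and a helpdesk script that silently skips the flag leaves the admin in possession of a working password, which is exactly the situation the post is trying to avoid. The minimum-age value is reported because a user who just received a temporary password is allowed to change it immediately regardless of that setting, but a user who changes it again a day later will be refused until the age has elapsed.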

  On 22/05/2018 at 19:57, Nick H. said:

Oh, if we're talking about a first-time login then that is different. But I stand by the idea that for security reasons you would still be required to call your IT support to reset the password. Otherwise when IT support create a new account they generate the same first password every time, in which case the manager will know the default password after they've worked there a while. I don't agree with it, but again it's something I have come across.


Oh my, no, it's not quite that bad here.

 

Here, if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp password (you have to enter your employee ID and a couple of other details to confirm it's really you); or we can wait for a live agent as well, but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in the queue on the phone.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl-Alt-Del -> Change Password method requires that, right?

 

These logins would mainly be used for access to a network share and to log in to the VPN.


There you get to the problem I mentioned with laptops above.

 

There's not really an easy way around it that I am aware of.

One option I could think of is that you could have the authentication for the network drives separate from the AD login, so it always prompts for user/password when they connect to it.

  On 22/05/2018 at 20:06, Seizure1990 said:

Hey guys, my bad. Realized I left out a pretty crucial detail, so sorry. Is there a way to do this without the user being on a computer that is attached to the domain? As far as I understand, the Ctrl-Alt-Del -> Change Password method requires that, right?


That's a bit crucial. :laugh:

 

So you want someone that is logging in via VPN on a computer that isn't in the domain to reset their password? It's doable, but now we're starting to get outside of my expertise.

  On 22/05/2018 at 20:08, Brandon H said:

Oh my, no, it's not quite that bad here.

 

Here, if we lock our account we call into our IT and there's an automated system on the phone that can reset and give you a temp password (you have to enter your employee ID and a couple of other details to confirm it's really you); or we can wait for a live agent as well, but the automated system is preferred because our IT department can get busy to the point you're waiting 4 hours in the queue on the phone.


That doesn't sound overly secure... but then again I am in Switzerland, the home of privacy and security. :laugh:

Requiring a prompt every time isn't really the issue. I just want to provide a way for users to set their own password, so that they can set it to something personal (and hopefully secure), without them having to give me their chosen password directly. Otherwise, I am stuck assigning everyone crazy passwords that I am 100% sure they will never remember, because I'm the one who set them, and I'll have to reset them weekly, or I will be forced to ask users what their password should be, which is sort of an issue as well for obvious reasons.

 

Anyways, it's starting to sound like without the Domain connection, there isn't a "vanilla" way to do this, and I'll have to find some software after all?

 

If so, I came across this earlier: https://github.com/pwm-project/pwm/

Thoughts?

  On 22/05/2018 at 20:11, Nick H. said:

That doesn't sound overly secure... but then again I am in Switzerland, the home of privacy and security. :laugh:


It is when the automated system sounds so garbled that you can't understand the password lmao :laugh:

 

Actually, they've recently disabled the automated system while they review new code options, so you may be right that it's not very secure in the long run.

You could try the following if your system is also integrated with Azure AD - https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/ - for users connecting through your network if they are on a domain.

 

If they are not on the domain, you would be best off creating a custom web application that users can access to reset their accounts. The application could be set up to conduct some sort of two-factor or higher authentication and then reset their password. You would have to have some system that the user interacts with that can access Active Directory, or LDAPS if it is configured.

My helpdesk system allows the use of a self-service portal. This will allow them to unlock their accounts and reset passwords after answering a predefined number of questions (3, 5, 7, etc.). I would not advise putting that on the internet to be accessible, but it is better than nothing.

This topic is now closed to further replies.