We run a native 2003 Active Directory. We have many remote users who have an AD account (without an Exchange account). Quite often we get emails from users who are requesting password resets or account unlocks (since we have a 5-try account lockout policy in effect on the domain).
Obviously, given the size of our user-base, the number of mails we get requesting these resets is creating a huge amount of work for us.
I'd like to ask you guys what you use to get around this issue. I'd ideally like some kind of automated secure password reset application, preferably one that can be accessed by a secure webpage. I'm hoping that we can set up some sort of password reset system that will allow our users to change their passwords without the need to contact IT Support.
Any suggestions or help is greatly appreciated :-)
Kind Regards,
Greg.
ASKED: June 15, 2005 5:23 AM
UPDATED: February 13, 2012 3:39 PM
IMHO, if they can’t either get it right in 5 tries, or if they ignore password expiration warnings for 5-10 days, they deserve to be locked out. Set a delay for unlocking the account (we use 10 minutes), and on resets, make it a real chore to get your staff to perform this task. User education is sometimes painful, but in many cases it works.
IMHO, if they can’t either get it right in 5 tries, or if they ignore password expiration warnings for 5-10 days, they deserve to be locked out. Set a delay for unlocking the account (we use 10 minutes), and on resets, make it a real chore to get your staff to perform this task. User education is sometimes painful, but in many cases it works.
I agree that they should take more initiative in being able to remember their password.
You may have already implemented something or thought about it, but I train our users on how to be creative with their complexity requirements. It can become quite simple for them.
Example:
If they like camping, their password could be C@mping.
That meets the 3 of 4 complexity requirements.
Another example I give them: $50cash
Or: #1mommy
It’s funny to see their eyes light up during training when they realize how easy it is, and some of the creative people actually have fun doing it.
That training alone has cut out our workload tremendously.
Good luck!
Hey Greg,
Are you sure that users are typing their passwords wrong… or is someone trying to compromise the network by trying to hack passwords?
We had an issue within our organization where a user’s account would get locked out every day. We couldn’t track down the reason why this was happening. It just ceased to occur after a few weeks.
I don’t mean to worry you… it’s better to be safe than sorry.
aknair
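One way to tell the two cases in the reply above apart, as an added example that is not part of the original thread: group lockout events by source machine and by account. It assumes the lockout events were exported from the domain controller's Security log as CSV; the column names, host names, account names and thresholds are all constructed for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a real log format.
SAMPLE = """time,account,caller
2005-06-13 08:02:11,jsmith,WS-114
2005-06-14 08:01:47,jsmith,WS-114
2005-06-15 08:03:02,jsmith,WS-114
2005-06-15 02:10:05,akhan,WEB01
2005-06-15 02:10:41,bturner,WEB01
2005-06-15 02:11:16,cdiaz,WEB01
2005-06-15 02:12:03,dlee,WEB01
2005-06-15 11:30:00,mroberts,WS-207
"""

def load(text):
    """Parse the CSV into (timestamp, account, caller machine) tuples."""
    return [(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
             r["account"].lower(), r["caller"].upper())
            for r in csv.DictReader(io.StringIO(text))]

def triage(events, window=timedelta(minutes=15), min_accounts=3, min_days=3):
    """Split lockouts into likely guessing and likely stale-credential cases."""
    by_caller, by_account = defaultdict(list), defaultdict(list)
    for ts, acct, caller in sorted(events):
        by_caller[caller].append((ts, acct))
        by_account[acct].append((ts, caller))
    guessing, recurring = {}, {}
    # Many different accounts locked from one machine inside a short window.
    for caller, hits in by_caller.items():
        for i, (start, _) in enumerate(hits):
            accts = {a for t, a in hits[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                guessing[caller] = sorted(accts)
                break
    # One account locked from the same machine on several different days:
    # usually a saved credential (service, mapped drive, device) that was never updated.
    for acct, hits in by_account.items():
        callers = {c for _, c in hits}
        if len(callers) == 1 and len({t.date() for t, _ in hits}) >= min_days:
            recurring[acct] = next(iter(callers))
    return {"guessing": guessing, "recurring": recurring}

if __name__ == "__main__":
    print(triage(load(SAMPLE)))
```

A single lockout such as the `mroberts` row lands in neither bucket and is left to the normal unlock process.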
At my company, users (like myself) are able to instantly reset and re-enable their own passwords/accounts in the secured, web-based associate resource utility, but they must be able to answer a few security questions first to get a new, temporary password:
1. Employee ID Number xxxxxx
2. Soc. Security Number xxx-xx-xxxx
3. Birth date Month-Day-Year
4. Home zip code xxxxx
The data for the above prompts can be queried through the employee’s profile, and it saves us hundreds of unneeded calls a day to our Helpdesk. (A big time/money saver!)
Good luck.
Gary
I don’t care how secure the site is – I wouldn’t want all of my personal information available from the web.
Maybe one of those questions, not SS#, and maybe my favorite kind of dog, lol
Do you guys run Sharepoint Portal Server? I have a webpart in Portal that will change the user’s password for Active Directory.
Dane
Most of our users access a timesheet system that runs on our network. They log in using their AD user account, but they seem to regularly forget their passwords, since most of them only access this webpage to log their timecards. The webpage doesn’t handle the password resets, so I need another solution.
We do have a Sharepoint Portal server, and it is public facing (via https).
If you can let me know how to get Sharepoint configured to help with the password resets, that would be great.
I also like the idea of having data stored that is used to challenge the user trying to reset the password.
Thanks for all your responses, they are all appreciated
Kind Regards,
Greg.
You could give the department managers rights to those two functions and then create Taskpads for them that could only do those two things. This offloads a task that doesn’t really require technical skills to the people that are directly responsible for the employees that have the problem. That sort of thing is one of the primary uses for Taskpads.
Ok – If you have Sharepoint then you can talk to Advis about a webpart to accomplish this.
I love replies #2 and #3. They’ve been sent twice. In case of wrong passwords, one try less.
Imagine users who have to remember quite a few passwords, sometimes mixing them up and sometimes mistyping them. By educating them you have quite a chance to teach them to write passwords down and all that stuff. Do you already know possible causes for that amount of errors? Have you considered how long a lockout is enough with regard to possible hacks? 1 minute? What happens when they cannot log on for a long time?
Regards, Wolfgang
Hi Greg,
I don’t exactly know if this is of interest to you.
While I was studying for my foundation degree, my institute’s system used a three-chance policy. If by mistake someone tried using a wrong password thrice, his or her password would automatically be reset to the original password, which was allocated to them at the first instance. But the catch in this is that the user can’t use the last 5 password combinations.
Although this sort of thing was not a regular feature, every time this happened the user had to give out some information about themselves to the system in order to authenticate them properly. Every user was supposed to have an alphanumerical password.
Hope this helps.
abheejeet
You can try a 3rd party utility from Quest Software. Quest Password Reset Manager allows end users to reset forgotten passwords securely, allowing administrators to implement stronger password policies while reducing the help desk workload. Password Reset Manager provides a simple, secure solution that allows end users to reset forgotten passwords and unlock their user accounts themselves. Password Reset Manager accommodates the widest possible range of organization requirements and data security standards. There is a trial version that you can implement on a test environment and see if it fits your needs.
GottaggedsoamnowIT / Gary,
What is the “secured, web-based associate resource utility” your company uses?
I can give you a good example of such a utility.
You can take a look at password self service from ScriptLogic. It’s a highly secured password management solution.
For example, for a self-service password reset or change, users are prompted with several challenge questions that they must answer.
Also, this tool can ensure that only passwords that meet the policies defined by the administrator are accepted.
I think you should let the user feel your staff’s pain when a password needs to be reset. I would not use any third party software on a so-called secure website just to alleviate this problem. Websites are hacked and easily redirected; do you want to put all of your remote users at risk of having their password hacked? This is an extreme risk for little reward. Let your IT staff handle password and lockout problems; these controls are in place for a reason. Just my opinion though.
It’s easy to blame users on this one and try to prove a point. I completely understand that mindset. But in the end you’ve got to look at what’s best for the business. Do you want to be right or do you want to be happy? Each and every password reset costs the business money and it keeps admins from focusing on more productive things like teaching people how to create easy to remember yet impossible to crack passphrases so users are not getting locked out in the first place. Check out Passfilt Pro – a good tool to help get your password policies under control.
I’m not interested in blaming the end user, I just think this is a disaster waiting to happen by allowing users to change their password on a so-called secure website. Again, websites are targets for hackers and keyloggers. It takes little time to unlock an account or reset a password in the AD; this should not be a huge task for admins. Granted, the more users, the more time that could be consumed doing this, but again security is my primary concern for the network, and a password change tool open to the external internet is not secure and will probably be flagged as a problem in a security audit. Again, this is my opinion. What if the remote user’s PC is infected with a keylogger and then uses this tool? The server running this app is now compromised. I just think the risks need to be identified and then make the decision that is best for your network.
The following free tools can help you:
Web-based Password Reset for Active Directory – this one is just a simple web app with password change (enter old password, create new password).
NetWrix Password Expiration Notifier – automated password reminders sent by e-mail to users with expiring passwords.
Hi Greg,
When you have many users, you need to consider the enrollment process of the existing and future users.
FastPassCorp has a password reset product that resets passwords for AD users on a secure webpage; you can get more information on fastpasscorp.com.
Regards
Hey Greg
My IT department uses NetWrix Password Manager for these types of issues (www.netwrix.com). The NetWrix tool lets users resolve account lockouts and reset forgotten passwords on their own through a web-based portal. It’s pretty easy to use and has dramatically cut down on password reset requests.
There are also several other alternatives that you can use. Here is a Buyer’s Guide that Windows IT Pro published on the matter: http://www.windowsitpro.com/article/buyers-guide/windows-password-reset-products.aspx