Question

  Asked: Jun 15 2005   5:23 AM GMT
  Asked by: GregNottage


Active Dir. Web Based Password Reset Tool?


IT architecture, Security management, Tech support, Windows client administration and maintenance, Desktop security, Windows XP, Servers, Windows, Windows Server 2003, Networking, Security, Management, Vendors, Security Program Management, Compliance, Risk management, CRM, Policies, Disaster Recovery, DataCenter

We run a native 2003 Active Directory. We have many remote users who have an AD account (without an Exchange account). Quite often we get emailed from users who are requesting password resets, or account unlocks (since we have a 5-try account lockout policy in effect on the domain).

Obviously, given the size of our user-base, the number of mails we get requesting these resets is creating a huge amount of work for us.

I'd like to ask you guys what you use to get around this issue? I'd ideally like some kind of automated secure password reset application, preferably one that can be accessed by a secure webpage. I'm hoping that we can setup some sort of password reset system that will allow our users to change their passwords without the need to contact IT Support.

Any suggestions or help is greatly appreciated :-)

Kind Regards,

Greg.

Answer Wiki

Firstly, you'll have to delegate authority to the users to not only change their passwords but to remove themselves from lockout. This means that all users will be able to change each other's passwords etc. This is your first hurdle. A timeout for lockouts would be the easiest solution to part of this problem.
You'll then have to write something which contacts the LDAP database. In VBScript you can use a GetObject LDAP query, so you could have an ASP page which would pull the user out. You could then use the SetPassword function to set the password and then set the pwdLastSet attribute to 0.
Are you sure this is a big enough issue for you to justify this little headache? It would be easier to modify user behaviour, like telling them there's a three day wait on password resets or something. Make them fill in some long-winded form so it becomes easier for them to remember their password than get it changed.
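As an added example (not code from the answer above, nor from any product mentioned in this thread), here are the same steps the answer describes, done from PowerShell with ADSI instead of VBScript/ASP: look the user up with an LDAP query, reset the password with SetPassword, set pwdLastSet to 0 so the temporary password must be changed at next logon, plus the unlock by writing lockoutTime to 0. It assumes the web page runs the script under a service identity that has been delegated only "Reset password" and write access to lockoutTime and pwdLastSet on the target OU, so no ordinary user ever gets rights over another account; the OU path and the parameter name are placeholders. On servers with the ActiveDirectory module, Unlock-ADAccount, Set-ADAccountPassword -Reset and Set-ADUser -ChangePasswordAtLogon do the same three things.

```powershell
# Added example: self-service reset and unlock via ADSI. Not code from the
# original answer. Assumes the caller holds delegated rights on the OU
# ("Reset password", write lockoutTime, write pwdLastSet). Placeholders below.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $SearchBase = 'LDAP://OU=RemoteUsers,DC=example,DC=local'   # placeholder OU
)

function ConvertTo-LdapFilterLiteral([string] $Value) {
    # The account name arrives from a web form: escape it (RFC 4515) instead of
    # pasting it into the filter, or "*" would match every user in the OU.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function New-TemporaryPassword([int] $Length = 16) {
    # CSPRNG-backed (not Get-Random). One character from each class guarantees the
    # default AD complexity rule (3 of 4 classes); ambiguous glyphs are left out.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghjkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(4)
    $pick = { param([string] $Chars) $rng.GetBytes($buf); $Chars[[int]([BitConverter]::ToUInt32($buf, 0) % $Chars.Length)] }
    $chars = @(foreach ($c in $classes) { & $pick $c })
    while ($chars.Count -lt $Length) { $chars += & $pick (-join $classes) }
    # Shuffle so the class-guaranteed characters are not always the first four.
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })
}

# 1. Locate the account: the DirectorySearcher is the PowerShell form of the
#    GetObject/LDAP query the answer mentions.
$searcher = [System.DirectoryServices.DirectorySearcher]::new([ADSI]$SearchBase)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
$result = $searcher.FindOne()
# Do not tell the web caller whether the account exists; that is an enumeration oracle.
if (-not $result) { throw 'The reset request could not be completed.' }
$user = $result.GetDirectoryEntry()

# 2. Unlock: lockoutTime = 0 clears the lock without waiting for the lockout duration.
$user.Put('lockoutTime', 0)

# 3. Reset with SetPassword (not ChangePassword: the old password is unknown), then
#    pwdLastSet = 0 so the temporary password must be changed at next logon.
$temp = New-TemporaryPassword
$user.psbase.Invoke('SetPassword', $temp)
$user.Put('pwdLastSet', 0)
$user.SetInfo()

# Audit who was reset and from where; never write the password itself to any log.
Write-Verbose "Reset and unlock of $SamAccountName completed at $(Get-Date -Format o)"
$temp   # show to the user only on the HTTPS page, after they have proved who they are
```

The script's two additions to the answer's recipe are the filter escaping and the generic error on a missing account: a reset page is reachable by anyone who can reach the web server, so it must neither be usable to enumerate accounts nor accept the typed name as raw LDAP filter syntax.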



Discuss This Answer



spadasoe  |   Jun 15 2005  9:01AM GMT

IMHO, if they can’t either get it right in 5 tries, or if they ignore password expiration warnings for 5-10 days, they deserve to be locked out. Set a delay for unlocking the account (we use 10 minutes), and on resets, make it a real chore to get your staff to perform this task. User education is sometimes painful, but in many cases it works.

 


TheVyrys  |   Jun 15 2005  9:24AM GMT

I agree that they should take more initiative in being able to remember their password.

You may have already implemented something or thought about it, but I train our users on how to be creative with their complexity requirements. It can become quite simple for them.

Example:
If they like camping, their password could be C@mping.
That meets 3 of the 4 complexity requirements.
another example I give them: $50cash
or: #1mommy
It’s funny to see their eyes light up during training when they realize how easy it is, and some of the creative people actually have fun doing it.
That training alone has cut out our workload tremendously.
good luck!

 

aknair  |   Jun 15 2005  10:05AM GMT

Hey Greg,

Are you sure that users are typing their passwords wrong... or is someone trying to compromise the network by trying to hack passwords?
We had an issue within our organization where a user’s account would get locked out every day. We couldn’t track down the reason why this was happening. It just ceased to occur after a few weeks.

I don’t mean to worry you... it’s better to be safe than sorry.

aknair

 

gottaggedsoamnowIT  |   Jun 15 2005  2:17PM GMT

At my company, users (like myself) are able to instantly reset and re-enable their own passwords/accounts in the secured, web-based associate resource utility, but they must be able to answer a few security questions first to get a new, temporary password:

1. Employee ID Number xxxxxx
2. Soc. Security Number xxx-xx-xxxx
3. Birth date Month-Day-Year
4. Home zip code xxxxx

The data for the above prompts can be queried through the employee’s profile, and it saves us hundreds of unneeded calls a day to our Helpdesk. (A big time/money saver!)

Good luck.
Gary

 
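The challenge step Gary describes (answer a few questions the company already holds about you, then receive a temporary password) is the part of a self-service reset that attackers will aim at, because the answers are low-entropy. As an added example, and not the utility Gary's company uses, this PowerShell code shows how such a check can be built so that a leaked database does not leak the answers and the reset page cannot be used to guess them: answers are stored only as salted PBKDF2 hashes, every question is evaluated before anything is reported, hashes are compared in constant time, and failed challenges have their own attempt counter separate from the domain lockout. The question names, user name and sample answers are constructed for the example.

```powershell
# Added example: challenge-answer verification for a self-service reset page.
# Constructed data; not the "associate resource utility" described above.
$Iterations  = 100000
$MaxAttempts = 3
$script:FailedChallenges = @{}   # user -> failed count; persist this in a real deployment

function ConvertTo-NormalizedAnswer([string] $Answer) {
    # Case, surrounding whitespace and punctuation should not cause a false
    # failure ("10-12-1980" vs "10/12/1980"); nothing else is forgiven.
    ($Answer.Trim().ToLowerInvariant() -replace '[^a-z0-9]', '')
}

function Protect-Answer([string] $Answer) {
    # Enrollment: returns the record to store. A per-answer random salt means two
    # users with the same zip code do not share a hash, and plaintext is never kept.
    $salt = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new((ConvertTo-NormalizedAnswer $Answer), $salt, $Iterations)
    @{ Salt = $salt; Hash = $kdf.GetBytes(32) }
}

function Test-FixedTimeEqual([byte[]] $A, [byte[]] $B) {
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes matched (CryptographicOperations.FixedTimeEquals is not in .NET Framework).
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Test-ChallengeAnswers([string] $User, [hashtable] $Stored, [hashtable] $Given) {
    # $Stored: question -> record from Protect-Answer. $Given: question -> typed answer.
    if ($script:FailedChallenges[$User] -ge $MaxAttempts) {
        return 'Locked'   # the reset page itself must lock, or it becomes a guessing oracle
    }
    $ok = $true
    foreach ($q in $Stored.Keys) {
        $typed = if ($Given.ContainsKey($q)) { [string]$Given[$q] } else { '' }
        $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new((ConvertTo-NormalizedAnswer $typed), $Stored[$q].Salt, $Iterations)
        # Evaluate every question so a wrong first answer is not reported faster than a wrong last one.
        $ok = (Test-FixedTimeEqual $Stored[$q].Hash $kdf.GetBytes(32)) -and $ok
    }
    if ($ok) {
        $script:FailedChallenges.Remove($User)
        return 'Verified'
    }
    $script:FailedChallenges[$User] = 1 + [int]$script:FailedChallenges[$User]
    return 'Failed'
}

# Constructed sample run: enrol two answers, then one good and one bad attempt.
$stored = @{ 'Employee ID' = Protect-Answer '123456'; 'Home zip' = Protect-Answer '90210' }
Test-ChallengeAnswers 'gnottage' $stored @{ 'Employee ID' = '123456'; 'Home zip' = '90210' }
Test-ChallengeAnswers 'gnottage' $stored @{ 'Employee ID' = '123456'; 'Home zip' = '10001' }
```

Only after Test-ChallengeAnswers returns 'Verified' should the page perform the directory reset, and the reply for 'Failed' should not say which question was wrong. Counting challenge failures separately matters because a five-try domain lockout does nothing to stop someone who is guessing zip codes on the reset page rather than passwords at the logon prompt.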

dpiatt  |   Jun 15 2005  2:43PM GMT

I don’t care how secure the site is - I wouldn’t want all of my personal information available from the web.
Maybe one of those questions, not SS#, and maybe my favorite kind of dog, lol.
Do you guys run Sharepoint Portal Server? I have a webpart in Portal that will change the user's password for Active Directory.

Dane

 

GregNottage  |   Jun 15 2005  3:31PM GMT

Most of our users access a timesheet system that runs on our network. They login using their AD user account, but they seem to regularly forget their passwords, since most of them only access this webpage to log their timecards. The webpage doesn’t handle the password resets, so I need another solution.

We do have a Sharepoint Portal server, and it is public facing (via https).

If you can let me know how to get Sharepoint configured to help with the password resets, that would be great.

I also like the idea of having data stored that is used to challenge the user trying to reset the password.

Thanks for all your responses, they are all appreciated ;-)

Kind Regards,

Greg.

 

EricHarris  |   Jun 16 2005  10:42AM GMT

You could give the department managers rights to those two functions and then create Taskpads for them that could only do those two things. This offloads a task that doesn’t really require technical skills to the people that are directly responsible for the employees that have the problem. That sort of thing is one of the primary uses for Taskpads.

 

dpiatt  |   Jun 16 2005  11:46AM GMT

Ok - If you have Sharepoint then you can talk to Advis about a webpart to accomplish this.

 

dunklur  |   Jun 17 2005  6:20AM GMT

I love replies #2 and #3. They’ve been sent twice. In case of wrong passwords, one try less.
Imagine users who have to remember quite a lot of passwords, sometimes mixing them up and sometimes mistyping them. By educating them you have quite a chance to teach them to write passwords down and all that stuff. Do you already know the possible causes for that amount of errors? Have you considered which lockout time is enough regarding possible hacks? 1 minute? What happens when they cannot log on for a long time?
Regards, Wolfgang

 

abheejeet  |   Jun 20 2005  9:19AM GMT

Hi Greg,

I don’t exactly know if this is of interest to you.

While I was studying for my foundation degree, my institute’s system used a three-chance policy. If by mistake someone tried using a wrong password thrice, his or her password would automatically be reset to the original password, which was allocated to them at the first instance. But the catch in this is that the user can’t use the last 5 password combinations.

Although this sort of thing was not a regular feature, every time this happened the user had to give out some information about themselves to the system in order to authenticate them properly. Every user was supposed to have an alphanumeric password.

hope this helps.

abheejeet

 

vqt411  |   Jun 28 2005  4:48PM GMT

You can try a 3rd party utility from Quest Software. Quest Password Reset Manager allows end users to reset forgotten passwords securely, allowing administrators to implement stronger password policies while reducing the help desk workload. Password Reset Manager provides a simple, secure solution that allows end users to reset forgotten passwords and unlock their user accounts themselves. Password Reset Manager accommodates the widest possible range of organization requirements and data security standards. There is a trial version that you can implement in a test environment and see if it fits your needs.

 

Sgiovanni  |   Nov 22 2007  1:35AM GMT

GottaggedsoamnowIT / Gary,

What is the “secured, web-based associate resource utility” your company uses?

 

Gefff  |   Feb 22 2008  2:29PM GMT

I can give you a good example of such a utility.
You can take a look at password self service from scriptlogic. It’s a highly secure password management solution.
For example, for self-service password reset or change, users are prompted with several challenge questions that they must answer.
Also this tool can ensure that only passwords meeting the policies defined by the administrator are accepted.