Solved

AD self service password reset -  how do they work?

Posted on 2016-10-28
4
60 Views
Last Modified: 2016-11-17
Software/servers or Identity Management t solutions that enable self service password resets for AD users, how do they generally work on the back end?  
Do most just store secure information like security questions that only the user would know in a back end SQL encrypted database?    
What about storing that information in Active Directory?    
What about AD User object CHILD objects? Are those used in things like this and in what capacity and how are they secured?    
An admin who works with me wants the password reset tool to work based off user answering security questions that are stored in AD and wants to hack the security descriptors to "secure" things like mobile phone attribute, which to me is unheard of?
0
Comment
Question by:garryshape
  • 2
4 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 41865094
The principle is: you authenticate against a different entitity. That entity enables you to impersonate the account that you forgot the password of and reset it. There are many ways to put that to work.
0
 

Author Comment

by:garryshape
ID: 41865275
Ok, that makes sense.
But, I guess building your own self-service password reset that relies fully on verifying information stored in your AD user object attributes, is pretty much a security risk?
Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41865779
The idea is you have a web based application that consults data in the ad, or personnel data stored in a DB as a means of verification.
Or include external email to which a token can be sent that then can be used to reset the passwd.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41866001
"Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people" - it depends on what you do. An easy self-built concept without a webserver would work like this:
Each user has two users. Example: 1) Joe and 2) ResetJoe.
ResetJoe may not do much (he has logon restrictions and belongs to no groups), his sole privilege is to reset the password of Joe. When Joe forgets his password, he logs on with ResetJoe and resets Joe's password (via a little script).

Only drawback: Of course the user would need to remember Resetjoe's password.
1

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now