Solved

AD self service password reset -  how do they work?

Posted on 2016-10-28
Last Modified: 2016-11-17
Software/servers or Identity Management solutions that enable self-service password resets for AD users: how do they generally work on the back end?
Do most just store secure information like security questions that only the user would know in an encrypted back-end SQL database?
What about storing that information in Active Directory?
What about AD user object child objects? Are those used in things like this, and in what capacity, and how are they secured?
An admin who works with me wants the password reset tool to work based off the user answering security questions that are stored in AD, and wants to hack the security descriptors to "secure" things like the mobile phone attribute, which to me is unheard of.
Question by:garryshape
4 Comments
 
LVL 56

Accepted Solution

by:
McKnife earned 1000 total points
ID: 41865094
The principle is: you authenticate against a different entity. That entity enables you to impersonate the account that you forgot the password of and reset it. There are many ways to put that to work.
 

Author Comment

by:garryshape
ID: 41865275
Ok, that makes sense.
But, I guess building your own self-service password reset that relies fully on verifying information stored in your AD user object attributes, is pretty much a security risk?
Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people.
 
LVL 80

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41865779
The idea is you have a web-based application that consults data in AD, or personnel data stored in a DB, as a means of verification.
Or include an external e-mail address to which a token can be sent that can then be used to reset the password.
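The e-mail token leg of the design arnold sketches, as an added example (not arnold's code, and not any product's implementation). It is the pair of functions a web front end would call: one issues a random, short-lived, single-use token and mails it to the address of record, the other consumes it and performs the reset. An in-memory hashtable stands in for the tool's database; the domain, SMTP host, sender address and the choice of the `mail` attribute as the verified external address are all assumptions. The account running `Complete-Reset` needs only a delegated "Reset Password" right on the user objects it serves, not Domain Admins.

```powershell
Import-Module ActiveDirectory

$TokenStore = @{}   # sAMAccountName -> @{ Hash; Expires }  (stand-in for the DB)

function Get-TokenHash([string]$Token) {
    # Only the hash is stored, so a read of the DB (or its backup) yields no live tokens.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [Convert]::ToBase64String($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Token)))
}

function New-ResetToken {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # 32 bytes from the OS CSPRNG, not Get-Random.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $token = [Convert]::ToBase64String($bytes)

    $TokenStore[$SamAccountName] = @{
        Hash    = Get-TokenHash $token
        Expires = (Get-Date).AddMinutes(15)     # short lifetime
    }

    # Address of record read from AD; 'mail' is assumed to hold the verified
    # external address (hypothetical choice, pick your own attribute).
    $user = Get-ADUser -Identity $SamAccountName -Properties mail
    Send-MailMessage -To $user.mail -From 'pwreset@corp.example' `
        -SmtpServer 'smtp.corp.example' -Subject 'Password reset' `
        -Body "Your reset code: $token (valid for 15 minutes)"
}

function Complete-Reset {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $rec = $TokenStore[$SamAccountName]
    # Single use: remove before checking, so a wrong guess also burns the token
    # and an attacker cannot keep trying against the same one.
    $TokenStore.Remove($SamAccountName)

    if (-not $rec -or (Get-Date) -gt $rec.Expires) { throw 'No valid reset token' }
    if ((Get-TokenHash $Token) -ne $rec.Hash)     { throw 'No valid reset token' }

    # Runs under a service account holding only the delegated Reset Password right.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
}

# Usage from the front end (hypothetical account):
# New-ResetToken -SamAccountName 'Joe'
# Complete-Reset -SamAccountName 'Joe' -Token $codeFromMail -NewPassword (Read-Host -AsSecureString)
```

The point of the design is that the secret the user proves possession of never lives in AD at all, so the concern about anyone with LDAP read access seeing the verification data does not arise; what does need protecting is the external mailbox and the service account's delegated right.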
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41866001
"Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people" - it depends on what you do. An easy self-built concept without a webserver would work like this:
Each user has two users. Example: 1) Joe and 2) ResetJoe.
ResetJoe may not do much (he has logon restrictions and belongs to no groups); his sole privilege is to reset the password of Joe. When Joe forgets his password, he logs on with ResetJoe and resets Joe's password (via a little script).

Only drawback: of course the user would need to remember ResetJoe's password.
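The Joe / ResetJoe pairing McKnife describes, built with the ActiveDirectory RSAT module, as an added example (not McKnife's script). The domain corp.example, the OU ResetAccounts, the kiosk name RESETKIOSK01 and the two account names are all hypothetical. The part that makes the scheme safe is step 2: ResetJoe gets exactly one access control entry on Joe's object, the "Reset Password" control access right, and nothing else; step 3 is how to confirm that is all it got.

```powershell
Import-Module ActiveDirectory

$target = Get-ADUser -Identity 'Joe'

# 1. The helper account. Interactive logon is pinned to one workstation and it
#    joins no groups (it keeps only its primary group, Domain Users).
New-ADUser -Name 'ResetJoe' -SamAccountName 'ResetJoe' `
    -UserPrincipalName 'ResetJoe@corp.example' `
    -Path 'OU=ResetAccounts,DC=corp,DC=example' `
    -AccountPassword (Read-Host -AsSecureString 'Password for ResetJoe') `
    -LogonWorkstations 'RESETKIOSK01' -Enabled $true
$resetter = Get-ADUser -Identity 'ResetJoe'

# 2. Delegate exactly one thing: the "Reset Password" control access right on
#    Joe's object. The GUID is the schema's User-Force-Change-Password right.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]$resetter.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight)

$targetPath = "AD:\$($target.DistinguishedName)"
$acl = Get-Acl -Path $targetPath
$acl.AddAccessRule($ace)
Set-Acl -Path $targetPath -AclObject $acl

# 3. Check: the only ACE naming ResetJoe should be ExtendedRight scoped to the
#    Reset Password GUID. Anything broader (GenericAll, WriteDacl, WriteOwner,
#    an unscoped ExtendedRight) means the delegation went wrong.
(Get-Acl -Path $targetPath).Access |
    Where-Object { $_.IdentityReference -like '*\ResetJoe' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize

# 4. The "little script" Joe runs after logging on as ResetJoe. With only the
#    ACE above it can do this to Joe's object and nothing else.
$newPassword = Read-Host -AsSecureString 'New password for Joe'
Set-ADAccountPassword -Identity 'Joe' -Reset -NewPassword $newPassword
```

Two caveats a practitioner would want: the ACE is a standing grant, so ResetJoe's password is now a second way into Joe, and ACL-enumeration tooling will show it as a force-change-password path; and if you also want to set "user must change password at next logon" from the helper account, that is a write to pwdLastSet and needs its own property-write ACE, so the reset right alone is not enough for that step.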
