[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

AD self service password reset -  how do they work?

Posted on 2016-10-28
4
Medium Priority
?
119 Views
Last Modified: 2016-11-17
Software/servers or Identity Management t solutions that enable self service password resets for AD users, how do they generally work on the back end?  
Do most just store secure information like security questions that only the user would know in a back end SQL encrypted database?    
What about storing that information in Active Directory?    
What about AD User object CHILD objects? Are those used in things like this and in what capacity and how are they secured?    
An admin who works with me wants the password reset tool to work based off user answering security questions that are stored in AD and wants to hack the security descriptors to "secure" things like mobile phone attribute, which to me is unheard of?
0
Comment
Question by:garryshape
  • 2
4 Comments
 
LVL 57

Accepted Solution

by:
McKnife earned 1000 total points
ID: 41865094
The principle is: you authenticate against a different entitity. That entity enables you to impersonate the account that you forgot the password of and reset it. There are many ways to put that to work.
0
 

Author Comment

by:garryshape
ID: 41865275
Ok, that makes sense.
But, I guess building your own self-service password reset that relies fully on verifying information stored in your AD user object attributes, is pretty much a security risk?
Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people.
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41865779
The idea is you have a web based application that consults data in the ad, or personnel data stored in a DB as a means of verification.
Or include external email to which a token can be sent that then can be used to reset the passwd.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41866001
"Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people" - it depends on what you do. An easy self-built concept without a webserver would work like this:
Each user has two users. Example: 1) Joe and 2) ResetJoe.
ResetJoe may not do much (he has logon restrictions and belongs to no groups), his sole privilege is to reset the password of Joe. When Joe forgets his password, he logs on with ResetJoe and resets Joe's password (via a little script).

Only drawback: Of course the user would need to remember Resetjoe's password.
1

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question