Solved

AD self service password reset -  how do they work?

Posted on 2016-10-28
4
107 Views
Last Modified: 2016-11-17
Software/servers or Identity Management t solutions that enable self service password resets for AD users, how do they generally work on the back end?  
Do most just store secure information like security questions that only the user would know in a back end SQL encrypted database?    
What about storing that information in Active Directory?    
What about AD User object CHILD objects? Are those used in things like this and in what capacity and how are they secured?    
An admin who works with me wants the password reset tool to work based off user answering security questions that are stored in AD and wants to hack the security descriptors to "secure" things like mobile phone attribute, which to me is unheard of?
0
Comment
Question by:garryshape
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 41865094
The principle is: you authenticate against a different entitity. That entity enables you to impersonate the account that you forgot the password of and reset it. There are many ways to put that to work.
0
 

Author Comment

by:garryshape
ID: 41865275
Ok, that makes sense.
But, I guess building your own self-service password reset that relies fully on verifying information stored in your AD user object attributes, is pretty much a security risk?
Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people.
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41865779
The idea is you have a web based application that consults data in the ad, or personnel data stored in a DB as a means of verification.
Or include external email to which a token can be sent that then can be used to reset the passwd.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41866001
"Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people" - it depends on what you do. An easy self-built concept without a webserver would work like this:
Each user has two users. Example: 1) Joe and 2) ResetJoe.
ResetJoe may not do much (he has logon restrictions and belongs to no groups), his sole privilege is to reset the password of Joe. When Joe forgets his password, he logs on with ResetJoe and resets Joe's password (via a little script).

Only drawback: Of course the user would need to remember Resetjoe's password.
1

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question