Software/servers or Identity Management solutions that enable self-service password resets for AD users, how do they generally work on the back end?
Do most just store secure information like security questions that only the user would know in a back end SQL encrypted database?
What about storing that information in Active Directory?
What about AD User object CHILD objects? Are those used in things like this and in what capacity and how are they secured?
An admin who works with me wants the password reset tool to work based on the user answering security questions that are stored in AD, and wants to hack the security descriptors to "secure" things like the mobile phone attribute, which to me is unheard of?