Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

AD self service password reset -  how do they work?

Posted on 2016-10-28
4
99 Views
Last Modified: 2016-11-17
Software/servers or Identity Management t solutions that enable self service password resets for AD users, how do they generally work on the back end?  
Do most just store secure information like security questions that only the user would know in a back end SQL encrypted database?    
What about storing that information in Active Directory?    
What about AD User object CHILD objects? Are those used in things like this and in what capacity and how are they secured?    
An admin who works with me wants the password reset tool to work based off user answering security questions that are stored in AD and wants to hack the security descriptors to "secure" things like mobile phone attribute, which to me is unheard of?
0
Comment
Question by:garryshape
  • 2
4 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 41865094
The principle is: you authenticate against a different entitity. That entity enables you to impersonate the account that you forgot the password of and reset it. There are many ways to put that to work.
0
 

Author Comment

by:garryshape
ID: 41865275
Ok, that makes sense.
But, I guess building your own self-service password reset that relies fully on verifying information stored in your AD user object attributes, is pretty much a security risk?
Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41865779
The idea is you have a web based application that consults data in the ad, or personnel data stored in a DB as a means of verification.
Or include external email to which a token can be sent that then can be used to reset the passwd.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41866001
"Because, any Joe Schmo with a bit of knowledge could use AD query tools to read attributes on people" - it depends on what you do. An easy self-built concept without a webserver would work like this:
Each user has two users. Example: 1) Joe and 2) ResetJoe.
ResetJoe may not do much (he has logon restrictions and belongs to no groups), his sole privilege is to reset the password of Joe. When Joe forgets his password, he logs on with ResetJoe and resets Joe's password (via a little script).

Only drawback: Of course the user would need to remember Resetjoe's password.
1

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question