Delegated Password Reset (Allow trusted users to reset other account passwords)
The Foldr administrator can enable delegated password control to allow selected Active Directory users or groups to reset other users' network passwords.
A new / fixed password can be set by the delegated / trusted user at the time of the reset and they can optionally set the ‘user must change password at next logon’ flag. This feature can be used to provide a simple and secure way to allow helpdesk or trusted users such as educators to reset student passwords in an educational environment.
Delegated password reset in the web app, as with personal password change control, requires LDAPS to be enabled on the Active Directory domain. The LDAP Server(s) within Foldr Settings >> General must be prefixed ldaps:// or you will see a warning when you try to enable password change control.
More information on enabling LDAPS can be found here:
Once LDAPS has been enabled on the domain, you can validate the domain controller is accepting LDAP connections over SSL on port 636 using the LDP tool found on Windows Server.
LDAPS connection being accepted
Permissions Required for Delegated Password Reset (& Self-Service Reset)
The Foldr appliance uses the main service account configured within Foldr Settings >> General to perform the password reset request on behalf of the delegated (trusted) user. As such, the service account configured requires the appropriate permission to reset the target user’s password within Active Directory.
Windows Domain Controller – Granting permissions to the Service Account
To grant the service account user password reset permissions on the domain controller you can use the Delegate Control wizard within Active Directory Users & Computers.
1. Right click the root Organizational Unit that contains the users that are to have their password reset by the delegated user(s)
2. Search for and add the Foldr service account and click Next
3. Check ‘Reset user passwords and force password change at next logon’ and ‘Read all user information’, then click Next
4. Complete the Delegation of Control Wizard by clicking Finish
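To confirm the wizard granted the service account only what the steps above describe, the following added example (not part of the Foldr documentation) lists the account's Allow entries on the OU and flags anything broader than password reset, pwdLastSet write and read access. The OU distinguished name and account name are placeholders, and it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine.

```powershell
# Added example: audit the ACEs held by the Foldr service account on the delegated OU.
# $OuDn and $ServiceAccount are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$OuDn           = 'OU=Students,DC=example,DC=test'
$ServiceAccount = 'EXAMPLE\svc-foldr'

# Well-known Active Directory schema GUIDs
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]

# Allow ACEs on the OU whose trustee is the service account
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}

$report = foreach ($ace in $aces) {
    $r = $ace.ActiveDirectoryRights
    # Broad rights are tested first: GenericAll also contains the narrower bits.
    $verdict = if ($r.HasFlag($Rights::GenericAll) -or $r.HasFlag($Rights::WriteDacl) -or
                   $r.HasFlag($Rights::WriteOwner)) {
        'REVIEW: full control or ACL/owner change'
    } elseif ($r.HasFlag($Rights::ExtendedRight)) {
        if ($ace.ObjectType -eq $ResetPassword) { 'Expected: Reset Password' }
        else { 'REVIEW: other or all extended rights' }
    } elseif ($r.HasFlag($Rights::WriteProperty)) {
        if ($ace.ObjectType -eq $PwdLastSet) { 'Expected: write pwdLastSet' }
        else { 'REVIEW: write to other attributes' }
    } else {
        'Expected: read access'
    }
    [pscustomobject]@{
        Verdict     = $verdict
        Rights      = $r
        ObjectType  = $ace.ObjectType
        AppliesTo   = $ace.InheritedObjectType
        Inherited   = $ace.IsInherited
        Inheritance = $ace.InheritanceType
    }
}

$report | Sort-Object Verdict | Format-Table -AutoSize

if ($report.Verdict -notcontains 'Expected: Reset Password') {
    Write-Warning "No Reset Password right found for $ServiceAccount on $OuDn"
}
```

Entries with Inherited set to True come from a parent container rather than from the wizard run on this OU; a right granted through group membership appears under the group's name and is not matched by this filter.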
The delegated password reset feature is available within Security Settings >> Password Control.
Foldr Settings – Delegating Password Control to a user
User web interface – Resetting a user’s password
Selecting Password Control >> Reset a Password from within the Security Settings area when logged into the Foldr (user) web interface.
The user can search the domain, enter the new password and optionally toggle the ‘User must change password at next login’ flag.
If the change password at next login flag is set, the student.demo1 account in the example above will be able to change this through Foldr web or mobile apps at next login.