Delegated Password Reset

Posted on 29th November 2016

Delegated Password Reset (Allow trusted users to reset other account passwords)

The Foldr administrator can enable delegated password control to allow selected Active Directory users or groups to reset other users' network passwords.

A new (fixed) password is set by the delegated (trusted) user at the time of the reset, and they can optionally set the 'user must change password at next logon' flag. This feature provides a simple and secure way to allow helpdesk staff or trusted users such as educators to reset student passwords in an educational environment.

Delegated password reset in the web app, like personal password change control, requires LDAPS to be enabled on the Active Directory domain. The LDAP Server(s) within Foldr Settings >> General must be prefixed ldaps:// or you will see the warning below when you try to enable password change control.


More information on enabling LDAPS can be found here:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc

Once LDAPS has been enabled on the domain, you can validate the domain controller is accepting LDAP connections over SSL on port 636 using the LDP tool found on Windows Server.

LDP tool: LDAPS connection being accepted
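As an added check that is not part of the original Foldr article, the following PowerShell script performs the same validation as the LDP tool from any Windows host: it opens TCP 636 on the domain controller, completes a TLS handshake, and reports the certificate details and chain status that the Foldr appliance will need to trust. The domain controller name is a placeholder.

```powershell
# Added example, not from Foldr. Replace the placeholder DC name with your own domain controller FQDN.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, $Port)
} catch {
    Write-Warning "TCP connect to ${DomainController}:$Port failed, LDAPS is not listening: $($_.Exception.Message)"
    return
}

# Accept any certificate during the handshake so we can inspect it; trust is evaluated separately below.
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against this host's trust store. An ldaps:// client such as the Foldr
    # appliance must trust the issuing CA, so any status other than NoError needs attention.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainBuilt = $chain.Build($cert)
    $chainStatus = if ($chainBuilt) { 'NoError' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    # The DC's FQDN must appear in the Subject Alternative Name for hostname validation to pass.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Host        = $DomainController
        Protocol    = $ssl.SslProtocol
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        SAN         = $san
        ChainStatus = $chainStatus
    }
} catch {
    Write-Warning "TLS handshake on port $Port failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

A successful LDAPS endpoint returns a ChainStatus of NoError, a NotAfter date in the future and the DC's FQDN in the SAN; anything else will also fail when Foldr connects with ldaps://.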

Permissions Required for Delegated Password Reset (& Self-Service Reset)

The Foldr appliance uses the main service account configured within Foldr Settings >> General to perform the password reset request on behalf of the delegated (trusted) user. As such, the configured service account requires the appropriate permission to reset the target user's password within Active Directory.


Windows Domain Controller – Granting permissions to the Service Account

To grant the service account user password reset permissions on the domain controller you can use the Delegate Control wizard within Active Directory Users & Computers.

1. Right click the root Organizational Unit that contains the users whose passwords are to be reset by the delegated user(s) and select Delegate Control.

2. Search for and add the Foldr service account, then click Next.

3. Check 'Reset user passwords and force password change at next logon' and 'Read all user information', then click Next.

4. Complete the Delegation of Control Wizard by clicking Finish.

The delegated password reset feature is available within Security Settings >> Password Control.

Foldr Settings – Delegating Password Control to a user


User web interface – Resetting a user’s password

Select Password Control >> Reset a Password from within the Security Settings area when logged into the Foldr (user) web interface.

The user can search the domain, enter the new password and optionally toggle the 'User must change password at next login' flag.


If the 'change password at next login' flag is set, the student.demo1 account in the example above will be prompted to change the password through the Foldr web or mobile apps at next login.


Need more help?

Get in touch with our friendly help desk who will be happy to assist you, [email protected]