Delegated Password Reset

Delegated Password Reset (Allow trusted users to reset other account passwords)

The Foldr administrator can enable delegated password control to allow selected Active Directory users or groups to reset other users' network passwords.

The delegated (trusted) user sets the new password at the time of the reset and can optionally set the ‘user must change password at next logon’ flag. This provides a simple and secure way for helpdesk staff, or other trusted users such as educators in a school, to reset student passwords.

Delegated password reset in the web app, like personal password change control, requires LDAPS to be enabled on the Active Directory domain: Active Directory refuses to write a password over an unencrypted LDAP session. The LDAP server(s) within Foldr Settings >> General must therefore be prefixed ldaps:// or you will see the warning below when you try to enable password change control.

(Screenshot: warning shown in Foldr Settings when password change control is enabled without an ldaps:// server)

More information on enabling LDAPS can be found here:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc

Once LDAPS has been enabled on the domain, you can validate that the domain controller is accepting LDAP connections over SSL on port 636 using the LDP tool (ldp.exe) found on Windows Server: connect to the domain controller on port 636 with the SSL box checked.

(Screenshot: LDP connect dialog with port 636 and SSL selected)

LDAPS connection being accepted

(Screenshot: LDP output showing the LDAPS connection established)
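To script the same check, as an added example that is not part of Foldr's documentation: the following PowerShell, run from any domain-joined Windows host, confirms TCP 636 is reachable, completes a TLS handshake and prints the certificate the domain controller presents together with any chain or name validation errors. The host name dc01.example.local is an assumption; use the exact name from the ldaps:// entry in Foldr Settings, since the certificate's subject or SAN should match the name the client connects to.

```powershell
# Added example (not Foldr's own code). Verifies that a DC accepts LDAPS on TCP 636
# and shows the certificate it presents. $Dc is an assumed host name; substitute your own.
$Dc   = 'dc01.example.local'   # assumption: the name used in Foldr's ldaps:// URL
$Port = 636

# 1. Is the port reachable at all?
if (-not (Test-NetConnection -ComputerName $Dc -Port $Port -InformationLevel Quiet)) {
    throw "TCP $Port on $Dc is closed or filtered"
}

# 2. Complete a TLS handshake. The callback records chain/name errors instead of
#    silently accepting the certificate, so we learn what a strict client would see.
$script:TlsErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($Dc, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:TlsErrors = $errors
        $true   # keep the handshake going so the certificate can be inspected
    })
try {
    $ssl.AuthenticateAsClient($Dc)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. Report. 'None' under TlsErrors means a validating client will accept this listener
#    once it trusts the issuing CA; anything else is what the appliance may also trip over.
[pscustomobject]@{
    Server    = $Dc
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotAfter  = $cert.NotAfter
    DnsNames  = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    TlsErrors = $script:TlsErrors
}
```

A closed port means the domain controller has no server-authentication certificate it can use for LDAPS yet; a handshake that completes but reports RemoteCertificateChainErrors or RemoteCertificateNameMismatch means the listener is up but clients that validate the certificate (or that connect by a name not in the certificate) will still fail.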


Permissions Required for Delegated Password Reset (& Self-Service Reset)

The Foldr appliance uses the main service account configured within Foldr Settings >> General to perform the password reset request on behalf of the delegated (trusted) user. As such, the service account requires the appropriate permission to reset the target user's password within Active Directory. Two consequences follow: Active Directory sees every reset as performed by the service account, not by the trusted user, so delegate the right only on the OU(s) that contain the accounts which should be resettable, never at the domain root; and while Foldr Settings controls who may use the feature, the set of accounts they can reset is defined by the service account's Active Directory permissions.

Windows Domain Controller – Granting permissions to the Service Account

To grant the service account user password reset permissions on the domain controller you can use the Delegate Control wizard within Active Directory Users & Computers.

1. Right-click the root Organizational Unit that contains the users who are to have their passwords reset by the delegated user(s) and choose Delegate Control…

(Screenshot: Delegate Control selected on the Organizational Unit)

2. Search for and add the Foldr service account and click Next

(Screenshot: Foldr service account added in the Delegation of Control Wizard)

3. Check ‘Reset user passwords and force password change at next logon’ and ‘Read all user information’, then click Next.

To allow Foldr users to unlock locked-out accounts in Active Directory, the service account must also be able to write the lockoutTime attribute of the target users. The wizard only offers this as part of the much broader task:

Create, delete, and manage user accounts

Alternatively, you can grant the granular permission ‘Write all properties’ to the Foldr service account on the OUs concerned, via the OU's Security tab > Advanced. Both of these grant far more than unlocking needs; the least-privilege option is a single ‘Write lockoutTime’ property permission on user objects, set on the same Advanced tab.

4. Complete the Delegation of Control Wizard by clicking Finish

(Screenshot: Delegation of Control Wizard summary before clicking Finish)
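The same delegation as an added PowerShell example (not Foldr's own code or documentation), using dsacls instead of the wizard. It makes the exact rights visible and reviewable and is scoped narrower than the wizard's tasks: the Reset Password control-access right, read/write on pwdLastSet (the ‘must change password at next logon’ flag), read/write on lockoutTime for unlocking, and generic read for ‘Read all user information’. The OU and account names are assumptions.

```powershell
# Added example (not Foldr's own code). Grants the Foldr service account the minimum rights
# needed for delegated reset on one OU, then prints the resulting ACEs for review.
# The OU DN and account name are assumptions; substitute your own.
$Ou  = 'OU=Students,DC=example,DC=local'   # assumed OU holding the accounts that may be reset
$Svc = 'EXAMPLE\svc_foldr'                  # assumed Foldr service account

# /I:S applies the ACE to sub-objects only; the trailing ';user' limits it to user objects,
# which is also what the Delegate Control wizard does.
dsacls $Ou /I:S /G "${Svc}:CA;Reset Password;user"   # administrative reset, no old password needed
dsacls $Ou /I:S /G "${Svc}:RPWP;pwdLastSet;user"     # set 'must change password at next logon'
dsacls $Ou /I:S /G "${Svc}:RPWP;lockoutTime;user"    # unlock accounts; far narrower than
                                                      # 'Create, delete, and manage user accounts'
dsacls $Ou /I:S /G "${Svc}:GR;;user"                 # 'Read all user information'

# Review what was granted: only the ACE lines that name the service account.
dsacls $Ou | Select-String -SimpleMatch $Svc
```

Run this as a domain administrator on a domain controller or a host with RSAT installed. Running `dsacls $Ou` on its own lists every ACE on the OU, which is the quickest way to confirm nobody has previously delegated the broader ‘Write all properties’ right to the same account.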

Enable Delegated Password Reset for Users or Groups in Foldr Settings

The delegated password reset feature is available within the top-right web app menu >> Password Control. In the iOS app this feature is available in Me >> Password Control.

1.  In Foldr Settings > Security > Passwords > Delegated Reset – click + Add User or Group

2.  Search Active Directory for the user or security group to which you would like to grant delegated password reset permission. In this example, all members of the ‘Staff’ security group are granted permission to reset student passwords.

3.  Click Update and finally, click SAVE CHANGES.

Now when a member of staff signs into Foldr using the web or iOS apps, they will be able to use the Password Control feature to reset student passwords.


User web app – Resetting a user’s password

Select Password Control >> Reset a Password from the top-right menu of the Foldr web app when logged into the Foldr (user) interface.

The trusted user can search the Active Directory domain, enter the new password and optionally unlock the account or set the ‘User must change password at next login’ flag.

If the change password at next login flag is set, the account being reset (student.demo1 in this example) will be prompted to change the password through the Foldr web, desktop or mobile apps at next sign-in.
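What the reset looks like at the directory level, as an added example that is not Foldr's code: the three LDAP modifications that an administrative reset with both options selected comes down to, sent over LDAPS as the service account. An administrative reset replaces the unicodePwd attribute with the new password (double-quoted, UTF-16LE) in a single operation, which is why the Reset Password right suffices and no old password is involved; pwdLastSet = 0 forces a change at next logon and lockoutTime = 0 clears a lockout. Active Directory rejects a unicodePwd write that arrives over an unencrypted LDAP session, which is the reason for the ldaps:// requirement above. The DC, target DN and password are assumptions.

```powershell
# Added example (not Foldr's own code). Performs an administrative password reset over LDAPS
# as the service account, optionally forcing a change at next logon and unlocking the account.
# Host name, target DN and the new password are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Dc          = 'dc01.example.local'                                   # assumed DC
$TargetDn    = 'CN=student.demo1,OU=Students,DC=example,DC=local'     # assumed DN of the account to reset
$NewPassword = 'Tulip-Harbour-Mosaic-73'                              # assumed; in Foldr it comes from the trusted user's form
$ForceChange = $true                                                  # 'User must change password at next login'
$Unlock      = $true                                                  # clear an existing lockout

$svc  = (Get-Credential -Message 'Foldr service account').GetNetworkCredential()
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
    (New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)))
$conn.SessionOptions.SecureSocketLayer = $true   # unicodePwd writes are refused on a plaintext session
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $svc
$conn.Bind()                                      # throws LdapException if LDAPS or the bind fails

# Replace one attribute on the target. SendRequest throws DirectoryOperationException on any
# non-success LDAP result (e.g. constraintViolation when the password breaks domain policy,
# insufficientAccessRights when the delegation above is missing).
function Set-DirectoryAttribute([string]$Dn, [string]$Name, $Value) {
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = $Name
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($Value)                        # byte[] for unicodePwd, string for the others
    $conn.SendRequest((New-Object System.DirectoryServices.Protocols.ModifyRequest($Dn, $mod))).ResultCode
}

# 1. Administrative reset: a single Replace of unicodePwd with the quoted password in UTF-16LE.
#    (A user's own change would instead Delete the old value and Add the new one.)
$pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"')
Set-DirectoryAttribute $TargetDn 'unicodePwd' $pwdBytes

# 2. The two optional check boxes in the web app correspond to these two attribute writes.
if ($ForceChange) { Set-DirectoryAttribute $TargetDn 'pwdLastSet'  '0' }
if ($Unlock)      { Set-DirectoryAttribute $TargetDn 'lockoutTime' '0' }

$conn.Dispose()
```

Pointing $TargetDn at an account outside the delegated OU is a useful negative test: the unicodePwd write should fail with insufficientAccessRights, confirming the service account's reach is limited to the OU you delegated on.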



© Minnow IT. Registered in England and Wales with company number 07970411.
