Password reset ignores password history policy

When a user performs a Password Reset, password history rules are ignored, just as though an AD administrator has performed a password reset using "Active Directory Users and Computers". This means that users can completely ignore password history requirements by using Password Reset instead of Password Change.

I understand that you have added the "Upon password reset, force users to change password at next logon" option to help with this.

This is a good start, but there is a problem with the current implementation:

Users do not get a message when they complete the ADSelfService Reset Password process, so they do not know they need to change their password. In our environment many users can only change their passwords using ADSelfService (since they do not have access to Windows Desktops for a particular domain). This currently means that users are very confused at the end of the Password Reset process, since they are still unable to log on to other web applications (using their newly reset domain password), since they do not know that they need to change their password first.

It would be great if, at the end of the Password Reset process, users were immediately told they should change their password (using ADSelfService).

Even better would be if the ADSelfService Reset Password process did obey password history rules. This could be implemented by ADSelfService first performing a reset to a randomly generated password, and then immediately performing a password change to the password the user actually chose.
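
The reset-then-change sequence suggested above, sketched with the ActiveDirectory PowerShell module as an added example; it is not part of the original post and is not ADSelfService Plus code. The function names `New-RandomPassword` and `Reset-PasswordWithHistory` are hypothetical, and the sketch assumes the domain's minimum password age does not block a change immediately after a reset.

```powershell
# Added example: send the user's chosen password through the *change* path,
# where AD applies password history, instead of the *reset* path, which skips it.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 random bytes, base64-encoded, plus a fixed suffix so the value always
    # contains upper-case, lower-case, digit and symbol characters.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes) + 'aZ9!'
}

function Reset-PasswordWithHistory {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [securestring] $ChosenPassword
    )

    # Throwaway value; never shown to the user or written to a log.
    $temp = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    # Step 1: administrative reset to the throwaway value (history not checked).
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $temp -ErrorAction Stop

    # Step 2: ordinary change from the throwaway value to the chosen password.
    # A change is evaluated against the domain password policy, including history.
    try {
        Set-ADAccountPassword -Identity $Identity -OldPassword $temp `
            -NewPassword $ChosenPassword -ErrorAction Stop
        return $true
    }
    catch {
        # The change was refused (for example, the password is in the history).
        # The account now holds the random password, so the caller must prompt
        # the user for a different password and run the sequence again.
        Write-Warning "Password change refused for ${Identity}: $($_.Exception.Message)"
        return $false
    }
}

# Usage (constructed account name):
# $pw = Read-Host -AsSecureString 'New password'
# Reset-PasswordWithHistory -Identity 'jdoe' -ChosenPassword $pw
```

If step 2 fails, the user is left with a password nobody knows, so a self-service front end has to keep the session open and ask for another password rather than ending the flow.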
