We've all had to reset a forgotten password at some point in our lives. But have you ever wondered what goes on behind the scenes when you initiate a password reset? Have you considered the security risks that can arise due to poor password management?
Active Directory and password resets
Let's start with the basics. There are multiple ways to reset a Windows Active Directory (AD) password. To list a few:
- AD Users and Computers (ADUC): This is the most commonly used password reset tool. The admin can go to ADUC, right-click on the user account, and select Reset Password. If the admin has the required privileges over the account, they'll be able to reset the password.
- AD Administrative Center (ADAC): ADAC has a reset password option right on the opening screen.
- PowerShell: The admin can use the Set-ADAccountPassword cmdlet to reset passwords for users, computers, and service accounts.
- Command Prompt: Run Command Prompt as an administrator and use the net user command to find and reset the password of the desired account.
What happens during an AD password reset?
When the password reset command reaches the domain controller (DC), the privileges of the account that initiated the password reset are checked first to ensure the account is allowed to do so.
Next come the password filters. These filters ensure that the new password matches the history, length, and character composition requirements usually defined in the default domain group policy and any applicable fine-grained password policies.
After passing through the AD password filters, the password is checked for third-party password rule compliance. If the password successfully makes it through, it's updated in the corresponding account and the old password is given the pwdLastSet attribute for tracking the password history. Once the password is changed, this change is replicated among other DCs in the domain.
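The reset flow described above, as an added PowerShell example that is not part of the original article or of ADSelfService Plus: it sends an administrative reset to one DC, then compares the pwdLastSet replication metadata on every DC to confirm the change has replicated. The account name `jdoe` and the choice of the PDC emulator as the originating DC are assumptions; it requires the ActiveDirectory (RSAT) module and reset rights over the account.

```powershell
# Added example: admin-initiated reset, then confirm replication on each DC.
Import-Module ActiveDirectory

$Identity = 'jdoe'   # hypothetical sAMAccountName (assumption)

# Prompt for the new password so it is never echoed or stored in the script.
$NewPassword = Read-Host -Prompt "New password for $Identity" -AsSecureString

# Send the reset to one named DC so the originating write is known (assumption: PDC emulator).
$OriginDC = (Get-ADDomain).PDCEmulator

try {
    # -Reset is the administrative path: the old password is not supplied, so the
    # DC checks the caller's privileges over the account before accepting it.
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword `
        -Server $OriginDC -ErrorAction Stop
}
catch {
    # Missing privileges and password policy/filter rejections both surface here.
    Write-Error "Reset of '$Identity' failed on ${OriginDC}: $($_.Exception.Message)"
    return
}

# The reset is an originating write on $OriginDC; other DCs receive it by replication.
# Compare each DC's pwdLastSet metadata version with the version on the origin.
$user   = Get-ADUser -Identity $Identity -Server $OriginDC
$origin = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
              -Server $OriginDC -Properties pwdLastSet

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DC      = $dc.HostName
            Version = $meta.Version
            Changed = $meta.LastOriginatingChangeTime
            InSync  = ($meta.Version -eq $origin.Version)
        }
    }
    catch {
        # An unreachable DC is reported as not in sync rather than skipped.
        [pscustomobject]@{ DC = $dc.HostName; Version = $null; Changed = $null; InSync = $false }
    }
}
```

A DC that still reports `InSync = False` after normal replication latency has not received the new password and is worth checking for replication errors.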
Reset passwords for Windows 7, 8, and 10 with ADSelfService Plus
ADSelfService Plus is an integrated AD self-service password management and single sign-on solution. With ADSelfService Plus, you can empower your users to reset their forgotten passwords without troubling the service desk. With ADSelfService Plus, users can reset their passwords from their Windows login screens.
Prerequisites
- Download and install ADSelfService Plus.
- Configure ADSelfService Plus for your AD domain.
- Configure policies for self-service features and ensure user enrollment.
- Complete the settings required to enable password reset from the Windows login screen.
How to reset passwords for Windows 7, 8, and 10 with ADSelfService Plus
Let's take a look at how to reset Windows 10 passwords with ADSelfService Plus.
- A user clicks the Reset Password/Unlock Account button from the Windows login screen.
- In the ADSelfService portal pop-up, the user needs to click the Reset Password button.
- They'll be asked to enter their username. Once finished, they'll need to click Continue.
- Now they'll be asked to prove their identity through authentication methods that were set up while enrolling in ADSelfService Plus. Admins can choose from 15 advanced authentication methods available to enforce in ADSelfService Plus and can decide how many methods are required to complete the verification. After successfully verifying their identity, users will need to click Continue.
Note: Face ID Authentication and Google Authenticator are two of the many identity verification methods available in ADSelfService Plus. See the full list of methods available.
- Now the user can enter a new password. If it meets all the password complexity requirements, it will be successfully reset.
Note: ADSelfService offers the Password Policy Enforcer, which can restrict commonly used passwords, patterns, and repetition. It can also prevent the use of passwords that were involved in previous data breaches through integration with Have I Been Pwned?
- The user can close the ADSelfService Plus portal pop-up and log in to their Windows system using the new password.
The steps involved in resetting Windows 7 and Windows 8 passwords with ADSelfService Plus are the same as the steps involved in resetting Windows 10 passwords with ADSelfService Plus.
Why you should use ADSelfService Plus to reset passwords
- Multi-factor authentication: Secure password resets with advanced identity verification techniques including biometrics, Google Authenticator, YubiKey, and more.
- Password reset from anywhere: Allow users to reset passwords from mobile devices, computer login screens, private networks, and the ADSelfService portal.
- Password reset notification: After a password is reset, notifications are sent to the relevant users and admins as a security measure.
- Comprehensive reports: Audit password resets, identity verification failures, notification delivery, and much more.