
Windows Active Directory Self password resets - Need and general precautions.

Password authentication protects organizational resources, including data, from unauthorized access at almost the lowest level, i.e. the end-user level. Every time users log in to their computers they must enter a password to establish their identity, so that unauthorized access to the computer is prevented. That is only the positive side of the scenario. On the negative side, it can result in massive productivity loss: an employee may forget his password and be unable to log into the system, resulting in employee downtime.

Considering that most projects require team effort and employees work in collaborative environments, the absence of an employee from the project, even for a little time, could lead to failure in achieving project milestones.

Traditionally, such issues are handled by the organization's IT helpdesk team, which consumes a significant chunk of their effort and time. The problem becomes even more critical for bigger organizations: they have a large employee base, and such issues keep the helpdesk team busy, taking up a bigger share of helpdesk support hours.

According to various studies conducted to determine the actual extent of time and money that goes into resolving password reset requests, almost 30% to 40% of helpdesk support hours and tens of dollars per ticket go into resolving such issues. Of course, these figures may vary depending on the geography and the industry in which your organization operates.

To address the problem, you can use the user self-service password reset facility in Active Directory, available with the Azure Active Directory Premium and Basic editions. Self-service password reset allows end users in your organization to reset their passwords themselves, without calling an administrator or the helpdesk for support.

There are various other self-service password reset tools that allow employees to reset their own forgotten passwords instead of calling the helpdesk or logging a password reset ticket. This delegation of power solves the problem to a great extent, as users can now reset their own passwords, avoiding downtime and the resulting productivity loss.

As you might have guessed, this approach also creates security loopholes that could lead to unauthorized access, since someone else may reset the password at the end user's computer. As a countermeasure, these applications ask users to validate their identity before they can reset their passwords, mitigating the risk to a large extent.

The usual method these AD self-service tools use for identity verification is answering a set of pre-defined questions whose answers only the concerned employee is supposed to know. Users must answer these questions before they can reset their passwords. The questions are determined by the administrator, and employees have to enter the correct answers at the time of registration/enrollment. So, in a way, this re-consolidates power in the administrator's hands. Administrators, on their part, must ensure that they create identity verification questions that meet compliance requirements and provide enough cushion against a security breach. Some of the points that are important to consider here are:
  • Challenge questions must be difficult to guess. For example, you might not want to include a question such as "What is the color of your car?", as co-workers could answer it as well.
  • Keep the number of questions in the challenge set quite high to minimize the probability of a security breach.
  • The minimum length of answers should be on the higher side.
  • Disallow giving the same answer to all questions, or taking the answer phrase from the question itself.
  • For roaming and disconnected users, you can provide browser-based password resets. In that case, ensure that the answers to the questions do not get saved in the web page fields.
  • You can also use other methods for validating identity, such as sending a verification code to the user's registered mobile number. In that case, ensure that all users keep their mobile number up to date in the database.
  • Another alternative is sending a password reset link to the user's email address.
  • For enhanced security, you can use a two-tier verification method where a user must not only answer the challenge questions but also undergo mobile verification.
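The answer-quality rules above (enough questions in the set, a minimum answer length, no answer reused across questions, no answer lifted from its own question) are the kind of checks an enrollment page should enforce before it accepts a user's challenge set. The following is an added example written for this post, not code from the original page or from any self-service reset product; the policy thresholds (5 questions, 6 characters) and the sample enrollments are constructed values. It goes slightly beyond the text in one place: it flags any answer reused for more than one question, not only the case where every question gets the same answer.

```python
"""Enrollment-time policy checks for self-service password reset challenge answers.

Added example, not code from the original post or from any vendor's product.
The thresholds below are constructed sample values; set them to your own standard.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed policy values for illustration.
MIN_QUESTIONS = 5        # size of the challenge set a user must enroll
MIN_ANSWER_LENGTH = 6    # minimum characters per answer after normalisation


def normalize(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that
    'Blue!' and '  blue ' are treated as the same answer."""
    return " ".join(re.sub(r"[^\w\s]", "", text.lower()).split())


def answer_taken_from_question(question: str, answer: str) -> bool:
    """True when every word of the answer already appears in its own question,
    e.g. Q: 'What was the name of your first pet?'  A: 'pet'."""
    answer_tokens = set(normalize(answer).split())
    question_tokens = set(normalize(question).split())
    return bool(answer_tokens) and answer_tokens <= question_tokens


def validate_enrollment(pairs: list[tuple[str, str]]) -> list[str]:
    """Return the list of policy violations for one user's challenge set.

    An empty list means the enrollment is acceptable: enough questions,
    every answer long enough, no answer lifted from its question, and
    no answer reused for more than one question.
    """
    problems: list[str] = []
    if len(pairs) < MIN_QUESTIONS:
        problems.append(f"only {len(pairs)} questions enrolled; need {MIN_QUESTIONS}")

    normalized_answers: list[str] = []
    for i, (question, answer) in enumerate(pairs, start=1):
        norm = normalize(answer)
        normalized_answers.append(norm)
        if len(norm) < MIN_ANSWER_LENGTH:
            problems.append(f"answer {i} is shorter than {MIN_ANSWER_LENGTH} characters")
        if answer_taken_from_question(question, answer):
            problems.append(f"answer {i} repeats its question's own words")

    # Reject reuse of one answer across questions (stricter than only "all the same").
    for value, count in Counter(normalized_answers).items():
        if count > 1:
            problems.append(f"answer '{value}' was used for more than one question")
    return problems


# Constructed sample enrollments used to exercise the checks.
SAMPLE_GOOD = [
    ("What was the name of your first pet?", "Barnaby Rubble"),
    ("In which town did your parents meet?", "Galashiels"),
    ("What was the make of your first bicycle?", "Raleigh Chopper"),
    ("What is your oldest cousin's middle name?", "Theodora"),
    ("What was the title of your favourite childhood book?", "Swallows and Amazons"),
]

SAMPLE_BAD = [
    ("What was the name of your first pet?", "pet"),      # lifted from the question, too short
    ("What is your favourite colour?", "red"),            # too short
    ("In which town did your parents meet?", "red"),      # reused answer, too short
]

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        result = validate_enrollment(sample)
        print(f"{label}: {'accepted' if not result else 'rejected'}")
        for problem in result:
            print("  -", problem)
```

Normalising before comparison matters: without it, "Red" and "red!" would pass the reuse check as two different answers, and the length check could be satisfied with padding spaces.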

Active Directory self-service password reset can easily be done using Lepide software. Lepide also provides a YouTube video showing it live in action.
