Configure Password Self-Service
Adaxes enables users to reset their own Active Directory passwords and unlock accounts without any assistance from IT staff. The user's identity can be verified by asking a predefined set of secret questions and/or by using verification codes sent via e-mail or SMS. In this tutorial you'll learn how to configure and manage the Active Directory Self-Service Password Reset feature of Adaxes.
Password Self-Service Policies
All aspects of the self password reset process are determined by Password Self-Service Policies. A policy defines the methods used to prove the user's identity (secret questions and answers and/or verification codes), the number of questions that must be answered, the list of available and required questions, whether user-defined questions are allowed, account blocking and unlocking options, e-mail notification settings, etc.
You can define different password self-service policies for different sets of users. For example, you may want to enforce a stronger policy for IT administrators and Help Desk and a less severe policy for other users. A policy can be effective for all users in an AD domain, for all users located in an Organizational Unit, for members of groups and Business Units, for individual users, etc. If necessary, you can exclude specific users, groups, OUs, and Business Units from the activity scope of a policy.
Since multiple password self-service policies can be created, it is possible that more than one policy can be applied to a user. In this case, the policy with the highest precedence order will be effective for the user.
If no password self-service policies are assigned to a user, this user cannot use the Password Self-Service feature. By default, no password self-service policies are defined in Adaxes. So, to allow users to reset their passwords by themselves, you need to define policies for password self-service.
To create a password self-service policy, perform the following steps:
Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Password Self-Service. Select the Policies node in the Console Tree.
In the Result Pane (located to the right), click New.
Follow the instructions in the Create Policy for Password Self-Service wizard.
On the Activity Scope page of the wizard, click Add to assign the new password self-service policy to users.
In the Policy Activity Scope dialog that opens, select one of the following items:
- All Objects - select if you want the policy to be effective for all users in all AD domains managed by your Adaxes service.
- Specific Domain - select if you want the policy to be effective for all users within the AD domain you specify.
- OU or Container - select if you want the policy to be effective for the users located under the selected Organizational Unit or container.
- Group - select if you want the policy to be effective for the users that are members of the selected group.
- Business Unit - select a Business Unit if you want the policy to be effective for the users that belong to this Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.
Select the item you need and click Add. When finished, click OK.
To exclude users from the activity scope of the policy, select the Exclude the selection option in the Assignment Options dialog that is shown when you click the Add button.
For example, if you want to exclude a specific user, do the following:
- In the Object Types drop-down box, check the User object type.
- In the list of available AD objects, select the user you want to exclude.
- Click Add.
- In the Assignment Options dialog that opens, select the Exclude the selection option and click OK.
When finished, click Finish.
If two or more password self-service policies are applied to the same user, this user will be affected by the policy with the higher precedence. To change the precedence order of a policy:
- Select the policy you need in the Result Pane.
- Click the buttons to change the precedence order of the selected policy.
To view all users affected by a password self-service policy, select the password policy you need and click the Show All Affected Users button located under the Applies To list.
If the Show All Affected Users dialog doesn't display some users the selected password policy applies to, it means that they are affected by another password policy with a higher precedence.
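The precedence and exclusion rules described in this section can be modeled as follows. This is an added example, not Adaxes code or its API: it resolves which policy is effective for each user and which users a policy actually affects. The class and function names, the sample users and policies, the subtree matching for OUs, and the rule that an exclusion overrides an inclusion are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    domain: str
    ou: str                                  # DN of the parent OU
    groups: frozenset = frozenset()
    business_units: frozenset = frozenset()

@dataclass
class Policy:
    name: str
    include: list                            # (kind, value) scope assignments
    exclude: list = field(default_factory=list)

def matches(user, kind, value):
    """True if one activity-scope assignment covers the user."""
    if kind == "all":
        return True
    if kind == "domain":
        return user.domain.lower() == value.lower()
    if kind == "ou":                         # assumption: the whole subtree counts
        ou, base = user.ou.lower(), value.lower()
        return ou == base or ou.endswith("," + base)
    if kind == "group":
        return value in user.groups
    if kind == "business_unit":
        return value in user.business_units
    if kind == "user":
        return user.name == value
    raise ValueError(f"unknown scope kind: {kind}")

def in_scope(policy, user):
    # Assumption: an exclusion overrides any inclusion in the same policy.
    if any(matches(user, k, v) for k, v in policy.exclude):
        return False
    return any(matches(user, k, v) for k, v in policy.include)

def effective_policy(ordered, user):
    """ordered[0] has the highest precedence; None means no self-service."""
    return next((p for p in ordered if in_scope(p, user)), None)

def affected_users(policy, ordered, users):
    """Users for whom `policy` is the effective one."""
    return [u.name for u in users if effective_policy(ordered, u) is policy]

# Constructed sample directory and policies
IT_OU = "OU=IT,DC=example,DC=com"
USERS = [
    User("alice", "example.com", IT_OU, frozenset({"Help Desk"})),
    User("bob", "example.com", "OU=Sales,DC=example,DC=com"),
    User("carol", "example.com", "OU=Contractors,DC=example,DC=com"),
]
STRICT = Policy("Strict", [("group", "Help Desk"), ("ou", IT_OU)])
STANDARD = Policy("Standard", [("domain", "example.com")],
                  exclude=[("ou", "OU=Contractors,DC=example,DC=com")])
```

With the order `[STRICT, STANDARD]`, alice resolves to Strict and is not listed among the users affected by Standard even though she is in its scope. Swapping the order puts the Help Desk account on the Standard policy and leaves Strict affecting no one, which is the misordering to check for after changing precedence.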
Self Password Reset via Web Interface
By default, the Self Password Reset feature is enabled for the Web Interface for Self-Service only. This means that by default, users can use only this Web Interface to enroll/disenroll for password self service, and the 'Forgot Password' link is available on the Sign In page of this Web Interface only.
To enable or disable the Self Password Reset feature for a Web Interface:
On the computer where the Web Interface is installed, start the Web Interface Customization tool.
In the Interface type drop-down list, select the Web Interface that you want to configure.
Activate the Components tab and select or clear the Disable Self Password Reset option in the Password Self-Service section.
Self Password Reset via Windows Logon Screen
To enable users to reset their passwords right from the Windows Logon and Unlock screens, you need to install Adaxes Self-Service Client on each computer where you want the feature to be available.
For details on how to install and configure Adaxes Self-Service Client, see Installation Guide for Adaxes Self-Service Client.
Publish Link to Self Password Reset
You can integrate the Self Password Reset feature with your web sites and applications by adding a link to the Reset Password page of the Adaxes Web Interface. Example:
<a href="http://example.com/AdaxesSelfService/SelfPasswordReset.aspx?ReturnUrl=http%3A%2F%2Fwebsite.com">Forgot password?</a>
For details on how to configure Adaxes to automatically enroll users for Password Self-Service, see Autoenroll Users for Self-Password Reset.