0 votes

Hello!

We have password policies set up to prevent users from reusing the last several passwords and to prevent them from changing their password more than once in a 24-hour period. We currently give users the ability to reset their direct reports' passwords using the Password Reset function in Adaxes. However, we noticed that when a manager resets the password for an account they manage, they are able to reset the password to the current password and they are able to reset the password multiple times in one day, bypassing some of the password policies that are normally enforced. The password complexity requirements are still enforced, but the password reuse and time limit are not enforced.

When a user signs in and clicks the Change Password button for their account, all of the policies appear to be enforced. This issue seems limited to resetting the password for another account.

Is this a known issue, and do you know of any way to fully enforce all of the password policies for password resets?

by (70 points)

1 Answer

0 votes
by (206k points)

Hello,

There are no password policies in Adaxes itself. The software only allows you to configure AD domain password policies. If some restrictions do not work for a user, most probably, the policy effective for the user is not the right one. For information on how to manage the policies in Adaxes, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ManageFineGrainedPasswordPolicies.htm.

0

Hi there,

Thanks for your response. The issue doesn't seem to be based on the user. It seems to be based on how the password for the user is reset.

If User A signs into the web interface for Adaxes and clicks the "Change Password" button to reset their own password, all of the security policies are enforced, including the password history and 24-hour rule. If User B does the same thing to reset their own password, all of the security policies are enforced. Let's say User B is User A's manager. The problem is when User B signs into the web interface for Adaxes, selects User A's account, and then clicks "Reset Password" to reset User A's password. When User B does that, they can reset User A's password to the current password and reset it within the 24-hour window, which shouldn't be allowed.

+1

The thing is, Enforce password history and Minimum password age policy restrictions are applied only when the password is changed, not when it is reset. These are two distinct operations, and it doesn't matter who changes or resets the password.

For example, if the user resets their own password, they will be able to enter the same password and reset it many times without being limited by the Minimum password age. This behaviour comes from Active Directory itself, not Adaxes.

0

That makes sense. Thanks for the clarification. We were able to fix the problem by giving the managers the ability to "Change" the password for their managed accounts rather than "Reset" the password. Thanks again for your help!
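The change-versus-reset distinction described in this thread can be verified directly against Active Directory. The following PowerShell is an added example, not code from the thread or from Adaxes; it assumes the ActiveDirectory module, a throwaway lab account named in $TestUser, and a domain controller whose Security log records events 4723 (password change attempt) and 4724 (password reset attempt).

```powershell
# Added example: shows that "Enforce password history" and "Minimum password age"
# are evaluated only on a password CHANGE (old + new password supplied), not on an
# administrative RESET, and how to tell the two apart in the DC audit log.
Import-Module ActiveDirectory

$TestUser = 'lab-pwdtest'   # constructed lab account name, replace with your own
$Current  = Read-Host -AsSecureString 'Current password of the test account'
$Same     = $Current        # deliberately reuse the current password to trigger history

function Invoke-PasswordOperation {
    param([string]$Label, [scriptblock]$Action)
    try {
        & $Action
        '{0,-48} ALLOWED' -f $Label
    } catch {
        '{0,-48} REJECTED: {1}' -f $Label, $_.Exception.Message
    }
}

# 1. CHANGE path (what "Change Password" uses): AD checks history and minimum
#    age, so reusing the current password is expected to be rejected.
Invoke-PasswordOperation 'Change to same password (history enforced)' {
    Set-ADAccountPassword -Identity $TestUser -OldPassword $Current -NewPassword $Same
}

# 2. RESET path (what "Reset Password" uses): neither history nor minimum age
#    is evaluated, so the same value is expected to be accepted.
Invoke-PasswordOperation 'Reset to same password (history not checked)' {
    Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $Same
}

# 3. Audit trail: the two paths log different Security event IDs on the DC,
#    so a reviewer can see which one a manager or helpdesk user actually took.
$Dc = (Get-ADDomainController).HostName
Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddHours(-24)
    } |
    ForEach-Object {
        $Xml  = [xml]$_.ToXml()
        $Data = $Xml.Event.EventData.Data
        $Op   = if ($_.Id -eq 4724) { 'Reset' } else { 'Change' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Operation = $Op
            Target    = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
            ByWhom    = ($Data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } |
    Where-Object Target -eq $TestUser | Format-Table -AutoSize
```

Step 3 is also useful on its own: filtering 4724 events by SubjectUserName shows which accounts are still performing administrative resets after the permission change the original poster describes.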
