Adaxes enables users to reset their own passwords and unlock their accounts without any assistance from the Help Desk or IT staff. The user's identity can be verified by answering security questions and/or receiving an SMS or e-mail verification code.
All aspects of the self-password reset process are determined by Password Self-Service policies. A policy defines the methods used to prove the user's identity (security questions and/or verification codes), the number of questions to be answered, which questions are mandatory and which are optional, whether user-defined questions are allowed, account blocking and unlocking options, e-mail notification settings, etc.
The policy-based approach allows you to apply different levels of security to different users and groups. For example, you can enforce strict policies to privileged users, such as administrators and Help Desk operators, and less severe policies to other users. A policy can be assigned to all users within an Active Directory domain, users located in an Organizational Unit, members of groups and Business Units, individual users, etc. If necessary, you can exclude specific users, groups, OUs, and Business Units from the scope of a policy.
If users have no assigned policies, the Self-Service Password Reset feature is not available for them. By default, there are no Password Self-Service Policies defined in Adaxes, so, to allow users to reset their forgotten passwords, you need to create and assign Password Self-Service policies.
To create a policy for password self-service, perform the following steps:
Launch Adaxes Administration Console.
Expand Adaxes service \ Configuration \ Password Self-Service and select Policies.
In the Password Self-Service Policies section located to the right, click New.
Follow the instructions in the Create Policy for Password Self-Service wizard.
On the Activity Scope page of the wizard, click Add to assign the new policy to users.
In the Activity Scope dialog, select the following items:
All Objects - select to apply the policy to all users in all AD domains managed by Adaxes.
Specific Domain - select to apply the policy to all users within an Active Directory domain.
OU or Container - select to apply the policy to the users located under an Organizational Unit or container.
Group - select to apply the policy to members of a group.
Business Unit - select to apply the policy to members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.
You can exclude specific users, groups, Organizational Units and Business Units from the policy scope. For example, if you've applied the policy to all users in a domain, but do not want to apply it to members of a certain group, you can exclude the group from the scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.
Click the object you want to exclude.
In the Assignment Options dialog, select the Exclude option.
When done, click OK and then Finish.
If a user falls within the scope of two or more policies, the policy with a higher precedence is applied to the user. To change the precedence of a policy, select it and use the buttons.
To view all users a policy applies to, select the policy and click the Show all affected users. To view the policy applied to a user, click Lookup policy for user.
By default, the Password Self-Service component is enabled in the Web Interface for Self-Service only. It means that by default, only the Web Interface for Self-Service can be used to reset forgotten passwords, unlock accounts and enroll for password self-service.
Follow the steps below to enable or disable the Password Self-Service component for a Web Interface and configure the options related to enrolling for Password Self-Service.
Open Adaxes Web Interface Configurator.
The permissions to configure the Web Interface are delegated via Security Roles. By default, only Service Administrators have the appropriate rights. To enable other users to configure the Web Interface, grant them the corresponding permissions.
In the top left corner, select the Web Interface you want to customize.
In the left navigation menu, click Components.
Use the Password Self-Service checkbox to enable or disable the Password Self-Service component.
To periodically prompt users to enroll for password reset, check the Prompt users to enroll for password self-service checkbox and select how often the prompt should appear.
To configure which Password Self-Service options are available in the My Menu drop-down, use corresponding checkboxes under the My Menu checkbox.
To allow users to enroll, re-enroll and cancel enrollment for Password Self-Service right from the Home page of the Web Interface, you can enable the Password Self-Service card. The card is not visible when there are no policies for Password Self-Service assigned to the user.
For details on how to configure the Home page, see Customize the Home Page.
For information on how to configure Adaxes to automatically enroll users for Password Self-Service, see Autoenroll Users for Self-Password Reset.
To enable users to reset their passwords right from the Windows Logon and Unlock screens, you need to install Adaxes Self-Service Client on each computer where you want the feature to be available.
To install and configure Adaxes Self-Service Client:
Launch Adaxes Administration Console.
Expand Adaxes service \ Configuration \ Password Self-Service and select Windows Integration.
In the Client Setup section located to the right, click Self-Service Client to download Adaxes Self-Service Client. To download Installation Guide for Adaxes Self-Service Client, click Installation Guide.
Follow the Installation Guide to install and configure Adaxes Self-Service Client.
You can integrate the Self Password Reset feature with your web sites and applications by adding a link to the Reset Password page of Adaxes Web Interface.Example:
<a href="http://example.com/Adaxes/SelfService/#/SelfPasswordReset?ReturnUrl=http%3A%2F%2Fwebsite.com">Forgot password?</a>
Use the ReturnUrl parameter to specify the URL to open when the user completes or cancels resetting the password.