
In Active Directory you can set and enforce rules where users have to use strong passwords, can't reuse the last 5+ passwords they already had, and must meet password complexity requirements. Is there a way to enforce such settings so that if a service account (password reset web service) tries to set a new password for a user, it's checked against the policy and is either accepted or denied?

It seems that since the service account is forcing the password change, the user can type in the same password via the web interface and keep on using the same password over and over again. Since it is a service account changing the password for them, it is not checked against the last known passwords, hence the password rules are not enforced.

While a programmer could code a complexity check, the last-passwords-used check can't be done in the web interface because the web service has no knowledge of the previous passwords.

Is it possible to force it so that such a password change by a service account is also restricted the way a normal user password change would be?

MadBoy

1 Answer


In AD there are two types of operations to change a user's password - a change, which can be executed anonymously because it requires the old password as part of the request, and a reset, which does not require the old password and must be done by a user with the right to reset passwords for the account being targeted.

In this case, the software application is doing the reset operation, without knowledge of the user's old password but while authenticated, presumably as a service account, with the needed rights.

From the perspective of AD, the password is being administratively reset; password history is never enforced in this case, since the administrator doing the reset shouldn't know the user's old passwords - if they have a habit of setting the new pass to, say, Thursday1, having that fail to meet policy on a reset operation would be quite confusing.

While this gives a poor user experience, the best mechanism that I can think of to handle this would be to have the web application reset the password (maybe to something they don't enter, just generated) and then set the "must change password on next login" flag on the account to force the user to immediately do a password change operation, which will enforce history.

There's some discussion of using LDAP APIs in .Net to achieve the goal of enforcing history on this kind of reset here, but I'm not sure if this will be an option for you depending on the application you're using; if you control the code and the LDAP library you're using supports controls then it should be doable.

Shane Madden
  • It is possible to implement a password change, as you describe it, in a web app. OWA does this, and my university has a custom app that does this as well. It requires the user to enter the old password and then the new password twice, as is standard. I don't know the programming behind it, that'd be a topic best suited to SO. – Thomas May 29 '14 at 15:59
  • Here is a shareware web app that performs this function. I have not tested and do *NOT* endorse this app, I only share it to demonstrate that the functionality does exist. http://www.softpedia.com/get/Internet/Servers/Server-Tools/Web-based-Password-Change-for-AD.shtml – Thomas May 29 '14 at 16:02
  • @Thomas My guess is the application he's using is for self-service password reset when the user has forgotten their password (but has some sort of auth enforced by the web service, like security question), which would make the "change" mechanism impossible. Otherwise, definitely, just use the change operation! – Shane Madden May 29 '14 at 16:03
  • I see - the OP didn't explain if that was the case, but you could be right. – Thomas May 29 '14 at 16:10
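The three things the answer describes - the LDAP "change" (old value deleted and new value added in one modify), the administrative "reset" (bare replace of unicodePwd, no history check), and the policy-hints control that asks the DC to apply password policy to a reset anyway - look like this at the LDAP level. This is an added example, not code from the question, the answer or any product mentioned; it builds the requests in pure Python so it runs offline, and the `send_modify` helper assumes the `ldap3` library (its `Connection.modify` and `MODIFY_*` names) and a domain controller reachable over LDAPS, which is not part of the original page. The OIDs and the BER layout of the control value are the documented MS-ADTS `LDAP_SERVER_POLICY_HINTS_OID` values; treat the DC version requirements stated in the comments as assumptions to verify against your own forest.

```python
"""Build AD password operations: user change vs. admin reset, plus the
LDAP_SERVER_POLICY_HINTS control that makes the DC enforce policy
(including history) on a reset.

Added example, not code from the original post. The request builders are
pure Python; send_modify() needs `pip install ldap3` and an LDAPS bind.
"""
from __future__ import annotations

# MS-ADTS LDAP_SERVER_POLICY_HINTS control. Assumption: the 2239 OID needs a
# Windows Server 2012+ DC; the 2066 OID is the 2008 R2 form of the same control.
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"

# Operation names spelled the same way as ldap3.MODIFY_ADD etc. so the
# builders can be used without importing ldap3.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd takes the password wrapped in double quotes, UTF-16-LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def policy_hints_control(enforce: bool = True, deprecated_oid: bool = False):
    """(oid, criticality, value) tuple as ldap3 expects in `controls=`.
    Value is BER: SEQUENCE { INTEGER flags }; flags=1 means enforce policy."""
    flags = 1 if enforce else 0
    value = bytes([0x30, 0x03, 0x02, 0x01, flags])
    oid = LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID if deprecated_oid else LDAP_SERVER_POLICY_HINTS_OID
    return (oid, True, value)


def change_password_mods(old_password: str, new_password: str) -> dict:
    """User-driven *change*: delete the old value and add the new one in a
    single modify. The DC verifies the old password and enforces history,
    so no special rights on the target account are needed."""
    return {"unicodePwd": [
        (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
        (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
    ]}


def reset_password_mods(new_password: str) -> dict:
    """Administrative *reset*: replace unicodePwd with no old value. History
    is NOT checked unless policy_hints_control() accompanies the request."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def force_change_at_logon_mods() -> dict:
    """pwdLastSet = 0 is the 'must change password at next logon' flag.
    Send it as a separate modify after the reset, because a successful
    reset itself stamps pwdLastSet with the current time."""
    return {"pwdLastSet": [(MODIFY_REPLACE, ["0"])]}


def send_modify(conn, user_dn: str, mods: dict, controls=None) -> bool:
    """Send one modify with an ldap3.Connection bound over LDAPS (a DC refuses
    unicodePwd on a cleartext connection). Returns True on success."""
    import ldap3  # lazy import: the builders above need no dependency

    changes = {attr: [(getattr(ldap3, op), vals) for op, vals in ops]
               for attr, ops in mods.items()}
    return conn.modify(user_dn, changes, controls=controls)


def self_service_reset(conn, user_dn: str, new_password: str, enforce_history: bool) -> bool:
    """Reset flow for the web service in the question. With enforce_history=True
    the policy-hints control is attached; otherwise the answer's fallback is used:
    reset, then force a real change at next logon so history gets enforced there."""
    controls = [policy_hints_control()] if enforce_history else None
    if not send_modify(conn, user_dn, reset_password_mods(new_password), controls):
        return False
    if enforce_history:
        return True
    return send_modify(conn, user_dn, force_change_at_logon_mods())
```

A reset that fails policy with the control attached comes back as an LDAP `unwillingToPerform` (error 53) with the usual `0000052D` constraint text in the diagnostic message, which the web service can map to "password rejected by policy"; without the control the same request is accepted, which is exactly the behaviour the question observed.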