Reset Password Function

Author: [email protected]

The Password Reset function is performed as part of the Reset Password end-user transaction in Password Manager.

A password can only be reset if the user has passed the configured alternative authentication methods and holds the “Change Password” privilege. By default the Password Reset function first resets the password to a randomly generated value and then performs a password change operation from that value to the new password. This two-step flow is required so that the new password is checked against the password history policy. The password history count is incremented on each operation, the reset and the change.
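The two-step flow described above, reproduced with the ActiveDirectory PowerShell module. This is an added example, not Password Manager's own code: the function and parameter names are this example's, the identity used in the commented call is constructed, and the example assumes the running account holds the “Reset Password” right plus write access to pwdLastSet and lockoutTime on the target user. The reason for the two steps is visible in the cmdlet parameters: the -Reset path is an administrative set that is not checked against history, while the -OldPassword path is an ordinary change that is.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the product's own code): reset to a random temporary password,
# then change from that temporary password to the one the user chose, so that the
# change step is subjected to the password-history policy a plain reset bypasses.

function New-TemporaryPassword {
    # Random temporary value from a CSPRNG; the fixed prefix guarantees the usual
    # complexity classes (upper, lower, digit, symbol) are present.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return 'Tmp1!' + [Convert]::ToBase64String($bytes)
}

function Invoke-TwoStepPasswordReset {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Pre-checks that map to the attribute table: userAccountControl (Enabled) and
    # lockoutTime / msDS-User-Account-Control-Computed (LockedOut).
    $user = Get-ADUser -Identity $Identity -Properties Enabled, LockedOut, PasswordLastSet
    if (-not $user.Enabled) {
        throw "Account $($user.SamAccountName) is disabled; refusing to reset."
    }
    if ($user.LockedOut) {
        # Unlock-ADAccount writes lockoutTime = 0, which is why Write on lockoutTime is needed.
        Unlock-ADAccount -Identity $user
    }

    $temporary = ConvertTo-SecureString (New-TemporaryPassword) -AsPlainText -Force

    # Step 1: administrative reset to the temporary password. Needs the "Reset Password"
    # extended right and is NOT checked against the password history.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $temporary

    # Setting pwdLastSet to 0 (ChangePasswordAtLogon) lets the change in step 2 go
    # through even when a minimum password age is enforced. This example's reading of
    # why the table grants Read-Write on pwdLastSet; the page itself does not say.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Step 2: an ordinary change from the temporary password to the user's new one.
    # This path enforces history, length and complexity. Both steps consume one
    # history slot each, matching the note above about the history count.
    try {
        Set-ADAccountPassword -Identity $user -OldPassword $temporary -NewPassword $NewPassword
    }
    catch {
        # The account now holds the unknown temporary password; say so explicitly.
        throw ("Step 2 failed (policy rejected the new password?): $($_.Exception.Message) " +
               "The account holds a temporary password and is flagged to change at next logon.")
    }

    Get-ADUser -Identity $user -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# Example call (constructed identity):
# $new = Read-Host -AsSecureString 'New password for jdoe'
# Invoke-TwoStepPasswordReset -Identity 'jdoe' -NewPassword $new
```

If step 2 is rejected (for example because the new password is in the history), the account is left on the temporary password with the change-at-next-logon flag set, so the error message reports that state rather than hiding it; re-running the function with an acceptable password recovers.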

Required permissions:

The Password Reset function requires read permission for the Domain Account on a number of attributes, all of which are listed in the Discover Account table. In addition, it requires the permissions on the attributes shown in the following table to be granted to the Domain Account.

| Attribute | Access | Description | Stored |
|---|---|---|---|
| lockouttime | Write | Used to determine whether a user has been locked because of too many failed login attempts. | Yes |
| pwdLastSet | Read-Write | When the user last set the password. | Yes |
| userAccountControl | Read-Write | Used to determine whether a user has been disabled. | No |
| msDS-User-Account-Control-Computed | Read | Used to find out the LOCKOUT setting. | No |
| ntSecurityDescriptor | Read | | No |
| logonHours | Read | Used to get the user’s valid logon hours. | Yes |

Besides the attribute rights listed above, the function also requires the privilege in the following table to be granted to the Domain Account.

| Privilege | Access | Description |
|---|---|---|
| ResetPassword | Execute | Method used to set the password. |

Domain Account Privileges:

Besides the attribute rights and privileges listed above, the Password Reset function also requires the following permissions to be granted to the Domain Account on the Domain Policy object.

| Attribute | Access | Stored |
|---|---|---|
| maxPwdAge | Read | No |
| minPwdAge | Read | No |
| minPwdLength | Read | No |
| lockoutDuration | Read | No |
| lockoutObservationWindow | Read | No |
| lockoutThreshold | Read | No |
| pwdProperties | Read | No |
| pwdHistoryLength | Read | No |
| objectClass | Read | No |
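An audit of the delegation described in the three tables above (attribute rights and the ResetPassword privilege on user objects, read rights on the Domain Policy object), as an added example that is not part of this page or of Password Manager. It reads the DACL of a sample user and of the domain object with the ActiveDirectory module and reports, per required right, whether an allow ACE naming the Domain Account grants it. Group membership is not expanded, so the account and the groups it belongs to are passed explicitly; the function names, parameter names and the identities in the commented call are this example's own. The GUID for the “Reset Password” extended right is the well-known User-Force-Change-Password rights GUID.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the product's own code): checks whether a Domain Account holds the
# rights listed in the tables above on a sample user object and on the domain object.
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

# Rights required on the user object, as in the first table.
$UserAttributeRights = [ordered]@{
    'lockoutTime'                        = 'Write'
    'pwdLastSet'                         = 'ReadWrite'
    'userAccountControl'                 = 'ReadWrite'
    'msDS-User-Account-Control-Computed' = 'Read'
    'nTSecurityDescriptor'               = 'Read'
    'logonHours'                         = 'Read'
}
# Attributes read on the Domain Policy object (the domain naming context head), as in the last table.
$DomainPolicyAttributes = 'maxPwdAge', 'minPwdAge', 'minPwdLength', 'lockoutDuration',
    'lockoutObservationWindow', 'lockoutThreshold', 'pwdProperties', 'pwdHistoryLength', 'objectClass'

function Get-SchemaAttributeGuid([string] $LdapDisplayName) {
    # Object-specific ACEs reference attributes by schemaIDGUID, not by name.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$LdapDisplayName' not found in the schema." }
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

function Test-AceGrants($Ace, [string] $Access, [guid] $AttributeGuid) {
    # An allow ACE applies to the attribute if it names its GUID or covers all properties
    # (empty ObjectType). GenericRead/GenericWrite/GenericAll include the property bits.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($Ace.ObjectType -ne [guid]::Empty -and $Ace.ObjectType -ne $AttributeGuid) { return $false }
    $r = $Ace.ActiveDirectoryRights
    $read  = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    $write = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    switch ($Access) {
        'Read'      { return $read }
        'Write'     { return $write }
        'ReadWrite' { return ($read -and $write) }
    }
}

function Test-DomainAccountRights {
    param(
        [Parameter(Mandatory)] [string[]] $Identities,  # account and its groups, 'DOMAIN\name' form
        [Parameter(Mandatory)] [string]   $SampleUser   # sAMAccountName of a typical end user
    )
    $userDn   = (Get-ADUser -Identity $SampleUser).DistinguishedName
    $domainDn = (Get-ADDomain).DistinguishedName
    # Get-Acl on the AD: drive returns the object's explicit and inherited ACEs.
    $userAces   = (Get-Acl -Path "AD:\$userDn").Access   | Where-Object { $Identities -contains $_.IdentityReference.Value }
    $domainAces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object { $Identities -contains $_.IdentityReference.Value }

    $results = @()
    foreach ($attr in $UserAttributeRights.Keys) {
        $guid = Get-SchemaAttributeGuid $attr
        $ok = [bool]($userAces | Where-Object { Test-AceGrants $_ $UserAttributeRights[$attr] $guid })
        $results += [pscustomobject]@{ Object = 'User'; Right = $attr; Required = $UserAttributeRights[$attr]; Granted = $ok }
    }
    # The "Reset Password" extended right: its own GUID, or an ACE granting all extended rights.
    $resetOk = [bool]($userAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ResetPasswordRightGuid)
    })
    $results += [pscustomobject]@{ Object = 'User'; Right = 'ResetPassword'; Required = 'Execute'; Granted = $resetOk }
    foreach ($attr in $DomainPolicyAttributes) {
        $guid = Get-SchemaAttributeGuid $attr
        $ok = [bool]($domainAces | Where-Object { Test-AceGrants $_ 'Read' $guid })
        $results += [pscustomobject]@{ Object = 'DomainPolicy'; Right = $attr; Required = 'Read'; Granted = $ok }
    }
    return $results
}

# Example call with constructed names; any row reporting Granted=False is a delegation gap to close.
# Test-DomainAccountRights -Identities 'CONTOSO\svc-pwdmgr', 'NT AUTHORITY\Authenticated Users' -SampleUser 'jdoe' |
#     Format-Table -AutoSize
```

Two limitations to keep in mind when reading the output: deny ACEs are ignored, and rights granted through property sets (an ACE whose ObjectType is a property-set GUID rather than an attribute GUID) are not recognised, so a False for a single attribute should be confirmed in the object's Effective Access view before changing the delegation. Running it against a user in each OU the Domain Account services catches OUs where inheritance was blocked.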