Reset Password Operation
The resetting of the password is only possible if the user has passed the configured alternative authentication methods and if the user holds the “Change Password” privilege.
By default, the password reset operation performs a two step process. This process is intended to honour your domain password policies and auditing requirements. The operation initially generates a random password and then performs a subsequent password change operation. In doing so, all Active Directory password policies like age and history are checked, and the password history count is incremented on each operation.
The Password Reset function requires read permissions granted to the Domain Account on a number of attributes that are all listed in the Discover Account table. Furthermore, it requires permissions granted to the Domain Account on the attributes shown in the following table.
| ATTRIBUTE | ACCESS | DESCRIPTION | STORED |
|---|---|---|---|
|
lockouttime
|
Write
|
Used to determine whether a user has been locked because of too many failed login attempts.
|
Yes
|
|
pwdLastSet
|
Read-Write
|
When the user last set the password.
|
Yes
|
|
userAccountControl
|
Read-Write
|
Used to determine whether a user has been disabled.
|
No
|
|
msDS-User-Account-Control-Computed
|
Read
|
Used to find out the LOCKOUT setting.
|
No
|
|
ntSecurityDescriptor
|
Read
|
|
No
|
|
logonHours
|
Read
|
Used to get user’s valid logon hours
|
Yes
|
Besides the listed attribute rights the function also requires the privileges listed in the following table granted to the Domain Account.
| PERMISSION | ACCESS | DESCRIPTION |
|---|---|---|
|
ResetPassword
|
Execute
|
Method used to set the password.
|
Besides the listed attribute rights and privileges, the password reset operation also requires the following privileges to be granted to the Domain Account on the Domain Policy object.
| ATTRIBUTE | ACCESS | STORED |
|---|---|---|
|
maxPwdAge
|
Read
|
No
|
|
minPwdAge
|
Read
|
No
|
|
minPwdLength
|
Read
|
No
|
|
lockoutDuration
|
Read
|
No
|
|
lockoutObservationWindow
|
Read
|
No
|
|
lockoutThreshold
|
Read
|
No
|
|
pwdProperties
|
Read
|
No
|
|
pwdHistoryLength
|
Read
|
No
|
|
objectClass
|
Read
|
No
|