Reset Password Operation


Resetting a password is only possible if the user has passed the configured alternative authentication methods and holds the "Change Password" privilege.

By default, the password reset operation is a two-step process, intended to honour your domain password policies and auditing requirements. The operation first resets the account to a randomly generated interim password and then performs a normal password change from that interim password to the new one. Because the second step is a genuine change rather than an administrative reset, the domain controller enforces all Active Directory password policies (minimum age, history, length and complexity) exactly as it would for the user, and the password history is advanced on each of the two operations.
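The two-step flow described above, written out with the ActiveDirectory PowerShell module as an added illustration (this is not the product's own code). It assumes the caller holds the rights listed under Required permissions, that only the default domain policy applies (no fine-grained password policy on the user), and that flagging "user must change password at next logon" (pwdLastSet = 0) is the mechanism used to lift the minimum-password-age restriction between the two steps; the function and parameter names are the example's own.

```powershell
Import-Module ActiveDirectory

function New-InterimPassword {
    param([int]$Length = 32)
    # Cryptographically random, rejection-sampled (no modulo bias) and re-drawn until it holds
    # all four character classes, so the domain complexity rule cannot reject the interim reset.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    do {
        $chars = New-Object char[] $Length
        $i = 0
        while ($i -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {          # reject values that would bias the modulo
                $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
                $i++
            }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

function Invoke-TwoStepPasswordReset {
    param(
        [Parameter(Mandatory)][string]$Identity,           # sAMAccountName or DN of the target user
        [Parameter(Mandatory)][securestring]$NewPassword,  # the password the user chose
        [switch]$Unlock                                    # also clear lockoutTime afterwards
    )
    # minPwdAge, pwdHistoryLength, etc. are read from the domain object (the "Domain Policy" attributes).
    $policy = Get-ADDefaultDomainPasswordPolicy
    $user   = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, LockedOut

    # userAccountControl check: do not reset disabled accounts.
    if (-not $user.Enabled) { throw "$($user.SamAccountName) is disabled; refusing to reset." }

    # Step 1: administrative reset to a random interim password. This needs the
    # "Reset Password" extended right and does not itself enforce history or minimum age.
    $interim = ConvertTo-SecureString -String (New-InterimPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $interim

    # A change is refused while the password is younger than minPwdAge, and step 1 just made it
    # brand new. Setting "must change at next logon" (pwdLastSet = 0) lifts that restriction;
    # this example assumes that is why write access to pwdLastSet is required.
    if ($policy.MinPasswordAge -gt [timespan]::Zero) {
        if ($user.PasswordNeverExpires) {
            throw "Cannot flag 'change at next logon' on $($user.SamAccountName): PasswordNeverExpires is set."
        }
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    # Step 2: a genuine password change (old + new). The DC enforces history, length, complexity
    # and age here just as it would for the user; both the interim and the new password enter
    # the history, so each reset consumes two pwdHistoryLength slots.
    try {
        Set-ADAccountPassword -Identity $user -OldPassword $interim -NewPassword $NewPassword
    } catch {
        throw "Change step rejected by domain policy ($($_.Exception.Message)). The account now holds the discarded interim password and must be reset again."
    }

    if ($Unlock -and $user.LockedOut) { Unlock-ADAccount -Identity $user }   # writes lockoutTime = 0

    Get-ADUser -Identity $user -Properties PasswordLastSet, LockedOut |
        Select-Object SamAccountName, PasswordLastSet, LockedOut
}
```

Call it as `Invoke-TwoStepPasswordReset -Identity jdoe -NewPassword (Read-Host -AsSecureString) -Unlock`. The failure branch matters in practice: if the change step is rejected (for example because the new password is in the history), the account is left on an interim password nobody knows, so the caller has to surface that and run the operation again rather than silently retry step 2.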

Required permissions

The Password Reset function requires read permissions for the Domain Account on a number of attributes, all of which are listed in the Discover Account table. In addition, it requires the permissions on the attributes shown in the following table to be granted to the Domain Account.

ATTRIBUTE                            ACCESS       STORED   DESCRIPTION
lockoutTime                          Write        Yes      Used to determine whether a user has been locked out because of too many failed logon attempts; write access is needed to clear the lockout (the attribute is set to 0).
pwdLastSet                           Read-Write   Yes      When the user last set the password.
userAccountControl                   Read-Write   No       Used to determine whether a user has been disabled.
msDS-User-Account-Control-Computed   Read         No       Used to find out the LOCKOUT setting.
nTSecurityDescriptor                 Read         No
logonHours                           Read         Yes      Used to get the user's valid logon hours.

Besides the listed attribute rights, the function also requires the privilege listed in the following table to be granted to the Domain Account.

PERMISSION       ACCESS    DESCRIPTION
ResetPassword    Execute   The "Reset Password" extended right (control access right) on the user object; it is what allows the account to set a new password without knowing the old one.

Domain Account Privileges

Besides the listed attribute rights and privileges, the password reset operation also requires read access for the Domain Account on the following attributes of the Domain Policy object, that is, the domain object itself (the naming context root, for example DC=corp,DC=example), where the default domain password and lockout policy is stored.

ATTRIBUTE                  ACCESS   STORED
maxPwdAge                  Read     No
minPwdAge                  Read     No
minPwdLength               Read     No
lockoutDuration            Read     No
lockoutObservationWindow   Read     No
lockoutThreshold           Read     No
pwdProperties              Read     No
pwdHistoryLength           Read     No
objectClass                Read     No
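A way to verify, before going live, that the Domain Account actually holds the user-object rights listed in the two tables above. This is an added example using the ActiveDirectory PowerShell module and Get-Acl on the AD: drive; it is not part of the product. It checks the DACL of one representative target user (inherited ACEs included), resolves attribute GUIDs from the schema, and matches the account's own SID plus its token groups (read through the tokenGroups attribute, assumed to be returned by Get-ADUser). Grants made through property sets or Deny ACEs are not evaluated; the function and parameter names are the example's own, while the two hard-coded GUIDs are the well-known values for the Reset Password right and the user class.

```powershell
Import-Module ActiveDirectory

# Fixed across all AD forests.
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$UserClassGuid          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string[]]$Name)
    # ACEs refer to attributes by schemaIDGUID, so resolve each lDAPDisplayName in the schema partition.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $filter   = '(|' + (($Name | ForEach-Object { "(lDAPDisplayName=$_)" }) -join '') + ')'
    $map = @{}
    Get-ADObject -SearchBase $schemaNc -LDAPFilter $filter -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
    foreach ($n in $Name) { if (-not $map.ContainsKey($n)) { throw "Attribute $n not found in schema." } }
    return $map
}

function Test-ResetPasswordPermissions {
    param(
        [Parameter(Mandatory)][string]$DomainAccount,   # sAMAccountName of the service account, e.g. svc-pwreset
        [Parameter(Mandatory)][string]$SampleUserDN     # a representative target user, e.g. CN=J Doe,OU=Users,DC=corp,DC=example
    )
    $svc = Get-ADUser -Identity $DomainAccount -Properties tokenGroups
    # SIDs the account holds: itself plus every (nested) group from tokenGroups.
    $sids = @($svc.SID.Value) + @(foreach ($g in $svc.tokenGroups) {
        if ($g -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($g, 0)).Value } else { [string]$g }
    })
    $acl   = Get-Acl -Path "AD:\$SampleUserDN"
    $guids = Get-SchemaAttributeGuid -Name 'lockoutTime','pwdLastSet','userAccountControl','msDS-User-Account-Control-Computed','logonHours'

    function Test-Granted {
        param([System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectGuid)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            # Inherited ACEs scoped to another object class do not apply to a user object.
            if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $UserClassGuid) { continue }
            $rights = $ace.ActiveDirectoryRights
            if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { return $true }
            if (($rights -band $Right) -ne $Right) { continue }
            # An empty ObjectType means "all properties" (or "all extended rights").
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ObjectGuid) { return $true }
        }
        return $false
    }

    # One row per requirement from the documentation tables; each right must be granted by some ACE.
    $checks = @(
        @{ Name = 'lockoutTime: Write';                         Rights = @('WriteProperty');                Guid = $guids['lockoutTime'] }
        @{ Name = 'pwdLastSet: Read-Write';                     Rights = @('ReadProperty','WriteProperty'); Guid = $guids['pwdLastSet'] }
        @{ Name = 'userAccountControl: Read-Write';             Rights = @('ReadProperty','WriteProperty'); Guid = $guids['userAccountControl'] }
        @{ Name = 'msDS-User-Account-Control-Computed: Read';   Rights = @('ReadProperty');                 Guid = $guids['msDS-User-Account-Control-Computed'] }
        @{ Name = 'nTSecurityDescriptor: Read (READ_CONTROL)';  Rights = @('ReadControl');                  Guid = [guid]::Empty }
        @{ Name = 'logonHours: Read';                           Rights = @('ReadProperty');                 Guid = $guids['logonHours'] }
        @{ Name = 'ResetPassword extended right';               Rights = @('ExtendedRight');                Guid = $ResetPasswordRightGuid }
    )
    foreach ($c in $checks) {
        $ok = $true
        foreach ($r in $c.Rights) { if (-not (Test-Granted -Right $r -ObjectGuid $c.Guid)) { $ok = $false } }
        [pscustomobject]@{ Requirement = $c.Name; Granted = $ok }
    }
}
```

Run it as `Test-ResetPasswordPermissions -DomainAccount svc-pwreset -SampleUserDN 'CN=J Doe,OU=Users,DC=corp,DC=example'` and fix any row that reports `Granted: False` before enabling the function. The read access on the Domain Policy attributes in the last table is not checked here because the domain object grants those reads to Authenticated Users by default; if you have tightened that DACL, run the same kind of check against the domain root.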