Learn With Me: Specops – Managing AD Password Resets

Adam Bertram


Welcome back to ATA’s Learn with Me series on securely managing Active Directory (AD) passwords with Specops! If you missed the previous posts, be sure to catch up here. Today, we’re going to cover managing AD password resets using Specops’ uReset.

When I started as a helpdesk tech, I still recall the constant Active Directory password reset calls. Users would seemingly forget their passwords or somehow “forget” how to reset them themselves. All of the password reset calls not only took up my time but other helpdesk personnel too.

These types of calls and helpdesk tickets were trivial to complete but in large quantities, took up a lot of time we could have used to work on more pressing tickets like fixing the damn printers! Oh, the flashbacks.

We’d ask for their mother’s maiden name, or if they were a regular, I’d sometimes recognize their voice and reset their password with no authentication at all. Those were the days. The life of just taking the users’ word that they were who they said they were. Life was simpler and a whole lot less secure too.

Apparently, Specops felt my and others’ pain and decided to build a tool that takes manual password resets off the helpdesk’s plate and makes it secure for users to reset their own!

Introducing Specops uReset and Specops Authentication

Flashbacks aside, let’s now cover what we’re all here for: learning about securely managing AD password resets with uReset. uReset is a service that’s part of the overall Specops Authentication product.

From what I can see, uReset is a service that lives both on-prem and in the cloud that provides four main components:

  • Authentication Cloud and Web – A cloud-based web portal to manage product configuration, authentication policies, identity providers, and more. It also contains the user self-service portal users can go to from anywhere to reset their AD passwords.
  • Gatekeeper – The Gatekeeper is the component that lives on an on-prem domain controller. The Gatekeeper is in charge of keeping on-prem AD and the cloud in sync and commits all tasks performed from the cloud back to AD.
  • Identity services – A set of identity providers that authenticate users before a password reset, such as the mobile Google Authenticator app, the Specops Authenticator app, an SMS code, or simply secret questions.
  • Specops Authentication Client – The optional client can be installed on end-user workstations to assist with password resets and send password reminders when applicable.

These components come together to provide a secure and easy way for users to reset their AD passwords.

Setting up GateKeeper

uReset provides a self-service AD password reset portal via a hybrid approach. Using data synced from your local, on-prem AD environment and their cloud, they provide a web portal for user enrollment and password resets.

To allow their cloud to understand your AD environment, they use a piece of software called GateKeeper. GateKeeper is the service that syncs on-prem AD to the cloud. You’ll see below that GateKeeper lets you “tag” certain GPOs; once configured, those GPOs apply settings to the Specops Authentication client installed on computers.

By assigning a uReset GPO to specific users, you can then give those users different authentication policies, password reminders, and more.

Configuring uReset settings with GateKeeper
Tagging GPOs for uReset

Setting Identity Verification Policies

When you set up uReset, one of the first tasks you must perform is to come up with a policy that dictates which user accounts uReset will manage and how they should authenticate before resetting their password.

Before users enroll with uReset, you must define a policy that dictates which identity providers you will require users to authenticate with to reset their password.

You’ll have a few options that allow you to define various authentication rules. Below you’ll see the uReset section in the Authentication Web portal.

uReset manages two types of accounts: AD accounts and cloud accounts. Cloud accounts exist only in the Authentication web portal and exist only to view settings.

Viewing Cloud and Group Policy policy modes

When setting up authentication rules for the policy I was configuring, you can see all of the options available. uReset provides a ton of ways to authenticate users. It also uses a unique way to ensure one or more identity services are used: each provider is assigned a weight, and the user must use a combination of providers whose weights add up to the requirement, for either enrolling or authenticating.

Viewing uReset Identity providers
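The weighted-provider idea described above, as an added example of my own (not Specops’ code and not the product’s real policy engine): each identity provider carries a constructed weight, a reset needs both a minimum combined weight and at least two distinct providers, and an enrollment check confirms a user has registered enough providers to still pass if one becomes unavailable later. Provider names, weights and thresholds are assumptions.

```python
# Constructed provider weights for illustration only; the real uReset
# weights are set by the admin in the Authentication Web policy.
PROVIDER_WEIGHTS = {
    "windows_password": 1,      # something the user knows: weak on its own
    "secret_questions": 1,
    "sms_code": 2,
    "google_authenticator": 3,
    "specops_authenticator": 3,
}


def total_weight(providers):
    """Sum the weights of the given providers; unknown names are rejected."""
    unknown = set(providers) - set(PROVIDER_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown identity provider(s): {sorted(unknown)}")
    return sum(PROVIDER_WEIGHTS[p] for p in set(providers))


def can_reset(verified, threshold=4, min_providers=2):
    """True if the providers the user just verified satisfy the policy.

    Both rules must hold: the combined weight reaches `threshold` and at
    least `min_providers` distinct providers were used, so the AD password
    alone (or any single factor) never unlocks a reset.
    """
    verified = set(verified)
    return len(verified) >= min_providers and total_weight(verified) >= threshold


def enrollment_ok(enrolled, threshold=4, min_providers=2, tolerate_loss=1):
    """Enrollment-time check: the user must register enough providers that
    the reset policy is still reachable even if `tolerate_loss` of them is
    unavailable later (lost phone, no SMS signal).

    Worst case is losing the strongest providers, so those are dropped first.
    """
    by_weight = sorted(set(enrolled), key=lambda p: PROVIDER_WEIGHTS[p], reverse=True)
    remaining = by_weight[tolerate_loss:]
    return can_reset(remaining, threshold, min_providers)


if __name__ == "__main__":
    # The post's own flow: AD password plus a Google Authenticator code.
    print(can_reset({"windows_password", "google_authenticator"}))   # True
    print(can_reset({"windows_password"}))                           # False
```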

Enrolling Users with uReset

One of the first tasks you must perform is to enroll users with uReset. You’ll see below some screenshots of me going through the process. uReset provides a place in their web portal where you provide an AD username and password and are walked through the process.

Authenticating with a Windows password

While enrolling, you’ll be introduced to Identity Services. You’ll see below you have quite a few ways to enroll users. I chose the Google Authenticator and Specops Authenticator apps and Mobile Code. Once you enroll a user, they can then authenticate themselves and reset their own passwords, as you’ll see later.

Note that the providers you see below are only a handful I enabled. uReset has over 20 different identity providers to choose from.

Choosing an identity provider

An AD Password Self-Service Portal

Once a user is enrolled in uReset, and the Specops Authentication Client is installed on their computer, they can access the self-service password reset portal. I went through the enrollment process, configured a user account to work with Google Authenticator, and this is the experience when resetting the password.

Note that uReset also completely replaces the “Change password” screen on Windows with a simple web link.

To change the password for a user on a PC, I installed the Specops Authentication client on a domain-joined PC and logged in with my user account. I then clicked on the Change Password option below, now available in my start menu.

SpecOps authentication agent Change Password link

The Change Password link brought me to the Specops Authentication Web, which then walked me through the process step by step. You’ll see in the example below that, since I enrolled the user account using the Google Authenticator provider, I was forced to provide that code and the AD password. Only then was I given a place to reset my AD password.

uReset user password reset steps

Users can also reset their password if they have forgotten it, or unlock their account themselves. No more helpdesk calls!

Changing an AD password and unlocking with uReset

Desktop Password Reminders

I used to hate those helpdesk calls from users who seemingly “forgot” to reset their password all the time. They’d wait until they were locked out to call us, and by that time, they were frantic! Hopefully, uReset’s desktop password reminder may help you prevent this.

Once you assign a “tagged” GPO to a set of computers with the Specops Authentication client, uReset will periodically remind users that their password is about to expire.

Adding a new uReset settings GPO

Reporting

Once you have uReset running and available to your admins and users, you also have quite a few reports available to track adoption rate and various other activities.

In the Authentication Web portal, you’ll see a Reporting tab that provides various ways to track activities, such as user enrollment, as shown below. I liked the reports because they were intuitive and allowed me to get an overall view of the entire process.

uReset AD password management reporting

Conclusion

Specops’ uReset is a service that will definitely reduce or even eliminate helpdesk password reset calls. It also ensures that AD passwords are securely changed by requiring several identity providers (not just an AD password).

By letting users change and reset passwords and unlock their own accounts, uReset will save tons of time for any organization still doing this process manually, and organizations struggling to audit password resets will benefit greatly too.
