Active Directory Password Reset
The BMC FootPrints Service Core password reset feature is a Windows-based self-service password reset tool that resets the Windows network password, enabling users to reset the password without administrator intervention.
Configure Password Reset
To configure Password Reset:
- Select Administration | System, then select the Active Directory Password Reset link from the Features section of the main frame. The Password Reset page is displayed.
- There are four tabs on the Password Reset Page. When you first configure Password Reset, the Enable/Disable and Challenge Questions tabs are mandatory. The Actions tab is not required, but is used to create an Issue in a workspace when a password reset is requested by a user. The Users tab is informational only:
- Enable/Disable tab
- Enabled/Disabled—Select the appropriate radio button to enable or disable the feature.
- AD Server—Enter the full domain name or IP address of the Active Directory server.
- AD Port—Enter the port for the TLS-protected (LDAPS) connection to the directory server. This is typically 636; the plain LDAP port 389 does not provide the secure connection that Password Reset requires.
- Search Base—LDAP (including Active Directory) stores its data in a tree. To let BMC FootPrints Service Core find user accounts, enter a search base that names the point in the tree where searches should begin. The search base is the Distinguished Name of that branch, built from the names of the root and each branch beneath it (for example, an organizational unit followed by the domain components). Choose the branch closest to the accounts being searched; in most installations all the accounts are under one branch of the tree.
- Distinguished Name—The Distinguished Name of the account that will actually perform the password reset. It must have permission to change passwords in the directory. For example, "CN=Administrator,CN=Users,DC=fpqadomain"; the value can be obtained from the LDAP directory. Note that this account's credentials are held by the FootPrints server, so a dedicated service account that has been delegated only the rights it needs (resetting passwords and unlocking accounts on the relevant branch) is preferable to a built-in administrator account.
- CA Certificate—The certificate of the certificate authority ("CA") that signed the AD server's certificate, in PEM (Base-64) format (if the server's certificate is self-signed, this is the server's own certificate). This certificate is the trust anchor FootPrints uses to validate the LDAPS connection: because a secure connection is required for Password Reset, a valid certificate that chains to the server's certificate is also required, or Password Reset will not work. If you need more information about the certificate, contact your LDAP administrator.
- Password Policy—Enter a brief description of your password policy. This will be displayed to users when they reset their passwords.
- Challenge Questions tab—The Challenge Questions tab is where you create the challenge questions that users complete when they register. When a user later tries to reset a password, they must answer the challenge questions. On this tab the administrator first adds a challenge question and then enables it. More than one challenge question can be enabled at a time, and users must answer all enabled challenge questions correctly in order to reset their passwords. As an example of a set of challenge questions, an administrator might add the following: In what month were you born? In which city were you born? What is your mother's maiden name? Bear in mind that the answers to questions like these are often discoverable from public records or social media, so prefer questions whose answers are not easily found, and enable enough of them that guessing is impractical.
- Add question—Click the Add Question button to create a challenge question. Enter the question in the field that is displayed when you click the button. You can add multiple questions at one time by clicking the button again for each new question. After adding the question, enter your password and click SAVE. The main system administration page will be redisplayed in the main frame, so if you want to return to this page, you will have to select Active Directory Password Reset from the Features section again.
- Enable/Disable challenge question—To enable a challenge question, click the checkbox to the left of the question where it is displayed. Questions are enabled by default when they are created, but can be disabled as necessary.
- Edit a challenge question—To edit or change an existing challenge question, click the edit icon to the left of the question. The field in which the question is displayed then becomes active for input.
- Actions tab—The Actions tab allows you to create an Issue in a workspace when a user performs a Password Reset. To set up the Actions:
- From the drop-down list, select a Workspace. When a user performs a password reset, an Issue is created in the selected Workspace for the password reset.
- Use the drop-down fields to select which Quick Issue template is used to create a new Issue in each of the listed situations (to create Quick Issue templates for the situations, refer to the Creating Quick Issue Templates topic in this document). The situations are:
- Password Reset Successful
- Password Reset Unsuccessful
- Account Unlock Successful
- Account Unlock Unsuccessful
- When you have made your selections, click the Save button.
- Users tab—The Users tab lists the registered users, that is, users who have registered answers to the challenge questions and are therefore able to use Password Reset. This tab is for informational purposes only and lists the user display names, account names, Distinguished Names, the number of reset attempts they have made that have failed, and the date and time of their last failed reset attempt. This can help flag potential misuse of the password reset (e.g., someone making multiple attempts to guess the answers to a user's challenge questions). When there are three or more consecutive failed reset attempts, that user is highlighted in red on the Users tab so that an administrator can easily locate the potential problem.
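The Enable/Disable tab values are saved without much feedback, and a bad port, a malformed Distinguished Name, or a certificate that is not the server's issuer only shows up later as a failed reset. The following pre-flight script is an added example, not BMC code: it checks the field values the way a practitioner would before pasting them in, and its last function opens a TLS session to the AD server trusting only the pasted CA, which is the same trust decision Password Reset has to make. The hostname, DNs, service-account name and certificate text in EXAMPLE_SETTINGS are constructed placeholders; the script uses only the Python standard library.

```python
"""Pre-flight checks for the Enable/Disable tab values before saving them.

Added example, not BMC code. Everything in EXAMPLE_SETTINGS is a constructed
placeholder (the PEM body is not a real certificate). Standard library only.
"""
import base64
import socket
import ssl


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring '\\,' escapes.

    Attribute types are lower-cased because AD treats them case-insensitively.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def domain_components(dn):
    """The DC=... suffix of a DN, lower-cased, e.g. ['example', 'test']."""
    return [v.lower() for a, v in parse_dn(dn) if a == "dc"]


def looks_like_pem_certificate(text):
    """True if text is one Base-64 (PEM) certificate: not DER, not a private key."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        return False
    if not (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----")):
        return False
    body = "".join(text.splitlines()[1:-1])
    try:
        base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return False
    return True


def check_settings(s):
    """Return a list of problems with the tab values; an empty list means OK."""
    problems = []
    if s["ad_port"] != 636:
        problems.append(f"AD Port is {s['ad_port']}; Password Reset needs the LDAPS port, normally 636")
    dns_ok = True
    for field in ("search_base", "distinguished_name"):
        try:
            parse_dn(s[field])
        except ValueError as exc:
            dns_ok = False
            problems.append(f"{field}: {exc}")
    if dns_ok and domain_components(s["search_base"]) != domain_components(s["distinguished_name"]):
        problems.append("Distinguished Name belongs to a different domain than Search Base")
    if not looks_like_pem_certificate(s["ca_certificate"]):
        problems.append("CA Certificate is not a single PEM (Base-64) certificate")
    return problems


def verify_ldaps_trust(host, port, ca_pem, timeout=5.0):
    """Connect to host:port over TLS trusting ONLY ca_pem; return (subject, TLS version).

    create_default_context(cadata=...) loads no system roots, so success means the
    server's certificate chains to the pasted CA and its name matches `host`.
    Raises ssl.SSLCertVerificationError otherwise. Needs network access to the DC.
    """
    ctx = ssl.create_default_context(cadata=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject"), tls.version()


# Constructed placeholder settings; the "certificate" body is just encoded text.
_PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
                    + "\n-----END CERTIFICATE-----")
EXAMPLE_SETTINGS = {
    "ad_server": "dc01.example.test",
    "ad_port": 636,
    "search_base": "OU=Staff,DC=example,DC=test",
    "distinguished_name": "CN=svc-fp-reset,OU=Service Accounts,DC=example,DC=test",
    "ca_certificate": _PLACEHOLDER_PEM,
}

if __name__ == "__main__":
    for problem in check_settings(EXAMPLE_SETTINGS) or ["settings look consistent"]:
        print(problem)
    # With a real CA certificate and network access to the AD server:
    # print(verify_ldaps_trust(EXAMPLE_SETTINGS["ad_server"], 636, EXAMPLE_SETTINGS["ca_certificate"]))
```

`check_settings` deliberately does not require the service account to sit under the Search Base, since it usually lives in a separate service-accounts branch; it only requires both to be in the same domain. The placeholder certificate passes the PEM-format check but would fail `verify_ldaps_trust`, which is where the real validation happens.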
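The Users tab highlights an account after three or more consecutive failed reset attempts, which is the signal for someone guessing another user's challenge answers. The script below is an added example, not FootPrints code: it applies the same rule to an attempt log so the check can be run over an exported log or a SIEM feed rather than by eye, and adds a second rule the page does not describe, flagging accounts with several failures inside a short window even when a success is interleaved. The attempt records are constructed sample data.

```python
"""Flag Password Reset accounts under apparent challenge-answer guessing.

Added example, not FootPrints code. SAMPLE_ATTEMPTS is constructed data in the
form (ISO timestamp, account name, outcome); a real run would read an export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data.
SAMPLE_ATTEMPTS = [
    ("2024-03-04T08:01:00", "jdoe",   "success"),
    ("2024-03-04T09:15:00", "asmith", "failure"),
    ("2024-03-04T09:16:00", "asmith", "failure"),
    ("2024-03-04T09:18:00", "asmith", "failure"),
    ("2024-03-04T09:30:00", "asmith", "failure"),
    ("2024-03-04T10:00:00", "bwong",  "failure"),
    ("2024-03-04T10:02:00", "bwong",  "failure"),
    ("2024-03-04T10:05:00", "bwong",  "success"),   # a success ends the streak
    ("2024-03-04T11:00:00", "bwong",  "failure"),
]


def consecutive_failures(attempts, threshold=3):
    """The Users-tab rule: accounts whose most recent attempts are `threshold`
    or more failures in a row. Returns {account: (streak, last_failure_ts)}."""
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(attempts):
        by_user[user].append((ts, outcome))
    flagged = {}
    for user, events in by_user.items():
        streak, last_fail = 0, None
        for ts, outcome in events:
            if outcome == "failure":
                streak += 1
                last_fail = ts
            else:
                streak = 0          # the count is of consecutive failures only
        if streak >= threshold:
            flagged[user] = (streak, last_fail)
    return flagged


def failure_bursts(attempts, window_minutes=15, threshold=3):
    """Extra rule beyond the page: accounts with `threshold` or more failures
    inside any `window_minutes` span, whether or not a success sits between them.
    Returns {account: largest number of failures seen in one window}."""
    by_user = defaultdict(list)
    for ts, user, outcome in attempts:
        if outcome == "failure":
            by_user[user].append(datetime.fromisoformat(ts))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    for user, (streak, last) in consecutive_failures(SAMPLE_ATTEMPTS).items():
        print(f"{user}: {streak} consecutive failed resets, last at {last}")
    for user, count in failure_bursts(SAMPLE_ATTEMPTS).items():
        print(f"{user}: {count} failures within 15 minutes")
```

With the Actions tab configured, the "Password Reset Unsuccessful" Issues in the chosen Workspace carry the same events, so the two functions can be pointed at an export of those Issues as well as at the Users tab.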