Reset passwords and unlock accounts from your Windows login screen

Most organizations rely on password self-service management tools to empower users to perform password operations. On the flip side, most password self-service solutions can be accessed only from a web browser, forcing locked-out users to reset their passwords from a colleague’s workstation or from a kiosk with a web browser. This defeats the whole purpose of secured self-service password management. To combat this, ManageEngine ADSelfService Plus enables users to securely perform self-service password operations in several different ways.

With the help of ADSelfService Plus' GINA/CP logon agent, users can reset their passwords and unlock their accounts from the logon screen of their Windows, Linux, or macOS machines. By allowing users to perform password operations even when they're locked out, they don't have to resort to using another machine. This feature helps organizations trim down costs associated with IT help desk calls and frees administrators from such trivial issues, helping them focus on more important tasks.

ADSelfService Plus uses the ADSelfService CP logon agent as a credential provider (CP) tile in machines running on Windows Vista and above while the ADSelfService Plus GINA logon agent displays the Reset Password/Unlock Account button on the logon screens of machines running older versions of Windows. The ADSelfService Plus GINA agent is basically an extension of the standard Microsoft GINA and has the same functionality as the ADSelfService Plus CP agent.

What is a credential provider?

Credential providers are COM objects that are displayed when a secure attention sequence event in initiated, which happens by pressing CTRL+ALT+DEL. They procure information about the user’s credentials and pass it over to the Local Security Authority server for authentication. Credential providers were first introduced with Windows Vista and have since been an integral part of all Windows versions. Third-party credential providers (i.e., the ADSelfService Plus CP agent) can coexist with the CPs that Microsoft provides.

What is Microsoft GINA?

Graphical identification and authentication (GINA) is essentially a dynamic linked library loaded by Winlogon during the booting process. Technically , it's the msgina.dll module that initiates the "Press CTRL+ALT+DEL to logon" screen to be displayed and accept the username and password. More functionality can be added to MS GINA with the help of extensions. GINA extensions are also DLLs, and multiple can be installed on a computer.

What is the ADSelfService Plus GINA/CP logon agent?

The ADSelfService Plus GINA/CP logon agent is an integral component of ADSelfService Plus that enables end users to access ADSelfService Plus from the logon screens of their Windows machines. It empowers users to reset their passwords securely and unlock their accounts without help desk intervention or assistance from other users.

How ADSelfService Plus enables Windows GINA password resets

1. A user clicks the Reset Password/Unlock Account button on their Windows login screen. They are asked to enter their username.
2. After successfully completing all the enforced authentication methods, the user is allowed to reset their password.
3. ADSelfService Plus resets the password in Active Directory (AD) and notifies the GINA/CP client that the password reset was successful.
4. The GINA/CP client establishes a secure connection with AD and updates the cached credentials in the machine after AD approves its request.

Highlights of ADSelfService Plus