- Free Edition
- Quick Links
- Multi-factor authentication
- Adaptive MFA
- Active Directory MFA
- Conditional access
- Passwordless authentication
- Endpoint MFA
- MFA for remote and local Windows logons
- MFA for Windows servers
- MFA for remote and local macOS logons
- MFA for remote and local Linux logons
- MFA for VPN logons
- MFA for OWA logons
- MFA for RDP
- Offline MFA
- MFA for UAC
- Device-based MFA
- MFA for cloud apps
- MFA for Microsoft 365 users
- Phishing-resistant MFA More..
- Password management
- Password management and security
- Self-service password reset
- Self-service account unlock
- Web-based domain password change
- Password expiration notifications
- Password synchronization
- Password policy enforcer
- Cached credentials update
- Reporting and auditing
- Password self-service from logon screens
- Help-desk-assisted password reset
- Mobile password management
- Password security and compliance More..
- Single sign-on
- Remote work enablement
- Enterprise self-service
- Reporting and auditing
- Zero trust
- Integrations
- Security
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- Exchange Reporter Plus Exchange Server Auditing & Reporting
- EventLog Analyzer Real-time Log Analysis & Reporting
- M365 Manager Plus Microsoft 365 Management & Reporting Tool
- DataSecurity Plus File server auditing & data discovery
- RecoveryManager Plus Enterprise backup and recovery tool
- SharePoint Manager Plus SharePoint Reporting and Auditing
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools
Password change for your hybrid workforce
Changing passwords periodically is a healthy habit that helps to thwart cyberattacks that exploit stolen credentials. Security experts suggest that administrators should ensure users change their passwords by implementing effective password expiration policies.
When a password expiration date nears, users are typically notified by the administrator via email to change their passwords. But in many organizations, users can only change their domain password when they are connected to the company network. So what happens if VPN and OWA users are not connected to the LAN when their passwords are about to expire?
Self-service password change with ADSelfService Plus
ADSelfService Plus, an identity security solution with MFA, SSO, and self-service password management capabilities, provides a secure, web-based portal which allows hybrid domain users to change their own passwords. It also allows administrators to configure a custom password policy, which is displayed to the user while creating their password to ensure that it's strong.
During a remote password change, the new password is updated only in Active Directory and not on the user's local machine. This means the cached credentials on the user's local machine need to be updated before they can log in. ADSelfService Plus solves this challenge by providing a cached credentials update capability for remote users, ensuring their cached credentials are updated after a password change, either with or without a VPN client.
How to change a user password in Active Directory using ADSelfService Plus
- Log in to the ADSelfService Plus user portal, and go to the Change Password tab.
- Enter your existing Active Directory password in the Old Password field.
- Provide a new password in the New Password field, and re-enter it in the Confirm New Password field. Make sure your new password meets the displayed complexity requirements.
- Click Change Password.
Why you should use ADSelfService Plus for Active Directory password changes
Strong password policies
ADSelfService Plus' Password Policy Enforcer allows you to configure a custom password policy stronger than the default Active Directory password policy, ensuring your users create robust passwords that are immune to brute-force and dictionary attacks.
24/7 availability
With ADSelfService Plus' web-based password change portal, users can change their passwords from any browser or mobile phone—anytime, anywhere.
MFA
ADSelfService Plus offers 20 different MFA methods, including passwordless and phishing-resistant options such as FIDO passkeys, biometrics, and YubiKey, allowing you to choose the best way to secure the password change process for your users.
A domain user may need to change their password in the following situations:
- Their password is nearing its expiration date.
- An administrator instructs them to change their password for compliance purposes.
- An administrator resets their password to a default value.
- They suspect their password has been compromised.
- Their organization follows a periodic password change policy for security reasons.
- When they return from a long absence and need to change their password for security reasons.
- Their role or access privileges in the organization change, requiring a password change.
Password change vs. password reset
| Password change | Password reset |
|---|---|
| User updates their current password . | User recovers their forgotten password. |
| Usually initiated by the user when their password is about to expire or when instructed by their administrator. | Initiated by the user (self-service) or the administrator when the user forgets their password and loses access to a resource. |
| User authentication is mandatory. | User authentication is mandatory in case of self-service. |
| User is required to enter their current password before choosing a new one. | User is not required to enter their current password before choosing a new one. |
While Microsoft offers multiple ways for administrators to reset Active Directory users' passwords, ADSelfService Plus enables domain users to perform self-service password resets and changes through its web-based portal after their identities have been verified using strong authentication methods configured by the administrator.
Complying with data privacy regulations through password policies
Implementing ADSelfService Plus' password management solutions not only eases the burden for IT administrators and users, but it also ensures that your organization complies with the password and authentication requirements of data privacy regulations, including HIPAA, the GDPR, NIST, the CJIS, and the PCI DSS through its powerful features.
- Password Policy Enforcer : Configure strong password policies besides the default domain password policy and the fine-grained password policy available in Active Directory during password changes. Some of the password requirements that can be enforced using ADSelfService Plus include:
- Banning dictionary words and keyboard sequences.
- Disallowing the use of consecutive characters from usernames and old passwords.
- Restricting the use of palindromes.
- Mandating the use of a specific type of first character.
- Integration with Have I Been Pwned: Check every password created during a change or reset via ADSelfService Plus against the Have I Been Pwned database of previously breached passwords. If the new password is present in the database, ADSelfService Plus alerts the user and restricts them from using it.
- MFA: In addition to the username and password, configure robust authentication methods to verify user identities during password self-service. You can choose from the 20 supported authentication methods, including phishing-resistant FIDO passkeys, YubiKey, biometrics, and TOTPs, to verify your users.
Highlights
MFA
Secure all identities and endpoints in the network by enforcing strong, phishing-resistant MFA methods for enterprise app, VPN, OWA, RDP, and machine logins.
Self-service password reset
Free Active Directory users from attending lengthy help desk calls by allowing them to perform self-service actions like password resets or account unlocks.
SSO and password sync
Provide seamless one-click access to cloud apps with SSO, or sync users' Active Directory passwords and account changes across systems, including Microsoft 365, Google Workspace, and IBM iSeries.
Password and account expiration notifications
Notify Active Directory users of their impending password and account expiry via email and SMS notifications.
Password Policy Enforcer
Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements to resist various hacking threats.
Directory self-update and corporate search
Enable Active Directory users to update their latest information without assistance. The quick search feature helps administrators scout for information on peers using search keys like contact numbers.
FAQs
A self-service Active Directory password change is the process that enables users to securely change their own Active Directory passwords remotely through a web-based portal or a mobile app, without help desk assistance.
PowerShell can only be used to reset user passwords and not change them. You can reset Active Directory passwords for either a single user or a group of users, but you cannot change Active Directory passwords using PowerShell. The difference between a password reset and change is that while resetting an Active Directory password, you don't have to enter your old password, while during a password change, you do need to supply your old password.
You can employ ManageEngine ADSelfService Plus' self-service Active Directory password change capability in your organization, which secures self-service with adaptive MFA, having strong authenticators, like biometrics, YubiKey, smart cards, and TOTP passwords. Using ADSelfService Plus' simple and user-friendly console, end users can easily change their Active Directory passwords without help desk assistance.
To learn more about ADSelfService Plus' self-service password change capability, please schedule a personalized web demo with a solution expert or download a free, 30-day trial to try it out yourself.
To change your own Active Directory password using ADSelfService Plus, you need to log in to the ADSelfService Plus user portal, go to the Change Password tab, provide your existing Active Directory password, supply a new password, and save it. For detailed steps, click here.
