Password Self-Service Deployment

In order to take ADSelfService Plus' self-service features to the end-users, you have to implement the following:

• Configuring self-service actions
• Identity Verification
• User Enrollment
• Securing self-service actions

Configuring self-service actions

ADSelfService Plus offers four self-service features to domain users (Password reset, Account unlock, Directory self-update, and Change password). Based on the departments and organizational hierarchy, you can choose to enable specific features based on users' OUs and group membership. Thereby, they can decide which users can avail themselves of any or all of these features. This is done in the Policy Configuration section by configuring a self-service policy for the users and defining the extent to which they can use ADSelfService Plus. Click on Steps to create a policy for further details.

Identity verification

Once domain users are made part of a self-service policy, their identities need to be verified they can make use of the self-service password reset or account unlock features via the ADSelfService Plus' end-user portal, ADSelfService Plus mobile app, and Windows/macOS/Linux login screens. You can authenticate user identities using any of the fifteen multi-factor authentication (MFA) methods supported by ADSelfService Plus during:

• Windows, macOS, and Linux logins (when ADSelfService Plus client software is installed).
• ADSelfService Plus portal login.
• Enterprise application logins through single sign-on (SSO).
• Active Directory self-service password reset or account unlock actions via the ADSelfService portal, ADSelfService Plus mobile app, and native Windows/macOS/Linux login screens (when ADSelfService Plus client software is installed).

Identity verification by multi-factor authentication (MFA) is carried out using the information provided by users during enrollment into ADSelfService Plus.

By clicking on the above links you can view the configuration steps for each of these methods.

You can enable specific MFA methods for specific set of users and can specify the number of authentications users must complete in order to verify their identity. They also have the option of forcing users to verify their identities with certain MFA methods. This is done using the MFA/TFA settings (Configuration > Self-Service > Mulit-factor Authentication > MFA/TFA Settings). To know more about configuring MFA, Click here.

User enrollment

In order to perform identity verification, users need to enroll with ADSelfService Plus by providing certain information. The information provided varies based on the MFA method configured. ADSelfService Plus simplifies the enrollment process by offering multiple enrollment options:

• Enrollment without user's intervention - Administrators enter the user's enrollment information.
• Enrollment by users - Users provide the enrollment information

Enrollment without user's intervention

• Import Enrollment Data from CSV file:

  You can import the existing security questions and answers along with the user’s mobile numbers and e-mail IDs that are stored in a CSV file format. This imported information is then used to enroll users. Click here for further details.

• Import Enrollment Data from External Database:

  Connect the organization's data sources like MS SQL, PostgreSQL, Oracle, and MySQL with ADSelfService Plus. Once ADSelfService Plus has been given sufficient permission to access the database server, data can be fetched and users can be automatically enrolled. Any changes made on the database server can be easily updated to ADSelfService Plus with just a click using the Fetch Again option.

  A scheduler can also be set to search for newly added users in the connected external data sources regularly and enroll them with ADSelfService Plus. For more information on how to import enrollment data from an external database, Click here.

Enrollment by users:

Users can enroll with ADSelfService Plus using the ADSelfService Plus client portal, ADSelfService Plus mobile app, and the Mobile Web App. In order to enforce user enrollment, you can implement the following measures:

• Enrollment Notification:

  When ADSelfService Plus is deployed in an organization, the administrator could use enrollment notification to inform employees of the product and encourage them to enroll themselves with it. The option, when enabled, sends an e-mail or push notification to all users who have not yet enrolled with ADSelfService Plus. You can also set up a scheduler to automatically send notifications to non-enrolled users regularly. Click here for further details.

• Force Enrollment:

  This involves searching for all non-enrolled users within the selected domain or policies and associates their accounts with a Logon Script. The logon script forces them to enroll when they log into their domain user accounts. Linking non-enrolled users’ accounts with a logon script can be done using a scheduler. The scheduler can be set to run periodically to check for non-enrolled and newly added users and set up the logon script to their accounts. For steps on how to enable Force Enrollment for non-enrolled users, Click here.

Securing self-service actions

ADSelfService Plus' Security Centre lists out links to security settings in the other sections of the product. These include:

• Block user accounts failing at identity verification.
• Session timeout.
• CAPTCHA (word verification).
• Enforce password strength level.
• Force users to change password at next logon.
• Prevent users from providing the same answer to multiple questions.
• Prevent users from using any word of a question in their answers.
• Display security questions one by one.
• Display only a random subset from a user's security questions.
• Make security answers case sensitive.
• Hide answers during reset / unlock operations.
• Email notification upon password self-service.
• Secure connections (SSL/LDAPS/TLS).
• Restrict inactive users.

Enabling these security settings protects the user accounts in a domain and secures the connections between the ADSelfService Plus server and other components in the network.