Enforce password history during password reset

By design, Active Directory does not permit password history checks during password resets. However, you can configure ADSelfService Plus to check the password history in its database during password resets to prevent users from reusing expired passwords. Enabling this ensures that users create new passwords, reducing the risk of unauthorized access due to predictable or reused passwords. Additionally, this helps organizations maintain compliance with security standards and best practices.

Please note that the password history option is only applicable for password resets performed through ADSelfService Plus.

Here's how you can enable this feature in ADSelfService Plus:

1. Log in to ADSelfService Plus with administrator credentials.
2. Navigate to Configuration > Self-Service > Password Policy Enforcer.
3. Select an appropriate policy from the drop-down list.
   Note: To create or edit a policy, navigate to the Configuration tab and go to Self-Service > Policy Configuration. You can either create a new self-service policy by clicking the +Add New Policy button or by editing the existing default policy. For detailed steps, click here.
4. Check the Enforce Custom Password Policy box.
5. Click Restrict Repetition.

   

   Fig. 1: Steps to configure the Password Policy Enforcer and restrict old password repetition.

6. Check the Number of old passwords to be restricted during password reset box and select the number of previous passwords to compare against the new one. ADSelfService Plus can check the password history of up to the last 24 passwords.
7. Click Save.

Once successfully configured, users will be prevented from reusing previous passwords during resets, promoting stronger security. Additionally, ADSelfService Plus stores the SHA-512 hash of the passwords in its database to ensure the highest level of security and prevent unauthorized access to stored passwords.

For further assistance, please contact us at support@adselfserviceplus.com.