Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Using the Manager Attribute in Active Directory (AD) for Password Resets

January 28, 2021

Creating workflows for verifying password resets can be difficult for organizations, particularly since many have shifted to remote work as a result of the COVID-19 pandemic.

With the number of cyberattacks against companies exploding and compromised credentials usually being the culprit, organizations must bolster security around resetting passwords on user accounts.

How can organizations bolster the security of password resets for remote employees? One security workflow might require manager approval before IT helpdesk technicians can change a remote employee's password. In this way, the user's manager is involved in the process.

Additionally, some organizations might decide to give managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? And is there a more seamless solution for requiring manager approval for password resets?

Why password reset security is important

This past year has undoubtedly created many challenges for IT helpdesk staff, including supporting a workforce made up primarily of remote workers. One of the difficulties associated with remote employees is a security issue surrounding password resets.

Cybercriminals are increasingly using identity attacks to compromise environments. Identity often provides the "path of least resistance" into an environment. If valid credentials are compromised, that is often the easiest way to attack and compromise business-critical data and systems.

With employees working remotely, IT helpdesk technicians supporting account unlocks and password changes no longer have face-to-face interaction with employees working "inside" the on-premises environment.

Organizations may be large enough that IT technicians do not personally know every employee who may be working remotely. This introduces the possibility of an attacker impersonating a legitimate employee and social engineering helpdesk staff into resetting a legitimate account's password.

Additionally, a compromised end-user client device can lead to illegitimate password resets of end-user accounts.

Recognizing the new identity threats facing organizations today, IT admins may want to require managerial approval for employee account password resets. This task might even be delegated to the managers of the end-users working in their departments. How can password resets by department managers quickly be configured using built-in features of Active Directory?

Delegating password reset permissions in Active Directory

Microsoft Active Directory includes a feature that allows delegating permissions to certain users or groups to carry out very granular tasks. These tasks include password resets. To configure delegation of password reset permissions, you can follow the process below.

Beginning to configure the Delegate Control options in Active Directory

This launches the Delegation of Control Wizard, which first lets you choose the user or group to which you want to assign permissions. Here you click Add… to add a user or group. We have already added the group shown below, DLGRP_PasswordReset, a domain local group created in Active Directory. As a best practice, it is always better to use groups for managing permissions delegation. It allows quickly and easily adding or removing specific users without having to go through the permissions delegation wizard each time.

Choose the users and groups who will assume the permissions

On the Tasks to Delegate screen, under Delegate the following common tasks, choose the Reset user passwords and force password change at next logon option. Click Next.

Choosing the Reset user passwords and force password change at next logon option

Finish the Delegation of Control Wizard.

Complete the Delegation of Control Wizard

Assigning managers to reset passwords

Using the process shown above, administrators can add managers to the group that has been delegated the reset password permission. The wizard lets you point at a specific user or group when delegating the permission to reset passwords.

As mentioned, it is always best practice when creating a permissions delegation in Active Directory to assign it to a group, even if you are delegating permissions to one user. Doing it this way makes lifecycle management of the permissions delegation much more manageable.

However, the Active Directory group is fairly static in this context. Outside of Microsoft Exchange Server and dynamic distribution groups, Active Directory has no built-in way to create dynamic security groups that are populated based on Active Directory attributes.

Is there a way to have dynamic security groups in Active Directory by using a scripted approach? Yes, there is. Using PowerShell, the get-aduser cmdlet, and a few other Active Directory related PowerShell cmdlets, you can effectively query Active Directory for users with specific characteristics and then add or remove those users from specific groups.

You can create custom PowerShell scripts to accomplish this. A couple of resources can quickly get you up to speed with a customized PowerShell script for adding and removing users from security groups based on user location, attributes, and other characteristics.

Let's consider a use case related to managerial approval for password resets. Suppose you wanted to grant managers the permission to reset passwords. In that case, you could do some PowerShell scripting in conjunction with the delegation wizard and have an automated process that adds and removes managers from Active Directory into a group configured for password resets.

Find the following PowerShell resources for this:

Below is an example based on the Windows OSHub code of how you might use PowerShell to search for "Manager" in the title attribute.
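The following is an added example of such a script (not the article's own code and not the Windows OSHub code): it makes DLGRP_PasswordReset, the group delegated above, track every enabled user whose title contains "Manager". It assumes the RSAT ActiveDirectory module; the search base and log path are placeholders.

```powershell
# Added example, not the article's code. Keeps the delegated group's membership
# equal to the set of enabled users whose title attribute contains "Manager".
Import-Module ActiveDirectory

$GroupName  = 'DLGRP_PasswordReset'                # group created in the article
$SearchBase = 'OU=Staff,DC=example,DC=com'         # placeholder: your user OU
$LogPath    = 'C:\Logs\PasswordResetGroupSync.log' # placeholder

# Who should hold the right: enabled accounts with "Manager" in the title.
# Disabled accounts are excluded so a departed manager drops out automatically.
$Desired = @(Get-ADUser -SearchBase $SearchBase `
                -Filter "title -like '*Manager*' -and enabled -eq 'true'" |
             Select-Object -ExpandProperty SamAccountName)

# Guard: an empty result usually means a bad filter or a failed query, and
# acting on it would strip every manager from the group. Stop instead.
if ($Desired.Count -eq 0) {
    throw "No users matched the manager filter; refusing to empty $GroupName."
}

# Who holds it now (direct user members only; nested groups are left alone).
$Current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName)

$ToAdd    = $Desired | Where-Object { $_ -notin $Current }
$ToRemove = $Current | Where-Object { $_ -notin $Desired }

# Every change is logged so group membership drift can be reviewed later.
foreach ($u in $ToAdd) {
    Add-ADGroupMember -Identity $GroupName -Members $u
    "$(Get-Date -Format s) ADD    $u" | Add-Content -Path $LogPath
}
foreach ($u in $ToRemove) {
    Remove-ADGroupMember -Identity $GroupName -Members $u -Confirm:$false
    "$(Get-Date -Format s) REMOVE $u" | Add-Content -Path $LogPath
}
```

Run it from a scheduled task under a service account that only has rights to modify this group's membership, not a domain administrator account.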

You could schedule the above PowerShell script to run at regular intervals with a scheduled task, dynamically adding or removing users from the group delegated password reset permissions.

Specops uReset – A better approach to password reset manager approvals

Specops Software provides a much better automated approach to enabling manager approval for password resets. Specops uReset is a fully-featured self-service password reset (SSPR) solution that allows end-users to reset their passwords securely.

Also, with Specops uReset, you can add the ability for Manager Identification. When a user authenticates with Manager Identification, the authentication request is sent to their manager as a text message or an email. The user's manager must then confirm the user's identity to approve the password reset request.

This dramatically enhances the security of the password reset functionality since two people are involved. It also helps to provide a change control workflow for password reset requests and an audit trail.

There are two requirements needed by Specops to use manager approval:

  • Each user account must have a manager assigned to it in Active Directory.
  • Each manager account must have an email address or mobile phone number associated with it in Active Directory, to be able to receive authentication requests from users.

To assign a manager using PowerShell to all the members of an Active Directory department, you can use the following PowerShell code.

# Set jdoe as the manager of every Accounting user other than jdoe themselves
Get-ADUser -Filter "department -eq 'Accounting' -and samaccountname -ne 'jdoe'" | Set-ADUser -Manager jdoe
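As an added check (not the article's or Specops' code), the script below reports what would block Manager Identification before it is switched on: users with no manager, users who are their own manager, and managers with no email address or mobile number or whose account is disabled. It assumes the RSAT ActiveDirectory module; the search base is a placeholder.

```powershell
# Added example, not the article's code. Audits the two Manager Identification
# prerequisites: every user has a manager, and every manager can be reached.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: your user OU

$Users = Get-ADUser -SearchBase $SearchBase -Filter "enabled -eq 'true'" `
                    -Properties manager, mail, mobile

# Requirement 1: each user account must have a manager assigned.
$NoManager = $Users | Where-Object { -not $_.manager }

# A user listed as their own manager would approve their own reset request.
$SelfManaged = $Users | Where-Object { $_.manager -eq $_.DistinguishedName }

# Requirement 2: each referenced manager needs mail or mobile to receive the
# request. A disabled manager account can never approve, so flag it as well.
$ManagerDNs = $Users | Where-Object { $_.manager } |
              Select-Object -ExpandProperty manager | Sort-Object -Unique
$Unreachable = foreach ($dn in $ManagerDNs) {
    $m = Get-ADUser -Identity $dn -Properties mail, mobile
    if (-not $m.Enabled -or (-not $m.mail -and -not $m.mobile)) { $m }
}

"Users without a manager: $(@($NoManager).Count)"
$NoManager   | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
"Users who manage themselves: $(@($SelfManaged).Count)"
$SelfManaged | Select-Object SamAccountName | Format-Table -AutoSize
"Managers unable to receive approval requests: $(@($Unreachable).Count)"
$Unreachable | Select-Object SamAccountName, Enabled, mail, mobile | Format-Table -AutoSize
```

Clear all three lists before enabling Manager Identification, otherwise the affected users will be unable to complete a reset or, in the self-managed case, will be able to approve their own.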

In the Specops uReset administration Identity Services configuration, you can configure Manager Identification. You can choose between email and text notifications.

Configuring Manager Identification in Specops uReset

Wrapping Up

Securing password resets is an important area of security that organizations need to address to protect remote end-user accounts. While you can use a scripted PowerShell approach to create dynamic Active Directory security groups, it can be problematic to maintain and does not scale very well.

Specops uReset provides an easy way to implement self-service password resets (SSPR) with additional security checks such as manager approval. Using Specops uReset, businesses can easily require managers to approve password reset requests for end-users.

Learn more about Specops uReset self-service password resets with manager approval features.
