Delegated Password Reset (Allow trusted users to reset other account passwords)
The Foldr administrator can enable delegated password control to allow selected Active Directory users or groups to reset other users' network passwords.
A new, fixed password is set by the delegated (trusted) user at the time of the reset, and they can optionally set the ‘user must change password at next logon’ flag. This feature provides a simple and secure way to allow helpdesk staff or other trusted users, such as educators, to reset student passwords in an educational environment.
Delegated password reset in the web app, like personal password change control, requires LDAPS to be enabled on the Active Directory domain. The LDAP Server(s) within Foldr Settings >> General must be prefixed with ldaps:// or you will see the warning below when you try to enable password change control.
More information on enabling LDAPS can be found here:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc
Once LDAPS has been enabled on the domain, you can validate the domain controller is accepting LDAP connections over SSL on port 636 using the LDP tool found on Windows Server.
LDAPS connection being accepted
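The same check can be scripted from a Windows host instead of using the LDP GUI. The following PowerShell script is an added example and is not part of the Foldr documentation or product; the domain controller name dc01.example.internal is an assumption and should be replaced with your own DC. It first completes a TLS handshake on port 636 and reports the certificate and any validation errors, then performs a real LDAP bind over SSL as the current Windows user.

```powershell
# Added example (not from the Foldr documentation): verify that a domain
# controller accepts LDAP over SSL/TLS on port 636 from PowerShell.
param(
    [string]$DomainController = "dc01.example.internal",   # assumption: your DC FQDN
    [int]$Port = 636
)

# 1. TCP connect + TLS handshake. The validation callback records the policy
#    errors and accepts the certificate so the problem can be reported rather
#    than thrown; a real client (such as the Foldr appliance) would reject it.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$script:validationErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:validationErrors = $sslPolicyErrors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($DomainController)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

"TLS protocol : $($ssl.SslProtocol)"
"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"Valid until  : $($cert.NotAfter)"
"Validation   : $script:validationErrors"     # anything other than 'None' needs fixing
$ssl.Dispose()
$tcp.Dispose()

# 2. Perform an actual LDAP bind over SSL (not StartTLS) as the current user.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()
    "LDAPS bind   : OK"
} catch {
    "LDAPS bind   : FAILED - $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}
```

A successful handshake with a validation result of RemoteCertificateChainErrors or RemoteCertificateNameMismatch means the port is open but the certificate is not trusted for that host name; the certificate's subject or SAN must match the name you enter after ldaps:// in Foldr Settings, and its issuing CA must be trusted by the appliance.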
Permissions Required for Delegated Password Reset (& Self-Service Reset)
The Foldr appliance uses the main service account configured within Foldr Settings >> General to perform the password reset request on behalf of the delegated (trusted) user. As such, the service account configured requires the appropriate permission to reset the target user’s password within Active Directory.
Windows Domain Controller – Granting permissions to the Service Account
To grant the service account user password reset permissions on the domain controller you can use the Delegate Control wizard within Active Directory Users & Computers.
1. Right-click the root Organizational Unit that contains the users that are to have their password reset by the delegated user(s)
2. Search for and add the Foldr service account and click Next
3. Check ‘Reset user passwords and force password change at next logon’ and ‘Read all user information’, then click Next
In order to allow Foldr users to unlock ‘locked’ accounts in Active Directory, you must also select:
Create, delete, and manage user accounts
Alternatively, you can grant the granular permission ‘Write all properties’ to the Foldr service account user on the OUs concerned via the Security tab > Advanced tab.
4. Complete the Delegation of Control Wizard by clicking Finish
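The rights the wizard grants can also be applied and, more importantly, audited with PowerShell. The script below is an added example, not part of the Foldr documentation; the OU distinguished name OU=Students,DC=example,DC=internal and the account name svc_foldr are assumptions. It grants the service account the Reset Password extended right plus read/write on pwdLastSet (the wizard's ‘Reset user passwords and force password change at next logon’ task), generic read on user objects (‘Read all user information’), and, for unlocking accounts, write access to the lockoutTime attribute only. Using lockoutTime instead of ‘Create, delete, and manage user accounts’ or ‘Write all properties’ is a narrower grant; that it is sufficient for the appliance's unlock operation is an assumption you should verify in your own environment. It finishes by listing exactly what the service account holds on the OU.

```powershell
# Added example (not from the Foldr documentation): grant the Foldr service
# account the delegation rights described above on one OU, then audit them.
Import-Module ActiveDirectory

$TargetOu   = "OU=Students,DC=example,DC=internal"   # assumption
$ServiceAcc = "svc_foldr"                             # assumption
$ouPath     = "AD:\$TargetOu"

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADUser $ServiceAcc).SID

# Well-known AD schema / rights GUIDs used by the Delegation of Control wizard
$userClass   = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # objectClass: user
$resetPwd    = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # 'Reset Password' extended right
$pwdLastSet  = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # attribute: pwdLastSet
$lockoutTime = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"   # attribute: lockoutTime

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R       = [System.DirectoryServices.ActiveDirectoryRights]
$rw      = $R::ReadProperty -bor $R::WriteProperty

$rules = @(
    # 'Reset user passwords and force password change at next logon'
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::ExtendedRight, $allow, $resetPwd, $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw, $allow, $pwdLastSet, $inherit, $userClass)
    # 'Read all user information'
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::GenericRead, $allow, $inherit, $userClass)
    # Unlock accounts: write lockoutTime only (assumption: sufficient for the appliance's unlock call)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw, $allow, $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path $ouPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $ouPath -AclObject $acl

# Audit: list every ACE on the OU that names the service account, so the
# grant can be compared against the least-privilege set above.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ServiceAcc" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run the audit section on its own periodically: the service account should show only the ACEs above, scoped to user objects under the student OU, and nothing broader such as GenericAll or a grant at the domain root.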
Enable Delegated Password Reset for Users or Groups in Foldr Settings
The delegated password reset feature is available within the top right web app menu >> Password Control. In the iOS app this feature is available in Me >> Password control.
1. In Foldr Settings > Security > Passwords > Delegated Reset – click + Add User or Group
2. Search Active Directory for the user or security group to which you would like to grant delegated password reset permissions. In this example, all members of the ‘Staff’ security group are granted permission to reset student passwords.
3. Click Update and finally, click SAVE CHANGES.
Now when a member of staff signs into Foldr using the web or iOS apps, they will be able to use the Password Control feature to reset student passwords.
User web app – Resetting a user’s password
Select Password Control >> Reset a Password from within the web app top-right menu when logged into the Foldr (user) interface.
The user can search the Active Directory domain, enter the new password and optionally unlock the account or toggle the ‘User must change password at next login’ flag.
If the change password at next login flag is set, the student.demo1 account in the example above will be able to change this through Foldr web, desktop or mobile apps when they next sign in.