2003 Server - web based password reset?

Z

zrac

Limp Gawd
Joined
Jun 14, 2006
Messages
181
Is there anything out there for free that would let my users reset & change their own passwords when they get locked out? I've seen most of the available products online and they are all fine, but for some reason I'd hate to shell out $$$ for it

maybe out of principle? lol

I could write something myself, but there has to be someone that beat me to it.
 
What I usually do is have the set the lockout threshold to something around 5 or 10 attempts, then set the lock out duration and reset to 15 minutes. If they screw up, if will go back to normal if they wait. But, most of the time they will call the help desk after two or three attempts. This is really to guard against brute force or dictionary attacks.

Are you/your help desk taking many password reset calls? We have 3000+ users and may deal with maybe 5 lockouts a month. If you are having frequent problems, maybe there is a bigger issue like the users not understanding the policy or the policy being to strict.

You could pretty easily run an LDAP query to set the password attribute of an object.
 
Doesn't allowing users reset and unlock their own passwords defeat the purpose of having an account lockout policy? What would you use to verify the user's identity so they could reset the password? Would you trust them to remember that if they can't even remember their normal network password?
 
bigshooter said:
Doesn't allowing users reset and unlock their own passwords defeat the purpose of having an account lockout policy? What would you use to verify the user's identity so they could reset the password? Would you trust them to remember that if they can't even remember their normal network password?
Click to expand...


Most password reset web pages require the user to set up a profile previously with answers to five questions that the users select. Supply three correct answers to the questions, and the web page performs the password reset.
 
yes, users create their own security questions which then if they are able to answer those they can reset their own password which they forgot

I don't get a whole lot of password reset requests, but some of our locations are not in the US so a request from those is immediately going to take 6 hours to resolve due to time differences which is unacceptable.

Guess I will purchase one of the available solutions and not hope for a free one :(
 
MorfiusX said:
What I usually do is have the set the lockout threshold to something around 5 or 10 attempts, then set the lock out duration and reset to 15 minutes. If they screw up, if will go back to normal if they wait. But, most of the time they will call the help desk after two or three attempts. This is really to guard against brute force or dictionary attacks.
Click to expand...

no one types their password wrong more than 5 times, probability of that is near 0, but they forget password and no amount of attempts will help them remember :) (sad, I know)

with VPN access from home, OWA and other remote tools that I have deployed I"m getting tired of users trying to access their mai lat 3am and calling me they forgot their password
 
You must log in or register to reply here.
Back
Top