Directory Password

Simple, low cost self service resetting passwords and unlocking accounts

Download

Overview

Password resets and unlocking user accounts consume as much 30% of some organization’s Help Desk resources. Directory Password is an extra-cost add-on product for Directory Update v2.0 The user uses Directory Update to answer a series of security questions; the questions and answers are stored (encrypted and hashed) in the Active Directory.

Answering security questions in Directory Update

Answering security questions to reset an account

Later, if you the user’s account is locked or if they have forgotten their password, they can unlock their account or reset their password using the Directory Password web interface. The user must be able to access a Web browser from a neighbor’s computer or a kiosk.

Features

Directory Password is designed to be an add-on product for Directory Update and thus requires the newest build of Directory Update v2.1 or later. Directory Password is configurable and allows you to customize it to fit your password and security requirements

  • Allows user to unlock their account if they have locked it
  • Allows the user to reset their password if they have forgotten it
  • User can unlock / reset from any web browser
  • List of questions possible questions is customizable
  • Administrator selects the number of questions (up to 10) that the user must pre-answer
  • Administrator selects the number of questions the user must answer in order to unlock their account or reset their password
  • Password strength is customizable
  • SQL or standalone database is not required
  • File auditing and e-mail notifications

Question and Answer Storage

Directory Password does not require a separate database instance. Instead, we store question and answer data in each user’s object in Active Directory. The questions that the user selects and the answers provided are stored in the PostalAddress. Questions are encrypted and the answers are hashed using an irreversible hash.

We use homePostalAddress to store incorrect logon count information. Both of these attributes are not frequently used in Active Directory and hold 4KB worth of information. The attributes that are used can be changed using the AppSettings.XML file. The Question and Answer data is not visible to the administrator.

Version History and Product Updates

Directory Password v3.1

Changed the installer file from .MSI to .EXE and updated the package to require elevated privileges to install and to be a per-machine installation.

Directory Password v3.0

  • Windows Server 2016 compatibility

  • Directory Update v3.0 compatibility. Directory Update is also now the master location for the PasswordSettings.XML file for Directory Password.

  • Miscellaneous bug fixes, browser compatibility fixes, and improved error detection.

Directory Password v2.0

  • Updated the code using the Bootstrap APIs to allow the screen to better display on a mobile interface.

  • Directory Update v2.7 or later should be used with this version.

  • A few fixes to the interface and improved password rule mapping and management.

Directory Password v1.2

  • Updated code so that it can evaluation a "Microsoft" strong password. A Microsoft strong password is at least 8 characters long and uses 3 out of 4 character types (special, number, upper case, and/or lower case.)

  • Created a forbidden string list. These strings cannot be found anywhere in the user's password.

  • Created an option so that user's user name is not allowed to be part of the password.

  • Installer will work now on Windows Server 2012 / 2012 R2 and software supports underlying .NET Framework v4.0.

  • Software requires a minimum of Directory Update v2.5.

Directory Password v1.0

  • Original version of Directory Password

  • Integrates with Directory Update v2.0/v2.1

Last Review: 3 Dec 2016