0 votes

Hello!

We have password policies set up to prevent users from reusing the last several passwords and to prevent them from changing their password more than once in a 24 hour period. We currently give users the ability to reset their direct reports' passwords using the Password Reset function in Adaxes. However, we noticed that when a manager resets the password for an account they manage, they are able to reset the password to the current password and they are able to reset the password multiple times in one day, bypassing some of the password policies that are normally enforced. The password complexity requirements are still enforced, but the password reuse and time limit are not enforced.

When a user signs in and clicks the Change Password button for their account, all of the policies appear to be enforced. This issue seems limited to reseting the password for another account.

Is this a known issue, and do you know of any way to fully enforce all of the password policies for password resets?

by (320 points)

1 Answer

0 votes
by (294k points)

Hello,

There are no password policies in Adaxes itself. The software only allows you to configure AD domain password policies. If some restrictions do not work for a user, most probably, the policy effective for the user is not the right one. For information on how to manage the policies in Adaxes, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ManageFineGrainedPasswordPolicies.htm.

0

Hi there,

Thanks for your response. The issue doesn't seem to be based on the user. It seems to be based on how the password for the user is reset.

If User A signs into the web interface for Adaxes and clicks the "Change Password" button to reset their own password, all of the security policies are enforced, including the password history and 24-hour rule. If User B does the same thing to reset their own password, all of the security policies are enforced. Let's say User B is User A's manager. The problem is when User B signs into the web interface for Adaxes, selects User A's account, and then clicks "Reset Password" to reset User A's password. When User B does that, they can reset User A's password to the current password and reset it within the 24-hour window which shouldn't be allowed.

+1

The thing is, Enforce password history and Minimum password age policy restrictions are applied only when the password is changed, not when it is reset. These are two distinct operations, and it doesn't matter who changes or resets the password.

For example, if the user resets their own password, they will be able to enter the same password and reset it many times without being limited by the Minimum password age. This behaviour comes from Active Directory itself, not Adaxes.

0

That makes sense. Thanks for the clarification. We were able to fix the problem by giving the managers the ability to "Change" the password for their managed accounts rather than "Reset" the password. Thanks again for your help!

Related questions

0 votes
1 answer

Is there anyway we can get an Adaxes administrator to be able to access the security the questions and answers from the “Password Self-Service Policies” portal for our users?

asked Feb 17, 2022 by JoeG (40 points)
+1 vote
1 answer

Hi, Is there any way to make Password Self Service Policies OR Operation? Let say, user can enroll to both Q&A and OTP App Google Authenication. However, during the password reset, user can choose either to use Q&A or OTP App.

asked Nov 18, 2021 by fachmi (170 points)
0 votes
1 answer

Hi there, we are already successfully using the password self service via webinterface for our ad domain users. In addition to this are we in the testing phase of the password ... has the same problem and maybe can report how they solved it. Thanks in advance.

asked Oct 27, 2021 by khess (20 points)
0 votes
1 answer

We are looking to implement Self-Password reset for users through Adaxes and need the following information: Is there any additional licensing costs to use the Adaxes Self- ... the earliest version of Adaxes that the client is available? Thank you in advance.

asked Jan 7, 2021 by lgibbens (320 points)
0 votes
1 answer

Hi, We are a European branch of a US company, our Exchange server is in US and talks to the US DC. This leads to the situation that when our helpdesk resets a password, ... Even better would be if it could be scripted based on OU the user resides in. Thanks!

asked Dec 8, 2017 by digimortal (240 points)
3,589 questions
3,278 answers
8,303 comments
548,105 users