0 votes

Hello!

We have password policies set up to prevent users from reusing the last several passwords and to prevent them from changing their password more than once in a 24-hour period. We currently give users the ability to reset their direct reports' passwords using the Password Reset function in Adaxes. However, we noticed that when a manager resets the password for an account they manage, they are able to reset the password to the current password and they are able to reset the password multiple times in one day, bypassing some of the password policies that are normally enforced. The password complexity requirements are still enforced, but the password reuse and time limit are not enforced.

When a user signs in and clicks the Change Password button for their account, all of the policies appear to be enforced. This issue seems limited to resetting the password for another account.

Is this a known issue, and do you know of any way to fully enforce all of the password policies for password resets?

by (320 points)

1 Answer

0 votes
by (272k points)

Hello,

There are no password policies in Adaxes itself. The software only allows you to configure AD domain password policies. If some restrictions do not work for a user, most probably, the policy effective for the user is not the right one. For information on how to manage the policies in Adaxes, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ManageFineGrainedPasswordPolicies.htm.

0

Hi there,

Thanks for your response. The issue doesn't seem to be based on the user. It seems to be based on how the password for the user is reset.

If User A signs into the web interface for Adaxes and clicks the "Change Password" button to reset their own password, all of the security policies are enforced, including the password history and 24-hour rule. If User B does the same thing to reset their own password, all of the security policies are enforced. Let's say User B is User A's manager. The problem is when User B signs into the web interface for Adaxes, selects User A's account, and then clicks "Reset Password" to reset User A's password. When User B does that, they can reset User A's password to the current password and reset it within the 24-hour window which shouldn't be allowed.

+1

The thing is, Enforce password history and Minimum password age policy restrictions are applied only when the password is changed, not when it is reset. These are two distinct operations, and it doesn't matter who changes or resets the password.

For example, if the user resets their own password, they will be able to enter the same password and reset it many times without being limited by the Minimum password age. This behaviour comes from Active Directory itself, not Adaxes.

0

That makes sense. Thanks for the clarification. We were able to fix the problem by giving the managers the ability to "Change" the password for their managed accounts rather than "Reset" the password. Thanks again for your help!
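The distinction drawn in the support reply above (history and minimum-age rules gate a password change but not a password reset, regardless of who performs it) and the earlier pointer to check which policy is actually effective for the user can both be seen directly against Active Directory. The following PowerShell is an added example, not code from the thread or from Adaxes; it assumes the RSAT ActiveDirectory module, a caller holding the "Reset password" right on the target, and placeholder values for the account (`jdoe`) and passwords.

```powershell
# Added example (not from the original thread or from Adaxes).
# Shows why AD applies "Enforce password history" and "Minimum password age"
# to a password CHANGE but not to a password RESET, and how to tell the two
# apart afterwards in the Security log.
# Assumptions: RSAT ActiveDirectory module installed; caller has the
# "Reset password" right on the target; $user and both passwords are
# placeholders chosen for this example.
Import-Module ActiveDirectory

$user    = 'jdoe'                                                        # placeholder sAMAccountName
$current = ConvertTo-SecureString 'Winter-2024!x' -AsPlainText -Force    # placeholder: the account's current password
$new     = ConvertTo-SecureString 'Spring-2024!y' -AsPlainText -Force    # placeholder: a fresh password

# 1. Which policy is effective for this user? A fine-grained policy (PSO)
#    overrides the domain default; if neither looks like what you expect,
#    the wrong policy is applying, which is the first thing support asked about.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$policy | Select-Object Name, MinPasswordAge, PasswordHistoryCount, ComplexityEnabled | Format-List

# 2. RESET: a privileged operation (needs the "Reset password" extended right).
#    AD does not consult history or minimum age here, so setting the password
#    back to its current value succeeds, and it can be repeated within 24 hours.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $current
Write-Host 'Reset to the current password succeeded: history and minimum age are not enforced on reset.'

# 3. CHANGE: the caller must supply the old password. History and minimum age
#    are enforced by the DC, so the same value (or any change inside the
#    minimum-age window) is rejected.
try {
    Set-ADAccountPassword -Identity $user -OldPassword $current -NewPassword $current -ErrorAction Stop
    Write-Host 'Change to the same password was accepted (not expected under a history policy).'
} catch {
    Write-Host "Change to the same password rejected: $($_.Exception.Message)"
}

# 4. If delegated RESET must stay, the usual compensating control is to force
#    the user through a CHANGE at next logon (pwdLastSet = 0), so the password
#    the delegate chose is only transient.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# 5. Distinguishing the two after the fact. Run on the DC that handled the
#    operation: 4723 = change attempt, 4724 = reset attempt.
Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4723 or EventID=4724)]]' -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Kind   = if ($_.Id -eq 4724) { 'RESET' } else { 'CHANGE' }
            Target = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            Actor  = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } | Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output. The change path in step 3 only works because the script knows the old password; a delegate who does not know it can only reset, which is exactly why AD treats the two operations differently and why delegating "Reset password" is a stronger right than it looks. And the 4723/4724 split in step 5 is the simplest way to audit whether delegated resets are being used where a change was intended, independent of which front end issued the operation.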

Related questions

0 votes
1 answer

Is there any way we can get an Adaxes administrator to be able to access the security questions and answers from the "Password Self-Service Policies" portal for our users?

asked Feb 17, 2022 by JoeG (40 points)
+1 vote
1 answer

Hi, Is there any way to make Password Self Service Policies OR Operation? Let's say a user can enroll in both Q&A and the OTP app Google Authenticator. However, during the password reset, the user can choose either to use Q&A or the OTP app.

asked Nov 18, 2021 by fachmi (170 points)
0 votes
1 answer

Hi there, we are already successfully using the password self-service via the web interface for our AD domain users. In addition to this we are in the testing phase of the password ... has the same problem and maybe can report how they solved it. Thanks in advance.

asked Oct 27, 2021 by khess (20 points)
0 votes
1 answer

We are looking to implement Self-Password reset for users through Adaxes and need the following information: Is there any additional licensing costs to use the Adaxes Self- ... the earliest version of Adaxes that the client is available? Thank you in advance.

asked Jan 7, 2021 by lgibbens (320 points)
0 votes
1 answer

Hi, We are a European branch of a US company, our Exchange server is in US and talks to the US DC. This leads to the situation that when our helpdesk resets a password, ... Even better would be if it could be scripted based on OU the user resides in. Thanks!

asked Dec 8, 2017 by digimortal (240 points)